18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020 | Triage

Submit
Reports

Overview

overview

9

Static

static

18bd1ff24c...20.exe

windows7-x64

1

18bd1ff24c...20.exe

windows10-2004-x64

9

Sharing

General

Target

18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020
Size

388KB
Sample

221128-g841wacc89
MD5

7616872b3a200264a8d476db29be2313
SHA1

2d91b496b2b722ca990483fa9dd786c50bb20a91
SHA256

18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020
SHA512

0a3018693edf7941b39c73f57bf6b0fc403a419a7121ecb8f0bd94be532e35f8fa2d2721c0ddb695855593125aa62f65ab1536cbb2267279c25ef8719a2530e9
SSDEEP

6144:PGxKInHfsR5Qh3By8wCmLLpwFwLJ7ubiZOlZjbuueYlSD7DQB6JYDxHfs9o/Sn:OUaHK4y9jLpXLtuVlZjbUYG7DNiH8N

Score

9^/10

persistence ransomware

Static task

static1

Behavioral task

behavioral1

Sample

18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020.exe

Resource

win7-20221111-en

windows7-x64

2 signatures

150 seconds

Behavioral task

behavioral2

Sample

18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020.exe

Resource

win10v2004-20221111-en

persistence ransomware

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020
- Size
  
  388KB
- MD5
  
  7616872b3a200264a8d476db29be2313
- SHA1
  
  2d91b496b2b722ca990483fa9dd786c50bb20a91
- SHA256
  
  18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020
- SHA512
  
  0a3018693edf7941b39c73f57bf6b0fc403a419a7121ecb8f0bd94be532e35f8fa2d2721c0ddb695855593125aa62f65ab1536cbb2267279c25ef8719a2530e9
- SSDEEP
  
  6144:PGxKInHfsR5Qh3By8wCmLLpwFwLJ7ubiZOlZjbuueYlSD7DQB6JYDxHfs9o/Sn:OUaHK4y9jLpXLtuVlZjbUYG7DNiH8N
Score

9^/10

persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

behavioral2

persistenceransomware

© 2018-2024

Terms | Privacy