General
Target: 8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1
Size: 1.2MB
Sample: 221128-gnrj2sag55
MD5: 1aad30f76693aa8ec2fd2a9314b02125
SHA1: a199494ac4f065578323c1058e0f0cd5df563bc2
SHA256: 8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1
SHA512: fa2d623b0b33c1f7506209980f4699aa8efb4dc18b25cf97f6871fee209d0de7a79f7b3c63458aa0e49d868446e03d2a0cf59ca47c2eee74c67eeac21d03b31c
SSDEEP: 24576:ADqBNB/RLKAlkmrTgCQgoB/7nhYfxknKBCXzOvERcd8Gu7q:ADkpRkmvQgo9zS6nMv7+1u
Static task: static1
Behavioral task: behavioral1
Sample: 8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
Resource: win10v2004-20220812-en
Malware Config
Extracted from: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-eaublmn.txt
  http://tmc2ybfqzgkaeilm.onion.cab
  http://tmc2ybfqzgkaeilm.tor2web.org
  http://tmc2ybfqzgkaeilm.onion/
Extracted from: C:\Users\Admin\Documents\!Decrypt-All-Files-eaublmn.txt
  http://tmc2ybfqzgkaeilm.onion.cab
  http://tmc2ybfqzgkaeilm.tor2web.org
  http://tmc2ybfqzgkaeilm.onion/
Extracted from: C:\Users\Admin\Documents\!Decrypt-All-Files-ipiermb.txt
  http://tmc2ybfqzgkaeilm.onion.cab
  http://tmc2ybfqzgkaeilm.tor2web.org
  http://tmc2ybfqzgkaeilm.onion/
Extracted from: C:\ProgramData\borcfwe.html
  http://tmc2ybfqzgkaeilm.onion.cab
  http://tmc2ybfqzgkaeilm.tor2web.org
  http://tmc2ybfqzgkaeilm.onion
Targets
Target: 8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1
Size: 1.2MB
MD5: 1aad30f76693aa8ec2fd2a9314b02125
SHA1: a199494ac4f065578323c1058e0f0cd5df563bc2
SHA256: 8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1
SHA512: fa2d623b0b33c1f7506209980f4699aa8efb4dc18b25cf97f6871fee209d0de7a79f7b3c63458aa0e49d868446e03d2a0cf59ca47c2eee74c67eeac21d03b31c
SSDEEP: 24576:ADqBNB/RLKAlkmrTgCQgoB/7nhYfxknKBCXzOvERcd8Gu7q:ADkpRkmvQgo9zS6nMv7+1u
Score: 10/10
- Executes dropped EXE
- Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext