General
Target: trig_e7c9ec3048d3ea5b16dce3.exe
Size: 1.1MB
Sample: 221129-s57s5scf83
MD5: 2de26af68d2d6d73dae987eb2cdedd6e
SHA1: 34d7fdb906b79f2912598378359668c57e65bb5d
SHA256: e7c9ec3048d3ea5b16dce31ec01fd0f1a965f5ae1cbc1276d35e224831d307fc
SHA512: e85e9c998042e1292312450ef44a9b913b8a67e1ee329fa1dbafc588b6cf1f6aa796fe694b6ae856d5b1c96c65fed71cf8ddee674c6ea49716f9788babc8fc57
SSDEEP: 24576:kYj5E9T+xHeQhNmYOnW8FQrbID+u9v8zKLU:t5E9LQvRrtSvCUU
Static task: static1
Behavioral task: behavioral1
  Sample: trig_e7c9ec3048d3ea5b16dce3.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: trig_e7c9ec3048d3ea5b16dce3.exe
  Resource: win10v2004-20220812-en
Malware Config
Extracted
  Ransom note: C:\Users\Admin\appdata\local\temp\how_to_decrypt.hta
  Contact address: phandaledr@onionmail.org
  URL: http://3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion/
Targets
Target: trig_e7c9ec3048d3ea5b16dce3.exe
Size: 1.1MB
MD5, SHA1, SHA256, SHA512 and SSDEEP: identical to the values listed under General above.
Score: 10/10
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
- Drops desktop.ini file(s)