General
-
Target
9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d
-
Size
56KB
-
Sample
221220-wyjdradf61
-
MD5
8cffb643c8773ff71c8879fe20074f71
-
SHA1
4ed2f6d803b03262becdc6045f04aca8a4fd5c4c
-
SHA256
9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d
-
SHA512
c3e8913c95f527e00f41488fa48285e297af014d01ef2a8d2f9fccdf7f7ce7c23bfcc6cad9128892fb80d8f6181e32427b9dd6bf247638788333e1dca9c01769
-
SSDEEP
1536:gNeRBl5PT/rx1mzwRMSTdLpJ0ifl+/wA1rK:gQRrmzwR5JkwAE
Static task
static1
Behavioral task
behavioral1
Sample
9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
C:\Users\Admin\Desktop\info.hta
https://pidgin.im/download/windows/
Extracted
C:\info.hta
https://pidgin.im/download/windows/
Targets
-
-
Target
9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d
-
Size
56KB
-
MD5
8cffb643c8773ff71c8879fe20074f71
-
SHA1
4ed2f6d803b03262becdc6045f04aca8a4fd5c4c
-
SHA256
9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d
-
SHA512
c3e8913c95f527e00f41488fa48285e297af014d01ef2a8d2f9fccdf7f7ce7c23bfcc6cad9128892fb80d8f6181e32427b9dd6bf247638788333e1dca9c01769
-
SSDEEP
1536:gNeRBl5PT/rx1mzwRMSTdLpJ0ifl+/wA1rK:gQRrmzwR5JkwAE
Score10/10-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Modifies boot configuration data using bcdedit
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-