General
-
Target
9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe
-
Size
298KB
-
Sample
221223-rwallsbg3y
-
MD5
40cb01660e4b45213c35e997b94238a0
-
SHA1
8a1f0f62eede7cd183158567f9b78384074f5fed
-
SHA256
9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5
-
SHA512
305cedfe911fc108c33310a9954c368d9f3583f275d8cc002473bbb47294d7171b10854e2f513c589c4d17197e39dadcfc11c19bf9cf5573747651fefe5fd4e4
-
SSDEEP
6144:fMjokASLOMN9/wJP96/jdLnCd4C0+7s0Vlm2QV7wcNTLysyTXLI/dc46xPy3cYsF:nkAqOi94x96Rjw4C02silwNTLxyTX01a
Static task
static1
Behavioral task
behavioral1
Sample
9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe
Resource
win10v2004-20221111-en
Malware Config
Extracted
pony
http://gruzdom.ru/api/
Targets
-
-
Target
9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe
-
Size
298KB
-
MD5
40cb01660e4b45213c35e997b94238a0
-
SHA1
8a1f0f62eede7cd183158567f9b78384074f5fed
-
SHA256
9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5
-
SHA512
305cedfe911fc108c33310a9954c368d9f3583f275d8cc002473bbb47294d7171b10854e2f513c589c4d17197e39dadcfc11c19bf9cf5573747651fefe5fd4e4
-
SSDEEP
6144:fMjokASLOMN9/wJP96/jdLnCd4C0+7s0Vlm2QV7wcNTLysyTXLI/dc46xPy3cYsF:nkAqOi94x96Rjw4C02silwNTLxyTX01a
-
CrypVault
Ransomware family which makes encrypted files look like they have been quarantined by AV.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Modifies boot configuration data using bcdedit
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-