General
Target: FaceLift_x64.exe
Size: 2.2MB
Sample: 230205-af2lqaae3w
MD5: e290f0d032890af886ea200194d8f567
SHA1: 5c2fbe34f4ffbb68bca64e4f871fcb6d1f3f4d07
SHA256: 87cff53ba11140991a6b91eb4f8cb36a3f2adb4fb44eb0963132bfd25f085feb
SHA512: 216c85193f628d11fba910954f55f9e95a9796f557384a6f1b58c25ae22029a462951bc1cf99314c52d7436cb3563238f317b5abecd1b4b11f9c1d4bf365fede
SSDEEP: 24576:6srw/vH1kXgmi1c/6PU8f9Ezoe8miyxx+nT45XN7kbnnXx8w:6srqkQpc/V8EsymT45XN7kb
Static task: static1
Behavioral task: behavioral1 (sample FaceLift_x64.exe, resource win7-20221111-en)
Behavioral task: behavioral2 (sample FaceLift_x64.exe, resource win10v2004-20221111-en)
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@Please_Read_Me@.txt
Family: wannacry
Bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Targets
Target: FaceLift_x64.exe
Score: 10/10
Signatures:
- Modifies extensions of user files (ransomware generally changes the extension on encrypted files)
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Sets desktop wallpaper using registry