General
-
Target
Nicht bestätigt 172391.crdownload
-
Size
13.5MB
-
Sample
230215-l4rbfabc82
-
MD5
2e3bdf628e9bfaa6fe04786c390bdc6e
-
SHA1
09e783f6b97b7e84e0b736b8db308d25a8c22633
-
SHA256
079c18a81472a9ed6c3f7522d2013a813ae24c50b2e5e7ea79c4d280e60a3c4e
-
SHA512
cc0a6b5ba08534c73f180160699e65fa02afb2f9551cae25442d8d9f96cf5457aea2d4b15d4467f2ddf81cdec31adfe468b80f3397ddbdf5550e33ecf487fe47
-
SSDEEP
3072:imCP97KZrhPNN0JNIT3DM8X2Rb+kDRsT:idF+BhPNNkNIzDdmRKkDk
Malware Config
Targets
-
-
Target
Nicht bestätigt 172391.crdownload
-
Size
13.5MB
-
MD5
2e3bdf628e9bfaa6fe04786c390bdc6e
-
SHA1
09e783f6b97b7e84e0b736b8db308d25a8c22633
-
SHA256
079c18a81472a9ed6c3f7522d2013a813ae24c50b2e5e7ea79c4d280e60a3c4e
-
SHA512
cc0a6b5ba08534c73f180160699e65fa02afb2f9551cae25442d8d9f96cf5457aea2d4b15d4467f2ddf81cdec31adfe468b80f3397ddbdf5550e33ecf487fe47
-
SSDEEP
3072:imCP97KZrhPNN0JNIT3DM8X2Rb+kDRsT:idF+BhPNNkNIzDdmRKkDk
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Blocklisted process makes network request
-
Deletes System State backups
Uses wbadmin.exe to inhibit system recovery.
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-