General

Target: Trojan-Ransom.Win32.Snocry.dmv-8f9a62a9e43ed55f0fa810737facc6460dc89c41f16f4d610debc8a35babe6b9
Size: 84KB
Sample: 230425-v1h1bsbh48
MD5: 420b2f010edbc63a68b2cce2cdf1e5e9
SHA1: 4cf5072cfe0eb42d387713067e2706902c89b294
SHA256: 8f9a62a9e43ed55f0fa810737facc6460dc89c41f16f4d610debc8a35babe6b9
SHA512: de85edb0217c3d1e615e81154831fe0f3f7c7514f843f253eecf38da09895558b4dc71c1e4141dd196bda7aa75d2c14c85658355a834f98238370df0bea46f35
SSDEEP: 1536:cYYxci1ZP39zud52ilpPXvlMq12Kpuyjg1kF3mI:+xFyd52ilpPX6q2y8kF3j
Static task: static1

Behavioral task: behavioral1
  Sample: Trojan-Ransom.Win32.Snocry.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: Trojan-Ransom.Win32.Snocry.exe
  Resource: win10v2004-20230220-en
Malware Config

Extracted: C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT
enc4@usa.com
enc4@dr.com
enc4r@usa.com
enc4r@dr.com
Extracted: C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.HTML
enc4@usa.com
enc4@dr.com
enc4r@usa.com
enc4r@dr.com

Extracted: C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.HTML
enc4@usa.com
enc4@dr.com
enc4r@usa.com
enc4r@dr.com

Extracted: C:\Users\HELP_DECRYPT_YOUR_FILES.HTML
enc4@usa.com
enc4@dr.com
enc4r@usa.com
enc4r@dr.com

Extracted: C:\odt\HELP_DECRYPT_YOUR_FILES.TXT
enc4@usa.com
enc4@dr.com
enc4r@usa.com
enc4r@dr.com
Targets

Target: Trojan-Ransom.Win32.Snocry.dmv-8f9a62a9e43ed55f0fa810737facc6460dc89c41f16f4d610debc8a35babe6b9
Score: 10/10

Signatures

- Modifies extensions of user files: ransomware generally changes the extension on the files it encrypts.
- Checks computer location settings: looks up the country code configured in the registry, most likely a geofence that decides whether to run.
- Adds Run key to start application: persistence through the Windows Run registry key, so the binary is launched again at each logon.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive, i.e. looks for additional volumes to encrypt.
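The hashes in the General section and the ransom-note paths and contact addresses in the Malware Config section are the indicators a responder actually reuses: confirm that a file pulled from a host is this exact sample, and sweep a disk image or share for HELP_DECRYPT_YOUR_FILES notes to recover the attacker's contact addresses. The script below is an added example and is not part of the sandbox report; it copies the reported MD5/SHA1/SHA256 values, treats the note file names from the report as the search targets, and builds a constructed directory tree with two sample notes (one plain text, one HTML with `<br>` separators, modelled on the extracted config) so it runs offline.

```python
"""Offline triage helpers for the Snocry report above: verify a file against
the reported hashes and locate HELP_DECRYPT_YOUR_FILES ransom notes, pulling
the contact addresses out of both the TXT and HTML variants.

Added example, not part of the sandbox report. The demo tree and note
contents built by build_demo_tree() are constructed for this example.
"""
import hashlib
import os
import re
import tempfile

# Digests of the analysed sample, copied from the report's General section.
REPORTED_HASHES = {
    "md5": "420b2f010edbc63a68b2cce2cdf1e5e9",
    "sha1": "4cf5072cfe0eb42d387713067e2706902c89b294",
    "sha256": "8f9a62a9e43ed55f0fa810737facc6460dc89c41f16f4d610debc8a35babe6b9",
}

# Ransom note file names observed in the report; compared case-insensitively
# because NTFS preserves but does not enforce case.
NOTE_NAMES = {"HELP_DECRYPT_YOUR_FILES.TXT", "HELP_DECRYPT_YOUR_FILES.HTML"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
TAG_RE = re.compile(r"<[^>]+>")


def hash_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests of data, keyed like REPORTED_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORTED_HASHES}


def matches_reported_sample(data: bytes) -> bool:
    """True only if every reported digest matches; one mismatch means a different file."""
    return hash_bytes(data) == REPORTED_HASHES


def extract_contacts(note_text: str) -> set:
    """Pull e-mail addresses from a ransom note. HTML tags are replaced by
    whitespace first so only the visible text is searched (the report's HTML
    notes separate the addresses with <br> tags)."""
    plain = TAG_RE.sub(" ", note_text)
    return set(EMAIL_RE.findall(plain))


def find_ransom_notes(root: str) -> list:
    """Walk root and return (path, sorted contacts) for every ransom note,
    tolerating notes that cannot be read (locked or permission-denied)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.upper() in NOTE_NAMES:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "r", encoding="utf-8", errors="replace") as fh:
                        contacts = extract_contacts(fh.read())
                except OSError:
                    contacts = set()
                hits.append((path, sorted(contacts)))
    return sorted(hits)


def build_demo_tree() -> str:
    """Create a constructed directory tree with one TXT and one HTML note
    (content modelled on the report's extracted config) and return its root."""
    root = tempfile.mkdtemp(prefix="snocry_demo_")
    os.makedirs(os.path.join(root, "PerfLogs"))
    os.makedirs(os.path.join(root, "Users", "Admin", "Documents"))
    txt_note = os.path.join(root, "PerfLogs", "HELP_DECRYPT_YOUR_FILES.TXT")
    html_note = os.path.join(root, "Users", "Admin", "Documents",
                             "HELP_DECRYPT_YOUR_FILES.HTML")
    with open(txt_note, "w") as fh:
        fh.write("enc4@usa.com\nenc4@dr.com\nenc4r@usa.com\nenc4r@dr.com\n")
    with open(html_note, "w") as fh:
        fh.write("<html><body>enc4@usa.com<br>enc4@dr.com<br>"
                 "enc4r@usa.com<br>enc4r@dr.com<br></body></html>")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for note_path, contacts in find_ransom_notes(demo_root):
        print(note_path, contacts)
    # A constructed file will not match the reported sample's digests.
    print("matches reported sample:", matches_reported_sample(b"not the sample"))
```

Point `find_ransom_notes` at a mounted image or a share root to sweep a real system; every match is a host that needs to be isolated, and the contact set tells you whether you are looking at the same campaign as this report or a different operator using the same family.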