68b474238468ca6a581b8543f818f188bebb3641273dca142157e59db17831a5

General

Target

modelrisksetup.exe
Size

199.7MB
Sample

230510-pvsppaga45
MD5

136ab0b4d83741a844ca6ceee52f9357
SHA1

8e7599ffcb6afad89268dad46570e96a09feafa3
SHA256

68b474238468ca6a581b8543f818f188bebb3641273dca142157e59db17831a5
SHA512

74d3a941f072de246084b258fc032277ddbc052622289c608e8867f875b0537b203e4797c195e95e242fb1b77d975e183b8583ea18da44077667da7289c93c23
SSDEEP

6291456:uMMw4bylbVbIZWUU7XRLR9NrKzk3yA4Vss9X6oqUur:Iw4WlxtPdHN+A3/scoqUO

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files\Vose Software\ModelRisk\System.Configuration.ConfigurationManager.dll

Ransom Note

MZ��@�� !�L�!This program cannot be run in DOS mode. $��PE��L��>�Z��" 0��9�� @�� @��Z9�O��@��,��>��`��8�� H��.text�� `.rsrc��@��@��@.reloc��`��*��@��B��9��H��+�� X~��8��j~��%-&(��s�� %��* *��0�$�� (��o�� &��,o�� ,**��,!(��,r��p(�� (�� *(�� **�(��,r��p��%�%�(�� *( �� *�(��,r��p��%�%�%�(�� *( �� *�(��,!r��p��%�%�%�%�(�� *(�� *~��*2r��p(��*2r+��p(��*2rW��p(��*2r��p(��*2r��p(��*2r��p(��*2r��p(��*2r5�p(��*2r��p(��*2r��p(��*2r��p(��*2r/�p(��*2r��p(��*2r��p(��*2rO�p(��*2r��p(��*2r�p(��*2r��p(��*2r��p(��*2r9�p(��*2r��p(��*2r��p(��*2r�p(��*2r{�p(��*2r��p(��*2r'�p(��*2r��p(��*2r��p(��*2rG�p(��*2r��p(��*2r��p(��*2rG �p(��*2r� �p(��*2r� �p(��*2r7 �p(��*2r� �p(��*2r� �p(��*2r�p(��*2re�p(��*2r��p(��*2r#�p(��*2rO�p(��*2r��p(��*2r��p(��*2rA �p(��*2r� �p(��*2r� �p(��*2r�p(��*2r]�p(��*2r��p(��*2r�p(��*2r��p(��*2r��p(��*2rc�p(��*2r��p(��*2rO�p(��*2r��p(��*2rK�p(��*2r��p(��*2r�p(��*2rW�p(��*2r��p(��*2r�p(��*2rC�p(��*2r��p(��*2r��p(��*2r%�p(��*2rY�p(��*2r��p(��*2r��p(��*2r9�p(��*2r��p(��*2r��p(��*2r'�p(��*2rw�p(��*2r��p(��*2r�p(��*2r3�p(��*2r}�p(��*2r��p(��*2r%�p(��*2r}�p(��*2r��p(��*2r��p(��*2ra�p(��*2r��p(��*2r��p(��*2r�p(��*2rI�p(��*2r��p(��*2r�p(��*2rK�p(��*2r��p(��*2r�p(��*2rq�p(��*2r��p(��*2r��p(��*2r/�p(��*2rm�p(��*2r��p(��*2r��p(��*2r�p(��*2rO�p(��*2r��p(��*2r��p(��*2r��p(��*2r1 �p(��*2r� �p(��*2r� �p(��*2r%!�p(��*2ro!�p(��*2r�!�p(��*2r�!�p(��*2r!"�p(��*2ru"�p(��*2r�"�p(��*2r�"�p(��*2r!#�p(��*2rE#�p(��*2r�#�p(��*2r�#�p(��*2r�#�p(��*2r$�p(��*2r;$�p(��*2r�$�p(��*2r�$�p(��*2r�$�p(��*2r�$�p(��*2r;%�p(��*2rU%�p(��*2r�%�p(��*2r�%�p(��*2r�%�p(��*2r'&�p(��*2ry&�p(��*2r�&�p(��*2r�&�p(��*2r'�p(��*2rO'�p(��*2r�'�p(��*2r�'�p(��*2r�'�p(��*2r(�p(��*2r_(�p(��*2r�(�p(��*2r)�p(��*2ru)�p(��*2r�)�p(��*2r-*�p(��*2rw*�p(��*2r�*�p(��*2r�*�p(��*2r/+�p(��*2rm+�p(��*2r�+�p(��*2r�+�p(��*2r/,�p(��*2rg,�p(��*2r�,�p(��*2r�,�p(��*2rE-�p(��*2r�-�p(��*2r�-�p(��*2r.�p(��*2rW.�p(��*2r�.�p(��*2r�.�p(��*2r%/�p(��*2r_/�p(��*2r�/�p(��*2r�/�p(��*2r0�p(��*2r=0�p(��*2r�0�p(��*2r61�p(��*2r�1�p(��*2r�1�p(��*2r2�p(��*2rL2�p(��*2r�2�p(��*2r�2�p(��*2r3�p(��*2rh3�p(��*2r�3�p(��*2r�3�p(��*2r�3�p(��*2r4�p(��*2rB4�p(��*2rf4�p(��*2r�4�p(��*2r�4�p(��*2r�4�p(��*2r65�p(��*2rd5�p(��*2r�5�p(��*2r�5�p(��*2r6�p(��*2rD6�p(��*2r�6�p(��*2r�6�p(��*2r�6�p(��*2r*7�p(��*B��(�� *�BSJB��v4.0.30319��l��!��#~��!��1��#Strings��|S��P7��#US�̊��#GUID��܊��$��#Blob��W� ��3�� U��, ��!k'�6K'� � �� + �}k'�� .K'��K'��8'7��'��sk'��N��g��M��j�� 4��=��!��=� ��!1��P ��!�k ��b+�p ��K!�� +�� +'��!��+-��.!��+4� �a!��h!��u!��1��!��.1��!��%��!��%��!�� !�� !��>#��!��!��q��!�� !��"��*�"��U�"��+"��*�8"��E"��W�R"��_"��#�l"��y"��"�� "��"��U)��"��)��"��)��"��"��2+��"��"��"��"��Q*�#��#��p-�"#��9�/#��n��<#��0�I#��c�V#��c#��-�p#��g0�}#��#��.��#��e��#��4.��#��e��#��K-��#��G��#��#��#��#��~�$��F�$��S�&$��,�3$��@$��M$��Z$��'�g$��s �t$��%��$��*��$��$��$��Q��$��$��/��$��.��$��.��$��#��$��%��7�%��; �%��E(�*%�� 7%��D%��=�Q%��^%��#�k%��$�x%��#��%��!��%��7��%��p.��%��:��%�� %��%��%��q��%��C��%�� &��Z�&��!&��.&��;&��H&��e�U&��b&��,�o&��+�|&��+��&��*��&�� &�� &��&��@,��&��&��#��&��&��(��&��&��'��$�'��%'��2'��J�?'��L'��Z�Y'��b�f'��s'��'��@��'��'��v��'��+��'��x��'�� '��'��^,��'��Y%��'�� (��(��S�(��j�)(��6(��%�C(��1�P(��%�](��j(��<�w(��%��(��(��\��(��(��.��(��(��N ��(�� (��&��(��(��)��)��W� )��/�-)��:)��.*�G)��T)��a)��n)��q(�{)��)��!��)��)��?&��)��+��)��)��G��)��/��)��)��p1��)��30� *��j%�*��W�$*��1*�� >*��K*��j�X*��e*��r*��*��*��=��*��*��*��*��T��*��*��(��*��/(��*��:�+��J0�+��+��*�(+��5+��/�B+�� O+��u�\+��i+��G1�v+��0��+��'��+��-��+��+��'��/��g��{+��I)��{+��{+��.��{+��.��1��'��'��]�1�N)�I�'�1�R�1�t+!�1��+�1��+'�1��+-�1��+4�!�� <�Y�'C�a�'�i�'H�y�'N��'N��'N��'N��'N��'N��'N��'N��'N��'S��'X�.�k�B.�s�K.�{�j.��s.��~.��~.��~.��.��.��.��.��/.��.��.��.��A��+��^��!"��'��,��1,��21,��),��%,�� ,�� ,��B#,��,��u,�� ,��,��*,��Y,��,��*,��,��[,��,��#,��,��,�� ,��#,��Y),��),��),��,��6+,��&,��,��U*,��,��t-,��=,��r�,��0,��g,��,��-,��k0,��,��.,��i,��8.,��i,��O-,��K,��,��,��,��,��J,��W,��,,��,��,��,��',��w ,��&,��*,��,��,��U,��,��/,��.,��.,��#,��,��;,��? ,��I(,�� ,��,��A,��,��#,��$,��#,��%,��;,��t.,��>,�� ,��,��,��u,��G,�� ,��^,��,��,��,��,��i,��,��",,��+,��+,��*,�� ,��$&,��D,,��,��',��,��,,��,��,��(,��!,��,��N,��,��^,��f,��,��,��D�,��,��z,��+,��|,�� ,��,��b,,��]%,�� ,��,��W,��n,��,��%,��1,��%,��,��@,��%,��,��`�,��,��.,��,��R ,�� ,��&,��,��,��,��[,��/,��,��2*,��,��,��,��u(,��,��!,��,��C&,��+,��,��K,��/,��,��t1,��70,��n%,��[,��,�� ,��,��n,��,��,��,��,��A,��,��,��,��X,��,��(,��3(,��>,��N0,��,��.,��,��/,�� ,��y,��,��K1,��0,��',��-,��,�� !��#��%��'��)��+��-��/��1��3�� 5��!�7��"�9��#�;��$�=��%�?��&�A��'�C��(�E��)�G��*�I��+�K��,�M��-�O��.�Q��/�S��0�U��1�W��2�Y��3�[��4�]��5�_��6�a��7�c��8�e��9�g��:�i��;�k��<�m��=�o��>�q��?�s��@�u��A�w��B�y��C�{��D�}��E��F��G��H��I��J��K��L��M��N��O��P��Q��R��S��T��U��V��W��X��Y��Z��[��\��]��^��_��`��a��b��c��d��e��f��g��h��i��j��k��l��m��n��o��p��q��r��s��t��u��v��w��x��y��z��{��|��}��~�� !��#��%��'��)��+��-��/��1��3��5��7��9��;��=��?��A��C��E��G��I��K��M��O��Q��S��U��W��Y��[��]��_��a��c��e��g��i��k��m��o��q��s��u��w��y��{��}��b��!��0S��0 ��9��9�� &� �� {� �� $� �� >� �� L � �� 6-� �� 1� �� P � �� 2� �� !� �� 1� �� )� �� ?� �� e � �� (� �� g � �� -� �� (� �� 8� �� t� �� C� �� &� �� "� �� 0!� �� 0� �� M � �� e/� �� $� �� n!� �� l"� �� -� �� '"� �� D%� �� $� �� &� �� "/� �� < � �� l#� �� K/� �� 0� �� 7/� �� \.� �� 0� �� )� �� "� �� (� �� ,� �� " � �� .-� �� T!� �� &� �� d� �� p� �� -� �� "� �� <"� �� Q� �� &� �� V� �� R� �� >� �� 5!� �� 6� �� (� �� ? � �� %� �� (� �� [� �� z&� �� F� �� !� �� ,� �� v� �� <� �� 0)� �� "� �� ,� �� |� �� 0� �� p/� �� )� �� "� �� 0� �� 1� �� [� �� z!� �� "� �� $'� �� ,� �� T"� �� 5� �� &� �� K� �� d&� �� '� �� +%� �� z$� �� %� �� W$� �� &� �� E$� �� +� �� '� �� $� �� |'��|��p1�get_Could_not_create_from_default_value_2�p2�p3�<Module>�SR�get_DPAPI_bad_data�mscorlib�get_TypeNotPublic�get_Config_base_invalid_attribute_to_lock_by_add�get_Config_base_invalid_element_to_lock_by_add�get_Config_add_configurationsection_already_added�get_Config_add_configurationsectiongroup_already_added�get_Config_file_has_changed�get_Config_cannot_edit_configurationsection_when_not_attached�get_Config_cannot_edit_configurationsectiongroup_when_not_attached�get_Config_base_required_attribute_locked�get_Config_base_attribute_locked�get_Config_base_collection_item_locked�get_Config_cannot_edit_configurationsection_when_locked�get_Config_cannot_edit_configurationsection_when_location_locked�get_Config_section_locked�get_Config_base_element_locked�get_ProviderTypeLoadFailed�get_SettingsSaveFailed�get_ProviderInstantiationFailed�get_Config_write_failed�get_Decryption_failed�get_Encryption_failed�get_Config_tag_name_already_defined�get_Config_source_cannot_be_shared�get_Config_cannot_edit_configurationsection_when_it_is_undeclared�get_ObjectDisposed_StreamClosed�get_Config_more_data_than_expected�get_Config_root_section_group_cannot_be_edited�get_UserSettingsNotSupported�get_Config_element_locking_not_supported�get_Type_cannot_be_resolved�get_Config_base_collection_elements_may_not_be_removed�get_Config_base_collection_entry_already_removed�get_Item_name_reserved�get_Basicmap_item_name_reserved�get_Property_name_reserved�get_Config_location_location_not_allowed�get_Provider_Already_Initialized�get_Validator_element_not_valid�get_Parameter_Invalid�get_Property_Invalid�get_Config_namespace_invalid�get_Config_source_invalid�get_Config_tag_name_invalid�get_Validator_value_type_invalid�get_Config_section_override_mode_attribute_invalid�get_Config_section_allow_exe_definition_attribute_invalid�get_Config_section_allow_definition_attribute_invalid�get_Config_connectionstrings_declaration_invalid�get_Config_appsettings_declaration_invalid�get_Confi

URLs

https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf��.NETFrameworkAssembly��

Targets

- Target
  
  modelrisksetup.exe
- Size
  
  199.7MB
- MD5
  
  136ab0b4d83741a844ca6ceee52f9357
- SHA1
  
  8e7599ffcb6afad89268dad46570e96a09feafa3
- SHA256
  
  68b474238468ca6a581b8543f818f188bebb3641273dca142157e59db17831a5
- SHA512
  
  74d3a941f072de246084b258fc032277ddbc052622289c608e8867f875b0537b203e4797c195e95e242fb1b77d975e183b8583ea18da44077667da7289c93c23
- SSDEEP
  
  6291456:uMMw4bylbVbIZWUU7XRLR9NrKzk3yA4Vss9X6oqUur:Iw4WlxtPdHN+A3/scoqUO
Score

10^/10

discovery macro persistence ransomware
- Blocklisted process makes network request
- Suspicious Office macro
  Office document equipped with macros.
  macro
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
behavioral1