General

  • Target

    202305173caa52bf3388a5a37efe69ef1ff8055edarkside

  • Size

    146KB

  • Sample

    230518-q1va5sac9w

  • MD5

    3caa52bf3388a5a37efe69ef1ff8055e

  • SHA1

    258a6ea8a43e98653e4e7095dbc2ddf6b8a196e5

  • SHA256

    a8fe7e11f97a293db5fda072cc9e64a161c76ababd37754acce5ccd6dfa30d1c

  • SHA512

    606df9ba4077bb9c2bc4004a437354ea6343e730e1efb466103de5b2dc6b0584384e7b8d4886d973ec5b978112553349e17287b11f9c6d8c3ee38b33b74fdde5

  • SSDEEP

    3072:HqJogYkcSNm9V7DEqkByaf4I2jH4sT6T:Hq2kc4m9tDERBl76H4sT

Malware Config

Targets

    • Renames multiple (341) files with added filename extension

      This is consistent with ransomware activity: encrypting all the files on the system.

    • Renames multiple (589) files with added filename extension

      This is consistent with ransomware activity: encrypting all the files on the system.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks