Extracted

• • Target

    552719d9dda2789ec880ab52ba8c7e695b631d6fab6d56474b4b6a4f8fe4c21e.exe

  • Size

    387KB

  • MD5

    ad607f046a6f855f06d0e7b2cab189c1

  • SHA1

    99a3416dea0f6eb2900c17b50ff171b15386e8bb

  • SHA256

    552719d9dda2789ec880ab52ba8c7e695b631d6fab6d56474b4b6a4f8fe4c21e

  • SHA512

    ca5edac411c12129debd510dcbb59cdea56adcc68c006410cbb7550ff520285eddcf4b6108ae78e40197850dd5f10adddc18b9c43c8c78f83602f4d2a6eed478

  • SSDEEP

    6144:VZVgqnvYmMKNLgYApEBQh9jToGZaFROm7kv6KreTqH6F:VZ+qnwSg/ECh9jTH3iGreTjF

  Score

  10^/10

  discoveryevasionransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Renames multiple (3593) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Stops running service(s)

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2