General
-
Target
meeting-86146677597.ics
-
Size
2KB
-
Sample
231005-hsza5ahc5s
-
MD5
c2bcb6353b4088997b8458e368e278d8
-
SHA1
1f1412b1af71356a3145438f369751a2924f1f1b
-
SHA256
c46a1c55d279cb97a11187bf17574ab20f5d9a7295580209f0faf5de8683742d
-
SHA512
b7a6b6b8f6e85c84326b6860cc433bd3f21e349a187633f5f0985a3ebcf45aea301f58d628ea4b8fc563d08c233c8b8760bf345561da13e04ccabdd3e0de373f
Malware Config
Targets
-
-
Target
meeting-86146677597.ics
-
Size
2KB
-
MD5
c2bcb6353b4088997b8458e368e278d8
-
SHA1
1f1412b1af71356a3145438f369751a2924f1f1b
-
SHA256
c46a1c55d279cb97a11187bf17574ab20f5d9a7295580209f0faf5de8683742d
-
SHA512
b7a6b6b8f6e85c84326b6860cc433bd3f21e349a187633f5f0985a3ebcf45aea301f58d628ea4b8fc563d08c233c8b8760bf345561da13e04ccabdd3e0de373f
Score10/10-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Renames multiple (53) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1