medusalocker | d7b21d35c8b924b9b59fbb4cb104c3e386a2cd2aec9eb9d149fd6f9cac9a4672

Sharing

Copy URL

Twitter E-mail

General

Target

download.zip
Size

3.9MB
Sample

240101-r1lvfacfam
MD5

d539343c60a3f93f10d8c28c4da769c3
SHA1

39cbeaf892e29d53057fa80e51360d57e3b6e142
SHA256

d7b21d35c8b924b9b59fbb4cb104c3e386a2cd2aec9eb9d149fd6f9cac9a4672
SHA512

1bf0239a44b18a8e2bee1851bc7a225b931d9b32aa74ce06840b4650b3413d5b3701ad7e3aac19e46d307c2aa6b16bccb3bdabf84db2ea2ab5b3b34c17565e85
SSDEEP

49152:E6Q/1OLt3OK9t1kHJMkhBaSHvgsurtH+2OdrFHPxMlsn6zudI1Ju4OhKhe50zlru:E0hV6MEBaSHMtH+2OvIsGudOJgKM5l

Score

10^/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HOW_TO_BACK_FILES.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">80MZ2+5i6KaDDsL20UMvU/N8OaBuOYeT7FSE9hSrgQsJXj/CD/5JAaYDMb2Ye1cxDaGBcTl9k79mU1DoSMkn1Z1ZAzNYKsCX+AG+5l1cKsC4ZHSMmGUqNTRPXBQ2C9ZpbCNxb/h7echB5ge+s4gxGQlUGQcy4ueKO5WwFK94k1HY3dOFlDlutd/PHY6vAfwWsKoz0MXamqAxa2i3GeZvUY5GMd+qI5Pav0b9MnrkJpKvhh+KEhTgOzPqfeDI59cJm7OCvPPAcd8J/2bQ4frhKPkG5zhzpMtM4jdx2MEnn4vfPMLyttaehf9v3L0WZ0Ro9wfQcKv66dufZs2+69jlLGc57lXL5snIQ2AhqdGB5ibuHx0K/CPOub4Q325HLR0E8UxtuDpe3aDHPk73HXb5nQlKhPqavHIFvskZHRQWBa+AkYiDXbci6y2DI1TDdM57vNk2lb44e2USDZ+U2343O84Len/n15QoVAb4CTTqKVbGoHCYPmwbUZ+9okjeEEvn95OqBRCyfoBNPciE7YUHurxQ5Hk6zI7CbkW4SM1XAulIK/LcS2QTD3f3aoqO/6NBNsRqJ5NLBCTf8pi7N7vbOB3dFSgfYitifdNCxcsEBmwjCwygDPvTAYTE31zd6zGn5WugAS+C/F8MZphdDRKcogXusf1c6FvAfc+6n+UoHWJrSrlynSA1is1IyTDfnRvHIP4HiKtSbPfpFTpxvvni1f7J841pcQWvrJcgNneDOGIV/ngvlO16wjh5d665pddtexnGtGG7phUT7Upx7SaXlLkZe8ZQqEgYNoYuM5aYtU1Va5lc8GoTtKPeg0M5isH3dOjpQRBm2/DgXh9kM+bfX2j3jhUYaAc2Voe0j12rX59+z4paoNu39AcBFyfaGGqeZFPwaMSjsnw+uC6Tuq4VcM3M/KbB+HJzQNPjjGYsbcsDSwJBzyeENW1QXMzys36H8P2FvTM/kJouPu2DEPnBXdtjhffdKj0Zic+ZHq8wMiIG/km2WOLu+O4nn+fhjDRPjVjfRNXj2dQ8JZi8coHePeejwUO6AaOZ6xf4hH4UpditxuZzDtS0NVlgORSi69D/rbvqVY6l3lNbK2GEHdK0EE05nzV9+2PAII6+GAf0BTQPnd4MSGSMQ9klotkxpkMqJEiIfoaDJhdasqHKqedPjpQP+midT14ArAv+8EIUCRP1B8xuGUnAmCqH7NhUvvvrykFDHdjHeRS+A3cxitm4VlgcTaR66ZGVQI0Sp7/f27eKEHp+0UEFWx8IdN1bzs0gaEn9yYEObCOZxXHejW/XINiXXHH7QdrVPgT7FFAl08fpdp9fnKQQLiafSoL/IvGZh2eIVc1Wbt8UP0oM33lqRjzZVS8ZUTxw/cQJ2Z+6YPbo5hR+jALH7m8AAmwiTbJRPxpKAattj1JWKtfvcWku1RNkj7fbdalhAeDhkKIALreM51FlGnu9vSJFycKJO865kKBP3Ky4erTf+zU1RCNxmZLChvkBZQC51FxnaF1n+aQtiVC3IJWtiqmITJN7JCMiP2oLOhEq3a+SQ9UlE95bvY5elSqad9Npn+Ek51D4cLSGGnob3XA5yXZ2ZkVaaSXfJ2e55Yn1ixnlk6cQoxuPi46yOgPGCiL/jd4b7pM1TTALvN9imb7Dq6FDYXs7wGebTUuCQe79cExpXRNEHU6sPZ4YT6cx8/JIWNrk0OYB1Ik=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Extracted

Path

C:\odt\HOW_TO_BACK_FILES.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">SvaZbfJB6XoxXjroqOG4GOY2I7SLGTSq/cA/91c0xNimPL1WTsH1ZxWRuah0rvTbMqD972DW6Rf1YhlJwqrJdyLj/ozxlwrfpjiazRT3/GnTpoi4kHPUMP03+9L2Xj3kzhuRm+bHLrQuh/t/sFTtv/y42ta0apQ/Cf5Ahxb8c5kkhdd27pDYuBmkKu16kGCK9AJoNFNJmkLjcTcgEvfZpel/GRj8m4AHrA4VDzQEqdz0iaLLM8TscBgJj+mNfAcd/Vc4J/a35FfrNNvmpeoz13O4LA5J8kzJGgo+QIWO9NEnU5Y9mf2RZJXd9Jj7VKbPUZ/r586eqG0RhMXanKxgPs1nK2Ou+QQ92nWtjsE+fOMyCIsSZ1c2FU1ozZbEPLiu1HY8GTOzBgEa/iJdRkWpLTx9zX/g+cHS5lhTI33+pOdLu5oPP8L7eVsAJi0DxOnWp8TrkcENZlC2xfQYoaTYjp4+KjRp2rTwLgGjDOXee063DBSntlIMGuxLPfUhcQHCf++BLwzerImQYDQ4j5eFYBFGG/GWGSpVJ3xtBcHApUXxQesxIkgJ6+vbK4+JVy55j8+3VhZ95OV9fz/nL98I5Uo5b4o5mVUHVfFW5U26ccZ4iw7U8XxHVIDN8hmVzVSexbANqKnApy+U4CZq51RU34Kvk0OKCE+dWtWhHVTRO3jHaDobcVol5I/o64Mmzw2Pf2rWawXUBjC+IoqwKfEMHuVtleu+/vZDJraxiwDngbGDyF/rurMtt1WqJxvsd7mAHmzpqB1MV0Xs/+oQ/oMMjdMJZhRAF22Y9mymHaC5on7J+ek/1LFeXlHi6Iiuv2Gqv/CYfB/cQMW71zDThmqoeAPSmy6+wZCTuGSLRfCO/oZRdQvQsfNLBTurAFe+NtvIrqftIVGy5STqYwW0qeE1WmPp4XA2DxZi6hX3hJ7N7juOu1lhHJfuksx2NM6VMnsu2P14oyAbTkbsK7f1ujoYNVV0S4qaxFciyZi7vaS6gpROxSz25jlOl0H62vT/9L2AD6LTyN3tMi7vr5aJt7wcMEggyvOv24pjxVwToQzYklES42BixW1A9V31csVj/Vcc+BRWJGLdHqTcCr/bwZpAZGoZd37uVewhu0Gt3Xu2mXkHxIg5CoMOhxnFLMGjJWM13Sx2Q9N6Lqgy22xO/vV96JRPaRmKOaEZWwUZUykC9UV5ijH0nmln+8l5gQSaJFPtENR4vIHK/lAD2tYbJKZVdXrWXO9eWYZ2/vMsCaRAcSt1WtDmSzECz32RySwVX8gFcWgqk2iWYNFvwFwMBpohlwOIAPdYLDpW63vuUQRFif1sV0YBBWbwlF660uhZIPqxy4ZWsMjGho0WcjCJ0D/6FvicxCaXhrgubws1MOHyPg7SFVpgvpna1H//1LNFeVu77LW51zALL/wxtvFG0Co3Acw6NEXmo4IX/y4d+gNREtYFofbdyNn5YP75G2ya99aH4WRxvv9sHY2lAacSwS5f6XAkti004vgtsvx7hjWzd3MZ7WLwkxZ5WjfNDf/OMxIhDdRfBx/OgUxw13+QEBSVGTwDm+qF1IS3aQfZyxQBegk5aNyPHgbJ6sXH3qNDUO93JqX6peRSykGyNyGJjUH1/J9i9G7x8Co4EXaxpOHKMgwLQM7/y5PJ6AGFjTL1u8YSKolr1QwrO3luO/kEizHh8reWPLdVasXJcvRUHRqDogU=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Targets

- Target
  
  07ba533a694e1733f8ef1c18ac191867382f4ca7a51244cda6ef5ec119fbfe53
- Size
  
  586KB
- MD5
  
  03b47131c6a809c9222de2f97e03b49e
- SHA1
  
  7831520ec9797f8d776a191b2ac30bea4b9c28c0
- SHA256
  
  07ba533a694e1733f8ef1c18ac191867382f4ca7a51244cda6ef5ec119fbfe53
- SHA512
  
  54cc49085e2e9cadeebe4462e6906782fae221325baf2039886fe562bb2c485382453f85e1617577fd0117ab08ff718a23913db0bccdfdcfdbce854cd9a52176
- SSDEEP
  
  6144:gMO1jIO0u8krJilHXIdAXEZvGLw+nmYciNXyEuxIKvqoPFZLRbUqF5jQaBlQAhb/:ROhIOR/0lHXQAlL7aIKTvl
Score

1^/10
behavioral1 behavioral2
- Target
  
  0e971ff0e7f4cd4714931ac6bb685d91e28b34070866c9e7c976817aa5f6eb8d
- Size
  
  179KB
- MD5
  
  8e0e472d93c3ebeb725099bc1bbe0a9a
- SHA1
  
  7229e11205e794c75a65587bcef040ed345b3322
- SHA256
  
  0e971ff0e7f4cd4714931ac6bb685d91e28b34070866c9e7c976817aa5f6eb8d
- SHA512
  
  74a63a29a6ea5cfd2f7983b9828dd7a78b3d16072f5e044e795404eb67a2178ac091e15c9a29bafa7b9e7426c6aa709697cb9705ff25f7e40c9597ad1758eda3
- SSDEEP
  
  3072:2Rb6HWdU1NByFMuIBRC0eXLfQzueFsB0yxfWolUJFMXNsz5SkE+pbt8ICjGs:IbeBRmXLP0yJAJFMXNXyC
Score

8^/10

evasion ransomware spyware stealer
- Disables Task Manager via registry modification
  evasion
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral3 behavioral4
- Target
  
  111fb06de858ef843c882e40f34caf958054b0eeaeea877c49a23b1111916e8b
- Size
  
  662KB
- MD5
  
  b6c70f89f19670923f3f490ed5331395
- SHA1
  
  24c9df54d779be27508203666dc48a3fdabb0b87
- SHA256
  
  111fb06de858ef843c882e40f34caf958054b0eeaeea877c49a23b1111916e8b
- SHA512
  
  8a49a73c4086be3ae657452816070d7bf79dc653a9a7c783262348788ee80584c4456e3056f1427f4f1b8433de54437b996bfbede100430b2f7168c130511b0b
- SSDEEP
  
  12288:IG86nitqrIT6Eqk56i258EJsUQUUJ9LBHd2Uo:57itqr3e6d18J9LBHd2n
Score

9^/10

ransomware spyware stealer
- Renames multiple (1289) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral5 behavioral6
- Target
  
  2de3cea3eb6eedbec7436f426a5259d4f65374b326823feee17175407f08e7a8
- Size
  
  464KB
- MD5
  
  79db8a12fc1a24a70c37c4cad0c29c6b
- SHA1
  
  ec6e79d2494862dd6cecbbd817926e282a6e2f4e
- SHA256
  
  2de3cea3eb6eedbec7436f426a5259d4f65374b326823feee17175407f08e7a8
- SHA512
  
  cbaf76ba0f245a103d3cfbd3cf3c78e353bee26931afdbde40c27355379ea9590e16aa430d9af82700fa8773cd4bb342cdfa73add60eab8ea549be7010d6f57f
- SSDEEP
  
  3072:KovCvStG1V1wisbM/OmsolxIrRuw+mqv9j1MWLQL:KqgRwLg/ODAx
Score

1^/10
behavioral7 behavioral8
- Target
  
  327a2a49164bc38c88a2d030ece9a7487b82e8a34d3f398e071654e5fcc4d7ca
- Size
  
  531KB
- MD5
  
  afce432f39419ac75edf95ca955d5937
- SHA1
  
  948b431bdd23bd5e65f0978e56ef09061943fb07
- SHA256
  
  327a2a49164bc38c88a2d030ece9a7487b82e8a34d3f398e071654e5fcc4d7ca
- SHA512
  
  9dc222c083a17ead29648fdf47102c4cfb296305790453adb5acaa13519e91651b07ce74a95336ba422fecbe64f9ee3606fb8a7afc33306f0e001da936ec8fee
- SSDEEP
  
  1536:ymb6YYUjUDYEmb6YYUjUDY1q2JKeDDLXf9Xt1be41hmb6YYUjUDYjij:9+yID4+yIDkxJHDDLXVXt1beEA+yIDd
Score

8^/10

evasion
- Disables Task Manager via registry modification
  evasion
behavioral10 behavioral9
- Target
  
  36c10a3e1f93c4d50fb617ab7cd629bebea7ca5f827239ba98156ff88d27f7d9
- Size
  
  179KB
- MD5
  
  b0ca603398de86e031a781c9d7606ec5
- SHA1
  
  6be006b5098f6286032ab54bf5b2549fcb859060
- SHA256
  
  36c10a3e1f93c4d50fb617ab7cd629bebea7ca5f827239ba98156ff88d27f7d9
- SHA512
  
  629b6c8a5bb204fdef6d14b77105cef59af3c481364577f68b240b15c18141f7d8cf239f8dd8b26a4c01b861aeca1d3a44c26c41e671581a1592012bcca33853
- SSDEEP
  
  1536:6BBzTaVpK3p2oEvvHVUFWHy4h0ZX9efw1+b91RM:6BQVpKvEvPVU5ukX9l1+BzM
Score

8^/10

persistence
- Modifies Installed Components in the registry
  persistence
behavioral11 behavioral12
- Target
  
  67bf260c3ea1e11df9c162b370cb5182d6d9d66392d90f11729c90e911404c10
- Size
  
  276KB
- MD5
  
  80d0e4499a2ce6ac1d3bd1d43300c506
- SHA1
  
  a1ca861aacf0ef8369d7d5a169134c29f895e5ef
- SHA256
  
  67bf260c3ea1e11df9c162b370cb5182d6d9d66392d90f11729c90e911404c10
- SHA512
  
  e67bab4f57deb5f3cb6a227298a19c9f6d96ef0e6825be0ef9f1f3537ca7cc32e9ba4482a5f6e2240b0d6a15ee39061671d6d4928afcfb7feab09009d5e44d30
- SSDEEP
  
  3072:L6ZBn8Tiju3y8TBz5c3Px/rbtYkHOG0rpPVuwq7fxZ1v:gaijqNcpqful
Score

8^/10

evasion persistence spyware stealer
- Disables Task Manager via registry modification
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral13 behavioral14
- Target
  
  70ec1874cf1304960c0b1b828216a22704caaff23ea514c1067efe9ce4b69aac
- Size
  
  188KB
- MD5
  
  c924d51f5943766d54ca1c2fe0dfd3c0
- SHA1
  
  4221c92cc0a689f47065dc28795969219727b82e
- SHA256
  
  70ec1874cf1304960c0b1b828216a22704caaff23ea514c1067efe9ce4b69aac
- SHA512
  
  1f2bb905ee4792553cd1a6d65eb22f48a157947ac9dd62d10fdc5e15f358f825d081a2f9153eae8afe576f94c4969f1e63bce2edf74a6f9cdd703e0d30ad4bc8
- SSDEEP
  
  3072:F7tWE2AM+gTuJEJjy1GS52CFgPhIikuJEfUsIVp/is4cWs:htc+jJOjEGkf4fJ/d
Score

1^/10
behavioral15 behavioral16
- Target
  
  817f5b0fcccda6756c485e463b3f0ea43bb894f866ce5cac9f7d1f065e3e1999
- Size
  
  339KB
- MD5
  
  f549cea3f3f2d8304b56997d241690dd
- SHA1
  
  b063ea7f64513aa2ddb3b7a7ac51f9d7cba7cf18
- SHA256
  
  817f5b0fcccda6756c485e463b3f0ea43bb894f866ce5cac9f7d1f065e3e1999
- SHA512
  
  3beeb0c83a0acfc41f1fb6273a04145783cd69ca126d924638ec2282ff162a39cf7b65b1107311f8be3d94003897e70ed78ecf2be07cda6d63b24ca8f6e512fd
- SSDEEP
  
  6144:fc0h522p3l04ZMSmIp3Uy28uhyqe/I3ahlvFJxKvN0Ic22Zh1F:nhxp3lZnT9bDuaI3ahlvFJxK1nMh1F
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral17 behavioral18
- Target
  
  875a6185aa50896f96a40c75005c849b320ef27f7332e7a2c0c2c1d3d55faff0
- Size
  
  197KB
- MD5
  
  05c95cefcc2292424ffc1aff84215a4e
- SHA1
  
  83eeb67e6deaa063979aa5bbde7e9d9eeabab577
- SHA256
  
  875a6185aa50896f96a40c75005c849b320ef27f7332e7a2c0c2c1d3d55faff0
- SHA512
  
  7ae78baba3315c11e738a236f5542f0aff5a0c2232ef8e2b5d0f90582771c91ebebbb6c047c611890ae9185115e73ae476fb8403d4147924937a666075e65889
- SSDEEP
  
  6144:8fkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk4:8fkkkkkkkkkkkkkkkkkkkkkkkkkkkkkL
Score

1^/10
behavioral19 behavioral20
- Target
  
  887d386d2ea9af0c079f4010311069045df5c51d658921b2c9de81c4378b4bc6
- Size
  
  519KB
- MD5
  
  51ff96a2fe3ecc27f2bae4a243aca5d4
- SHA1
  
  eb8a0c988de8e2ba14f9a970651424ea64b17ba0
- SHA256
  
  887d386d2ea9af0c079f4010311069045df5c51d658921b2c9de81c4378b4bc6
- SHA512
  
  eda5c45118bea07a697b68c3ee190e84b7b35afa65711b6fae3ac7d42acafeaa2aa8f2e4a0056887c5b1c8af6b41bd5ddb9779f11f1b66993025a4a49a293102
- SSDEEP
  
  3072:aePKBpKkHYVqc4yByz3bnkzuZilMpX6Ldj1XaUrAp/GFIPFhmJnVifQRipMLh427:zKBpKAY+8nGSjemJnVZ4AT9Wy
Score

1^/10
behavioral21 behavioral22
- Target
  
  902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016
- Size
  
  334KB
- MD5
  
  4d8bdcee20a3de89ba08bd09cd4ea642
- SHA1
  
  cc4ddf3a821eb13db3d45ed7e4b0b2ed35c2a22e
- SHA256
  
  902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016
- SHA512
  
  024944b3910f72e80d1436627812fefb7bd4b4f3e9d541a747d549743a8edc5f279a0abf45fab6b3fc5ce47eea00b22958efa04513095c86c42efe24c450f28d
- SSDEEP
  
  6144:bkv89W2QcboLPlZvqEKvSlvgXCBVnTDg3GV06rPnek63AW1g3yEXq:bk09XelZvqEKv8gXCBlPHeByyEXq
Score

10^/10

evasion persistence ransomware
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (7562) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes System State backups
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies Installed Components in the registry
  persistence
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral23 behavioral24
- Target
  
  97b6e51df2a1187481fa28ada65be40fb6d727e0fa3b40cc6796780d680b300a
- Size
  
  207KB
- MD5
  
  729871063d04ce837b6b65a57f4a2153
- SHA1
  
  25f77150f1d34d19afcb8e7b543d52630dee2862
- SHA256
  
  97b6e51df2a1187481fa28ada65be40fb6d727e0fa3b40cc6796780d680b300a
- SHA512
  
  dc1869dd47e2d1cd55a71aa589f691066b2638954c3de34a86b14dac6f66e9c004dec02355dd060b3f4eae631166e9e93c2fd786a354168a10776b3508eab575
- SSDEEP
  
  3072:7ZyQGq+qT2atob56RHAKsSCLLBvAd2xLD0oVuAAg0FujoHtUjVVFOq0rO:7vRLDWkRHAKsSiPAOotUbF8O
Score

7^/10

spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral25 behavioral26
- Target
  
  a4704be3a77f989693188a4a505b62719ffe87718f8891ab5d3e1de1b1a57572
- Size
  
  565KB
- MD5
  
  587163ebb29d37762be9b65b4553733a
- SHA1
  
  1688aadda5db2d63fdd296edd65a8063db1a3eec
- SHA256
  
  a4704be3a77f989693188a4a505b62719ffe87718f8891ab5d3e1de1b1a57572
- SHA512
  
  3222f727beb7e8b5d512355863bd0d280b7a6303a1a770345e9d48b48b4c8d37f10a78085ad1d82db265c3a97c2651856366975403aa8656c0127961208b589b
- SSDEEP
  
  6144:vQfvuXwa/F2wHHG/BY1oDShdi6QgEOr26QD3T:OmX37H7hA6P26Mj
Score

1^/10
behavioral27 behavioral28
- Target
  
  b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273
- Size
  
  352KB
- MD5
  
  4f88b5e510ecbd0adefdfc87c552289c
- SHA1
  
  047ec67b8e3c001086284d7176b2d239db565fb5
- SHA256
  
  b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273
- SHA512
  
  75b86d6de4bec5285559f7e9a0dbf46df48dbdf78386023e5f8668a7814bc1db5322d8bf9d306cfd65175112b94366641d671175d59d3edacc3d2b2ba802f348
- SSDEEP
  
  6144:X9PrHO8306KFnBCzDIZXY3HJmui45mkA2/1:drHBpgkDuoEuXbJ
Score

9^/10

persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (121) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral29 behavioral30
- Target
  
  b75b3ff65632b65d1d641075bd2f5ed0ede93da3a35d7f50068b9371ee5c4552
- Size
  
  414KB
- MD5
  
  c2ed5b0eea4e4bf833e1a5549bde2024
- SHA1
  
  5b24af2e9802b503c7f41c17b561b0b6b38914d7
- SHA256
  
  b75b3ff65632b65d1d641075bd2f5ed0ede93da3a35d7f50068b9371ee5c4552
- SHA512
  
  0519a11af45ef901e0624e5b3f3ccdf5d3c8af7ca636304d8a1e8be6af607bf3df839b95381460342ca9fa25e8ac8c511be468b22c62e23c31322ad778bbf769
- SSDEEP
  
  6144:5ji4E09S/t71Pnk0vlg6D59mkwxpCkiesHjAqk55e5BT:Ji4E09qLnrbt9mCeujAJ55e5BT
Score

8^/10
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

Sharing

General

Malware Config

Extracted

Extracted

Targets

Disables Task Manager via registry modification

Drops startup file

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Renames multiple (1289) files with added filename extension

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Drops autorun.inf file

Drops file in System32 directory

Disables Task Manager via registry modification

Modifies Installed Components in the registry

Disables Task Manager via registry modification

Reads user/profile data of web browsers

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of NtCreateUserProcessOtherParentProcess

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (7562) files with added filename extension

Deletes System State backups

Modifies Installed Components in the registry

Adds Run key to start application

Enumerates connected drives

Reads user/profile data of web browsers

Deletes shadow copies

Renames multiple (121) files with added filename extension

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Blocklisted process makes network request

Checks computer location settings

Deletes itself

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32