General
-
Target
IN.exe
-
Size
419KB
-
Sample
240104-sccsasdad2
-
MD5
18ea7cd52e5227ad429944bd35b22261
-
SHA1
7dc130cf074b365d2a2e7675bb8dfc8b88abdfcb
-
SHA256
32683d698c35b724a25e4742fa41fb8df3cf7e7750e84bf8e13d7fa1ac55ea14
-
SHA512
7b9c3bae053f3ac17b810a5a40460b5d7d4dbfa1b7380505569d1c4a16117777adf97ac93ecd85bf366c63c415f3aa7e3b80d82a8b5ec5cb065ec8f5831a7fee
-
SSDEEP
6144:4CmPvkrISw8ZMQsFMFEXmtT+n4CQi2oD9HoZwIYaTR/dXszI2lUC4:L3W6MoFlV+n4CQRoD9IygT/L
Malware Config
Targets
-
-
Target
IN.exe
-
Size
419KB
-
MD5
18ea7cd52e5227ad429944bd35b22261
-
SHA1
7dc130cf074b365d2a2e7675bb8dfc8b88abdfcb
-
SHA256
32683d698c35b724a25e4742fa41fb8df3cf7e7750e84bf8e13d7fa1ac55ea14
-
SHA512
7b9c3bae053f3ac17b810a5a40460b5d7d4dbfa1b7380505569d1c4a16117777adf97ac93ecd85bf366c63c415f3aa7e3b80d82a8b5ec5cb065ec8f5831a7fee
-
SSDEEP
6144:4CmPvkrISw8ZMQsFMFEXmtT+n4CQi2oD9HoZwIYaTR/dXszI2lUC4:L3W6MoFlV+n4CQRoD9IygT/L
Score10/10-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (234) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes System State backups
Uses wbadmin.exe to inhibit system recovery.
-
Modifies Installed Components in the registry
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-