General
Target: 2f9967e58f4c436c102a7de4c8e5b5aef61db1ddc0c5df601dc70b25b7416b46.zip
Size: 838KB
Sample: 240121-w24tvsfhbq
MD5: 488a551dd01cc6bc36008ce424dd6dbc
SHA1: 1b6cf03e2a3eb481dec4b493b59a1e4a7562c092
SHA256: 7423ad9016d0b5b23321061351662642f991b98ca1b252f77bb8be25ab154543
SHA512: 6efca81a2edc839bd6fdadb64b7059f8f16abbdefc7eac21255ff98a63b03c88731a3d0fa55e7ef2858e93ddfcaf71b74b30df31b3cf40ed17d0f7d736d2b792
SSDEEP: 12288:m7kCxvNrsM5pRud/HVw8KuXycJdIWIAVxxz3zjKO0uC5/ocjd2n2ckSxWcYBzCcK:mrVs2R+fVwpmnvO1uYlon2bCcE
Static task: static1
Behavioral task: behavioral1
  Sample: 2f9967e58f4c436c102a7de4c8e5b5aef61db1ddc0c5df601dc70b25b7416b46.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2f9967e58f4c436c102a7de4c8e5b5aef61db1ddc0c5df601dc70b25b7416b46.exe
  Resource: win10v2004-20231215-en
Malware Config
Targets
Target: 2f9967e58f4c436c102a7de4c8e5b5aef61db1ddc0c5df601dc70b25b7416b46
Size: 956KB
MD5: 57f8fbce24a06fa399c8690a6703a850
SHA1: 248bf857d4739f60fbb0f4e9dbd855f3cbf2d09f
SHA256: 2f9967e58f4c436c102a7de4c8e5b5aef61db1ddc0c5df601dc70b25b7416b46
SHA512: 048228574eb2d74a1f499281d44dd3631e395840db58c37a154fefdae00a759c01502d99fd23619c26d17bcff39e95dc8a21f3133707e49dcaab53057a048c33
SSDEEP: 24576:+9EZn4OkTe8Rfzvbi+1WmYL/hfqDTJI1enwRn+9:eEZbk68RffEhmJII
Score: 9/10
- Modifies boot configuration data using bcdedit
- Renames multiple (173) files with added filename extension
  This suggests ransomware activity: encrypting all the files on the system.
- Disables Task Manager via registry modification
- .NET Reactor protector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry