General
- Target: 731797d30d8ff6eaf901e788bd4e6048
- Size: 108KB
- Sample: 240124-225daaagg8
- MD5: 731797d30d8ff6eaf901e788bd4e6048
- SHA1: 9d38ce8e4c3ca5fbdfdfbed3ec452151041189c0
- SHA256: 66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2
- SHA512: ecb89742be1e524d0abf25fcc4d0a5a4df5e3fa357b2179289efe1569da32dd7372226bba955837c84900ec389568db76d70787a141456a3885b71b1e6e8243b
- SSDEEP: 1536:wjKfwB0Z6geEfm5YHrXXx/R6lsV3zH9/9FUWIQHL2ukcxw14CmV:bfK0ZFfm5Y7BR6lc9FUFQHL2Fcx1t
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 731797d30d8ff6eaf901e788bd4e6048.exe
  - Resource: win7-20231129-en
Behavioral task
- behavioral2
  - Sample: 731797d30d8ff6eaf901e788bd4e6048.exe
  - Resource: win10v2004-20231215-en
Malware Config
- Extracted from C:\RESTORE_FILES_INFO.txt
  - http://ft4zr2jzlqoyob7yg4fcpwyt37hox3ajajqnfkdvbfrkjioyunmqnpad.onion
- Extracted from C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
  - http://ft4zr2jzlqoyob7yg4fcpwyt37hox3ajajqnfkdvbfrkjioyunmqnpad.onion
Targets
- Target: 731797d30d8ff6eaf901e788bd4e6048
Score: 10/10
- Renames multiple (126) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Disables Task Manager via registry modification
- Downloads MZ/PE file
- Drops startup file
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.