General
- Target: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.7z
- Size: 60KB
- Sample: 240214-d43qgahb52
- MD5: a017abcec26bd57cd0b1d60f44005ce2
- SHA1: b1bc2dd9f7c62dfa3a7034b86ddcf839688c7a70
- SHA256: ea0094eec469916f81aa039d87700c88c89f7e10b9c90243127de1c7ad2cfbc0
- SHA512: 047c0d46b8b4227f8c8f45abef8533d260af9b12a354104d069ec9b66d6d8e252f3b5405b53acd77992699ac35daf367e4903f4e09cbd6c2698c908d68fb5dc5
- SSDEEP: 768:U7J/6M8KCMCfcqlKCp81YQTg4Qjgzw/ftHkAzTWcTwmNSubpdON3EjFtdqkbsGyr:eJ/+xL8VYQTgNjZ/lHFzXTwy0J4/yr
Static task: static1

Behavioral task: behavioral1
- Sample: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
- Resource: win7-20231129-en

Behavioral task: behavioral2
- Sample: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
- Resource: win10v2004-20231215-en
Malware Config

Extracted
- Path: C:\Program Files\DVD Maker\es-ES\Restore-My-Files.txt
- Family: lockbit
- URL: http://lockbitks2tvnmwk.onion/?A0C155001DD0CB01C63E322AFF4FD716

Extracted
- Path: C:\Program Files\dotnet\Restore-My-Files.txt
- Family: lockbit
- URL: http://lockbitks2tvnmwk.onion/?A0C155001DD0CB01DDD3FE891C7FEB23
Targets
- Target: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76
- Size: 150KB
- MD5: 5761ee98b1c2fea31b5408516a8929ea
- SHA1: 4d043df23e55088bfc04c14dfb9ddb329a703cc1
- SHA256: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76
- SHA512: 9dbf296719bc130bc700db94fd43985c32cb9de3b1867ed7c8666b62e4b9d0826b6df03cb125644c9338118d9caf679bfa1eb55da39f46b94db023bdcd9ff338
- SSDEEP: 3072:pm3/OyVPX/1jTCAR4fsp0Vb2xosM89QJ49cqO2DDHMqqD/Tx0Hv/:pq/1VP1OyysNmJyXsqqD/ls/
Score: 10/10

Signatures
- Modifies boot configuration data using bcdedit
- Renames multiple (9332) files with an added filename extension
  This suggests ransomware activity: encrypting all the files on the system.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofencing check.
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger