Ransomware[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Ransomware.zip
Size

663KB
MD5

3d5e0c24ed0fc76a0bd3700dfe654966
SHA1

4cd13e895eb81eed4dfa03dd066cffbe406ca0c1
SHA256

062ce5323a2fae6d648446d2254f7df06482d59dc83e97f37adf7cdf185817d0
SHA512

5905377c483f6ddb6989dd060be8636c3da11d65265627b754969fd0498b678ef19399ea0ce157c290dfc3003bbfce9cc82cb70642c3b6e40079788e85ba598b
SSDEEP

12288:idNJMNuEZUJVSiiaG8tzNIMnsJn0n2EXwDDvCm4SHT73f1:oDMNuEZUJn7PsJn0n2EXwDD/4w73N

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/e04cdba2c9443b7a859fb328cf19fecd73b6a91d0964b405d56a42ee0721c671.exe

Files

Ransomware.zip
.zip

Password: infected
e04cdba2c9443b7a859fb328cf19fecd73b6a91d0964b405d56a42ee0721c671.exe
.exe windows:5 windows x86 arch:x86

dc23b4fa73a8645d2cdcb79c320ed34d

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_BYTES_REVERSED_HI

Imports

kernel32

GetModuleHandleA
GetProcAddress

winspool.drv

ClosePrinter

comctl32

ImageList_Add

shell32

ShellExecuteW

ole32

IsEqualGUID

version

VerQueryValueW

user32

GetDC

oleaut32

VariantInit

netapi32

NetWkstaGetInfo

advapi32

RegLoadKeyW

gdi32

Pie

Exports

Exports

TMethodImplementationIntercept
__dbk_fcall_wrapper
dbkFCallWrapperAddr

Sections

.MPRESS1
Size: 658KB - Virtual size: 2.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.MPRESS2
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE