General
Target: ab337d28b494a966f107fc428d71f78b
Size: 1.8MB
Sample: 240228-g1jpzadb31
MD5: ab337d28b494a966f107fc428d71f78b
SHA1: 5c77dc1f673fbfb9d45de2a63aa16616f80b7a12
SHA256: 647f46899b472f8a3ce181bd07ab2219a56e965bf4e24a0b489edb2bc5c8aa8d
SHA512: 98ea77a94465780030eb05189ff9061790e438732b2b1245559c5ea0ad1c91f5c1458cf14d50f05c6ef4e97f3e1ab0a6c73109980644cd7ea9ae9a1555eec71a
SSDEEP: 6144:Hrn8am/jie/+9h4/cdIG4Uues+f5PfZlfTBoIbY5RUvNjC4LBtJrJyCjSJlIyfh+:Hr
Static task: static1
Behavioral task: behavioral1
  Sample: ab337d28b494a966f107fc428d71f78b.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: ab337d28b494a966f107fc428d71f78b.exe
  Resource: win10v2004-20240226-en
Malware Config
Extracted from: C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\how_to_decrypt.hta
Email address embedded in the HTA: fairexchange@qq.com
Targets
- Target: ab337d28b494a966f107fc428d71f78b
  Size: 1.8MB
  MD5: ab337d28b494a966f107fc428d71f78b
  SHA1: 5c77dc1f673fbfb9d45de2a63aa16616f80b7a12
  SHA256: 647f46899b472f8a3ce181bd07ab2219a56e965bf4e24a0b489edb2bc5c8aa8d
  SHA512: 98ea77a94465780030eb05189ff9061790e438732b2b1245559c5ea0ad1c91f5c1458cf14d50f05c6ef4e97f3e1ab0a6c73109980644cd7ea9ae9a1555eec71a
  SSDEEP: 6144:Hrn8am/jie/+9h4/cdIG4Uues+f5PfZlfTBoIbY5RUvNjC4LBtJrJyCjSJlIyfh+:Hr
Score: 10/10
Signatures:
- Renames multiple (619) files with added filename extension. This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application.
- Drops desktop.ini file(s).
- Enumerates connected drives. Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger.
- Suspicious use of SetThreadContext.