General
- Target: 230307-fppamsgd2w
- Size: 148KB
- Sample: 240311-q2hczagc39
- MD5: a7637dfb6b9408fe020d9333d0ade6dc
- SHA1: 930c34743ab12c80512723db0aa7b8b4762fcc84
- SHA256: cea3e8a3e541ae4c928c3cd33f6772f1a69746393ac1a5c4575379a09a92d1e1
- SHA512: a522e3be00f3c32cd318cca7995e0f6f604a0590de3f4c2830920347328d405d178bdd2c2406e3b835cc5e5037e2d2348456b138878644231af94e51fc4b4e94
- SSDEEP: 3072:ym0ROZIL87L1yoklfzGp3XjRaDyZYMqqD/A+lHlC:ypMCL8rpHjRa0qqD/NjC
Static task: static1

Behavioral task: behavioral1
- Sample: 230307-fppamsgd2w.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 230307-fppamsgd2w.exe
- Resource: win10v2004-20240226-en
Malware Config

Extracted from: C:\Program Files\DVD Maker\Shared\Restore-My-Files.txt
- Family: lockbit
- http://lockbit-decryptor.com/?BD61F8CA9173670ACA753E91F3F78A6D
- http://lockbitks2tvnmwk.onion/?BD61F8CA9173670ACA753E91F3F78A6D

Extracted from: C:\Program Files\dotnet\Restore-My-Files.txt
- Family: lockbit
- http://lockbit-decryptor.com/?BD61F8CA9173670ACCBC4A9B281E07BB
- http://lockbitks2tvnmwk.onion/?BD61F8CA9173670ACCBC4A9B281E07BB
Targets
- Target: 230307-fppamsgd2w
- Size: 148KB
- MD5: a7637dfb6b9408fe020d9333d0ade6dc
- SHA1: 930c34743ab12c80512723db0aa7b8b4762fcc84
- SHA256: cea3e8a3e541ae4c928c3cd33f6772f1a69746393ac1a5c4575379a09a92d1e1
- SHA512: a522e3be00f3c32cd318cca7995e0f6f604a0590de3f4c2830920347328d405d178bdd2c2406e3b835cc5e5037e2d2348456b138878644231af94e51fc4b4e94
- SSDEEP: 3072:ym0ROZIL87L1yoklfzGp3XjRaDyZYMqqD/A+lHlC:ypMCL8rpHjRa0qqD/NjC
Score: 10/10

Signatures
- Modifies boot configuration data using bcdedit
- Renames multiple (9371) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger