General

Target: 0b856337d9d3255fc3b07635fdadecbe83e23eb5c205eccab83c21c2fb76edc9
Size: 150KB
Sample: 240314-ensq1acc76
MD5: ebe673b2ee28dd65565f2f389279ac47
SHA1: bcebe09c61d3e6c47aefcb6bca0882752e0053a9
SHA256: 0b856337d9d3255fc3b07635fdadecbe83e23eb5c205eccab83c21c2fb76edc9
SHA512: c100672fd9055e0d07996347dcc59b5f689dfb607222d4213d4aea741e85d8db8837a9c46f3343fba82095d0734a21315df1c55f404294da13074a5567e5ad56
SSDEEP: 3072:pm3/OyVPX/1jTCAR4fsp0Vb2xosM89QJ49cqO2DDHMqqD/Tx0Hv/R:pq/1VP1OyysNmJyXsqqD/ls/R
Tasks

Static task: static1

Behavioral task: behavioral1
Sample: 0b856337d9d3255fc3b07635fdadecbe83e23eb5c205eccab83c21c2fb76edc9.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 0b856337d9d3255fc3b07635fdadecbe83e23eb5c205eccab83c21c2fb76edc9.exe
Resource: win10v2004-20240226-en
Malware Config

Extracted from: C:\Program Files\DVD Maker\fr-FR\Restore-My-Files.txt
Family: lockbit
URL: http://lockbitks2tvnmwk.onion/?A51C1D5E9695AD10A4CB5FAE6D05AF80

Extracted from: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\Restore-My-Files.txt
Family: lockbit
URL: http://lockbitks2tvnmwk.onion/?A51C1D5E9695AD10C389C299F16606FB

Both ransom notes point at the same .onion host; only the query string after "?" differs between them. When hunting for this family, pivot on the host and the note filename rather than on a single query-string value.
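A small IOC extractor for the ransom notes listed above, added here as an example and not part of the sandbox report. The report gives only the note paths and the URLs it extracted; the note bodies below are constructed for the example, with those two URLs embedded in invented surrounding text. The regex for .onion hosts and the assumption that the victim ID sits in the URL query string are mine.

```python
"""Added example (not part of the sandbox report): pull the LockBit .onion
URL and the per-note ID out of Restore-My-Files.txt ransom notes."""
import re
from urllib.parse import urlsplit

# Constructed sample notes: the paths and URLs come from the report, the
# surrounding note text is invented for this example.
CONSTRUCTED_NOTES = {
    r"C:\Program Files\DVD Maker\fr-FR\Restore-My-Files.txt":
        "All your important files are encrypted!\n"
        "Visit http://lockbitks2tvnmwk.onion/?A51C1D5E9695AD10A4CB5FAE6D05AF80 "
        "to restore them.\n",
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\Restore-My-Files.txt":
        "All your important files are encrypted!\n"
        "Visit http://lockbitks2tvnmwk.onion/?A51C1D5E9695AD10C389C299F16606FB "
        "to restore them.\n",
}

# v2 onion names are 16 base32 chars, v3 names are 56; match both and keep
# everything up to the next whitespace or quote as the path/query.
ONION_URL = re.compile(r"https?://[a-z2-7]{16,56}\.onion[^\s<>\"']*", re.I)


def extract_iocs(note_text):
    """Return (host, victim_id) for every .onion URL found in one note.

    The ID is assumed to be the raw query string (no key=value pairs);
    victim_id is None when the URL carries no query.
    """
    found = []
    for url in ONION_URL.findall(note_text):
        parts = urlsplit(url)
        found.append((parts.hostname, parts.query or None))
    return found


def triage_notes(notes):
    """Map each note path to its IOCs and collect distinct hosts and IDs."""
    per_note = {path: extract_iocs(text) for path, text in notes.items()}
    hosts = {host for iocs in per_note.values() for host, _ in iocs}
    ids = {vid for iocs in per_note.values() for _, vid in iocs if vid}
    return {"per_note": per_note, "hosts": sorted(hosts), "ids": sorted(ids)}


if __name__ == "__main__":
    result = triage_notes(CONSTRUCTED_NOTES)
    for path, iocs in result["per_note"].items():
        print(path)
        for host, vid in iocs:
            print(f"  host={host} id={vid}")
    print("distinct hosts:", result["hosts"])
    print("distinct ids  :", result["ids"])
```

On a real host the dictionary would be built by walking the filesystem for files named Restore-My-Files.txt; the extractor is deliberately separate from the walker so it can also be pointed at notes recovered from disk images or sandbox dumps.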
Targets

Target: 0b856337d9d3255fc3b07635fdadecbe83e23eb5c205eccab83c21c2fb76edc9
Size: 150KB
MD5: ebe673b2ee28dd65565f2f389279ac47
SHA1: bcebe09c61d3e6c47aefcb6bca0882752e0053a9
SHA256: 0b856337d9d3255fc3b07635fdadecbe83e23eb5c205eccab83c21c2fb76edc9
SHA512: c100672fd9055e0d07996347dcc59b5f689dfb607222d4213d4aea741e85d8db8837a9c46f3343fba82095d0734a21315df1c55f404294da13074a5567e5ad56
SSDEEP: 3072:pm3/OyVPX/1jTCAR4fsp0Vb2xosM89QJ49cqO2DDHMqqD/Tx0Hv/R:pq/1VP1OyysNmJyXsqqD/ls/R
Score: 10/10

Signatures
- Modifies boot configuration data using bcdedit
- Renames multiple (8676) files with added filename extension. This indicates ransomware activity: the sample encrypts files across the system and appends an extension to each encrypted file.
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence check.
- Adds Run key to start application (persistence across logon).
- Enumerates connected drives. Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger. An anti-debugging technique: the calling thread is hidden from any attached debugger.
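The signatures above describe behaviours that a sandbox derives from process, registry, file and API events. The following pass over a constructed event stream is an added example and is not the sandbox's own rule set: the event shapes, the rename burst threshold, the paths, the Run value name and the appended ".lockbit" extension are all assumptions made for the example (the report only gives the rename count). The THREADINFOCLASS value 0x11 for ThreadHideFromDebugger is a documented constant.

```python
"""Added example, not part of the sandbox report: a small signature pass that
re-derives the report's behavioural findings from a (kind, data) event stream.
Event shapes, thresholds, paths and the appended extension are assumptions."""
import re
from collections import Counter

RENAME_THRESHOLD = 100            # assumed burst size; the report's run renamed 8676 files
THREAD_HIDE_FROM_DEBUGGER = 0x11  # THREADINFOCLASS ThreadHideFromDebugger


def added_extension(src, dst):
    """Return the suffix when dst is src with something appended, else None.

    doc.docx -> doc.docx.lockbit is the encryption pattern; a.txt -> b.txt is not.
    """
    if dst.startswith(src) and len(dst) > len(src):
        return dst[len(src):]
    return None


def analyse(events):
    """Run the rules over events and return fired (signature, detail) pairs."""
    fired, ext_counts, drives = [], Counter(), set()
    for kind, data in events:
        if kind == "rename":
            ext = added_extension(*data)
            if ext:
                ext_counts[ext] += 1
        elif kind == "process":
            if "bcdedit" in data.lower() and "/set" in data.lower():
                fired.append(("Modifies boot configuration data using bcdedit", data))
        elif kind == "api":
            func, args = data
            if func == "NtSetInformationThread" and \
                    args.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER:
                fired.append(("Suspicious use of NtSetInformationThreadHideFromDebugger", func))
        elif kind == "reg_read":
            key, name = data
            if r"control panel\international\geo" in key.lower():
                fired.append(("Checks computer location settings", key + "\\" + name))
        elif kind == "reg_write":
            key, name, value = data
            if key.lower().endswith(r"\currentversion\run"):
                fired.append(("Adds Run key to start application", f"{name} = {value}"))
            elif key.lower().endswith(r"control panel\desktop") and name.lower() == "wallpaper":
                fired.append(("Sets desktop wallpaper using registry", value))
        elif kind == "dir_list":
            # Listing the root of any drive other than C: counts as enumeration.
            if re.fullmatch(r"[A-Za-z]:\\", data) and not data.upper().startswith("C:"):
                drives.add(data)
    if drives:
        fired.append(("Enumerates connected drives", ", ".join(sorted(drives))))
    total = sum(ext_counts.values())
    if total >= RENAME_THRESHOLD:
        ext, n = ext_counts.most_common(1)[0]
        fired.append((f"Renames multiple ({total}) files with added filename extension",
                      f"{ext} appended to {n} of {total}"))
    return fired


def constructed_events(n_files=8676, ext=".lockbit"):
    """Constructed event stream modelled on the report's signatures.

    Paths, the bcdedit arguments, the Run value name and the extension are
    invented for this example; only the rename count comes from the report.
    """
    events = [
        ("process", r'"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no'),
        ("api", ("NtSetInformationThread", {"ThreadInformationClass": 0x11})),
        ("reg_read", (r"HKCU\Control Panel\International\Geo", "Nation")),
        ("reg_write", (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                       "updater", r"C:\Users\Public\sample.exe")),
        ("reg_write", (r"HKCU\Control Panel\Desktop", "WallPaper", r"C:\ProgramData\wall.bmp")),
        ("dir_list", "C:\\"), ("dir_list", "D:\\"), ("dir_list", "E:\\"),
        ("rename", (r"C:\tmp\a.txt", r"C:\tmp\b.txt")),  # ordinary rename, not counted
    ]
    events += [("rename", (rf"C:\Users\victim\Documents\doc{i}.docx",
                           rf"C:\Users\victim\Documents\doc{i}.docx{ext}"))
               for i in range(n_files)]
    return events


if __name__ == "__main__":
    for name, detail in analyse(constructed_events()):
        print(f"{name}: {detail}")
```

The rename rule keys on "destination equals source plus a suffix" rather than on a known extension, so it still fires on a build that uses a different or randomised extension; the dominant-extension count is reported only as supporting detail.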