General

Target: e94a083d8625a65b03889b5a0f41fe4c2126d044d8be3415e40a80f63c7d9600
Size: 79KB
Sample: 240417-rhkvescg3t
MD5: 1e3a794bd7c4ab5703b0b07b2b52c6d0
SHA1: e777ec7c627c97f4539b9ca8797bea77e33c9ca4
SHA256: e94a083d8625a65b03889b5a0f41fe4c2126d044d8be3415e40a80f63c7d9600
SHA512: fcc48b6b4724f11dfb0c3b2e976f50addec5e6d46c4de8dfe14a7ef2541727d7998ad4b6f7ca9a1c969f64a5fba62d0fc4e07d1ce3f285a9994758a431baf41b
SSDEEP: 1536:Nkb3J8DaxRoomzq3bs0elJSSwwOokPZuaWvQwzfuJRAdA+7Az:NkzJVxKoVsl0Xwej7GWJRAdA+Ez
Static task: static1

Behavioral task: behavioral1
Sample: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
Resource: win10v2004-20240412-en
Malware Config

Extracted: C:\Program Files\DVD Maker\es-ES\Restore-My-Files.txt
Family: lockbit
URL: http://lockbitks2tvnmwk.onion/?A0C155001DD0CB019849170FE0737279

Extracted: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Restore-My-Files.txt
Family: lockbit
URL: http://lockbitks2tvnmwk.onion/?A0C155001DD0CB01CA300612A1153127
Targets

Target: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76.exe
Size: 150KB
MD5: 5761ee98b1c2fea31b5408516a8929ea
SHA1: 4d043df23e55088bfc04c14dfb9ddb329a703cc1
SHA256: 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76
SHA512: 9dbf296719bc130bc700db94fd43985c32cb9de3b1867ed7c8666b62e4b9d0826b6df03cb125644c9338118d9caf679bfa1eb55da39f46b94db023bdcd9ff338
SSDEEP: 3072:pm3/OyVPX/1jTCAR4fsp0Vb2xosM89QJ49cqO2DDHMqqD/Tx0Hv/:pq/1VP1OyysNmJyXsqqD/ls/
Score: 10/10
- Modifies boot configuration data using bcdedit
- Renames multiple (8415) files with added filename extension
  This suggests ransomware activity: encrypting all the files on the system.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger