General
-
Target
Document.zip
-
Size
102KB
-
Sample
240426-h4qhcsbe67
-
MD5
c929bb1946ed66780816df986e5a6d11
-
SHA1
ef8438219728dc2a759bd58ae168488e85f4599c
-
SHA256
874d3f892c299a623746d6b0669298375af4bd0ea02f52ac424c579e57ab48fd
-
SHA512
09133826bc477b49e3c7e45770059463e541fd6092a03506fdc08ad137dc0c5e43a9f59fced44ed343f75bd5dc27179e4044686ce0122138cb0431e2a1e98b44
-
SSDEEP
3072:IJ1mfyam5pu+iKHGi1r2VJiJ02oH2LvUZA3pGZ:IJiBU5imGikniJ0yLvUq3pM
Malware Config
Targets
-
-
Target
Document.doc.scr
-
Size
194KB
-
MD5
407ea767aa26ae13f9ff20d0999c8dda
-
SHA1
07e615132ef78e827047ffc4cc6c9d44f5a976fd
-
SHA256
f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4
-
SHA512
6c14d07b497af375f2f4db4da321ed7e5fb60a6f26281bcdbfc513eb1033d98442ff83ee58849a721bd7e14a0b7094b98397923c35bd4b6ae91c179784de6b02
-
SSDEEP
3072:L6glyuxE4GsUPnliByocWepVeKna4iJ0Cv+LmaGqsqRxB:L6gDBGpvEByocWePk4iJ0C2LYcx
Score9/10-
Renames multiple (331) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-