Extracted

• • Target

    4c0fec496abf0c29ef8358d913781b9d0c00e3e53487b72cfbf42753f0aa5176

  • Size

    700KB

  • MD5

    4f6dd08aeb0beca7061a2121e2f89f32

  • SHA1

    370de5096d1b9e9ccc2e18e6145dc8170e454d2e

  • SHA256

    4c0fec496abf0c29ef8358d913781b9d0c00e3e53487b72cfbf42753f0aa5176

  • SHA512

    47a73721cdab4f15ef65172bd110f82cc9e887e2d1f333e09b11ddf1213215bcc6f8c04144a8bc7ead53f66572812f5017157dc783df275680ce45a793949c1f

  • SSDEEP

    6144:Er+LuDj/chQaT1ptXl7ml2JcT0RQTPA7b/OQi5J:6+iDjkhQ8NRJcToQTui

  Score

  10^/10

  defense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Renames multiple (167) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Disables Task Manager via registry modification

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Sets desktop wallpaper using registry

    ransomware
  behavioral1behavioral2