Resubmissions

20-06-2024 09:01

240620-ky7wkayglc 10

20-06-2024 08:49

240620-kq693aydpc 10

General

  • Target

    dora.exe

  • Size

    49KB

  • Sample

    240620-kq693aydpc

  • MD5

    17356ef8f161730156c221300ea3cf5b

  • SHA1

    25a05bd0a9a4167b7fd08feb44de269910701c82

  • SHA256

    18ba97ec9c00b85d27d9d20c62ef7bd9484ad68a33e2a2121a1bcbed19f2eacd

  • SHA512

    df964b7aac2dbbaf7a04e935dbb566e1207b0d11971f28bba9c0c136adeff475bec31c92e54be7d4da786f70d9cb339ff37e6a8f9196ceb16ab185cc956912cf

  • SSDEEP

    768:daQRff0B31aCytHLykiKPT3JATD2qBwV2ckjbnsb0Ah99De0YADQT4J74:daD318HxZATvnsblYOJ

Malware Config

Extracted

Path

C:\Program Files\Common Files\microsoft shared\ClickToRun\+README-WARNING+.txt

Ransom Note

!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!
Your files are encrypted and an important part of your data is stolen!!! If you try to decrypt the files yourself, they may be corrupted and this may lead to the loss of your files!
!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!
You need to contact us at this email address: [email protected] If we do not receive a response from you, your data will end up on the Internet.
!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!
Send me ID, which is indicated in the name of your files, and you will receive instructions on how to decrypt all files. Do not ignore this message, contact us as soon as possible to quickly get your files back.
!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!

Targets

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (3371) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Blocklisted process makes network request

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15