General

  • Target

    c682ee4f31bf55339dc6e34c5f6242015888729465c0335e3eb60af05847633a

  • Size

    144KB

  • Sample

    240810-q22fvasakr

  • MD5

    0d1ef0e9b611dcc79ad1d134990811d3

  • SHA1

    95cd22a171745294e6e13843c274a427cc6acdda

  • SHA256

    c682ee4f31bf55339dc6e34c5f6242015888729465c0335e3eb60af05847633a

  • SHA512

    90a9bf17aa09d01607b090566050459ccafc7dff7a1cc0515e5f1fa1ef82f795d918198704388a1b29eec1b959d1164df090e3243136807fa975097e32e05bb0

  • SSDEEP

    3072:eOFqYZEtiRjB+OpBmUHkRCBMmn3T/znyS4:eO8xwjBx8UHkt2DJ4

Malware Config

Targets

    • Target

      c682ee4f31bf55339dc6e34c5f6242015888729465c0335e3eb60af05847633a

    • Size

      144KB

    • MD5

      0d1ef0e9b611dcc79ad1d134990811d3

    • SHA1

      95cd22a171745294e6e13843c274a427cc6acdda

    • SHA256

      c682ee4f31bf55339dc6e34c5f6242015888729465c0335e3eb60af05847633a

    • SHA512

      90a9bf17aa09d01607b090566050459ccafc7dff7a1cc0515e5f1fa1ef82f795d918198704388a1b29eec1b959d1164df090e3243136807fa975097e32e05bb0

    • SSDEEP

      3072:eOFqYZEtiRjB+OpBmUHkRCBMmn3T/znyS4:eO8xwjBx8UHkt2DJ4

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Renames multiple (8013) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks