ransom[.]zip | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

ransom.zip
Size

17KB
MD5

69f563a2916f41d64b3340443132e1d7
SHA1

ec23f638761f749611d83d27adaa17b25217b282
SHA256

0c35ab1832945198c2e913891461a84f4872b5be60a64fd91084eead9e4e23e6
SHA512

0955f35b596e60e07bfef65abb55449ece63a1d27b96ce713e4437e35e96521323caa7501f3ce068b32d83276d905cb2e316da5e56f1988b2175ab1ba1acaa8d
SSDEEP

384:JdIWUBBZUAv0AgJwl+EILb/3UgxgCLZXkMevPdBRLSWEs:JSvD6dEkb86gCXKPjR+WT

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/host.exe
unpack001/update.exe

Files

ransom.zip
.zip

Password: infected
host.exe
.exe windows:6 windows x86 arch:x86

Password: infected

9577ed9a21e32789d25bcadd09703b13

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

CryptReleaseContext
CryptSetKeyParam
CheckTokenMembership
FreeSid
CryptDestroyHash
CryptHashData
CryptDeriveKey
CryptCreateHash
AllocateAndInitializeSid
CryptGenRandom
CryptEncrypt
CryptAcquireContextA
CryptDestroyKey

shell32

ShellExecuteExA
SHGetKnownFolderPath
ShellExecuteA

ole32

CoTaskMemFree

wininet

InternetConnectA
HttpSendRequestA
InternetCloseHandle
InternetOpenA
HttpOpenRequestA

kernel32

IsDebuggerPresent
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetModuleFileNameA
CloseThreadpool
CreateThreadpool
FindFirstFileA
GetDriveTypeA
FindNextFileA
FindClose
CloseThreadpoolCleanupGroup
CloseThreadpoolCleanupGroupMembers
Sleep
GetLastError
CreateThreadpoolCleanupGroup
SubmitThreadpoolWork
CreateThreadpoolWork
GetModuleHandleW

vcruntime140

_except_handler4_common
__current_exception
strstr
__current_exception_context
strrchr
memset

api-ms-win-crt-runtime-l1-1-0

exit
terminate
_controlfp_s
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_seh_filter_exe
_set_app_type
_c_exit
_configure_narrow_argv
_get_initial_narrow_environment
_initterm
_initterm_e
_exit
_register_thread_local_exe_atexit_callback
__p___argc
__p___argv
_cexit
_initialize_narrow_environment

api-ms-win-crt-utility-l1-1-0

rand
srand

api-ms-win-crt-stdio-l1-1-0

fopen
fwrite
__p__commode
__acrt_iob_func
fclose
fread
feof
_set_fmode
__stdio_common_vsprintf
__stdio_common_vfprintf

api-ms-win-crt-filesystem-l1-1-0

_stat64i32
remove

api-ms-win-crt-string-l1-1-0

_stricmp
_strdup

api-ms-win-crt-convert-l1-1-0

wcstombs

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-heap-l1-1-0

malloc
_set_new_mode
free

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 784B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
update.exe
.exe windows:6 windows x86 arch:x86

Password: infected

9577ed9a21e32789d25bcadd09703b13

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

CryptReleaseContext
CryptSetKeyParam
CheckTokenMembership
FreeSid
CryptDestroyHash
CryptHashData
CryptDeriveKey
CryptCreateHash
AllocateAndInitializeSid
CryptGenRandom
CryptEncrypt
CryptAcquireContextA
CryptDestroyKey

shell32

ShellExecuteExA
SHGetKnownFolderPath
ShellExecuteA

ole32

CoTaskMemFree

wininet

InternetConnectA
HttpSendRequestA
InternetCloseHandle
InternetOpenA
HttpOpenRequestA

kernel32

IsDebuggerPresent
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetModuleFileNameA
CloseThreadpool
CreateThreadpool
FindFirstFileA
GetDriveTypeA
FindNextFileA
FindClose
CloseThreadpoolCleanupGroup
CloseThreadpoolCleanupGroupMembers
Sleep
GetLastError
CreateThreadpoolCleanupGroup
SubmitThreadpoolWork
CreateThreadpoolWork
GetModuleHandleW

vcruntime140

_except_handler4_common
__current_exception
strstr
__current_exception_context
strrchr
memset

api-ms-win-crt-runtime-l1-1-0

exit
terminate
_controlfp_s
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_seh_filter_exe
_set_app_type
_c_exit
_configure_narrow_argv
_get_initial_narrow_environment
_initterm
_initterm_e
_exit
_register_thread_local_exe_atexit_callback
__p___argc
__p___argv
_cexit
_initialize_narrow_environment

api-ms-win-crt-utility-l1-1-0

rand
srand

api-ms-win-crt-stdio-l1-1-0

fopen
fwrite
__p__commode
__acrt_iob_func
fclose
fread
feof
_set_fmode
__stdio_common_vsprintf
__stdio_common_vfprintf

api-ms-win-crt-filesystem-l1-1-0

_stat64i32
remove

api-ms-win-crt-string-l1-1-0

_stricmp
_strdup

api-ms-win-crt-convert-l1-1-0

wcstombs

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-heap-l1-1-0

malloc
_set_new_mode
free

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 784B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

9577ed9a21e32789d25bcadd09703b13

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

shell32

ole32

wininet

kernel32

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 8KB - Virtual size: 8KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 1KB

.reloc Size: 1024B - Virtual size: 784B

Password: infected

9577ed9a21e32789d25bcadd09703b13

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

shell32

ole32

wininet

kernel32

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 8KB - Virtual size: 8KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 1KB

.reloc Size: 1024B - Virtual size: 784B

.text
Size: 8KB - Virtual size: 8KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 1KB

.reloc
Size: 1024B - Virtual size: 784B

.text
Size: 8KB - Virtual size: 8KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 1KB

.reloc
Size: 1024B - Virtual size: 784B