Extracted

• • Target

    105912c9995a1d718c5442349d2cc4bb99426f75ff34554cdfd9a7272eeca398.exe

  • Size

    146KB

  • MD5

    a5f2eeb4c5cbb2c2ff3b103e304c4a37

  • SHA1

    604025da6efc564ae2b3b92c33eb3a2995ca81a4

  • SHA256

    105912c9995a1d718c5442349d2cc4bb99426f75ff34554cdfd9a7272eeca398

  • SHA512

    96e766e4f3aefacada98a5336320db9d26c5d7d5d150125183e5415786b57d46b3383880910cfbdcd0928960d4abcaeba19c0854b0fb4a863391f0b13617bf4e

  • SSDEEP

    1536:NzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDrZ5bKzpnSPyZxedH4UnFgDXv0R:eqJogYkcSNm9V7DmSPNHnFsvCT

  Score

  10^/10

  defense_evasiondiscoveryransomwarespywarestealer

  • Renames multiple (8950) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops desktop.ini file(s)

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2