General

Target: e21cbdbf6414ffc0ef4175295c7e188800a66b7b83302bd35b7e3fd6fabfccde
Size: 709KB
Sample: 241115-q67hnatqfw
MD5: 0d7e80ec85db5cb45642235cb2381a0c
SHA1: f0a15a7ecaff7d0659bab2a416e5d668ff67724e
SHA256: e21cbdbf6414ffc0ef4175295c7e188800a66b7b83302bd35b7e3fd6fabfccde
SHA512: bb54a37b50b26b33724462faaf5d8d6328721a980bb51a95cfffce048d1ccca4050ee0a3740f47604de6504de70026c5f1567efe8be3913cea2ef9f1012a8921
SSDEEP: 12288:klXYLQe1BJTAhHvVIgLfnEYbLrOqP0NbuLyoHNAoBmbgLO:klip10hREYbLrBWbuLod
Static task: static1
Behavioral task: behavioral1
Sample: e21cbdbf6414ffc0ef4175295c7e188800a66b7b83302bd35b7e3fd6fabfccde.exe
Resource: win10ltsc2021-20241023-en
Malware Config

Extracted from: C:\Program Files\dotnet\host\fxr\8.0.2\RECOVERY INFO.txt
URL in the note: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/4A5269AFE952FCF19F51570A3D86E233AD91951CEAB9F22F0D9EFC976FDF03ED

The extracted configuration is the ransom note (RECOVERY INFO.txt). It was recovered from a .NET host directory under Program Files rather than from a user profile folder, so the note is written into the directories the encryptor walks, not only into document folders. The contact address is a Tor hidden service (.onion). For indicator purposes the .onion host is the part likely to be shared across samples, while the long hexadecimal path segment is likely a per-victim identifier.
Targets

Target: e21cbdbf6414ffc0ef4175295c7e188800a66b7b83302bd35b7e3fd6fabfccde
Score: 10/10

Renames multiple (7643) files with added filename extension
Mass renaming of files with a new extension appended is the file-system footprint of ransomware encrypting the contents of the system; 7643 such renames were observed in a single sandbox run. The report does not record which extension is appended.

Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive. This is consistent with an encryptor that walks every mounted volume rather than only the system drive, so attached and mapped drives are at risk as well.

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP. Benign software does this too, so on its own it is a weak indicator; it contributes to the score here only in the context of the encryption behaviour above.
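The three behavioural signatures above are the kind of heuristics a sandbox or an EDR rule applies to a stream of file, directory and network events. As an added example that is not part of this report and is not the sandbox's own detection logic, the following Python script runs equivalent checks over a constructed event log: mass renames that append a suffix, the same file dropped into several directories (the ransom-note pattern), reads of drive roots other than C:, and HTTP requests to public IP-lookup services. The process name `sample.exe`, the `.locked` suffix, the paths and the host list are assumptions made for illustration; only the note name RECOVERY INFO.txt comes from the report.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sandbox-style event log for the demo (not taken from the report).
# Each entry is (event_type, process, detail). The process name, the ".locked"
# suffix, the paths and the lookup host are assumptions made for illustration.
SAMPLE_EVENTS = [
    ("file_rename", "sample.exe", r"C:\Users\u\Documents\q1.xlsx -> C:\Users\u\Documents\q1.xlsx.locked"),
    ("file_rename", "sample.exe", r"C:\Users\u\Documents\plan.docx -> C:\Users\u\Documents\plan.docx.locked"),
    ("file_rename", "sample.exe", r"C:\Users\u\Pictures\a.jpg -> C:\Users\u\Pictures\a.jpg.locked"),
    ("file_rename", "sample.exe", r"D:\share\db.bak -> D:\share\db.bak.locked"),
    # A normal rename by another process: the name is replaced, nothing is appended.
    ("file_rename", "explorer.exe", r"C:\Users\u\Desktop\new.txt -> C:\Users\u\Desktop\notes.txt"),
    # The note name appears in the report; the directories here are constructed.
    ("file_create", "sample.exe", r"C:\Users\u\Documents\RECOVERY INFO.txt"),
    ("file_create", "sample.exe", r"C:\Users\u\Pictures\RECOVERY INFO.txt"),
    ("file_create", "sample.exe", r"D:\share\RECOVERY INFO.txt"),
    ("dir_open", "sample.exe", "D:\\"),
    ("dir_open", "sample.exe", "E:\\"),
    ("http", "sample.exe", "http://api.ipify.org/"),
]

# Hosts commonly used to discover a machine's public IP (illustrative, not exhaustive).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com",
                   "checkip.amazonaws.com", "ifconfig.me"}

RENAME_RE = re.compile(r"^(?P<old>.+?) -> (?P<new>.+)$")
DRIVE_ROOT_RE = re.compile(r"[A-Za-z]:\\")


def added_suffix(old, new):
    """Return the suffix appended by a rename (e.g. '.locked') when the new
    path is exactly the old path plus '.something'; otherwise None."""
    if new.startswith(old) and len(new) > len(old) and new[len(old)] == ".":
        return new[len(old):]
    return None


def analyze(events, rename_threshold=3, note_dir_threshold=2):
    """Apply the four heuristics to an event list and return a list of findings."""
    suffix_counts = Counter()          # (process, suffix) -> number of renames
    created_in = defaultdict(set)      # (process, filename) -> directories written
    drive_roots = defaultdict(set)     # process -> non-C: drive roots it opened
    lookups = defaultdict(set)         # process -> IP-lookup hosts contacted

    for etype, proc, detail in events:
        if etype == "file_rename":
            m = RENAME_RE.match(detail)
            suffix = added_suffix(m["old"], m["new"]) if m else None
            if suffix:
                suffix_counts[(proc, suffix)] += 1
        elif etype == "file_create":
            directory, _, name = detail.rpartition("\\")
            created_in[(proc, name)].add(directory)
        elif etype == "dir_open":
            if DRIVE_ROOT_RE.fullmatch(detail) and detail.upper() != "C:\\":
                drive_roots[proc].add(detail.upper())
        elif etype == "http":
            host = (urlparse(detail).hostname or "").lower()
            if host in IP_LOOKUP_HOSTS:
                lookups[proc].add(host)

    findings = []
    for (proc, suffix), n in suffix_counts.items():
        if n >= rename_threshold:
            findings.append({"signature": "mass_rename_added_extension",
                             "process": proc, "suffix": suffix, "count": n})
    for (proc, name), dirs in created_in.items():
        # The same file written into many directories is how ransom notes are dropped;
        # on real telemetry, exclude well-known names such as desktop.ini or Thumbs.db.
        if len(dirs) >= note_dir_threshold:
            findings.append({"signature": "same_file_dropped_in_many_dirs",
                             "process": proc, "name": name, "count": len(dirs)})
    for proc, roots in drive_roots.items():
        findings.append({"signature": "enumerates_non_c_drives",
                         "process": proc, "drives": sorted(roots)})
    for proc, hosts in lookups.items():
        findings.append({"signature": "external_ip_lookup",
                         "process": proc, "hosts": sorted(hosts)})
    return findings


def looks_like_ransomware(findings):
    """Verdict rule: mass renaming with an appended suffix plus a note-like file
    dropped in several directories. Drive enumeration and the IP lookup are
    supporting evidence only, since legitimate software does both."""
    sigs = {f["signature"] for f in findings}
    return {"mass_rename_added_extension", "same_file_dropped_in_many_dirs"} <= sigs


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for finding in result:
        print(finding)
    print("ransomware:", looks_like_ransomware(result))
```

The verdict deliberately requires the two strong signals together: a suffix-appending rename storm and a repeated note file. The weak signals (drive-root reads and the public-IP lookup) are reported but do not decide the verdict, which mirrors how the report scores them only in the context of the encryption behaviour.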