Extracted

Extracted

• • Target

    2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e

  • Size

    147KB

  • MD5

    e3e89421797130de9f4edebdd1980522

  • SHA1

    f3fad656375518254c520e5dc7d94a495443db7e

  • SHA256

    2ffd41be5a72da75b3de503e17bed058eb84e1e83be9e0b264cb987b4581259e

  • SHA512

    94d3670b2e2af3c18d4f441340973045bb9b658f401cf20e27b7376fdb4c37e7e8d2d39fa2f417536987957a5af7f81c44f433fa3cd392c288d852b427af38ec

  • SSDEEP

    3072:h6glyuxE4GsUPnliByocWepKooaLxQ3Rmz:h6gDBGpvEByocWeD8Rm

  Score

  10^/10

  defense_evasiondiscoveryransomwarespywarestealer

  • Renames multiple (358) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops desktop.ini file(s)

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2