Extracted

• • Target

    1.exe

  • Size

    147KB

  • MD5

    c09185c157831e4915c255d7002941f4

  • SHA1

    beca597f2c2c120c3d74163501a81f56664ff4f7

  • SHA256

    6f3d87f3dcfd248e64d26cf338a19f41a6f93affdde5fab071a631ff38637757

  • SHA512

    a843854ca79f4d98938635612d20f3d5b79d8661ee91d1ae130b2deffe95e44d7028f76b8b221c87fab0638afe5baf3c55e8348f8aa10dddc90133167a3c17bf

  • SSDEEP

    3072:SqJogYkcSNm9V7DnfX/91c6G+Mqc+2EIEMF+T:Sq2kc4m9tDnfXPc6g+2XEMF

  Score

  10^/10

  defense_evasiondiscoveryransomwarespywarestealer

  • Renames multiple (350) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops desktop.ini file(s)

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2