Extracted

• • Target

    91qsdf.exe

  • Size

    147KB

  • MD5

    3c2c0b97e9295c60267c533010ad9253

  • SHA1

    270ddd75d7880a91c0a0cafaffed4f2757f54770

  • SHA256

    984d394fb9324130b52cc05e04db17fd6e1743652e3500e8fbc0b28cc06f125c

  • SHA512

    c6fed2954e05a33d5ef99610b937450043fc61fa0537f9da982e2c0dcac1ee26f734609ed207b12ad8dda31d191af2072c76b9f19ffbaa4a56b09b47a5955914

  • SSDEEP

    3072:GqJogYkcSNm9V7DQ4loXzHg0cSlm7FzT:Gq2kc4m9tDQ4aX00cWm7F

  Score

  10^/10

  defense_evasiondiscoveryransomwarespywarestealer

  • Renames multiple (361) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops desktop.ini file(s)

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2