Extracted

• • Target

    ransom.zip

  • Size

    831KB

  • MD5

    7cd61bf217379a23bf42b1f9d08affab

  • SHA1

    ac4cca1c691780cb6f33b476495b2fa30e00214b

  • SHA256

    2882cbed0fb11c95d01b487a85338f4ec25fd44fc3f0936d68af4832d1be9a54

  • SHA512

    e408d2f8bcad00448cacbc38bc747a83c4b23f484e789d129f110a51ffae417e644ae1b48350942630cbb12b3616480f73875afd55668b1b380af4606e40e44f

  • SSDEEP

    24576:RyS4x8Uhh9cBLMfwp0zhbWA/7rYQXYJpD7r1OGKoW4XH:Y5xTHhhhnZYPhPH

  Score

  3^/10

  discovery
  behavioral1behavioral2behavioral3behavioral4behavioral5behavioral6behavioral7behavioral8behavioral9

• • Target

    ransom/Build/DECRYPTION_ID.txt

  • Size

    16B

  • MD5

    abf6627efc21c211433afb3cead31d9e

  • SHA1

    a6612acd7ba9f678f0cd30a3a38de3756d61d173

  • SHA256

    9e20febb10124d938c514475adbe4872df835b95cd2a988b9c068eb43a8c65d7

  • SHA512

    ea5cfa28be631822bf2a52d62a4cf7b426e0317ef039462d657e5bba7ab75ebde15089e2fb7bd99568a109f8b365b6065d8929c413639a0e9b491b224850febb

  Score

  1^/10
  behavioral10behavioral11behavioral12behavioral13behavioral14behavioral15behavioral16behavioral17behavioral18

• • Target

    ransom/Build/LB3.exe

  • Size

    145KB

  • MD5

    b2cb742a43762106fc03fa1e26fd4f68

  • SHA1

    aef4e9199b06b835b6e677c0910d3ed6fdf96ef3

  • SHA256

    f4dcf20fcdd95d241eadcd88ce30998189d0682132456e9254321a8d6d281611

  • SHA512

    d0521e8a496e53a309acf7f9d388e684bfa068cc77d23ae6a7da75e6dea962b2a9e3dd5a27dc5e45c054aa025e3ff1a3c237a996aab2fbcfaa68483481ca4975

  • SSDEEP

    3072:5qJogYkcSNm9V7D58PleQQuloQwssCnT:5q2kc4m9tDcQvuiQfD

  Score

  9^/10

  defense_evasiondiscoveryransomwarespywarestealer

  • Renames multiple (356) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops desktop.ini file(s)

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral19behavioral20behavioral21behavioral22behavioral23behavioral24behavioral25behavioral26behavioral27

• • Target

    ransom/keygen.exe

  • Size

    31KB

  • MD5

    71c3b2f765b04d0b7ea0328f6ce0c4e2

  • SHA1

    bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4

  • SHA256

    ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37

  • SHA512

    1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035

  • SSDEEP

    768:A6+T41GjHbdWCWDwDD01riWpJxKpAQJs/3JGIDLQ5:b+U+hHIBpJxixgQ

  Score

  3^/10

  discovery
  behavioral28behavioral29behavioral30behavioral31behavioral32