General
Target: rr.exe
Size: 148KB
Sample: 250422-mx1f7stsfw
MD5: d6739725d5d99d801ae99edb0cd5b1c8
SHA1: 2006a7955c5b215e9af8d3d2ac1947312f472c15
SHA256: 8a56e5f619b2abde688af72a1e714b096fab5e93cf89693fbb68adb0fc5a6321
SHA512: b4fc1224749bf465a67d9fbe13769a5ae521c7dbb82171aaac6eaafbc27e3cc027a009cb952235c1b24f4737992a8c2bad5c31ef1671bf4da91aaeef0f31f212
SSDEEP: 1536:szICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDLTR6FM0AuwBg/rti2ZqD6gaUyz:DqJogYkcSNm9V7DLTQq0Xi+qzaT
Behavioral task: behavioral1
Sample: rr.exe
Resource: win10v2004-20250314-en

Behavioral task: behavioral2
Sample: rr.exe
Resource: win11-20250411-en
Malware Config
Extracted: C:\RSN6Lzcyg.README.txt
Targets
Target: rr.exe
Size: 148KB
- Renames multiple (13575) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
- Deletes itself
- Executes dropped EXE
- Drops desktop.ini file(s)
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v16
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)