General
-
Target
d158534622b057b387a617ebe2931fef6d5c7d386b6dfbeb652c4781846f87c1
-
Size
1.2MB
-
Sample
210928-lc3kdsbeck
-
MD5
1d46afb839b846ede01cb925470f0488
-
SHA1
8cffc99cda16d5d6b5192c62fefae6c0ac89b33d
-
SHA256
d158534622b057b387a617ebe2931fef6d5c7d386b6dfbeb652c4781846f87c1
-
SHA512
888862ef478c79823a56af36f303e5a5686ce31bfdcb4e9b630e8bea791f10bf52f22b7fdb24be4b01b6087292467b45ebeb52d4f954b482f24094af14f64f10
Static task
static1
Behavioral task
behavioral1
Sample
d158534622b057b387a617ebe2931fef6d5c7d386b6dfbeb652c4781846f87c1.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
d158534622b057b387a617ebe2931fef6d5c7d386b6dfbeb652c4781846f87c1.exe
Resource
win10-en-20210920
Malware Config
Extracted
C:\README1.txt
pilotpilot088@gmail.com
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README2.txt
pilotpilot088@gmail.com
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README3.txt
pilotpilot088@gmail.com
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README4.txt
pilotpilot088@gmail.com
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README5.txt
pilotpilot088@gmail.com
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README6.txt
pilotpilot088@gmail.com
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README7.txt
pilotpilot088@gmail.com
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README8.txt
pilotpilot088@gmail.com
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README9.txt
pilotpilot088@gmail.com
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README10.txt
pilotpilot088@gmail.com
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Targets
-
-
Target
d158534622b057b387a617ebe2931fef6d5c7d386b6dfbeb652c4781846f87c1
-
Size
1.2MB
-
MD5
1d46afb839b846ede01cb925470f0488
-
SHA1
8cffc99cda16d5d6b5192c62fefae6c0ac89b33d
-
SHA256
d158534622b057b387a617ebe2931fef6d5c7d386b6dfbeb652c4781846f87c1
-
SHA512
888862ef478c79823a56af36f303e5a5686ce31bfdcb4e9b630e8bea791f10bf52f22b7fdb24be4b01b6087292467b45ebeb52d4f954b482f24094af14f64f10
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Modifies Installed Components in the registry
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry
-