General
-
Target
abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
-
Size
1.1MB
-
Sample
221110-jldxaafhg6
-
MD5
ad539ebdf9e34e02be487134cf9a6713
-
SHA1
b5af8a12c5a6ed369debaad7eab59e3cb1715e2d
-
SHA256
abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14
-
SHA512
386291d7dd9fa62f7514e784a238bd7a5099a0d2edd8af6085c61e3953a6914faf3dc299f07d56bed3b5b337a18c8b636c84f88693d3bc2512f8dfd51e711492
-
SSDEEP
24576:g3BzKGHF0bxTCFvXwKt/aISpu4Qc6F3v1HT2BzN2tgGS3YzYhoHWxVGI8WIQbQ:KV4xTCwu4Qc6/F87gIwQ
Malware Config
Targets
-
-
Target
abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
-
Size
1.1MB
-
MD5
ad539ebdf9e34e02be487134cf9a6713
-
SHA1
b5af8a12c5a6ed369debaad7eab59e3cb1715e2d
-
SHA256
abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14
-
SHA512
386291d7dd9fa62f7514e784a238bd7a5099a0d2edd8af6085c61e3953a6914faf3dc299f07d56bed3b5b337a18c8b636c84f88693d3bc2512f8dfd51e711492
-
SSDEEP
24576:g3BzKGHF0bxTCFvXwKt/aISpu4Qc6F3v1HT2BzN2tgGS3YzYhoHWxVGI8WIQbQ:KV4xTCwu4Qc6/F87gIwQ
Score10/10-
Deletes NTFS Change Journal
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
-
UAC bypass
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Disables Task Manager via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-