Extracted

• • Target

    8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351

  • Size

    1.7MB

  • MD5

    3f4181968baaf480a628d522c14cee75

  • SHA1

    0cfbe9d8a205fa528c00c96253ff309ab666ee90

  • SHA256

    8df97f59144a4f3d55572156abd94b750a1a6ebbb5d1a08c001b5e1f4a1ce351

  • SHA512

    319332107b9da31aaa752dc75d5291c80668c204be2b6f0a3d31d4a48428bdccd5dcc7787678eb003fbb3d61af5245ea0d8c87b343cbaf77877e5f0c49e69db4

  Score

  10^/10

  ouroborosxmrigevasionmacrominerpersistenceransomware

  • Ouroboros/Zeropadypt

    Ransomware family based on open-source CryptoWire.

    ransomwareouroboros

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Suspicious Office macro

    Office document equipped with macros.

    macro

  • Drops startup file

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  behavioral1