Downloads.rar
Filename | Downloads.rar
Size | 184MB
Analysis ID | 201122-6x1at779dj
MD5 | 9e3e4dd2eca465797c3a07c0fa2254fe
SHA1 | 16ceee08c07179157b0fb6de04b7605360f34b20
SHA256 | f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7
SHA512 | f6033af5252203878aa0d1ba77f4816694a953103927362f6308c527e84c61be00816bf9ccba207991f93248ffefaaf31e27f5fd7806d3a4cb35d4104e79f746
Extracted
Family | zloader
Botnet | main
Campaign | 26.02.2020
C2 | https://airnaa.org/sound.php https://banog.org/sound.php https://rayonch.org/sound.php
rc4.plain |
Extracted
Family | revengerat
Botnet | XDSDDD
C2 | 84.91.119.105:333
Extracted
Family | revengerat
Botnet | Victime
C2 | cocohack.dtdns.net:84
Extracted
Family | zloader
Botnet | 25/03
C2 | https://wgyvjbse.pw/milagrecf.php https://botiq.xyz/milagrecf.php
rc4.plain |
Extracted
Family | revengerat
Botnet | samay
C2 | shnf-47787.portmap.io:47787
Extracted
Family | zloader
Botnet | 09/04
C2 | https://eoieowo.casa/wp-config.php https://dcgljuzrb.pw/wp-config.php
rc4.plain |
Extracted
Family | zloader
Botnet | 07/04
C2 | https://xyajbocpggsr.site/wp-config.php https://ooygvpxrb.pw/wp-config.php
rc4.plain |
Extracted
Family | revengerat
Botnet | INSERT-COIN
C2 | 3.tcp.ngrok.io:24041
Extracted
Family | revengerat
Botnet | YT
C2 | yukselofficial.duckdns.org:5552
Extracted
Family | revengerat
Botnet | system
C2 | yj233.e1.luyouxia.net:20645
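Added example (not from the report or the sandbox vendor): the C2 endpoints from the extracted configs above, normalised into one IOC table. The endpoint strings are copied from the configs; the tagging of tunnel and dynamic-DNS providers, the field names and the block-list rule are this example's own assumptions. The point it makes: five of the fifteen endpoints sit on shared services (ngrok, portmap.io, luyouxia, DuckDNS, DtDNS) and one is a bare IP, so only the specific hostname, never the parent domain, is an attacker indicator for those.

```python
"""Normalise the C2 entries from the extracted zloader/revengerat configs
into one IOC table and tag the infrastructure type.

Added example. The endpoint strings are copied from the report; the tagging
heuristics and field names are this example's own design, not the vendor's."""
from urllib.parse import urlsplit

# (family, botnet, raw C2 string) as listed in the "Extracted" blocks above.
EXTRACTED = [
    ("zloader", "main", "https://airnaa.org/sound.php https://banog.org/sound.php https://rayonch.org/sound.php"),
    ("revengerat", "XDSDDD", "84.91.119.105:333"),
    ("revengerat", "Victime", "cocohack.dtdns.net:84"),
    ("zloader", "25/03", "https://wgyvjbse.pw/milagrecf.php https://botiq.xyz/milagrecf.php"),
    ("revengerat", "samay", "shnf-47787.portmap.io:47787"),
    ("zloader", "09/04", "https://eoieowo.casa/wp-config.php https://dcgljuzrb.pw/wp-config.php"),
    ("zloader", "07/04", "https://xyajbocpggsr.site/wp-config.php https://ooygvpxrb.pw/wp-config.php"),
    ("revengerat", "INSERT-COIN", "3.tcp.ngrok.io:24041"),
    ("revengerat", "YT", "yukselofficial.duckdns.org:5552"),
    ("revengerat", "system", "yj233.e1.luyouxia.net:20645"),
]

# Parent domains of shared services seen in the configs (assumed list): the
# attacker only controls one hostname under each, so a domain-level block
# would also hit legitimate users of the service.
SHARED_SERVICE_SUFFIXES = {
    "ngrok.io": "tunnel",
    "portmap.io": "tunnel",
    "luyouxia.net": "tunnel",
    "duckdns.org": "dynamic-dns",
    "dtdns.net": "dynamic-dns",
}

def classify_host(host):
    """'ip', 'tunnel', 'dynamic-dns' or 'domain' for one C2 hostname."""
    parts = host.split(".")
    if len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        return "ip"
    for suffix, kind in SHARED_SERVICE_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return kind
    return "domain"

def parse_endpoint(raw):
    """Split one C2 token into (scheme, host, port, path).
    Bare host:port entries (revengerat) have no scheme and no path."""
    if "://" in raw:
        u = urlsplit(raw)
        default = 443 if u.scheme == "https" else 80
        return u.scheme, u.hostname, u.port or default, u.path or "/"
    host, _, port = raw.rpartition(":")
    return None, host, int(port), None

def build_ioc_table(extracted=EXTRACTED):
    """One record per endpoint, de-duplicated on (host, port), with the
    family/botnet it came from and an infrastructure tag."""
    seen = {}
    for family, botnet, raw in extracted:
        for token in raw.split():
            scheme, host, port, path = parse_endpoint(token)
            rec = seen.setdefault((host, port), {
                "host": host, "port": port, "scheme": scheme, "path": path,
                "kind": classify_host(host), "sources": [],
            })
            rec["sources"].append(f"{family}/{botnet}")
    return sorted(seen.values(), key=lambda r: (r["kind"], r["host"]))

def blockable_domains(table):
    """Domains safe to block outright: attacker-controlled domains only,
    never shared tunnel/DDNS parents and never bare IPs."""
    return sorted({r["host"] for r in table if r["kind"] == "domain"})

if __name__ == "__main__":
    table = build_ioc_table()
    for r in table:
        print(f'{r["kind"]:12} {r["host"]}:{r["port"]} {r["path"] or ""} <- {",".join(r["sources"])}')
    print("block at domain level:", blockable_domains(table))
```

The tunnel and DDNS hosts are still worth a host-level block or a DNS alert; the `kind` field is there so that decision is made per record instead of by blanket-blocking `*.ngrok.io`.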
Extracted
Path | \??\c:\_R_E_A_D___T_H_I_S___S9T11QD_.txt
Family | cerber
Ransom Note |
Hi, I'am CRBR ENCRYPTOR ;)
-----
ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
-----
The only one way to decrypt your files is to receive the private key and decryption program.
To receive the private key and decryption program go to any decrypted folder,
inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions
how to decrypt your files.
If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below:
-----
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://xpcx6erilkjced3j.onion/0595-186B-78CE-0098-BEB7
Note! This page is available via "Tor Browser" only.
-----
Also you can use temporary addresses on your personal page without using "Tor Browser".
-----
1. http://xpcx6erilkjced3j.1n5mod.top/0595-186B-78CE-0098-BEB7
2. http://xpcx6erilkjced3j.19kdeh.top/0595-186B-78CE-0098-BEB7
3. http://xpcx6erilkjced3j.1mpsnr.top/0595-186B-78CE-0098-BEB7
4. http://xpcx6erilkjced3j.18ey8e.top/0595-186B-78CE-0098-BEB7
5. http://xpcx6erilkjced3j.17gcun.top/0595-186B-78CE-0098-BEB7
-----
Note! These are temporary addresses! They will be available for a limited amount of time!
-----
URLs | http://xpcx6erilkjced3j.onion/0595-186B-78CE-0098-BEB7 http://xpcx6erilkjced3j.1n5mod.top/0595-186B-78CE-0098-BEB7 http://xpcx6erilkjced3j.19kdeh.top/0595-186B-78CE-0098-BEB7 http://xpcx6erilkjced3j.1mpsnr.top/0595-186B-78CE-0098-BEB7 http://xpcx6erilkjced3j.18ey8e.top/0595-186B-78CE-0098-BEB7 http://xpcx6erilkjced3j.17gcun.top/0595-186B-78CE-0098-BEB7
Extracted
Path | C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___PZECJ_.hta
Ransom Note |
CRBR ENCRYPTOR Instructions (HTA with a language selector offering English, Arabic, Chinese, Dutch, French, German, Italian, Japanese, Korean, Polish, Portuguese, Spanish and Turkish)
Can't you find the necessary files?
Is the content of your files not readable?
It is normal because the files' names and the data in your files have been encrypted by "CRBR Encryptor".
It means your files are NOT damaged! Your files are modified only. This modification is reversible.
From now it is not possible to use your files until they will be decrypted.
The only way to decrypt your files safely is to buy the special decryption software "CRBR Decryptor".
Any attempts to restore your files with the third-party software will be fatal for your files!
You can proceed with purchasing of the decryption software at your personal page:
Please wait... http://xpcx6erilkjced3j.1n5mod.top/0595-186B-78CE-0098-BEB7 http://xpcx6erilkjced3j.19kdeh.top/0595-186B-78CE-0098-BEB7 http://xpcx6erilkjced3j.1mpsnr.top/0595-186B-78CE-0098-BEB7 http://xpcx6erilkjced3j.18ey8e.top/0595-186B-78CE-0098-BEB7 http://xpcx6erilkjced3j.17gcun.top/0595-186B-78CE-0098-BEB7
If this page cannot be opened click here to get a new address of your personal page.
If the address of your personal page is the same as before after you tried to get a new one,
you can try to get a new address in one hour.
At this page you will receive the complete instructions how to buy the decryption software for restoring all your files.
Also at this page you will be able to restore any one file for free to be sure "CRBR Decryptor" will help you.
If your personal page is not available for a long period there is another way to open your personal page - installation and use of Tor Browser:
run your Internet browser (if you do not know what it is run the Internet Explorer);
enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
wait for the site loading;
on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
run Tor Browser;
connect with the button "Connect" (if you use the English version);
a normal Internet browser window will be opened after the initialization;
type or copy the address http://xpcx6erilkjced3j.onion/0595-186B-78CE-0098-BEB7
in this browser address bar;
press ENTER;
the site should be loaded; if for some reason the site is not loading wait for a moment and try again.
If you have any problems during installation or use of Tor Browser, please, visit https://www.youtube.com and type request in the search bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use.
Additional information:
You will find the instructions ("*_R_E_A_D___T_H_I_S_*.hta") for restoring your files in any folder with your encrypted files.
The instructions "*_R_E_A_D___T_H_I_S_*.hta" in the folders with your encrypted files are not viruses! The instructions "*_R_E_A_D___T_H_I_S_*.hta" will help you to decrypt your files.
Remember! The worst situation already happened and now the future of your files depends on your determination and speed of your actions.
[The same instructions are repeated in Arabic, Chinese, Dutch and French with the same onion address, victim ID and gateway URLs. The Chinese copy points to https://www.baidu.com instead of YouTube for Tor Browser tutorials; the French copy is cut off mid-sentence in the extraction.]
URLs | http://xpcx6erilkjced3j.1n5mod.top/0595-186B-78CE-0098-BEB7 http://xpcx6erilkjced3j.19kdeh.top/0595-186B-78CE-0098-BEB7 http://xpcx6erilkjced3j.1mpsnr.top/0595-186B-78CE-0098-BEB7 http://xpcx6erilkjced3j.18ey8e.top/0595-186B-78CE-0098-BEB7 http://xpcx6erilkjced3j.17gcun.top/0595-186B-78CE-0098-BEB7 http://xpcx6erilkjced3j.onion/0595-186B-78CE-0098-BEB7 https://www.baidu.com
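Added example, not part of the report: a small parser that turns the Cerber note above into hunting and blocking artefacts (the hidden-service name, the per-victim ID in the URL path, and the clearnet gateway domains that front the same hidden service). It also handles the run-together URL string seen in the .hta variant, where five URLs are glued into one token, by stopping each path at the next "http://". NOTE is an excerpt of the note text above; the regular expressions, the gateway/mirror naming and the 16-character onion-name check are this example's own.

```python
"""Parse the Cerber ("CRBR ENCRYPTOR") ransom note into hunting/blocking
artefacts. Added example, not from the report; NOTE is an excerpt of the note
text above, the regexes and naming are this example's own."""
import re

NOTE = (
    "2. In the \"Tor Browser\" open your personal page here:\n"
    "http://xpcx6erilkjced3j.onion/0595-186B-78CE-0098-BEB7\n"
    "1. Download \"Tor Browser\" from https://www.torproject.org/ and install it.\n"
    # The .hta variant glues the gateway URLs together with no separator.
    "Please wait... http://xpcx6erilkjced3j.1n5mod.top/0595-186B-78CE-0098-BEB7"
    "http://xpcx6erilkjced3j.19kdeh.top/0595-186B-78CE-0098-BEB7"
    "http://xpcx6erilkjced3j.1mpsnr.top/0595-186B-78CE-0098-BEB7"
    "http://xpcx6erilkjced3j.18ey8e.top/0595-186B-78CE-0098-BEB7"
    "http://xpcx6erilkjced3j.17gcun.top/0595-186B-78CE-0098-BEB7\n"
)

# Host, then an optional path whose characters are consumed only while the
# remainder does not start another "http://" (handles the glued URLs above).
URL_RE = re.compile(r"https?://([a-z0-9.-]+)(/(?:(?!https?://)[a-z0-9-])*)?", re.I)
# Version-2 onion names are exactly 16 base32 characters.
ONION_RE = re.compile(r"^([a-z2-7]{16})\.onion$")

def parse_note(text):
    """Return None if the text has no .onion URL, else the extracted artefacts."""
    urls = [(host.lower(), path) for host, path in URL_RE.findall(text)]
    onion = None
    for host, _ in urls:
        m = ONION_RE.match(host)
        if m:
            onion = m.group(1)
            break
    if onion is None:
        return None
    # The hidden service itself plus "<onion-name>.<gateway>" hosts that proxy
    # it; unrelated URLs (torproject.org, youtube.com) are ignored here.
    related = [(h, p) for h, p in urls if h.startswith(onion + ".")]
    victim_ids = {p[1:] for _, p in related if len(p) > 1}
    mirrors = sorted({h for h, _ in related if not h.endswith(".onion")})
    return {
        "onion": onion + ".onion",
        # Exactly one ID is expected; more than one means a mis-parse.
        "victim_id": victim_ids.pop() if len(victim_ids) == 1 else None,
        "gateways": sorted({h[len(onion) + 1:] for h in mirrors}),
        "mirrors": mirrors,
    }

def block_list(parsed):
    """Gateway parent domains plus the concrete mirror hosts. The onion name
    is the stable indicator for hunting; the gateways are disposable."""
    return sorted(set(parsed["gateways"]) | set(parsed["mirrors"]))

if __name__ == "__main__":
    parsed = parse_note(NOTE)
    print(parsed)
    print("block:", block_list(parsed))
```

The victim ID is the same path on every mirror, which is what makes it usable as a per-infection correlation key across notes dropped in different folders; the `.top` gateways are expected to rotate, so they belong on a block list, not in a long-term signature.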
Endermanch@000.exe
MD5 | f2b7074e1543720a9a98fda660e02688
Size | 6MB
SHA1 | 1029492c1a12789d8af78d54adcb921e24b9e5ca
SHA256 | 4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966
SHA512 | 73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff
Signatures
- Disables Task Manager via registry modification: sets DisableTaskMgr under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Modifies WinLogon: writes values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
- Sets desktop wallpaper using registry: writes HKCU\Control Panel\Desktop\Wallpaper.
Endermanch@7ev3n.exe
MD5 | 9f8bc96c96d43ecb69f883388d228754
Size | 315KB
SHA1 | 61ed25a706afa2f6684bb4d64f69c5fb29d20953
SHA256 | 7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
SHA512 | 550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
Signatures
- Modifies WinLogon for persistence: changes values such as Shell or Userinit under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon so the payload starts at every logon.
- UAC bypass
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon: sets AutoAdminLogon (normally together with DefaultUserName and DefaultPassword) under the Winlogon key, so the machine logs in without prompting for credentials after a reboot.
- Adds Run key to start application: writes an entry under ...\Software\Microsoft\Windows\CurrentVersion\Run (HKCU or HKLM).
Endermanch@AnViPC2009.exe
MD5 | 910dd666c83efd3496f21f9f211cdc1f
Size | 1MB
SHA1 | 77cd736ee1697beda0ac65da24455ec566ba7440
SHA256 | 06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45
SHA512 | 467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47
Signatures
- BadRabbit (family signature): ransomware family discovered in late 2017, mainly targeting Russia and Ukraine. This signature fires on most samples in this batch, including fake antivirus and screen-locker samples, so treat it as a heuristic match rather than a confirmed family attribution.
- Deletes NTFS Change Journal: the USN change journal is NTFS's persistent log of file changes on a volume (present on any NTFS system, not only Windows Server); ransomware deletes it, typically with fsutil usn deletejournal, to hinder recovery and forensic timelines.
- Clears Windows event logs
- Blacklisted process makes network request
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon: sets AutoAdminLogon (normally together with DefaultUserName and DefaultPassword) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, so the machine logs in without prompting for credentials after a reboot.
- Loads dropped DLL
- JavaScript code in executable
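Added example, not the vendor's detection logic: process-creation rules for the two anti-forensic behaviours flagged above ("Deletes NTFS Change Journal" and "Clears Windows event logs"), run over a constructed batch of Sysmon EID 1 / Security 4688-style records. The report lists the behaviours but not the command lines, so the rules assume the usual fsutil usn deletejournal, wevtutil cl/clear-log and PowerShell Clear-EventLog invocations; EVENTS is made up for the example and is not output from this run.

```python
"""Command-line detection for USN-journal deletion and event-log clearing.
Added example; EVENTS is a constructed sample, not data from the sandbox."""
import re

EVENTS = [
    {"pid": 4412, "parent": "sample.exe",
     "cmdline": r'cmd.exe /c "fsutil usn deletejournal /D C:"'},
    {"pid": 4420, "parent": "sample.exe", "cmdline": r"wevtutil cl Security"},
    {"pid": 4421, "parent": "sample.exe", "cmdline": r"wevtutil.exe clear-log System"},
    {"pid": 4422, "parent": "sample.exe",
     "cmdline": r"powershell -nop -c Clear-EventLog -LogName Application"},
    # Benign look-alikes that must not fire: read-only query verbs.
    {"pid": 4500, "parent": "explorer.exe", "cmdline": r"fsutil usn queryjournal C:"},
    {"pid": 4501, "parent": "explorer.exe", "cmdline": r"wevtutil qe Security /c:5"},
]

# (behaviour name as used in the report, pattern over the normalised command line)
RULES = [
    ("Deletes NTFS Change Journal",
     re.compile(r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b")),
    ("Clears Windows event logs",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b")),
    ("Clears Windows event logs",
     re.compile(r"\bclear-eventlog\b")),
]

def normalize(cmdline):
    """Lower-case, drop quoting and collapse whitespace so a cmd /c "..."
    wrapper or odd spacing does not hide the inner command."""
    stripped = cmdline.replace('"', " ").replace("'", " ")
    return re.sub(r"\s+", " ", stripped).strip().lower()

def match_event(event):
    cmd = normalize(event["cmdline"])
    return sorted({name for name, rx in RULES if rx.search(cmd)})

def scan(events=EVENTS):
    """[(pid, [behaviours])] for every event that matched at least one rule."""
    results = []
    for event in events:
        hits = match_event(event)
        if hits:
            results.append((event["pid"], hits))
    return results

def severity(events=EVENTS):
    """Both behaviours from the same parent is the combination the
    BadRabbit-tagged samples in this report show; one alone is a lead."""
    by_parent = {}
    for event in events:
        for hit in match_event(event):
            by_parent.setdefault(event["parent"], set()).add(hit)
    worst = max((len(v) for v in by_parent.values()), default=0)
    return "high" if worst >= 2 else "medium" if worst == 1 else "none"

if __name__ == "__main__":
    for pid, hits in scan():
        print(pid, hits)
    print("severity:", severity())
```

The query verbs (`queryjournal`, `qe`) are in the sample on purpose: a rule keyed on the binary name alone would page on every administrator who looks at a log, so the verb is part of the pattern.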
Endermanch@Antivirus.exe
MD5 | c7e9746b1b039b8bd1106bca3038c38f
Size | 1MB
SHA1 | cb93ac887876bafe39c5f9aa64970d5e747fb191
SHA256 | b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
SHA512 | cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724
Signatures
- Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application: writes an entry under ...\Software\Microsoft\Windows\CurrentVersion\Run (HKCU or HKLM).
Endermanch@AntivirusPlatinum.exe
MD5 | 382430dd7eae8945921b7feab37ed36b
Size | 739KB
SHA1 | c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128
SHA256 | 70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b
SHA512 | 26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b
Signatures
- BadRabbit (family signature): ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
- Deletes NTFS Change Journal: the USN change journal is NTFS's persistent log of file changes on a volume (present on any NTFS system, not only Windows Server); ransomware deletes it, typically with fsutil usn deletejournal, to hinder recovery and forensic timelines.
- Windows security bypass
- Clears Windows event logs
- Blacklisted process makes network request
- Disables RegEdit via registry modification: sets DisableRegistryTools under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon: sets AutoAdminLogon (normally together with DefaultUserName and DefaultPassword) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, so the machine logs in without prompting for credentials after a reboot.
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- UPX packed file: executable packed with UPX or a modified UPX (open-source packer).
- Windows security modification
- Modifies service
Endermanch@AntivirusPro2017.exe
MD5 | 7dfbfba1e4e64a946cb096bfc937fbad
Size | 816KB
SHA1 | 9180d2ce387314cd4a794d148ea6b14084c61e1b
SHA256 | 312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94
SHA512 | f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4
Signatures
- Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application: writes an entry under ...\Software\Microsoft\Windows\CurrentVersion\Run (HKCU or HKLM).
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR): bootkits write to the MBR to gain persistence at a level below the operating system.
Endermanch@BadRabbit.exe
MD5 | fbbdc39af1139aebba4da004475e8839
Size | 431KB
SHA1 | de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256 | 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512 | 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
Signatures
- BadRabbit (family signature): ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
- Deletes NTFS Change Journal: the USN change journal is NTFS's persistent log of file changes on a volume (present on any NTFS system, not only Windows Server); ransomware deletes it, typically with fsutil usn deletejournal, to hinder recovery and forensic timelines.
- Clears Windows event logs
- Blacklisted process makes network request
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon: sets AutoAdminLogon (normally together with DefaultUserName and DefaultPassword) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, so the machine logs in without prompting for credentials after a reboot.
Endermanch@Birele.exe
MD5 | 41789c704a0eecfdd0048b4b4193e752
Size | 116KB
SHA1 | fb1e8385691fa3293b7cbfb9b2656cf09f20e722
SHA256 | b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23
SHA512 | 76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea
Signatures
- BadRabbit (family signature): ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
- Deletes NTFS Change Journal: the USN change journal is NTFS's persistent log of file changes on a volume (present on any NTFS system, not only Windows Server); ransomware deletes it, typically with fsutil usn deletejournal, to hinder recovery and forensic timelines.
- Modifies WinLogon for persistence: changes values such as Shell or Userinit under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon so the payload starts at every logon.
- Clears Windows event logs
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon: sets AutoAdminLogon (normally together with DefaultUserName and DefaultPassword) under the Winlogon key, so the machine logs in without prompting for credentials after a reboot.
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- Adds Run key to start application: writes an entry under ...\Software\Microsoft\Windows\CurrentVersion\Run (HKCU or HKLM).
Endermanch@Cerber5.exe
MD5 | fe1bc60a95b2c2d77cd5d232296a7fa4
Size | 313KB
SHA1 | c07dfdea8da2da5bad036e7c2f5d37582e1cf684
SHA256 | b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
SHA512 | 266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89
Signatures
- Cerber (family signature): widely used ransomware-as-a-service (RaaS), first seen in 2016.
- Blacklisted process makes network request
- Modifies Windows Firewall
- Drops startup file
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry: writes HKCU\Control Panel\Desktop\Wallpaper.
Endermanch@CleanThis.exe
MD5 | a50fc0da1d2b3c4aa8a6adaccf69a5de
Size | 618KB
SHA1 | e001f4043ab4be644ea10e0d65303d6e57b31ffe
SHA256 | cf6eb8377789e316629c0396a2dbb53c69b5fd67bbd0e7163b8d305aaa756e90
SHA512 | 4bbc7676391ed4085f628d1f4e1f0af16f5cd6fd9efb8c61176bccdb6ee03b06896c6ddfba9fcf363b133ade3a8a1b8cd17ef92d8eb9adeec247f9bd41dbec2b
Signatures
- BadRabbit (family signature): ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
- Deletes NTFS Change Journal: the USN change journal is NTFS's persistent log of file changes on a volume (present on any NTFS system, not only Windows Server); ransomware deletes it, typically with fsutil usn deletejournal, to hinder recovery and forensic timelines.
- Modifies WinLogon for persistence: changes values such as Shell or Userinit under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon so the payload starts at every logon.
- Clears Windows event logs
- Blacklisted process makes network request
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon: sets AutoAdminLogon (normally together with DefaultUserName and DefaultPassword) under the Winlogon key, so the machine logs in without prompting for credentials after a reboot.
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
Endermanch@ColorBug.exe
MD5 | 6536b10e5a713803d034c607d2de19e3
Size | 53KB
SHA1 | a6000c05f565a36d2250bdab2ce78f505ca624b7
SHA256 | 775ba68597507cf3c24663f5016d257446abeb66627f20f8f832c0860cad84de
SHA512 | 61727cf0b150aad6965b4f118f33fd43600fb23dde5f0a3e780cc9998dfcc038b7542bfae9043ce28fb08d613c2a91ff9166f28a2a449d0e3253adc2cb110018
Signatures
- Adds Run key to start application: writes an entry under ...\Software\Microsoft\Windows\CurrentVersion\Run (HKCU or HKLM).
Endermanch@DeriaLock.exe
MD5 | 0a7b70efba0aa93d4bc0857b87ac2fcb
Size | 484KB
SHA1 | 01a6c963b2f5f36ff21a1043587dcf921ae5f5cd
SHA256 | 4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
SHA512 | 2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14
Signatures
- BadRabbit (family signature): ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
- Deletes NTFS Change Journal: the USN change journal is NTFS's persistent log of file changes on a volume (present on any NTFS system, not only Windows Server); ransomware deletes it, typically with fsutil usn deletejournal, to hinder recovery and forensic timelines.
- Clears Windows event logs
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon: sets AutoAdminLogon (normally together with DefaultUserName and DefaultPassword) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, so the machine logs in without prompting for credentials after a reboot.
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- Drops startup file
Endermanch@Deskbottom.exe
MD5 | c954b69e480950ad8f138bf8848c562c
Size | 461KB
SHA1 | 207c3f932d8ac66bc10e090a97c02ac07dbb68fa
SHA256 | 2f4bd27bffe3a5d1f541f1ee682d060316a0043312b35f18dfe5137efe8d7680
SHA512 | e8bbce74a647939337df72c3ab29c320aeef2b6f0214d68768bc7da8262a978e6ed54f7b1aefadb394abc85518757acf8e8633a145c39cb3f712adf8561aeaa9
Signatures
(none reported)
Endermanch@DesktopPuzzle.exe
MD5 | 2f8f6e90ca211d7ef5f6cf3c995a40e7
Size | 239KB
SHA1 | f8940f280c81273b11a20d4bfb43715155f6e122
SHA256 | 1f5a26f24a2bfdd301008f0cc51a6c3762f41b926f974c814f1ecaa4cb28e5e6
SHA512 | 2b38475550edee5519e33bd18fea510ad73345a27c20f6457710498d34e3d0cf05b0f96f32d018e7dc154a6f2232ea7e3145fd0ed5fb498f9e4702a4be1bb9c8
Signatures
- BadRabbit (family signature): ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
- Deletes NTFS Change Journal: the USN change journal is NTFS's persistent log of file changes on a volume (present on any NTFS system, not only Windows Server); ransomware deletes it, typically with fsutil usn deletejournal, to hinder recovery and forensic timelines.
- Clears Windows event logs
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon: sets AutoAdminLogon (normally together with DefaultUserName and DefaultPassword) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, so the machine logs in without prompting for credentials after a reboot.
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
Endermanch@FakeAdwCleaner.exe
MD5 | 248aadd395ffa7ffb1670392a9398454
Size | 190KB
SHA1 | c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5
SHA256 | 51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc
SHA512 | 582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e
Signatures
- BadRabbit (family signature): ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
- Deletes NTFS Change Journal: the USN change journal is NTFS's persistent log of file changes on a volume (present on any NTFS system, not only Windows Server); ransomware deletes it, typically with fsutil usn deletejournal, to hinder recovery and forensic timelines.
- Clears Windows event logs
- Blacklisted process makes network request
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon: sets AutoAdminLogon (normally together with DefaultUserName and DefaultPassword) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, so the machine logs in without prompting for credentials after a reboot.
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- Adds Run key to start application: writes an entry under ...\Software\Microsoft\Windows\CurrentVersion\Run (HKCU or HKLM).
Endermanch@FreeYoutubeDownloader.exe
MD5 | 13f4b868603cf0dd6c32702d1bd858c9
Size | 396KB
SHA1 | a595ab75e134f5616679be5f11deefdfaae1de15
SHA256 | cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7
SHA512 | e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24
Signatures
- Executes dropped EXE
- Adds Run key to start application: writes an entry under ...\Software\Microsoft\Windows\CurrentVersion\Run (HKCU or HKLM).
- Checks installed software on the system: looks up Uninstall key entries in the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to enumerate software on the system.
Endermanch@HMBlocker.exe
MD5 | 21943d72b0f4c2b42f242ac2d3de784c
Size | 48KB
SHA1 | c887b9d92c026a69217ca550568909609eec1c39
SHA256 | 2d047b0a46be4da59d375f71cfbd578ce1fbf77955d0bb149f6be5b9e4552180
SHA512 | 04c9fa8358944d01b5fd0b6d5da2669df4c54fe79c58e7987c16bea56c114394173b6e8a6ac54cd4acd081fcbc66103ea6514c616363ba8d212db13b301034d8
Signatures
- BadRabbit (family signature): ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
- Modifies WinLogon to allow AutoLogon: sets AutoAdminLogon (normally together with DefaultUserName and DefaultPassword) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, so the machine logs in without prompting for credentials after a reboot.
- Adds Run key to start application: writes an entry under ...\Software\Microsoft\Windows\CurrentVersion\Run (HKCU or HKLM).
Endermanch@HappyAntivirus.exe
MD5 | cb02c0438f3f4ddabce36f8a26b0b961
Size | 1MB
SHA1 | 48c4fcb17e93b74030415996c0ec5c57b830ea53
SHA256 | 64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32
SHA512 | 373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3
Signatures
(none reported)
Endermanch@Illerka.C.exe
MD5 | c718a1cbf0e13674714c66694be02421
Size | 378KB
SHA1 | 001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
SHA256 | cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
SHA512 | ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
Signatures
- BadRabbit (family signature): ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
- Deletes NTFS Change Journal: the USN change journal is NTFS's persistent log of file changes on a volume (present on any NTFS system, not only Windows Server); ransomware deletes it, typically with fsutil usn deletejournal, to hinder recovery and forensic timelines.
- UAC bypass
- Clears Windows event logs
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon: sets AutoAdminLogon (normally together with DefaultUserName and DefaultPassword) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, so the machine logs in without prompting for credentials after a reboot.
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- Checks whether UAC is enabled
Endermanch@InternetSecurityGuard.exe
MD5 | 04155ed507699b4e37532e8371192c0b
Size | 6MB
SHA1 | a14107131237dbb0df750e74281c462a2ea61016
SHA256 | b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77
SHA512 | 6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371
Signatures
- Checks for common network interception software: looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
- Enumerates VirtualBox registry keys
- Blocks application from running via registry modification: adds the application to the DisallowRun list under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
- Drops file in Drivers directory
- Sets file execution options in registry: writes under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, where a Debugger value redirects or blocks every launch of the named executable (a common way for fake antivirus to neutralise real security tools).
- Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application: writes an entry under ...\Software\Microsoft\Windows\CurrentVersion\Run (HKCU or HKLM).
- Checks for any installed AV software in registry
- Checks installed software on the system: looks up Uninstall key entries in the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to enumerate software on the system.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR): bootkits write to the MBR to gain persistence at a level below the operating system.
Endermanch@Koteyka2.exe
7734f0e56da17e9a5940fd782d739f9b
762KB
4dfae67e40be6c4c83191ea0cf8d1b28afba884c
8855299560183b57556d9714a2b958cdc6190fcdfb270633da2a47dfeee20015
53d07938bafbcb9524cdba6d25e09fcdae128a83718ab686374f0526730e2e6380f60e3bf951601e48f6f8e64563c484ddd8baf9be2878a5ad393817028a9632
Signatures
- BadRabbit: ransomware family discovered in late 2017 (October), mainly targeting Russia and Ukraine.
- Deletes NTFS Change Journal: the USN change journal is a persistent per-volume NTFS log of file and directory changes, present on any NTFS volume (not only Windows Server); deleting it (typically via fsutil usn deletejournal) destroys evidence of recent file activity that forensic timelines rely on.
- Clears Windows event logs
- Blacklisted process makes network request
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon: sets AutoAdminLogon (with DefaultUserName/DefaultPassword) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon so the machine can be rebooted and log on again without anyone entering credentials.
Related Tasks
Endermanch@LPS2019.exe
2eb3ce80b26345bd139f7378330b19c1
1MB
10122bd8dd749e20c132d108d176794f140242b0
8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2
e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a
Signatures
- BadRabbit: ransomware family discovered in late 2017 (October), mainly targeting Russia and Ukraine.
- Deletes NTFS Change Journal: the USN change journal is a persistent per-volume NTFS log of file and directory changes, present on any NTFS volume (not only Windows Server); deleting it (typically via fsutil usn deletejournal) destroys evidence of recent file activity that forensic timelines rely on.
- Clears Windows event logs
- Blacklisted process makes network request
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon: sets AutoAdminLogon (with DefaultUserName/DefaultPassword) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon so the machine can be rebooted and log on again without anyone entering credentials.
- Modifies extensions of user files: ransomware generally renames the files it encrypts with a new extension.
- Adds Run key to start application (HKCU/HKLM ...\Software\Microsoft\Windows\CurrentVersion\Run, executed at every logon)
- JavaScript code in executable
Related Tasks
Endermanch@Movie.mpeg.exe
d0deb2644c9435ea701e88537787ea6e
414KB
866e47ecd80da89c4f56557659027a3aee897132
ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3
6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf
Related Tasks
Endermanch@PCDefender.exe
e4d4a59494265949993e26dee7b077d1
878KB
83e3d0c7e544117d6054e7d55932a7d2dbaf1163
5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd
efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718
Signatures
- BadRabbit: ransomware family discovered in late 2017 (October), mainly targeting Russia and Ukraine.
- Deletes NTFS Change Journal: the USN change journal is a persistent per-volume NTFS log of file and directory changes, present on any NTFS volume (not only Windows Server); deleting it (typically via fsutil usn deletejournal) destroys evidence of recent file activity that forensic timelines rely on.
- Modifies WinLogon for persistence (changes the Shell or Userinit value under the Winlogon key so the payload starts at logon)
- Clears Windows event logs
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon: sets AutoAdminLogon (with DefaultUserName/DefaultPassword) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon so the machine can be rebooted and log on again without anyone entering credentials.
- Modifies extensions of user files: ransomware generally renames the files it encrypts with a new extension.
- Enumerates connected drives: attempts to read the root path of drives other than the default C: drive.
- JavaScript code in executable
- Modifies service
Related Tasks
Endermanch@PCDefenderv2.msi
b3dce5c3f95a18fd076fad0f73bb9e39
860KB
e80cc285a77302ee221f47e4e94823d4b2eba368
df2e3b2222dcdbb5e0dbdd1200ec8fd5f67fcbea99e0023df54307eab60030ff
c184436055cf74884ad0d2bd5ca00bcd5a62d6be46253fe8c71b4daaa5c710b9df34af1b6e41f6d1af94bcdec0d33679a6a1b34bf9755678b4e177f368c11d4c
Signatures
- Modifies WinLogon for persistence (changes the Shell or Userinit value under the Winlogon key so the payload starts at logon)
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon: sets AutoAdminLogon (with DefaultUserName/DefaultPassword) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon so the machine can be rebooted and log on again without anyone entering credentials.
- Enumerates connected drives: attempts to read the root path of drives other than the default C: drive.
- Modifies service
Related Tasks
Endermanch@PolyRansom.exe
3ed3fb296a477156bc51aba43d825fc0
220KB
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e
Signatures
- BadRabbit: ransomware family discovered in late 2017 (October), mainly targeting Russia and Ukraine.
- Deletes NTFS Change Journal: the USN change journal is a persistent per-volume NTFS log of file and directory changes, present on any NTFS volume (not only Windows Server); deleting it (typically via fsutil usn deletejournal) destroys evidence of recent file activity that forensic timelines rely on.
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Clears Windows event logs
- Blacklisted process makes network request
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon: sets AutoAdminLogon (with DefaultUserName/DefaultPassword) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon so the machine can be rebooted and log on again without anyone entering credentials.
- Suspicious Office macro: Office document containing Excel 4.0 (XLM) macros.
- Checks computer location settings: looks up the country code configured in the registry (e.g. HKCU\Control Panel\International\Geo\Nation), likely for geofencing.
- Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials, cookies and form data.
- Adds Run key to start application (HKCU/HKLM ...\Software\Microsoft\Windows\CurrentVersion\Run, executed at every logon)
- Drops file in System32 directory
Related Tasks
Endermanch@PowerPoint.exe
70108103a53123201ceb2e921fcfe83c
136KB
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b
Signatures
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon: sets AutoAdminLogon (with DefaultUserName/DefaultPassword) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon so the machine can be rebooted and log on again without anyone entering credentials.
- Deletes itself
- Writes to the Master Boot Record (MBR): bootkits write to the MBR to gain persistence at a level below the operating system; some ransomware overwrites it so the machine boots into a lock screen instead of Windows.
Related Tasks
Endermanch@ProgramOverflow.exe
c4aab3b24b159148d6d47a9e5897e593
566KB
7061c2e85de9f3fd51cccdecb8965f1e710d1fe5
03a4d3563a7519542c662b5fd5d61215f3d76a3902717efe11230292ea4bbafc
9bc522ff0d598a1f1425a09a2794584c4991a99bc382b0ee9135311950cdbf2f5331ae041a4b01052735b5fae3a2763ea1b5c01ce679b07fba73c6f75cb4c252
Signatures
- Checks computer location settings: looks up the country code configured in the registry (e.g. HKCU\Control Panel\International\Geo\Nation), likely for geofencing.
Related Tasks
Endermanch@RegistrySmart.exe
0002dddba512e20c3f82aaab8bad8b4d
1MB
493286b108822ba636cc0e53b8259e4f06ecf900
2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7
497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b
Signatures
- BadRabbit: ransomware family discovered in late 2017 (October), mainly targeting Russia and Ukraine.
- Deletes NTFS Change Journal: the USN change journal is a persistent per-volume NTFS log of file and directory changes, present on any NTFS volume (not only Windows Server); deleting it (typically via fsutil usn deletejournal) destroys evidence of recent file activity that forensic timelines rely on.
- Clears Windows event logs
- Blacklisted process makes network request
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon: sets AutoAdminLogon (with DefaultUserName/DefaultPassword) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon so the machine can be rebooted and log on again without anyone entering credentials.
- Modifies extensions of user files: ransomware generally renames the files it encrypts with a new extension.
- Adds Run key to start application (HKCU/HKLM ...\Software\Microsoft\Windows\CurrentVersion\Run, executed at every logon)
- Checks installed software on the system: looks up Uninstall key entries in the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to enumerate installed software.
Related Tasks
Endermanch@SE2011.exe
02f471d1fefbdc07af5555dbfd6ea918
2MB
2a8f93dd21628933de8bea4a9abc00dbb215df0b
36619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba
287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559
Signatures
- Modifies WinLogon for persistence (changes the Shell or Userinit value under the Winlogon key so the payload starts at logon)
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry (e.g. HKCU\Control Panel\International\Geo\Nation), likely for geofencing.
- Identifies Wine through registry keys: Wine is a compatibility layer that runs Windows applications on other operating systems and is sometimes used as a sandbox; the sample looks for Wine-specific keys such as HKCU\Software\Wine.
- Adds Run key to start application (HKCU/HKLM ...\Software\Microsoft\Windows\CurrentVersion\Run, executed at every logon)
- Suspicious use of NtSetInformationThreadHideFromDebugger (anti-debugging: a thread with ThreadHideFromDebugger set no longer reports debug events to an attached debugger)
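The signature names in these task entries are labels the sandbox attaches to low-level behaviour; the page does not show the rules behind them. As an added example (my own, not the sandbox's rule engine and not the page author's code), the Python below re-derives a subset of those signatures from constructed registry and process events, using the standard Windows locations each name refers to: the Winlogon, Run, Image File Execution Options, DisallowRun and Uninstall keys, the Geo\Nation and Wine keys, and the fsutil/wevtutil command lines. The Event shape, the sample events and the ATT&CK mapping in the ATTACK table are assumptions of this example.

```python
"""Re-derive some of this report's behavioural signatures from raw sandbox
events (registry writes/reads and process launches). Added example with
constructed events; not the sandbox's own rule set. Registry locations are
the standard Windows keys each signature name refers to."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str       # "proc" (command line), "reg_set" (key\value written), "reg_read" (key or value read)
    target: str     # command line or registry path; for reg_set the last component is the value name
    data: str = ""  # data written (reg_set only)


WINLOGON = r"\software\microsoft\windows nt\currentversion\winlogon"
RUN_KEYS = (r"\software\microsoft\windows\currentversion\run",
            r"\software\microsoft\windows\currentversion\runonce")
IFEO = r"\software\microsoft\windows nt\currentversion\image file execution options"
DISALLOW_RUN = r"\software\microsoft\windows\currentversion\policies\explorer\disallowrun"
UNINSTALL = r"\software\microsoft\windows\currentversion\uninstall"
GEO_NATION = r"\control panel\international\geo\nation"
WINE = r"\software\wine"
CAPTURE_TOOLS = ("wireshark", "fiddler")

# Signature name -> ATT&CK technique, as mapped by this example (the page lists no IDs).
ATTACK = {
    "Clears Windows event logs": "T1070.001",
    "Adds Run key to start application": "T1547.001",
    "Modifies WinLogon for persistence": "T1547.004",
    "Sets file execution options in registry": "T1546.012",
    "Checks installed software on the system": "T1518",
    "Checks for common network interception software": "T1518",
    "Identifies Wine through registry keys": "T1497",
    "Checks computer location settings": "T1614",
}


def _norm(path):
    """Lower-case and shorten hive names so both HKEY_LOCAL_MACHINE and HKLM spellings match."""
    return path.lower().replace("hkey_local_machine", "hklm").replace("hkey_current_user", "hkcu")


def _key_and_value(path):
    key, _, value = _norm(path).rpartition("\\")
    return key, value


def evaluate(events):
    """Return the set of signature names (as this report labels them) that the events trigger.
    One matching event is enough; real engines add thresholds and exclusions."""
    hits = set()
    for ev in events:
        if ev.kind == "proc":
            cmd = ev.target.lower()
            if re.search(r"\bfsutil\b.*\busn\b.*\bdeletejournal\b", cmd):
                hits.add("Deletes NTFS Change Journal")
            if re.search(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", cmd):
                hits.add("Clears Windows event logs")
        elif ev.kind == "reg_set":
            key, value = _key_and_value(ev.target)
            if key.endswith(WINLOGON):
                if value == "autoadminlogon" and ev.data.strip() == "1":
                    hits.add("Modifies WinLogon to allow AutoLogon")
                if value in ("shell", "userinit"):
                    hits.add("Modifies WinLogon for persistence")
            if any(key.endswith(k) for k in RUN_KEYS):
                hits.add("Adds Run key to start application")
            if IFEO in key:
                hits.add("Sets file execution options in registry")
            if DISALLOW_RUN in key:
                hits.add("Blocks application from running via registry modification")
        elif ev.kind == "reg_read":
            path = _norm(ev.target)
            if UNINSTALL in path:
                hits.add("Checks installed software on the system")
            if any(tool in path for tool in CAPTURE_TOOLS):
                hits.add("Checks for common network interception software")
            if path.endswith(GEO_NATION):
                hits.add("Checks computer location settings")
            if WINE in path:
                hits.add("Identifies Wine through registry keys")
    return hits


def techniques(hits):
    """ATT&CK IDs for the matched signatures, using the mapping above."""
    return sorted({ATTACK[h] for h in hits if h in ATTACK})


# Constructed sample trace (not from any sample on this page).
SAMPLE_EVENTS = [
    Event("proc", r"C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /D C:"),
    Event("proc", r"wevtutil cl Security"),
    Event("reg_set", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon", "1"),
    Event("reg_set", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName", "Admin"),
    Event("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater", r"C:\Users\Public\updater.exe"),
    Event("reg_set", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger", r"C:\Users\Public\guard.exe"),
    Event("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1", "msconfig.exe"),
    Event("reg_read", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark"),
    Event("reg_read", r"HKCU\Control Panel\International\Geo\Nation"),
    Event("reg_read", r"HKCU\Software\Wine"),
]

if __name__ == "__main__":
    matched = evaluate(SAMPLE_EVENTS)
    for name in sorted(matched):
        print(name)
    print("ATT&CK:", techniques(matched))
```

Each rule fires on a single event, which is also why a family verdict such as the repeated BadRabbit hit across several differently named files here deserves corroboration (strings, code reuse, network indicators) before it is treated as attribution.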