Downloads.rar

Target

Downloads.rar

Size

184MB

Sample

201122-6x1at779dj

Score

10 ^/10

MD5

9e3e4dd2eca465797c3a07c0fa2254fe

SHA1

16ceee08c07179157b0fb6de04b7605360f34b20

SHA256

f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

SHA512

f6033af5252203878aa0d1ba77f4816694a953103927362f6308c527e84c61be00816bf9ccba207991f93248ffefaaf31e27f5fd7806d3a4cb35d4104e79f746

Extracted

Family	zloader
Botnet	main
Campaign	26.02.2020
C2	https://airnaa.org/sound.php https://banog.org/sound.php https://rayonch.org/sound.php https://airnaa.org/sound.php https://banog.org/sound.php https://rayonch.org/sound.php
rc4.plain

Extracted

Family	revengerat
Botnet	XDSDDD
C2	84.91.119.105:333 84.91.119.105:333

Extracted

Family	revengerat
Botnet	Victime
C2	cocohack.dtdns.net:84 cocohack.dtdns.net:84

Extracted

Family	zloader
Botnet	25/03
C2	https://wgyvjbse.pw/milagrecf.php https://botiq.xyz/milagrecf.php https://wgyvjbse.pw/milagrecf.php https://botiq.xyz/milagrecf.php
rc4.plain

Extracted

Family	revengerat
Botnet	samay
C2	shnf-47787.portmap.io:47787 shnf-47787.portmap.io:47787

Extracted

Family	zloader
Botnet	09/04
C2	https://eoieowo.casa/wp-config.php https://dcgljuzrb.pw/wp-config.php https://eoieowo.casa/wp-config.php https://dcgljuzrb.pw/wp-config.php
rc4.plain

Extracted

Family	zloader
Botnet	07/04
C2	https://xyajbocpggsr.site/wp-config.php https://ooygvpxrb.pw/wp-config.php https://xyajbocpggsr.site/wp-config.php https://ooygvpxrb.pw/wp-config.php
rc4.plain

Extracted

Family	revengerat
Botnet	INSERT-COIN
C2	3.tcp.ngrok.io:24041 3.tcp.ngrok.io:24041

Extracted

Family	revengerat
Botnet	YT
C2	yukselofficial.duckdns.org:5552 yukselofficial.duckdns.org:5552

Extracted

Family	revengerat
Botnet	system
C2	yj233.e1.luyouxia.net:20645 yj233.e1.luyouxia.net:20645

Extracted

Path	\??\c:\_R_E_A_D___T_H_I_S___S9T11QD_.txt
Family	cerber
Ransom Note	Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (_R_E_A_D___T_H_I_S_) with complete instructions how to decrypt your files. If you cannot find any (_R_E_A_D___T_H_I_S_) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/0595-186B-78CE-0098-BEB7 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/0595-186B-78CE-0098-BEB7 2. http://xpcx6erilkjced3j.19kdeh.top/0595-186B-78CE-0098-BEB7 3. http://xpcx6erilkjced3j.1mpsnr.top/0595-186B-78CE-0098-BEB7 4. http://xpcx6erilkjced3j.18ey8e.top/0595-186B-78CE-0098-BEB7 5. http://xpcx6erilkjced3j.17gcun.top/0595-186B-78CE-0098-BEB7 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs	http://xpcx6erilkjced3j.onion/0595-186B-78CE-0098-BEB7 http://xpcx6erilkjced3j.1n5mod.top/0595-186B-78CE-0098-BEB7 http://xpcx6erilkjced3j.19kdeh.top/0595-186B-78CE-0098-BEB7 http://xpcx6erilkjced3j.1mpsnr.top/0595-186B-78CE-0098-BEB7 http://xpcx6erilkjced3j.18ey8e.top/0595-186B-78CE-0098-BEB7 http://xpcx6erilkjced3j.17gcun.top/0595-186B-78CE-0098-BEB7

Extracted

Path	C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___PZECJ_.hta
Ransom Note	☑ English CRBR ENCRYPTOR Instructions ☑ Select your language English العربية 中文 Nederlands Français Deutsch Italiano 日本語 한국어 Polski Português Español Türkçe Can't yo zB u find the necessary files? Is the c HMlRpek ontent of your files not readable? It is normal be R7CyrrzkG cause the files' names and the data in your files have been encryp 5 ted by "CRBR Encryptor". It me T2t ans your files are NOT damage CXYKPst1NV d! Your files are modified only. This modification is reversible. F em3uuILL rom now it is not poss dYW ible to use your files until they will be decrypted. The only way to dec frIv rypt your files safely is to buy the special decryption software "CRBR Decryptor". Any attempts to rest OZYYi1 ore your files with the thir 5KgTMx d-party software will be fatal for your files! You can proc 1xzkYWF eed with purchasing of the decryption softw OX are at your personal page: Ple Ils ase wait... http://xpcx6erilkjced3j.1n5mod.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.19kdeh.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.1mpsnr.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.18ey8e.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.17gcun.top/0595-186B-78CE-0098-BEB7 If t a his page cannot be opened cli hrd ck here to get a new addr KFLXePuboX ess of your personal page. If the addre 4McDG ss of your personal page is the same as befo mr re after you tried to get a new one, you c eFS an try to get a new address in one hour. At th yVv is page you will receive the complete instr 4q0n4FakI1 uctions how to buy the decrypti 8jmCvN8bOA on software for restoring all your files. Also at this page you will be able to res sZlv5H tore any one file for free to be sure "CRBR Decryptor" will help you. If your per ybWkrO sonal page is not availa 9HIsPZxk ble for a long period there is another way to open your personal page - insta wQ4B0 llation and use of Tor Browser: run your Inte pPvgk rnet browser (if you do not know what it is run the Internet Explorer); ent A6FNmja er or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; wait for the site load juK ing; on the site you will be offered to do VHPWCalIG7 wnload Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; ru rOpg n Tor Browser; connect with the butt On on "Connect" (if you use the English version); a normal Internet bro XA73 wser window will be opened after the initialization; type or copy the add Dg ress http://xpcx6erilkjced3j.onion/0595-186B-78CE-0098-BEB7 in this browser address bar; pre 5YIF ss ENTER; the site sho Nsu3 uld be loaded; if for some reason the site is not lo bw ading wait for a moment and try again. If you have any pr IdyRiBwA oblems during installation or use of Tor Browser, please, visit https://www.youtube.com and type request in the searc 998rv h bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use. Addit J ional information: You will fi jNWt nd the instru fqMdd ctions ("_R_E_A_D___T_H_I_S_.hta") for re v storing your files in any f NaM0pD older with your enc IGL rypted files. The instr 5iUAJuKTG uctions "_R_E_A_D___T_H_I_S_.hta" in the f jN older i s with your encry 6VpS pted files are not vir b uses! The instruc of4jg tions "_R_E_A_D___T_H_I_S_.hta" will he Fy lp you to dec aO9KgAW rypt your files. Remembe hNJgb6 r! The worst si jGUT tuation already happ a2 ened and now the future of your files de eHU5FXOmt pends on your determ BXIHcn ination and speed of your actions. لا يمكنك العثور ع M لى الملفات الضرورية؟ هل محتوى الملفات غير قابل للقراءة؟ هذا أمر طبيع wJ ي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "CRBR Encryptor". وهذا يعني أن xyyWDCxE الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا. ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها. الطريقة الوحي ALPt6 دة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "CRBR Decryptor". إن أية محاولات لاستعادة s1F19g الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك! يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية: أرجو الإنتظار... http://xpcx6erilkjced3j.1n5mod.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.19kdeh.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.1mpsnr.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.18ey8e.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.17gcun.top/0595-186B-78CE-0098-BEB7 في حالة تعذر dtEy فتح هذه الصفحة انقر هنا لإنشاء عنوان جديد لصفحتك الشخصية. في هذه الصفحة aJ سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك. في هذه الص fMamDlcs فحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "CRBR Decryptor" سوف يساعدك. إذا كانت صف gdxcblX حتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor: قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر); قم بكتابة أو نسخ العنوان https://www.torproject.org/download/download-easy.html.en إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER; انتظر لتحميل الموقع; سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت; قم بتشغيل متصفح Tor; اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية); سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء; قم بكتابة أو نسخ العنوان http://xpcx6erilkjced3j.onion/0595-186B-78CE-0098-BEB7 في شريط العنوان في المتصفح; اضغط ENTER; يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى. إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة https://www.youtube.com واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه. معلومات إض LL3Nr40I7k افية: سوف تجد hKMBo3 إرشادات استعادة الملفات الخاصة بك ("_R_E_A_D___T_H_I_S_") في أي مجلد مع ملفاتك المشفرة. الإرشادات ("_RE IXEt AD_THIS_FILE_") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("_R_E_A_D___T_H_I_S_") سوف تساعدك على فك تشفير الملفات الخاصة بك. تذكر أن أسوأ موقف قد حدث بال Ky02iIyLq فعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك. 您找不到所需 Jm 的文件？您文件的内容无法阅读？这是正常的，因 qwASbLIcC 为您文件的文件名和数据已经被“CRBR Encryptor”加密了。这意味着您 j5xc5O2 的文件并没有损坏！您的文件只是被修改了，这个修改是可逆的，解密之前您无法使用您的文件。安全解密您文件 kiC 的唯一方式是购买特别的解密软件“CRBR Decryptor”。任何使用第三方 QJIMEVEJL 软件恢复您文件的方式对您的文件来说都将是致命的！您可以在您的个人页面上购买解密软件：请稍候... http://xpcx6erilkjced3j.1n5mod.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.19kdeh.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.1mpsnr.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.18ey8e.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.17gcun.top/0595-186B-78CE-0098-BEB7 如果这个 m0 页面无法打开，请点击这里生成您个人页面的新地址。您将在这个页面上 bk 看到如何购买解密软件以恢复您的文件。您可以在这个页 keLi 面使用“CRBR Decryptor”免费恢复任何文件。如果您的个人页面长 5PXAQp 期不可用，有其他方法可以打开您的个人页面 - 安装并使用 Tor 浏览器：使用您的上网浏览器（如果您不知道使用 Internet Explorer 的话）；在浏览器的地址栏输入或复制地址 https://www.torproject.org/download/download-easy.html.en 并按 ENTER 键；等待站点加载；您将在站点上下载 Tor 浏览器；下载并运行它，按照安装指南进行操作，等待直至安装完成；运行 Tor 浏览器；使用“Connect”按钮进行连接（如果您使用英文版）；初始化之后将打开正常的上网浏览器窗口；在浏览器地址栏中输入或复制地址 http://xpcx6erilkjced3j.onion/0595-186B-78CE-0098-BEB7 按 ENTER 键；该站点将加载；如果由于某些原因等待一会儿后没有加载，请重试。如果在安装期间或 epGm 使用 Tor 浏览器期间有任何问题，请访问 https://www.baidu.com 并在搜索栏中输入“怎么安装 Tor 浏览器”，您将找到有关如何安装洋葱 Tor 浏览器的说明和教程。附加 cfjws 信息：您将在任何带 BBBn 有加密文件的文件夹中找到恢复您文件(“_R_E_A_D___T_H_I_S_.hta”)的说明。带有加密 WiNmnZs6 文件的文件夹中的(“_R_E_A_D___T_H_I_S_.hta”)说明不是病毒，(“_R_E_A_D___T_H_I_S_.hta”)说明将帮助您解密您的文件。请记住，最坏的 nF 情况都发生过了，您的文件还能不能用取决于您的决定和反应速度。 Kunt u de nodige files niet vinden? Is de inhoud van uw bestanden niet leesbaar? Het is gewoonlijk omdat de bestandsnamen en de gegevens in uw bestanden zijn versleuteld door “CRBR Encryptor”. Het betekent dat uw bestanden NIET beschadigd zijn! Uw bestanden zijn alleen gewijzigd. Deze wijziging is omkeerbaar. Vanaf nu is het niet mogelijk uw bestanden te gebruiken totdat ze ontsleuteld zijn. De enige manier om uw bestanden veilig te ontsleutelen is door de speciale ontsleutel-software “CRBR Decryptor” te kopen. Elke poging om uw bestanden te herstellen met software van een derde partij zal fataal zijn voor uw bestanden! U kunt op uw persoonlijke pagina de ontsleutel-software kopen: Even geduld aub... http://xpcx6erilkjced3j.1n5mod.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.19kdeh.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.1mpsnr.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.18ey8e.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.17gcun.top/0595-186B-78CE-0098-BEB7 Als deze pagina niet geopend kan worden klik dan hier om een nieuw adres aan uw persoonlijke pagina toe te voegen. Op deze pagina zult u de complete instructies ontvangen hoe u de ontsleutel-software kunt kopen om al uw bestanden te herstellen. Op deze pagina kunt u ook één file gratis herstellen om u ervan te verzekeren dat “CRBR Decryptor” u zal helpen. Als uw persoonlijke pagina langere tijd niet beschikbaar is, is er een andere manier om uw persoonlijke pagina te openen – het installeren en gebruiken van Tor Browser: start uw intern f8PrxPIR et browser (als u niet weet welke dat is, start dan Internet Explorer); voer het adr JII es in of kopieer het adres https://www.torproject.org/download/download-easy.html.en in de adresbalk van uw browser en druk op ENTER; wacht totdat de site laad gsgb t; op de site word Mp t u aangeboden om de Tor Browser te laden; downloadt het en voer het uit, volg de installatie instructies, en wacht totdat de installatie compleet is; voer Tor Brow 4QI ser uit; maak verbinding m Ugh et de knop “Connect” (als u de Engelse versie gebruikt); een normale Intern kD7Lj et browser zal openen na de installatie; typ of kopieer het a 9rMCk dres http://xpcx6erilkjced3j.onion/0595-186B-78CE-0098-BEB7 in de adresbalk van uw browser; druk EN 7CI TER; de site zou moeten la Eg den; als om enige reden de site niet laadt, wacht dan even en probeer opnieuw. Indien uw problemen heeft tijdens de installatie of het gebruik van Tor Browser, ga dan naar https://www.youtube.com en typ in de zoekbalk “install tor browser windows” en u zult een heleboel training video’s vinden over de installatie en het gebruik van Tor Browser. Aanvullende informatie: U vindt de instructies om uw bestanden te herstellen (“_R_E_A_D___T_H_I_S_.hta”) in elke folder met uw versleutelde bestanden. De instructies (“_R_E_A_D___T_H_I_S_.hta”) in de folders met uw versleutelde bestanden zijn geen virussen, de instructies (“_R_E_A_D___T_H_I_S_.hta”) zal u helpen uw bestanden te ontsleutelen. Denk eraan, het ergste is al gebeurd en de toekomst van uw bestanden hangt af van uw vastberadenheid en de snelheid van uw acties. Vous ne trouvez pas les fic xD hiers necessaires? Le contenu de vos fichiers n’est pas lisible? C’est normal car les noms d YsWLg1HO0 es fichiers et des donnees dans vos fichiers ont ete cryptes par «CRBR Encryptor». Cela signifie que vos fich Cd0oMqzXw iers ne sont PAS endommages! Vos fichiers sont seulement modifies. Cette modification est reversible. A partir de maintenant, il n’est plus possible d’utiliser vos fichiers jusqu'a ce qu’ils soient decryptes. La seule facon de dec L rypter vos fichiers en toute securite est d’acheter le logiciel de decryptage special «CRBR Decryptor». Toute tentative visant a rest pl aurer vos fichiers avec le logiciel tiers sera fatale pour vos fichiers! Vous pouvez proceder a l’achat du logiciel de decryptage sur vot 3uBR0adotF re page personnelle: S'il vous plaît, att 6mqOr endez... http://xpcx6erilkjced3j.1n5mod.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.19kdeh.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.1mpsnr.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.18ey8e.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.17gcun.top/0595-186B-78CE-0098-BEB7 Si vous ne pouvez pas ouvrir cette page cliquez ici pour generer une nouvelle adresse pour votre page personnelle. A cette page, vous recevrez les instructions comple MuSnqz tes sur la facon d'acheter le logiciel de decryptage pour la restauration de tous vos fichiers. Egalement a cette page, vous serez en mesure de restaure h r n’importe quel fichier gratuitement pour etre sur que «CRBR Decryptor» vous aidera. Si votre page personn v5XqSHShf elle n’est pas disponible pendant une longue periode il y a une autre facon d’ouvrir votre page personnelle - installation et utilisation de Tor Browser: executez votre navigateur Internet (si vous ne savez pas ce que c’est, lancez Internet Explorer); saisissez ou copiez l’adresse https://www.torproject.org/download/download-easy.html.en dans la barre d’adresses de votre navigateur et appuyez sur ENTREE; attendez que le site charge; sur le site, il vous sera propose de telecharger Tor Browser; Telechargez et executez-le, suivez les instructions d’installation, attendez que l’installation se termine; lancez Tor Browser; connectez-vous avec le bouton «Connect» (si vous utilisez la version anglaise); une fenetre du navigateur Internet normale sera ouverte apres l’initialisation; tapez ou copiez l’adresse http://xpcx6erilkjced3j.onion/0595-186B-78CE-0098-BEB7 dans cette barre d’adresse de navigateur; appuyez sur ENTREE; le site doit etre charge; Si pour une raison quelconque, le site ne se
URLs	http://xpcx6erilkjced3j.1n5mod.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.19kdeh.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.1mpsnr.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.18ey8e.top/0595-186B-78CE-0098-BEB7http://xpcx6erilkjced3j.17gcun.top/0595-186B-78CE-0098-BEB7 http://xpcx6erilkjced3j.onion/0595-186B-78CE-0098-BEB7 https://www.baidu.com

Target

Endermanch@000.exe

MD5

f2b7074e1543720a9a98fda660e02688

Filesize

6MB

Score

8 ^/10

SHA1

1029492c1a12789d8af78d54adcb921e24b9e5ca

SHA256

4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

SHA512

73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

Tags

evasion persistence ransomware

Signatures

Disables Task Manager via registry modification

Tags

evasion
Enumerates connected drives

Description

Attempts to read the root path of hard drives other than the default C: drive.

TTPs

Query Registry Peripheral Device Discovery System Information Discovery
Modifies WinLogon

Tags

persistence

TTPs

Winlogon Helper DLL Modify Registry
Sets desktop wallpaper using registry

Tags

ransomware

TTPs

Defacement Modify Registry

Related Tasks

behavioral1

Target

Endermanch@7ev3n.exe

MD5

9f8bc96c96d43ecb69f883388d228754

Filesize

315KB

Score

10 ^/10

SHA1

61ed25a706afa2f6684bb4d64f69c5fb29d20953

SHA256

7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5

SHA512

550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

Tags

bootkit evasion persistence ransomware trojan

Signatures

Modifies WinLogon for persistence

Tags

persistence

TTPs

Winlogon Helper DLL Modify Registry
UAC bypass

Tags

evasion trojan

TTPs

Bypass User Account Control Disabling Security Tools Modify Registry
Executes dropped EXE
Modifies WinLogon to allow AutoLogon

Description

Enables rebooting of the machine without requiring login credentials.

Tags

ransomware bootkit

TTPs

Winlogon Helper DLL Modify Registry
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry

Related Tasks

behavioral2

Target

Endermanch@AnViPC2009.exe

MD5

910dd666c83efd3496f21f9f211cdc1f

Filesize

1MB

Score

10 ^/10

SHA1

77cd736ee1697beda0ac65da24455ec566ba7440

SHA256

06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45

SHA512

467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47

Tags

badrabbit bootkit evasion ransomware

Signatures

BadRabbit

Description

Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Tags

ransomware badrabbit
Deletes NTFS Change Journal

Description

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

Tags

ransomware

TTPs

Inhibit System Recovery Data Destruction
Clears Windows event logs

Tags

evasion ransomware

TTPs

Indicator Removal on Host
Blacklisted process makes network request
Executes dropped EXE
Modifies WinLogon to allow AutoLogon

Description

Enables rebooting of the machine without requiring login credentials.

Tags

ransomware bootkit

TTPs

Winlogon Helper DLL Modify Registry
Loads dropped DLL
JavaScript code in executable

Related Tasks

behavioral3

Target

Endermanch@Antivirus.exe

MD5

c7e9746b1b039b8bd1106bca3038c38f

Filesize

1MB

Score

7 ^/10

SHA1

cb93ac887876bafe39c5f9aa64970d5e747fb191

SHA256

b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4

SHA512

cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

Tags

persistence spyware

Signatures

Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry

Related Tasks

behavioral4

Target

Endermanch@AntivirusPlatinum.exe

MD5

382430dd7eae8945921b7feab37ed36b

Filesize

739KB

Score

10 ^/10

SHA1

c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128

SHA256

70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b

SHA512

26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

Tags

badrabbit bootkit evasion persistence ransomware trojan upx

Signatures

BadRabbit

Description

Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Tags

ransomware badrabbit
Deletes NTFS Change Journal

Description

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

Tags

ransomware

TTPs

Inhibit System Recovery Data Destruction
Windows security bypass

Tags

evasion trojan

TTPs

Disabling Security Tools Modify Registry
Clears Windows event logs

Tags

evasion ransomware

TTPs

Indicator Removal on Host
Blacklisted process makes network request
Disables RegEdit via registry modification

Tags

evasion
Executes dropped EXE
Modifies WinLogon to allow AutoLogon

Description

Enables rebooting of the machine without requiring login credentials.

Tags

ransomware bootkit

TTPs

Winlogon Helper DLL Modify Registry
Modifies extensions of user files

Description

Ransomware generally changes the extension on encrypted files.

Tags

ransomware
UPX packed file

Description

Detects executables packed with UPX/modified UPX open source packer.

Tags

upx
Windows security modification

Tags

evasion trojan

TTPs

Disabling Security Tools Modify Registry
Modifies service

Tags

persistence

TTPs

Modify Registry Modify Existing Service

Related Tasks

behavioral5

Target

Endermanch@AntivirusPro2017.exe

MD5

7dfbfba1e4e64a946cb096bfc937fbad

Filesize

816KB

Score

7 ^/10

SHA1

9180d2ce387314cd4a794d148ea6b14084c61e1b

SHA256

312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94

SHA512

f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

Tags

bootkit persistence spyware

Signatures

Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Enumerates connected drives

Description

Attempts to read the root path of hard drives other than the default C: drive.

TTPs

Query Registry Peripheral Device Discovery System Information Discovery
Writes to the Master Boot Record (MBR)

Description

Bootkits write to the MBR to gain persistence at a level below the operating system.

Tags

bootkit persistence

TTPs

Bootkit

Related Tasks

behavioral6

Target

Endermanch@BadRabbit.exe

MD5

fbbdc39af1139aebba4da004475e8839

Filesize

431KB

Score

10 ^/10

SHA1

de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256

630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512

74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Tags

badrabbit bootkit evasion ransomware

Signatures

BadRabbit

Description

Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Tags

ransomware badrabbit
Deletes NTFS Change Journal

Description

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

Tags

ransomware

TTPs

Inhibit System Recovery Data Destruction
Clears Windows event logs

Tags

evasion ransomware

TTPs

Indicator Removal on Host
Blacklisted process makes network request
Executes dropped EXE
Modifies WinLogon to allow AutoLogon

Description

Enables rebooting of the machine without requiring login credentials.

Tags

ransomware bootkit

TTPs

Winlogon Helper DLL Modify Registry

Related Tasks

behavioral7

Target

Endermanch@Birele.exe

MD5

41789c704a0eecfdd0048b4b4193e752

Filesize

116KB

Score

10 ^/10

SHA1

fb1e8385691fa3293b7cbfb9b2656cf09f20e722

SHA256

b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23

SHA512

76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

Tags

badrabbit bootkit evasion persistence ransomware

Signatures

BadRabbit

Description

Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Tags

ransomware badrabbit
Deletes NTFS Change Journal

Description

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

Tags

ransomware

TTPs

Inhibit System Recovery Data Destruction
Modifies WinLogon for persistence

Tags

persistence

TTPs

Winlogon Helper DLL Modify Registry
Clears Windows event logs

Tags

evasion ransomware

TTPs

Indicator Removal on Host
Executes dropped EXE
Modifies WinLogon to allow AutoLogon

Description

Enables rebooting of the machine without requiring login credentials.

Tags

ransomware bootkit

TTPs

Winlogon Helper DLL Modify Registry
Modifies extensions of user files

Description

Ransomware generally changes the extension on encrypted files.

Tags

ransomware
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry

Related Tasks

behavioral8

Target

Endermanch@Cerber5.exe

MD5

fe1bc60a95b2c2d77cd5d232296a7fa4

Filesize

313KB

Score

10 ^/10

SHA1

c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256

b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512

266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Tags

cerber evasion ransomware

Signatures

Cerber

Description

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

Tags

ransomware cerber
Blacklisted process makes network request
Modifies Windows Firewall

Tags

evasion

TTPs

Modify Existing Service
Drops startup file
Enumerates connected drives

Description

Attempts to read the root path of hard drives other than the default C: drive.

TTPs

Query Registry Peripheral Device Discovery System Information Discovery
Drops file in System32 directory
Sets desktop wallpaper using registry

Tags

ransomware

TTPs

Defacement Modify Registry

Related Tasks

behavioral9

Target

Endermanch@CleanThis.exe

MD5

a50fc0da1d2b3c4aa8a6adaccf69a5de

Filesize

618KB

Score

10 ^/10

SHA1

e001f4043ab4be644ea10e0d65303d6e57b31ffe

SHA256

cf6eb8377789e316629c0396a2dbb53c69b5fd67bbd0e7163b8d305aaa756e90

SHA512

4bbc7676391ed4085f628d1f4e1f0af16f5cd6fd9efb8c61176bccdb6ee03b06896c6ddfba9fcf363b133ade3a8a1b8cd17ef92d8eb9adeec247f9bd41dbec2b

Tags

badrabbit bootkit evasion persistence ransomware

Signatures

BadRabbit

Description

Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Tags

ransomware badrabbit
Deletes NTFS Change Journal

Description

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

Tags

ransomware

TTPs

Inhibit System Recovery Data Destruction
Modifies WinLogon for persistence

Tags

persistence

TTPs

Winlogon Helper DLL Modify Registry
Clears Windows event logs

Tags

evasion ransomware

TTPs

Indicator Removal on Host
Blacklisted process makes network request
Executes dropped EXE
Modifies WinLogon to allow AutoLogon

Description

Enables rebooting of the machine without requiring login credentials.

Tags

ransomware bootkit

TTPs

Winlogon Helper DLL Modify Registry
Maps connected drives based on registry

Description

Disk information is often read in order to detect sandboxing environments.

TTPs

Query Registry Peripheral Device Discovery System Information Discovery

Related Tasks

behavioral10

Target

Endermanch@ColorBug.exe

MD5

6536b10e5a713803d034c607d2de19e3

Filesize

53KB

Score

6 ^/10

SHA1

a6000c05f565a36d2250bdab2ce78f505ca624b7

SHA256

775ba68597507cf3c24663f5016d257446abeb66627f20f8f832c0860cad84de

SHA512

61727cf0b150aad6965b4f118f33fd43600fb23dde5f0a3e780cc9998dfcc038b7542bfae9043ce28fb08d613c2a91ff9166f28a2a449d0e3253adc2cb110018

Tags

persistence

Signatures

Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry

Related Tasks

behavioral11

Target

Endermanch@DeriaLock.exe

MD5

0a7b70efba0aa93d4bc0857b87ac2fcb

Filesize

484KB

Score

10 ^/10

SHA1

01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256

4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512

2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Tags

badrabbit bootkit evasion ransomware

Signatures

BadRabbit

Description

Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Tags

ransomware badrabbit
Deletes NTFS Change Journal

Description

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

Tags

ransomware

TTPs

Inhibit System Recovery Data Destruction
Clears Windows event logs

Tags

evasion ransomware

TTPs

Indicator Removal on Host
Executes dropped EXE
Modifies WinLogon to allow AutoLogon

Description

Enables rebooting of the machine without requiring login credentials.

Tags

ransomware bootkit

TTPs

Winlogon Helper DLL Modify Registry
Modifies extensions of user files

Description

Ransomware generally changes the extension on encrypted files.

Tags

ransomware
Drops startup file

Related Tasks

behavioral12

Target

Endermanch@Deskbottom.exe

MD5

c954b69e480950ad8f138bf8848c562c

Filesize

461KB

Score

1 ^/10

SHA1

207c3f932d8ac66bc10e090a97c02ac07dbb68fa

SHA256

2f4bd27bffe3a5d1f541f1ee682d060316a0043312b35f18dfe5137efe8d7680

SHA512

e8bbce74a647939337df72c3ab29c320aeef2b6f0214d68768bc7da8262a978e6ed54f7b1aefadb394abc85518757acf8e8633a145c39cb3f712adf8561aeaa9

Related Tasks

behavioral13

Target

Endermanch@DesktopPuzzle.exe

MD5

2f8f6e90ca211d7ef5f6cf3c995a40e7

Filesize

239KB

Score

10 ^/10

SHA1

f8940f280c81273b11a20d4bfb43715155f6e122

SHA256

1f5a26f24a2bfdd301008f0cc51a6c3762f41b926f974c814f1ecaa4cb28e5e6

SHA512

2b38475550edee5519e33bd18fea510ad73345a27c20f6457710498d34e3d0cf05b0f96f32d018e7dc154a6f2232ea7e3145fd0ed5fb498f9e4702a4be1bb9c8

Tags

badrabbit bootkit evasion ransomware

Signatures

BadRabbit

Description

Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Tags

ransomware badrabbit
Deletes NTFS Change Journal

Description

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

Tags

ransomware

TTPs

Inhibit System Recovery Data Destruction
Clears Windows event logs

Tags

evasion ransomware

TTPs

Indicator Removal on Host
Executes dropped EXE
Modifies WinLogon to allow AutoLogon

Description

Enables rebooting of the machine without requiring login credentials.

Tags

ransomware bootkit

TTPs

Winlogon Helper DLL Modify Registry
Modifies extensions of user files

Description

Ransomware generally changes the extension on encrypted files.

Tags

ransomware

Related Tasks

behavioral14

Target

Endermanch@FakeAdwCleaner.exe

MD5

248aadd395ffa7ffb1670392a9398454

Filesize

190KB

Score

10 ^/10

SHA1

c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5

SHA256

51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc

SHA512

582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

Tags

badrabbit bootkit evasion persistence ransomware

Signatures

BadRabbit

Description

Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Tags

ransomware badrabbit
Deletes NTFS Change Journal

Description

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

Tags

ransomware

TTPs

Inhibit System Recovery Data Destruction
Clears Windows event logs

Tags

evasion ransomware

TTPs

Indicator Removal on Host
Blacklisted process makes network request
Executes dropped EXE
Modifies WinLogon to allow AutoLogon

Description

Enables rebooting of the machine without requiring login credentials.

Tags

ransomware bootkit

TTPs

Winlogon Helper DLL Modify Registry
Modifies extensions of user files

Description

Ransomware generally changes the extension on encrypted files.

Tags

ransomware
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry

Related Tasks

behavioral15

Target

Endermanch@FreeYoutubeDownloader.exe

MD5

13f4b868603cf0dd6c32702d1bd858c9

Filesize

396KB

Score

8 ^/10

SHA1

a595ab75e134f5616679be5f11deefdfaae1de15

SHA256

cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7

SHA512

e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24

Tags

discovery persistence

Signatures

Executes dropped EXE
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry

Related Tasks

behavioral16

Target

Endermanch@HMBlocker.exe

MD5

21943d72b0f4c2b42f242ac2d3de784c

Filesize

48KB

Score

10 ^/10

SHA1

c887b9d92c026a69217ca550568909609eec1c39

SHA256

2d047b0a46be4da59d375f71cfbd578ce1fbf77955d0bb149f6be5b9e4552180

SHA512

04c9fa8358944d01b5fd0b6d5da2669df4c54fe79c58e7987c16bea56c114394173b6e8a6ac54cd4acd081fcbc66103ea6514c616363ba8d212db13b301034d8

Tags

badrabbit bootkit persistence ransomware

Signatures

BadRabbit

Description

Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Tags

ransomware badrabbit
Modifies WinLogon to allow AutoLogon

Description

Enables rebooting of the machine without requiring login credentials.

Tags

ransomware bootkit

TTPs

Winlogon Helper DLL Modify Registry
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry

Related Tasks

behavioral17

Target

Endermanch@HappyAntivirus.exe

MD5

cb02c0438f3f4ddabce36f8a26b0b961

Filesize

1MB

Score

1 ^/10

SHA1

48c4fcb17e93b74030415996c0ec5c57b830ea53

SHA256

64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

SHA512

373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

Related Tasks

behavioral18

Target

Endermanch@Illerka.C.exe

MD5

c718a1cbf0e13674714c66694be02421

Filesize

378KB

Score

10 ^/10

SHA1

001d5370d3a7ee48db6caaecb1c213b5dfdf8e65

SHA256

cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f

SHA512

ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a

Tags

badrabbit bootkit evasion ransomware trojan

Signatures

BadRabbit

Description

Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Tags

ransomware badrabbit
Deletes NTFS Change Journal

Description

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

Tags

ransomware

TTPs

Inhibit System Recovery Data Destruction
UAC bypass

Tags

evasion trojan

TTPs

Bypass User Account Control Disabling Security Tools Modify Registry
Clears Windows event logs

Tags

evasion ransomware

TTPs

Indicator Removal on Host
Executes dropped EXE
Modifies WinLogon to allow AutoLogon

Description

Enables rebooting of the machine without requiring login credentials.

Tags

ransomware bootkit

TTPs

Winlogon Helper DLL Modify Registry
Modifies extensions of user files

Description

Ransomware generally changes the extension on encrypted files.

Tags

ransomware
Checks whether UAC is enabled

Tags

evasion trojan

TTPs

System Information Discovery

Related Tasks

behavioral19

Target

Endermanch@InternetSecurityGuard.exe

MD5

04155ed507699b4e37532e8371192c0b

Filesize

6MB

Score

9 ^/10

SHA1

a14107131237dbb0df750e74281c462a2ea61016

SHA256

b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77

SHA512

6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371

Tags

bootkit discovery evasion persistence spyware

Signatures

Checks for common network interception software

Description

Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Tags

evasion

TTPs
Enumerates VirtualBox registry keys

Tags

evasion

TTPs

Query Registry Virtualization/Sandbox Evasion
Blocks application from running via registry modification

Description

Adds application to list of disallowed applications.

Tags

evasion
Drops file in Drivers directory
Sets file execution options in registry

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Checks for any installed AV software in registry

TTPs

Security Software Discovery
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry
Enumerates connected drives

Description

Attempts to read the root path of hard drives other than the default C: drive.

TTPs

Query Registry Peripheral Device Discovery System Information Discovery
Writes to the Master Boot Record (MBR)

Description

Bootkits write to the MBR to gain persistence at a level below the operating system.

Tags

bootkit persistence

TTPs

Bootkit

Related Tasks

behavioral20

Target

Endermanch@Koteyka2.exe

MD5

7734f0e56da17e9a5940fd782d739f9b

Filesize

762KB

Score

10 ^/10

SHA1

4dfae67e40be6c4c83191ea0cf8d1b28afba884c

SHA256

8855299560183b57556d9714a2b958cdc6190fcdfb270633da2a47dfeee20015

SHA512

53d07938bafbcb9524cdba6d25e09fcdae128a83718ab686374f0526730e2e6380f60e3bf951601e48f6f8e64563c484ddd8baf9be2878a5ad393817028a9632

Tags

badrabbit bootkit evasion ransomware

Signatures

BadRabbit

Description

Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Tags

ransomware badrabbit
Deletes NTFS Change Journal

Description

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

Tags

ransomware

TTPs

Inhibit System Recovery Data Destruction
Clears Windows event logs

Tags

evasion ransomware

TTPs

Indicator Removal on Host
Blacklisted process makes network request
Executes dropped EXE
Modifies WinLogon to allow AutoLogon

Description

Enables rebooting of the machine without requiring login credentials.

Tags

ransomware bootkit

TTPs

Winlogon Helper DLL Modify Registry

Related Tasks

behavioral21

Target

Endermanch@LPS2019.exe

MD5

2eb3ce80b26345bd139f7378330b19c1

Filesize

1MB

Score

10 ^/10

SHA1

10122bd8dd749e20c132d108d176794f140242b0

SHA256

8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2

SHA512

e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a

Tags

badrabbit bootkit evasion persistence ransomware

Signatures

BadRabbit

Description

Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Tags

ransomware badrabbit
Deletes NTFS Change Journal

Description

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

Tags

ransomware

TTPs

Inhibit System Recovery Data Destruction
Clears Windows event logs

Tags

evasion ransomware

TTPs

Indicator Removal on Host
Blacklisted process makes network request
Executes dropped EXE
Modifies WinLogon to allow AutoLogon

Description

Enables rebooting of the machine without requiring login credentials.

Tags

ransomware bootkit

TTPs

Winlogon Helper DLL Modify Registry
Modifies extensions of user files

Description

Ransomware generally changes the extension on encrypted files.

Tags

ransomware
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
JavaScript code in executable

Related Tasks

behavioral22

Target

Endermanch@Movie.mpeg.exe

MD5

d0deb2644c9435ea701e88537787ea6e

Filesize

414KB

Score

3 ^/10

SHA1

866e47ecd80da89c4f56557659027a3aee897132

SHA256

ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3

SHA512

6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf

Related Tasks

behavioral23

Target

Endermanch@NavaShield(1).exe

MD5

1f13396fa59d38ebe76ccc587ccb11bb

Filesize

9MB

Score

10 ^/10

SHA1

867adb3076c0d335b9bfa64594ef37a7e2c951ff

SHA256

83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d

SHA512

82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc

Tags

badrabbit discovery macro persistence ransomware spyware

Signatures

BadRabbit

Description

Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Tags

ransomware badrabbit
Blacklisted process makes network request
Executes dropped EXE
Modifies extensions of user files

Description

Ransomware generally changes the extension on encrypted files.

Tags

ransomware
Suspicious Office macro

Description

Office document equipped with 4.0 macros.

Tags

macro
Checks computer location settings

Description

Looks up country code configured in the registry, likely geofence.

TTPs

Query Registry System Information Discovery
Loads dropped DLL
Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry
Drops Chrome extension
JavaScript code in executable

Related Tasks

behavioral24

Target

Endermanch@NavaShield.exe

MD5

1f13396fa59d38ebe76ccc587ccb11bb

Filesize

9MB

Score

1 ^/10

SHA1

867adb3076c0d335b9bfa64594ef37a7e2c951ff

SHA256

83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d

SHA512

82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc

Related Tasks

behavioral25

Target

Endermanch@PCDefender.exe

MD5

e4d4a59494265949993e26dee7b077d1

Filesize

878KB

Score

10 ^/10

SHA1

83e3d0c7e544117d6054e7d55932a7d2dbaf1163

SHA256

5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd

SHA512

efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718

Tags

badrabbit bootkit evasion persistence ransomware

Signatures

BadRabbit

Description

Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Tags

ransomware badrabbit
Deletes NTFS Change Journal

Description

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

Tags

ransomware

TTPs

Inhibit System Recovery Data Destruction
Modifies WinLogon for persistence

Tags

persistence

TTPs

Winlogon Helper DLL Modify Registry
Clears Windows event logs

Tags

evasion ransomware

TTPs

Indicator Removal on Host
Executes dropped EXE
Modifies WinLogon to allow AutoLogon

Description

Enables rebooting of the machine without requiring login credentials.

Tags

ransomware bootkit

TTPs

Winlogon Helper DLL Modify Registry
Modifies extensions of user files

Description

Ransomware generally changes the extension on encrypted files.

Tags

ransomware
Enumerates connected drives

Description

Attempts to read the root path of hard drives other than the default C: drive.

TTPs

Query Registry Peripheral Device Discovery System Information Discovery
JavaScript code in executable
Modifies service

Tags

persistence

TTPs

Modify Registry Modify Existing Service

Related Tasks

behavioral26

Target

Endermanch@PCDefenderv2.msi

MD5

b3dce5c3f95a18fd076fad0f73bb9e39

Filesize

860KB

Score

10 ^/10

SHA1

e80cc285a77302ee221f47e4e94823d4b2eba368

SHA256

df2e3b2222dcdbb5e0dbdd1200ec8fd5f67fcbea99e0023df54307eab60030ff

SHA512

c184436055cf74884ad0d2bd5ca00bcd5a62d6be46253fe8c71b4daaa5c710b9df34af1b6e41f6d1af94bcdec0d33679a6a1b34bf9755678b4e177f368c11d4c

Tags

bootkit persistence ransomware

Signatures

Modifies WinLogon for persistence

Tags

persistence

TTPs

Winlogon Helper DLL Modify Registry
Executes dropped EXE
Modifies WinLogon to allow AutoLogon

Description

Enables rebooting of the machine without requiring login credentials.

Tags

ransomware bootkit

TTPs

Winlogon Helper DLL Modify Registry
Enumerates connected drives

Description

Attempts to read the root path of hard drives other than the default C: drive.

TTPs

Query Registry Peripheral Device Discovery System Information Discovery
Modifies service

Tags

persistence

TTPs

Modify Registry Modify Existing Service

Related Tasks

behavioral27

Target

Endermanch@PolyRansom.exe

MD5

3ed3fb296a477156bc51aba43d825fc0

Filesize

220KB

Score

10 ^/10

SHA1

9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256

1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512

dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Tags

badrabbit bootkit evasion macro persistence ransomware spyware trojan

Signatures

BadRabbit

Description

Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Tags

ransomware badrabbit
Deletes NTFS Change Journal

Description

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

Tags

ransomware

TTPs

Inhibit System Recovery Data Destruction
Modifies visibility of file extensions in Explorer

Tags

evasion

TTPs

Hidden Files and Directories Modify Registry
UAC bypass

Tags

evasion trojan

TTPs

Bypass User Account Control Disabling Security Tools Modify Registry
Clears Windows event logs

Tags

evasion ransomware

TTPs

Indicator Removal on Host
Blacklisted process makes network request
Executes dropped EXE
Modifies WinLogon to allow AutoLogon

Description

Enables rebooting of the machine without requiring login credentials.

Tags

ransomware bootkit

TTPs

Winlogon Helper DLL Modify Registry
Suspicious Office macro

Description

Office document equipped with 4.0 macros.

Tags

macro
Checks computer location settings

Description

Looks up country code configured in the registry, likely geofence.

TTPs

Query Registry System Information Discovery
Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local System Credentials in Files
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Drops file in System32 directory

Related Tasks

behavioral28

Target

Endermanch@PowerPoint.exe

MD5

70108103a53123201ceb2e921fcfe83c

Filesize

136KB

Score

8 ^/10

SHA1

c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256

9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512

996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Tags

bootkit persistence ransomware

Signatures

Executes dropped EXE
Modifies WinLogon to allow AutoLogon

Description

Enables rebooting of the machine without requiring login credentials.

Tags

ransomware bootkit

TTPs

Winlogon Helper DLL Modify Registry
Deletes itself
Writes to the Master Boot Record (MBR)

Description

Bootkits write to the MBR to gain persistence at a level below the operating system.

Tags

bootkit persistence

TTPs

Bootkit

Related Tasks

behavioral29

Target

Endermanch@ProgramOverflow.exe

MD5

c4aab3b24b159148d6d47a9e5897e593

Filesize

566KB

Score

7 ^/10

SHA1

7061c2e85de9f3fd51cccdecb8965f1e710d1fe5

SHA256

03a4d3563a7519542c662b5fd5d61215f3d76a3902717efe11230292ea4bbafc

SHA512

9bc522ff0d598a1f1425a09a2794584c4991a99bc382b0ee9135311950cdbf2f5331ae041a4b01052735b5fae3a2763ea1b5c01ce679b07fba73c6f75cb4c252

Signatures

Checks computer location settings

Description

Looks up country code configured in the registry, likely geofence.

TTPs

Query Registry System Information Discovery

Related Tasks

behavioral30

Target

Endermanch@RegistrySmart.exe

MD5

0002dddba512e20c3f82aaab8bad8b4d

Filesize

1MB

Score

10 ^/10

SHA1

493286b108822ba636cc0e53b8259e4f06ecf900

SHA256

2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7

SHA512

497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b

Tags

badrabbit bootkit discovery evasion persistence ransomware

Signatures

BadRabbit

Description

Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Tags

ransomware badrabbit
Deletes NTFS Change Journal

Description

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

Tags

ransomware

TTPs

Inhibit System Recovery Data Destruction
Clears Windows event logs

Tags

evasion ransomware

TTPs

Indicator Removal on Host
Blacklisted process makes network request
Executes dropped EXE
Modifies WinLogon to allow AutoLogon

Description

Enables rebooting of the machine without requiring login credentials.

Tags

ransomware bootkit

TTPs

Winlogon Helper DLL Modify Registry
Modifies extensions of user files

Description

Ransomware generally changes the extension on encrypted files.

Tags

ransomware
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry

Related Tasks

behavioral31

Target

Endermanch@SE2011.exe

MD5

02f471d1fefbdc07af5555dbfd6ea918

Filesize

2MB

Score

10 ^/10

SHA1

2a8f93dd21628933de8bea4a9abc00dbb215df0b

SHA256

36619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba

SHA512

287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559

Tags

evasion persistence

Signatures

Modifies WinLogon for persistence

Tags

persistence

TTPs

Winlogon Helper DLL Modify Registry
Executes dropped EXE
Checks computer location settings

Description

Looks up country code configured in the registry, likely geofence.

TTPs

Query Registry System Information Discovery
Identifies Wine through registry keys

Description

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Tags

evasion

TTPs

Query Registry Virtualization/Sandbox Evasion
Adds Run key to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Suspicious use of NtSetInformationThreadHideFromDebugger