Resubmissions

03-02-2021 11:43

210203-6bgge2nfan 10

22-11-2020 06:42

201122-6x1at779dj 10

General

  • Target

    Downloads.rar

  • Size

    184MB

  • Sample

    210203-6bgge2nfan

  • MD5

    9e3e4dd2eca465797c3a07c0fa2254fe

  • SHA1

    16ceee08c07179157b0fb6de04b7605360f34b20

  • SHA256

    f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

  • SHA512

    f6033af5252203878aa0d1ba77f4816694a953103927362f6308c527e84c61be00816bf9ccba207991f93248ffefaaf31e27f5fd7806d3a4cb35d4104e79f746

Malware Config

Extracted

Family

zloader

Botnet

main

Campaign

26.02.2020

C2

https://airnaa.org/sound.php

https://banog.org/sound.php

https://rayonch.org/sound.php

rc4.plain

Extracted

Family

revengerat

Botnet

XDSDDD

C2

84.91.119.105:333

Extracted

Family

revengerat

Botnet

Victime

C2

cocohack.dtdns.net:84

Extracted

Family

zloader

Botnet

25/03

C2

https://wgyvjbse.pw/milagrecf.php

https://botiq.xyz/milagrecf.php

rc4.plain

Extracted

Family

revengerat

Botnet

samay

C2

shnf-47787.portmap.io:47787

Extracted

Family

zloader

Botnet

09/04

C2

https://eoieowo.casa/wp-config.php

https://dcgljuzrb.pw/wp-config.php

rc4.plain

Extracted

Family

zloader

Botnet

07/04

C2

https://xyajbocpggsr.site/wp-config.php

https://ooygvpxrb.pw/wp-config.php

rc4.plain

Extracted

Family

revengerat

Botnet

INSERT-COIN

C2

3.tcp.ngrok.io:24041

Extracted

Family

revengerat

Botnet

YT

C2

yukselofficial.duckdns.org:5552

Extracted

Family

revengerat

Botnet

system

C2

yj233.e1.luyouxia.net:20645

Targets

    • Target

      Endermanch@000.exe

    • Size

      6MB

    • MD5

      f2b7074e1543720a9a98fda660e02688

    • SHA1

      1029492c1a12789d8af78d54adcb921e24b9e5ca

    • SHA256

      4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

    • SHA512

      73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

    • Disables Task Manager via registry modification

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Sets desktop wallpaper using registry

    • Target

      Endermanch@7ev3n.exe

    • Size

      315KB

    • MD5

      9f8bc96c96d43ecb69f883388d228754

    • SHA1

      61ed25a706afa2f6684bb4d64f69c5fb29d20953

    • SHA256

      7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5

    • SHA512

      550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

    • Target

      Endermanch@AnViPC2009.exe

    • Size

      1MB

    • MD5

      910dd666c83efd3496f21f9f211cdc1f

    • SHA1

      77cd736ee1697beda0ac65da24455ec566ba7440

    • SHA256

      06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45

    • SHA512

      467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • JavaScript code in executable

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Target

      Endermanch@Antivirus.exe

    • Size

      1MB

    • MD5

      c7e9746b1b039b8bd1106bca3038c38f

    • SHA1

      cb93ac887876bafe39c5f9aa64970d5e747fb191

    • SHA256

      b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4

    • SHA512

      cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Target

      Endermanch@AntivirusPlatinum.exe

    • Size

      739KB

    • MD5

      382430dd7eae8945921b7feab37ed36b

    • SHA1

      c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128

    • SHA256

      70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b

    • SHA512

      26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Target

      Endermanch@AntivirusPro2017.exe

    • Size

      816KB

    • MD5

      7dfbfba1e4e64a946cb096bfc937fbad

    • SHA1

      9180d2ce387314cd4a794d148ea6b14084c61e1b

    • SHA256

      312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94

    • SHA512

      f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Target

      Endermanch@BadRabbit.exe

    • Size

      431KB

    • MD5

      fbbdc39af1139aebba4da004475e8839

    • SHA1

      de5c8d858e6e41da715dca1c019df0bfb92d32c0

    • SHA256

      630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

    • SHA512

      74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

    Score
    10/10
    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Target

      Endermanch@Birele.exe

    • Size

      116KB

    • MD5

      41789c704a0eecfdd0048b4b4193e752

    • SHA1

      fb1e8385691fa3293b7cbfb9b2656cf09f20e722

    • SHA256

      b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23

    • SHA512

      76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

    Score
    10/10
    • Modifies WinLogon for persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      Endermanch@Cerber5.exe

    • Size

      313KB

    • MD5

      fe1bc60a95b2c2d77cd5d232296a7fa4

    • SHA1

      c07dfdea8da2da5bad036e7c2f5d37582e1cf684

    • SHA256

      b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

    • SHA512

      266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

    Score
    1/10
    • Target

      Endermanch@CleanThis.exe

    • Size

      618KB

    • MD5

      a50fc0da1d2b3c4aa8a6adaccf69a5de

    • SHA1

      e001f4043ab4be644ea10e0d65303d6e57b31ffe

    • SHA256

      cf6eb8377789e316629c0396a2dbb53c69b5fd67bbd0e7163b8d305aaa756e90

    • SHA512

      4bbc7676391ed4085f628d1f4e1f0af16f5cd6fd9efb8c61176bccdb6ee03b06896c6ddfba9fcf363b133ade3a8a1b8cd17ef92d8eb9adeec247f9bd41dbec2b

    Score
    10/10
    • Modifies WinLogon for persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Target

      Endermanch@ColorBug.exe

    • Size

      53KB

    • MD5

      6536b10e5a713803d034c607d2de19e3

    • SHA1

      a6000c05f565a36d2250bdab2ce78f505ca624b7

    • SHA256

      775ba68597507cf3c24663f5016d257446abeb66627f20f8f832c0860cad84de

    • SHA512

      61727cf0b150aad6965b4f118f33fd43600fb23dde5f0a3e780cc9998dfcc038b7542bfae9043ce28fb08d613c2a91ff9166f28a2a449d0e3253adc2cb110018

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Target

      Endermanch@DeriaLock.exe

    • Size

      484KB

    • MD5

      0a7b70efba0aa93d4bc0857b87ac2fcb

    • SHA1

      01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

    • SHA256

      4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

    • SHA512

      2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

    Score
    8/10
    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Target

      Endermanch@Deskbottom.exe

    • Size

      461KB

    • MD5

      c954b69e480950ad8f138bf8848c562c

    • SHA1

      207c3f932d8ac66bc10e090a97c02ac07dbb68fa

    • SHA256

      2f4bd27bffe3a5d1f541f1ee682d060316a0043312b35f18dfe5137efe8d7680

    • SHA512

      e8bbce74a647939337df72c3ab29c320aeef2b6f0214d68768bc7da8262a978e6ed54f7b1aefadb394abc85518757acf8e8633a145c39cb3f712adf8561aeaa9

    Score
    1/10
    • Target

      Endermanch@DesktopPuzzle.exe

    • Size

      239KB

    • MD5

      2f8f6e90ca211d7ef5f6cf3c995a40e7

    • SHA1

      f8940f280c81273b11a20d4bfb43715155f6e122

    • SHA256

      1f5a26f24a2bfdd301008f0cc51a6c3762f41b926f974c814f1ecaa4cb28e5e6

    • SHA512

      2b38475550edee5519e33bd18fea510ad73345a27c20f6457710498d34e3d0cf05b0f96f32d018e7dc154a6f2232ea7e3145fd0ed5fb498f9e4702a4be1bb9c8

    Score
    10/10
    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Target

      Endermanch@FakeAdwCleaner.exe

    • Size

      190KB

    • MD5

      248aadd395ffa7ffb1670392a9398454

    • SHA1

      c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5

    • SHA256

      51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc

    • SHA512

      582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

    • Executes dropped EXE

    • Adds Run key to start application

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Target

      Endermanch@FreeYoutubeDownloader.exe

    • Size

      396KB

    • MD5

      13f4b868603cf0dd6c32702d1bd858c9

    • SHA1

      a595ab75e134f5616679be5f11deefdfaae1de15

    • SHA256

      cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7

    • SHA512

      e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Target

      Endermanch@HMBlocker.exe

    • Size

      48KB

    • MD5

      21943d72b0f4c2b42f242ac2d3de784c

    • SHA1

      c887b9d92c026a69217ca550568909609eec1c39

    • SHA256

      2d047b0a46be4da59d375f71cfbd578ce1fbf77955d0bb149f6be5b9e4552180

    • SHA512

      04c9fa8358944d01b5fd0b6d5da2669df4c54fe79c58e7987c16bea56c114394173b6e8a6ac54cd4acd081fcbc66103ea6514c616363ba8d212db13b301034d8

    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Adds Run key to start application

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Target

      Endermanch@HappyAntivirus.exe

    • Size

      1MB

    • MD5

      cb02c0438f3f4ddabce36f8a26b0b961

    • SHA1

      48c4fcb17e93b74030415996c0ec5c57b830ea53

    • SHA256

      64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

    • SHA512

      373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

    Score
    10/10
    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Target

      Endermanch@Illerka.C.exe

    • Size

      378KB

    • MD5

      c718a1cbf0e13674714c66694be02421

    • SHA1

      001d5370d3a7ee48db6caaecb1c213b5dfdf8e65

    • SHA256

      cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f

    • SHA512

      ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a

    • UAC bypass

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Target

      Endermanch@InternetSecurityGuard.exe

    • Size

      6MB

    • MD5

      04155ed507699b4e37532e8371192c0b

    • SHA1

      a14107131237dbb0df750e74281c462a2ea61016

    • SHA256

      b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77

    • SHA512

      6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Enumerates VirtualBox registry keys

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

    • Drops file in Drivers directory

    • Sets file execution options in registry

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Target

      Endermanch@Koteyka2.exe

    • Size

      762KB

    • MD5

      7734f0e56da17e9a5940fd782d739f9b

    • SHA1

      4dfae67e40be6c4c83191ea0cf8d1b28afba884c

    • SHA256

      8855299560183b57556d9714a2b958cdc6190fcdfb270633da2a47dfeee20015

    • SHA512

      53d07938bafbcb9524cdba6d25e09fcdae128a83718ab686374f0526730e2e6380f60e3bf951601e48f6f8e64563c484ddd8baf9be2878a5ad393817028a9632

    Score
    10/10
    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Target

      Endermanch@LPS2019.exe

    • Size

      1MB

    • MD5

      2eb3ce80b26345bd139f7378330b19c1

    • SHA1

      10122bd8dd749e20c132d108d176794f140242b0

    • SHA256

      8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2

    • SHA512

      e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a

    • Executes dropped EXE

    • Adds Run key to start application

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Target

      Endermanch@Movie.mpeg.exe

    • Size

      414KB

    • MD5

      d0deb2644c9435ea701e88537787ea6e

    • SHA1

      866e47ecd80da89c4f56557659027a3aee897132

    • SHA256

      ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3

    • SHA512

      6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf

    Score
    10/10
    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Target

      Endermanch@NavaShield(1).exe

    • Size

      9MB

    • MD5

      1f13396fa59d38ebe76ccc587ccb11bb

    • SHA1

      867adb3076c0d335b9bfa64594ef37a7e2c951ff

    • SHA256

      83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d

    • SHA512

      82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc

    Score
    5/10
    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Target

      Endermanch@NavaShield.exe

    • Size

      9MB

    • MD5

      1f13396fa59d38ebe76ccc587ccb11bb

    • SHA1

      867adb3076c0d335b9bfa64594ef37a7e2c951ff

    • SHA256

      83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d

    • SHA512

      82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc

    Score
    10/10
    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Target

      Endermanch@PCDefender.exe

    • Size

      878KB

    • MD5

      e4d4a59494265949993e26dee7b077d1

    • SHA1

      83e3d0c7e544117d6054e7d55932a7d2dbaf1163

    • SHA256

      5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd

    • SHA512

      efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718

    Score
    10/10
    • Modifies WinLogon for persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • JavaScript code in executable

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Target

      Endermanch@PCDefenderv2.msi

    • Size

      860KB

    • MD5

      b3dce5c3f95a18fd076fad0f73bb9e39

    • SHA1

      e80cc285a77302ee221f47e4e94823d4b2eba368

    • SHA256

      df2e3b2222dcdbb5e0dbdd1200ec8fd5f67fcbea99e0023df54307eab60030ff

    • SHA512

      c184436055cf74884ad0d2bd5ca00bcd5a62d6be46253fe8c71b4daaa5c710b9df34af1b6e41f6d1af94bcdec0d33679a6a1b34bf9755678b4e177f368c11d4c

    Score
    10/10
    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Target

      Endermanch@PolyRansom.exe

    • Size

      220KB

    • MD5

      3ed3fb296a477156bc51aba43d825fc0

    • SHA1

      9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

    • SHA256

      1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

    • SHA512

      dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Executes dropped EXE

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Target

      Endermanch@PowerPoint.exe

    • Size

      136KB

    • MD5

      70108103a53123201ceb2e921fcfe83c

    • SHA1

      c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

    • SHA256

      9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

    • SHA512

      996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

    • Executes dropped EXE

    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

    • Deletes itself

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      Endermanch@ProgramOverflow.exe

    • Size

      566KB

    • MD5

      c4aab3b24b159148d6d47a9e5897e593

    • SHA1

      7061c2e85de9f3fd51cccdecb8965f1e710d1fe5

    • SHA256

      03a4d3563a7519542c662b5fd5d61215f3d76a3902717efe11230292ea4bbafc

    • SHA512

      9bc522ff0d598a1f1425a09a2794584c4991a99bc382b0ee9135311950cdbf2f5331ae041a4b01052735b5fae3a2763ea1b5c01ce679b07fba73c6f75cb4c252

    Score
    10/10
    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Target

      Endermanch@RegistrySmart.exe

    • Size

      1MB

    • MD5

      0002dddba512e20c3f82aaab8bad8b4d

    • SHA1

      493286b108822ba636cc0e53b8259e4f06ecf900

    • SHA256

      2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7

    • SHA512

      497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b

    Score
    8/10
    • Executes dropped EXE

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Target

      Endermanch@SE2011.exe

    • Size

      2MB

    • MD5

      02f471d1fefbdc07af5555dbfd6ea918

    • SHA1

      2a8f93dd21628933de8bea4a9abc00dbb215df0b

    • SHA256

      36619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba

    • SHA512

      287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Adds Run key to start application

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix

Tasks