Downloads.rar

General
Target

Downloads.rar

Size

184MB

Sample

210203-6bgge2nfan

Score
10 /10
MD5

9e3e4dd2eca465797c3a07c0fa2254fe

SHA1

16ceee08c07179157b0fb6de04b7605360f34b20

SHA256

f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

SHA512

f6033af5252203878aa0d1ba77f4816694a953103927362f6308c527e84c61be00816bf9ccba207991f93248ffefaaf31e27f5fd7806d3a4cb35d4104e79f746

Malware Config

Extracted

Family zloader
Botnet main
Campaign 26.02.2020
C2

https://airnaa.org/sound.php

https://banog.org/sound.php

https://rayonch.org/sound.php

rc4.plain

Extracted

Family revengerat
Botnet XDSDDD
C2

84.91.119.105:333

Extracted

Family revengerat
Botnet Victime
C2

cocohack.dtdns.net:84

Extracted

Family zloader
Botnet 25/03
C2

https://wgyvjbse.pw/milagrecf.php

https://botiq.xyz/milagrecf.php

rc4.plain

Extracted

Family revengerat
Botnet samay
C2

shnf-47787.portmap.io:47787

Extracted

Family zloader
Botnet 09/04
C2

https://eoieowo.casa/wp-config.php

https://dcgljuzrb.pw/wp-config.php

rc4.plain

Extracted

Family zloader
Botnet 07/04
C2

https://xyajbocpggsr.site/wp-config.php

https://ooygvpxrb.pw/wp-config.php

rc4.plain

Extracted

Family revengerat
Botnet INSERT-COIN
C2

3.tcp.ngrok.io:24041

Extracted

Family revengerat
Botnet YT
C2

yukselofficial.duckdns.org:5552

Extracted

Family revengerat
Botnet system
C2

yj233.e1.luyouxia.net:20645
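The C2 entries extracted above are only useful once they are normalised into something a log pipeline can match: the zloader entries are URLs (host, implied port 443, path), the revengerat entries are bare host:port pairs. The matcher below is an added example written for this page, not the sandbox's own code. It uses the C2 values listed above, assumes a simple key=value connection-log format, and the log lines it scans are constructed. The hosts on ngrok.io, portmap.io, duckdns.org, dtdns.net and luyouxia.net are treated (an assumption stated in the code) as shared tunnelling or dynamic-DNS infrastructure, so for them a host match counts only when the destination port matches too.

```python
"""Normalise the C2 entries extracted above into indicators and match them
against connection logs.  Added example for this page, not the sandbox's
code; the log lines below are constructed."""
import re
from typing import List, NamedTuple, Optional, Tuple
from urllib.parse import urlsplit


class Indicator(NamedTuple):
    family: str
    host: str
    port: int
    path: Optional[str]  # only for URL-form C2s


# (family, C2) pairs exactly as the Malware Config section above lists them
EXTRACTED_C2 = [
    ("zloader", "https://airnaa.org/sound.php"),
    ("zloader", "https://banog.org/sound.php"),
    ("zloader", "https://rayonch.org/sound.php"),
    ("zloader", "https://wgyvjbse.pw/milagrecf.php"),
    ("zloader", "https://botiq.xyz/milagrecf.php"),
    ("zloader", "https://eoieowo.casa/wp-config.php"),
    ("zloader", "https://dcgljuzrb.pw/wp-config.php"),
    ("zloader", "https://xyajbocpggsr.site/wp-config.php"),
    ("zloader", "https://ooygvpxrb.pw/wp-config.php"),
    ("revengerat", "84.91.119.105:333"),
    ("revengerat", "cocohack.dtdns.net:84"),
    ("revengerat", "shnf-47787.portmap.io:47787"),
    ("revengerat", "3.tcp.ngrok.io:24041"),
    ("revengerat", "yukselofficial.duckdns.org:5552"),
    ("revengerat", "yj233.e1.luyouxia.net:20645"),
]

# Assumption: these are shared tunnelling / dynamic-DNS services, so the
# hostname alone is not unique to this botnet and the port must match too.
SHARED_INFRA = ("ngrok.io", "portmap.io", "duckdns.org", "dtdns.net", "luyouxia.net")


def parse_c2(family: str, raw: str) -> Indicator:
    """'https://host/path' -> (host, 443, path); 'host:port' -> (host, port, None)."""
    if "://" in raw:
        u = urlsplit(raw)
        port = u.port or (443 if u.scheme == "https" else 80)
        return Indicator(family, u.hostname.lower(), port, u.path)
    host, port = raw.rsplit(":", 1)
    return Indicator(family, host.lower(), int(port), None)


INDICATORS = [parse_c2(f, c) for f, c in EXTRACTED_C2]


def is_shared(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in SHARED_INFRA)


_KV = re.compile(r"(\w+)=(\S+)")


def match_line(line: str) -> Optional[Indicator]:
    """Return the first indicator a key=value log line hits, or None."""
    fields = dict(_KV.findall(line))
    dest = (fields.get("host") or fields.get("dst") or "").lower()
    dport = int(fields["dport"]) if "dport" in fields else None
    for ind in INDICATORS:
        if ind.host != dest:
            continue
        if is_shared(ind.host) and dport != ind.port:
            continue  # other tenants' tunnels also resolve to 3.tcp.ngrok.io
        return ind
    return None


def match_log(lines: List[str]) -> List[Tuple[str, Indicator]]:
    hits = []
    for line in lines:
        ind = match_line(line)
        if ind is not None:
            hits.append((line, ind))
    return hits


# Constructed connection log (key=value fields, one connection per line).
SAMPLE_LOG = """\
2021-02-03T10:15:01Z src=10.0.0.12 dst=84.91.119.105 dport=333 proto=tcp
2021-02-03T10:15:02Z src=10.0.0.12 host=airnaa.org dport=443 url=/sound.php
2021-02-03T10:16:00Z src=10.0.0.20 host=3.tcp.ngrok.io dport=443 url=/
2021-02-03T10:16:05Z src=10.0.0.20 host=3.tcp.ngrok.io dport=24041 proto=tcp
2021-02-03T10:17:00Z src=10.0.0.31 host=example.com dport=443 url=/
"""

if __name__ == "__main__":
    for line, ind in match_log(SAMPLE_LOG.splitlines()):
        print(f"{ind.family:10s} {ind.host}:{ind.port}  <- {line}")
```

On the constructed log the third line (3.tcp.ngrok.io on port 443) is deliberately not reported: without the port check every ngrok user on that edge would look like a revengerat victim.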

Targets
Target

Endermanch@000.exe

MD5

f2b7074e1543720a9a98fda660e02688

Filesize

6MB

Score
8 /10
SHA1

1029492c1a12789d8af78d54adcb921e24b9e5ca

SHA256

4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

SHA512

73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

Signatures

  • Disables Task Manager via registry modification
  • Enumerates connected drives
    Attempts to read the root path of hard drives other than the default C: drive.
    TTPs: Query Registry, Peripheral Device Discovery, System Information Discovery
  • Modifies WinLogon
    TTPs: Winlogon Helper DLL, Modify Registry
  • Enumerates physical storage devices
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery
  • Sets desktop wallpaper using registry
    TTPs: Defacement, Modify Registry

Target

Endermanch@7ev3n.exe

MD5

9f8bc96c96d43ecb69f883388d228754

Filesize

315KB

Score
10 /10
SHA1

61ed25a706afa2f6684bb4d64f69c5fb29d20953

SHA256

7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5

SHA512

550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

Signatures

  • Modifies WinLogon for persistence
    TTPs: Winlogon Helper DLL, Modify Registry
  • UAC bypass
    TTPs: Bypass User Account Control, Disabling Security Tools, Modify Registry
  • Executes dropped EXE
  • Modifies WinLogon to allow AutoLogon
    Enables rebooting of the machine without requiring login credentials.
    TTPs: Winlogon Helper DLL, Modify Registry
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder, Modify Registry

Target

Endermanch@AnViPC2009.exe

MD5

910dd666c83efd3496f21f9f211cdc1f

Filesize

1MB

Score
8 /10
SHA1

77cd736ee1697beda0ac65da24455ec566ba7440

SHA256

06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45

SHA512

467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47

Signatures

  • Executes dropped EXE
  • Loads dropped DLL
  • JavaScript code in executable
  • Enumerates physical storage devices
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery

Target

Endermanch@Antivirus.exe

MD5

c7e9746b1b039b8bd1106bca3038c38f

Filesize

1MB

Score
10 /10
SHA1

cb93ac887876bafe39c5f9aa64970d5e747fb191

SHA256

b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4

SHA512

cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

Signatures

  • BadRabbit
    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  • Executes dropped EXE
  • Modifies extensions of user files
    Ransomware generally changes the extension on encrypted files.
  • Reads user/profile data of web browsers
    Infostealers often target stored browser data, which can include saved credentials etc.
    TTPs: Data from Local System, Credentials in Files
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder, Modify Registry

Target

Endermanch@AntivirusPlatinum.exe

MD5

382430dd7eae8945921b7feab37ed36b

Filesize

739KB

Score
10 /10
SHA1

c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128

SHA256

70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b

SHA512

26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

Signatures

  • Windows security bypass
    TTPs: Disabling Security Tools, Modify Registry
  • Disables RegEdit via registry modification
  • Executes dropped EXE
  • UPX packed file
    Detects executables packed with UPX/modified UPX open source packer.
  • Windows security modification
    TTPs: Disabling Security Tools, Modify Registry
  • Enumerates physical storage devices
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery

Target

Endermanch@AntivirusPro2017.exe

MD5

7dfbfba1e4e64a946cb096bfc937fbad

Filesize

816KB

Score
7 /10
SHA1

9180d2ce387314cd4a794d148ea6b14084c61e1b

SHA256

312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94

SHA512

f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

Signatures

  • Reads user/profile data of web browsers
    Infostealers often target stored browser data, which can include saved credentials etc.
    TTPs: Data from Local System, Credentials in Files
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder, Modify Registry
  • Enumerates connected drives
    Attempts to read the root path of hard drives other than the default C: drive.
    TTPs: Query Registry, Peripheral Device Discovery, System Information Discovery
  • Writes to the Master Boot Record (MBR)
    Bootkits write to the MBR to gain persistence at a level below the operating system.
    TTPs: Bootkit
  • Enumerates physical storage devices
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery

Target

Endermanch@BadRabbit.exe

MD5

fbbdc39af1139aebba4da004475e8839

Filesize

431KB

Score
10 /10
SHA1

de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256

630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512

74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Signatures

  • BadRabbit
    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  • Executes dropped EXE
  • Modifies extensions of user files
    Ransomware generally changes the extension on encrypted files.

Target

Endermanch@Birele.exe

MD5

41789c704a0eecfdd0048b4b4193e752

Filesize

116KB

Score
10 /10
SHA1

fb1e8385691fa3293b7cbfb9b2656cf09f20e722

SHA256

b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23

SHA512

76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

Signatures

  • Modifies WinLogon for persistence
    TTPs: Winlogon Helper DLL, Modify Registry
  • UPX packed file
    Detects executables packed with UPX/modified UPX open source packer.
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder, Modify Registry

Target

Endermanch@Cerber5.exe

MD5

fe1bc60a95b2c2d77cd5d232296a7fa4

Filesize

313KB

Score
1 /10
SHA1

c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256

b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512

266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Target

Endermanch@CleanThis.exe

MD5

a50fc0da1d2b3c4aa8a6adaccf69a5de

Filesize

618KB

Score
10 /10
SHA1

e001f4043ab4be644ea10e0d65303d6e57b31ffe

SHA256

cf6eb8377789e316629c0396a2dbb53c69b5fd67bbd0e7163b8d305aaa756e90

SHA512

4bbc7676391ed4085f628d1f4e1f0af16f5cd6fd9efb8c61176bccdb6ee03b06896c6ddfba9fcf363b133ade3a8a1b8cd17ef92d8eb9adeec247f9bd41dbec2b

Signatures

  • Modifies WinLogon for persistence
    TTPs: Winlogon Helper DLL, Modify Registry
  • Maps connected drives based on registry
    Disk information is often read in order to detect sandboxing environments.
    TTPs: Query Registry, Peripheral Device Discovery, System Information Discovery
  • Enumerates physical storage devices
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery

Target

Endermanch@ColorBug.exe

MD5

6536b10e5a713803d034c607d2de19e3

Filesize

53KB

Score
10 /10
SHA1

a6000c05f565a36d2250bdab2ce78f505ca624b7

SHA256

775ba68597507cf3c24663f5016d257446abeb66627f20f8f832c0860cad84de

SHA512

61727cf0b150aad6965b4f118f33fd43600fb23dde5f0a3e780cc9998dfcc038b7542bfae9043ce28fb08d613c2a91ff9166f28a2a449d0e3253adc2cb110018

Signatures

  • BadRabbit
    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  • Executes dropped EXE
  • Modifies extensions of user files
    Ransomware generally changes the extension on encrypted files.
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder, Modify Registry

Target

Endermanch@DeriaLock.exe

MD5

0a7b70efba0aa93d4bc0857b87ac2fcb

Filesize

484KB

Score
8 /10
SHA1

01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256

4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512

2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Signatures

  • Modifies extensions of user files
    Ransomware generally changes the extension on encrypted files.
  • Drops startup file

Target

Endermanch@Deskbottom.exe

MD5

c954b69e480950ad8f138bf8848c562c

Filesize

461KB

Score
1 /10
SHA1

207c3f932d8ac66bc10e090a97c02ac07dbb68fa

SHA256

2f4bd27bffe3a5d1f541f1ee682d060316a0043312b35f18dfe5137efe8d7680

SHA512

e8bbce74a647939337df72c3ab29c320aeef2b6f0214d68768bc7da8262a978e6ed54f7b1aefadb394abc85518757acf8e8633a145c39cb3f712adf8561aeaa9

Target

Endermanch@DesktopPuzzle.exe

MD5

2f8f6e90ca211d7ef5f6cf3c995a40e7

Filesize

239KB

Score
10 /10
SHA1

f8940f280c81273b11a20d4bfb43715155f6e122

SHA256

1f5a26f24a2bfdd301008f0cc51a6c3762f41b926f974c814f1ecaa4cb28e5e6

SHA512

2b38475550edee5519e33bd18fea510ad73345a27c20f6457710498d34e3d0cf05b0f96f32d018e7dc154a6f2232ea7e3145fd0ed5fb498f9e4702a4be1bb9c8

Signatures

  • BadRabbit
    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  • Executes dropped EXE
  • Modifies extensions of user files
    Ransomware generally changes the extension on encrypted files.

Target

Endermanch@FakeAdwCleaner.exe

MD5

248aadd395ffa7ffb1670392a9398454

Filesize

190KB

Score
8 /10
SHA1

c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5

SHA256

51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc

SHA512

582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

Signatures

  • Executes dropped EXE
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder, Modify Registry
  • Enumerates physical storage devices
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery

Target

Endermanch@FreeYoutubeDownloader.exe

MD5

13f4b868603cf0dd6c32702d1bd858c9

Filesize

396KB

Score
10 /10
SHA1

a595ab75e134f5616679be5f11deefdfaae1de15

SHA256

cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7

SHA512

e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24

Signatures

  • BadRabbit
    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  • Executes dropped EXE
  • Modifies extensions of user files
    Ransomware generally changes the extension on encrypted files.
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder, Modify Registry
  • Checks installed software on the system
    Looks up Uninstall key entries in the registry to enumerate software on the system.
    TTPs: Query Registry
  • Enumerates physical storage devices
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery

Target

Endermanch@HMBlocker.exe

MD5

21943d72b0f4c2b42f242ac2d3de784c

Filesize

48KB

Score
8 /10
SHA1

c887b9d92c026a69217ca550568909609eec1c39

SHA256

2d047b0a46be4da59d375f71cfbd578ce1fbf77955d0bb149f6be5b9e4552180

SHA512

04c9fa8358944d01b5fd0b6d5da2669df4c54fe79c58e7987c16bea56c114394173b6e8a6ac54cd4acd081fcbc66103ea6514c616363ba8d212db13b301034d8

Signatures

  • Modifies WinLogon to allow AutoLogon
    Enables rebooting of the machine without requiring login credentials.
    TTPs: Winlogon Helper DLL, Modify Registry
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder, Modify Registry
  • Enumerates physical storage devices
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery

Target

Endermanch@HappyAntivirus.exe

MD5

cb02c0438f3f4ddabce36f8a26b0b961

Filesize

1MB

Score
10 /10
SHA1

48c4fcb17e93b74030415996c0ec5c57b830ea53

SHA256

64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

SHA512

373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

Signatures

  • BadRabbit
    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  • Executes dropped EXE
  • Modifies extensions of user files
    Ransomware generally changes the extension on encrypted files.

Target

Endermanch@Illerka.C.exe

MD5

c718a1cbf0e13674714c66694be02421

Filesize

378KB

Score
10 /10
SHA1

001d5370d3a7ee48db6caaecb1c213b5dfdf8e65

SHA256

cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f

SHA512

ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a

Signatures

  • UAC bypass
    TTPs: Bypass User Account Control, Disabling Security Tools, Modify Registry
  • Executes dropped EXE
  • Checks whether UAC is enabled
    TTPs: System Information Discovery
  • Enumerates physical storage devices
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery

Target

Endermanch@InternetSecurityGuard.exe

MD5

04155ed507699b4e37532e8371192c0b

Filesize

6MB

Score
9 /10
SHA1

a14107131237dbb0df750e74281c462a2ea61016

SHA256

b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77

SHA512

6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371

Signatures

  • Checks for common network interception software
    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  • Enumerates VirtualBox registry keys
    TTPs: Query Registry, Virtualization/Sandbox Evasion
  • Blocks application from running via registry modification
    Adds application to list of disallowed applications.
  • Drops file in Drivers directory
  • Sets file execution options in registry
    TTPs: Registry Run Keys / Startup Folder, Modify Registry
  • Reads user/profile data of web browsers
    Infostealers often target stored browser data, which can include saved credentials etc.
    TTPs: Data from Local System, Credentials in Files
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder, Modify Registry
  • Checks for any installed AV software in registry
    TTPs: Security Software Discovery
  • Checks installed software on the system
    Looks up Uninstall key entries in the registry to enumerate software on the system.
    TTPs: Query Registry
  • Enumerates connected drives
    Attempts to read the root path of hard drives other than the default C: drive.
    TTPs: Query Registry, Peripheral Device Discovery, System Information Discovery
  • Writes to the Master Boot Record (MBR)
    Bootkits write to the MBR to gain persistence at a level below the operating system.
    TTPs: Bootkit
  • Enumerates physical storage devices
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery

Target

Endermanch@Koteyka2.exe

MD5

7734f0e56da17e9a5940fd782d739f9b

Filesize

762KB

Score
10 /10
SHA1

4dfae67e40be6c4c83191ea0cf8d1b28afba884c

SHA256

8855299560183b57556d9714a2b958cdc6190fcdfb270633da2a47dfeee20015

SHA512

53d07938bafbcb9524cdba6d25e09fcdae128a83718ab686374f0526730e2e6380f60e3bf951601e48f6f8e64563c484ddd8baf9be2878a5ad393817028a9632

Signatures

  • BadRabbit
    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  • Executes dropped EXE
  • Modifies extensions of user files
    Ransomware generally changes the extension on encrypted files.

Target

Endermanch@LPS2019.exe

MD5

2eb3ce80b26345bd139f7378330b19c1

Filesize

1MB

Score
8 /10
SHA1

10122bd8dd749e20c132d108d176794f140242b0

SHA256

8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2

SHA512

e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a

Signatures

  • Executes dropped EXE
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder, Modify Registry
  • Enumerates physical storage devices
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery

Target

Endermanch@Movie.mpeg.exe

MD5

d0deb2644c9435ea701e88537787ea6e

Filesize

414KB

Score
10 /10
SHA1

866e47ecd80da89c4f56557659027a3aee897132

SHA256

ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3

SHA512

6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf

Signatures

  • BadRabbit
    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  • Executes dropped EXE
  • Modifies extensions of user files
    Ransomware generally changes the extension on encrypted files.

Target

Endermanch@NavaShield(1).exe

MD5

1f13396fa59d38ebe76ccc587ccb11bb

Filesize

9MB

Score
5 /10
SHA1

867adb3076c0d335b9bfa64594ef37a7e2c951ff

SHA256

83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d

SHA512

82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc

Signatures

  • Enumerates physical storage devices
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery

Target

Endermanch@NavaShield.exe

MD5

1f13396fa59d38ebe76ccc587ccb11bb

Filesize

9MB

Score
10 /10
SHA1

867adb3076c0d335b9bfa64594ef37a7e2c951ff

SHA256

83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d

SHA512

82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc

Signatures

  • BadRabbit
    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  • Executes dropped EXE
  • Modifies extensions of user files
    Ransomware generally changes the extension on encrypted files.
  • Enumerates physical storage devices
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery

Target

Endermanch@PCDefender.exe

MD5

e4d4a59494265949993e26dee7b077d1

Filesize

878KB

Score
10 /10
SHA1

83e3d0c7e544117d6054e7d55932a7d2dbaf1163

SHA256

5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd

SHA512

efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718

Signatures

  • Modifies WinLogon for persistence
    TTPs: Winlogon Helper DLL, Modify Registry
  • Enumerates connected drives
    Attempts to read the root path of hard drives other than the default C: drive.
    TTPs: Query Registry, Peripheral Device Discovery, System Information Discovery
  • JavaScript code in executable
  • Enumerates physical storage devices
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery

Target

Endermanch@PCDefenderv2.msi

MD5

b3dce5c3f95a18fd076fad0f73bb9e39

Filesize

860KB

Score
10 /10
SHA1

e80cc285a77302ee221f47e4e94823d4b2eba368

SHA256

df2e3b2222dcdbb5e0dbdd1200ec8fd5f67fcbea99e0023df54307eab60030ff

SHA512

c184436055cf74884ad0d2bd5ca00bcd5a62d6be46253fe8c71b4daaa5c710b9df34af1b6e41f6d1af94bcdec0d33679a6a1b34bf9755678b4e177f368c11d4c

Signatures

  • Modifies WinLogon for persistence
    TTPs: Winlogon Helper DLL, Modify Registry
  • Executes dropped EXE
  • Enumerates connected drives
    Attempts to read the root path of hard drives other than the default C: drive.
    TTPs: Query Registry, Peripheral Device Discovery, System Information Discovery
  • Enumerates physical storage devices
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery

Target

Endermanch@PolyRansom.exe

MD5

3ed3fb296a477156bc51aba43d825fc0

Filesize

220KB

Score
10 /10
SHA1

9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256

1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512

dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Signatures

  • BadRabbit
    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  • Modifies visibility of file extensions in Explorer
    TTPs: Hidden Files and Directories, Modify Registry
  • UAC bypass
    TTPs: Bypass User Account Control, Disabling Security Tools, Modify Registry
  • Executes dropped EXE
  • Suspicious Office macro
    Office document equipped with Excel 4.0 (XLM) macros.
  • Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
    TTPs: Query Registry, System Information Discovery
  • Reads user/profile data of web browsers
    Infostealers often target stored browser data, which can include saved credentials etc.
    TTPs: Data from Local System, Credentials in Files
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder, Modify Registry
  • Drops file in System32 directory
  • Enumerates physical storage devices
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery

Target

Endermanch@PowerPoint.exe

MD5

70108103a53123201ceb2e921fcfe83c

Filesize

136KB

Score
8 /10
SHA1

c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256

9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512

996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Signatures

  • Executes dropped EXE
  • Modifies WinLogon to allow AutoLogon
    Enables rebooting of the machine without requiring login credentials.
    TTPs: Winlogon Helper DLL, Modify Registry
  • Deletes itself
  • Writes to the Master Boot Record (MBR)
    Bootkits write to the MBR to gain persistence at a level below the operating system.
    TTPs: Bootkit

Target

Endermanch@ProgramOverflow.exe

MD5

c4aab3b24b159148d6d47a9e5897e593

Filesize

566KB

Score
10 /10
SHA1

7061c2e85de9f3fd51cccdecb8965f1e710d1fe5

SHA256

03a4d3563a7519542c662b5fd5d61215f3d76a3902717efe11230292ea4bbafc

SHA512

9bc522ff0d598a1f1425a09a2794584c4991a99bc382b0ee9135311950cdbf2f5331ae041a4b01052735b5fae3a2763ea1b5c01ce679b07fba73c6f75cb4c252

Signatures

  • BadRabbit
    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  • Executes dropped EXE
  • Modifies extensions of user files
    Ransomware generally changes the extension on encrypted files.

Target

Endermanch@RegistrySmart.exe

MD5

0002dddba512e20c3f82aaab8bad8b4d

Filesize

1MB

Score
8 /10
SHA1

493286b108822ba636cc0e53b8259e4f06ecf900

SHA256

2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7

SHA512

497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b

Signatures

  • Executes dropped EXE
  • Enumerates physical storage devices
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery

Target

Endermanch@SE2011.exe

MD5

02f471d1fefbdc07af5555dbfd6ea918

Filesize

2MB

Score
10 /10
SHA1

2a8f93dd21628933de8bea4a9abc00dbb215df0b

SHA256

36619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba

SHA512

287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559

Signatures

  • BadRabbit
    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  • Modifies WinLogon for persistence
    TTPs: Winlogon Helper DLL, Modify Registry
  • Executes dropped EXE
  • Modifies extensions of user files
    Ransomware generally changes the extension on encrypted files.
  • Deletes itself
  • Identifies Wine through registry keys
    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
    TTPs: Query Registry, Virtualization/Sandbox Evasion
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder, Modify Registry
  • Enumerates physical storage devices
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger
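Most of the registry signatures that recur across these targets (Winlogon Shell/Userinit changes, AutoAdminLogon with a stored DefaultPassword, DisableTaskMgr, DisableRegistryTools, Run/RunOnce entries, Image File Execution Options debuggers, DisallowRun lists) leave a footprint that can be audited offline from a registry export, which is the practical way to confirm them on a host or a sandbox snapshot after the fact. The auditor below is an added example written for this page; it is not part of the sandbox's tooling or of any sample. It assumes the text of a `reg export` / regedit `.reg` dump as input, keys are matched on their path suffix, and the export embedded at the bottom is constructed.

```python
"""Audit a Windows registry export (.reg text) for the registry-based
persistence and evasion behaviours this report's signatures describe.
Added example written for this page; not the sandbox's tooling or sample
code.  Input is the text of a `reg export` / regedit dump; the export at
the bottom is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    signature: str  # worded like the report's signature names
    key: str
    name: str
    value: str


def _decode(raw: str) -> str:
    """Turn a .reg value literal ("..." or dword:hex) into a plain string."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape \\ and \"
    if raw.lower().startswith("dword:"):
        return str(int(raw[6:], 16))
    return raw  # hex:/expand-string forms are kept raw


_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key path] to its {value name: decoded value}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            keys[current][name] = _decode(m.group(2))
    return keys


# Values a clean Windows install carries under Winlogon (compared lower-case).
_DEFAULT_SHELL = "explorer.exe"
_DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"


def audit(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []

    def hit(sig: str, key: str, name: str, value: str) -> None:
        findings.append(Finding(sig, key, name, value))

    for key, vals in keys.items():
        k = key.lower()
        if k.endswith("\\windows nt\\currentversion\\winlogon"):
            shell = vals.get("Shell", _DEFAULT_SHELL)
            if shell.lower() != _DEFAULT_SHELL:
                hit("Modifies WinLogon for persistence", key, "Shell", shell)
            userinit = vals.get("Userinit", _DEFAULT_USERINIT)
            parts = [p.strip().lower() for p in userinit.split(",") if p.strip()]
            if parts != [_DEFAULT_USERINIT]:  # anything appended after userinit.exe
                hit("Modifies WinLogon for persistence", key, "Userinit", userinit)
            if vals.get("AutoAdminLogon") == "1" or "DefaultPassword" in vals:
                hit("Modifies WinLogon to allow AutoLogon", key,
                    "AutoAdminLogon", vals.get("AutoAdminLogon", ""))
        elif k.endswith("\\policies\\system"):
            if vals.get("DisableTaskMgr") == "1":
                hit("Disables Task Manager via registry modification", key, "DisableTaskMgr", "1")
            if vals.get("DisableRegistryTools") == "1":
                hit("Disables RegEdit via registry modification", key, "DisableRegistryTools", "1")
            if vals.get("EnableLUA") == "0":
                hit("Windows security modification", key, "EnableLUA", "0")
        elif k.endswith("\\policies\\explorer\\disallowrun"):
            for name, value in vals.items():
                hit("Blocks application from running via registry modification", key, name, value)
        elif k.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            for name, value in vals.items():
                hit("Adds Run key to start application", key, name, value)
        elif "\\image file execution options\\" in k and "Debugger" in vals:
            hit("Sets file execution options in registry", key, "Debugger", vals["Debugger"])
    return findings


def audit_export(text: str) -> List[Finding]:
    return audit(parse_reg_export(text))


# Constructed export: a clean Userinit next to the modifications the
# signatures above describe.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\ProgramData\\updater.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"AutoAdminLogon"="1"
"DefaultUserName"="admin"
"DefaultPassword"="hunter2"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Users\\Public\\svchost.exe\" /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\ProgramData\\updater.exe"
"""

if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT):
        print(f"{f.signature}: {f.key} -> {f.name} = {f.value}")
```

An export only shows end state, so discovery-type signatures on this page (Uninstall key lookups, VirtualBox or Wine key reads, AV enumeration) are not visible in it; those need the sandbox's API trace or registry-read events rather than a dump.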

Tasks

behavioral1: 8/10
behavioral3: 8/10
behavioral5: 10/10
behavioral7: 10/10
behavioral8: 10/10
behavioral9: 1/10
behavioral10: 10/10
behavioral11: 10/10
behavioral12: 8/10
behavioral13: 1/10
behavioral14: 10/10
behavioral15: 8/10
behavioral17: 8/10
behavioral18: 10/10
behavioral19: 10/10
behavioral21: 10/10
behavioral22: 8/10
behavioral23: 10/10
behavioral24: 5/10
behavioral25: 10/10
behavioral26: 10/10
behavioral27: 10/10
behavioral29: 8/10
behavioral30: 10/10
behavioral31: 8/10