Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f.bin.sample

  • Size

    370KB

  • MD5

    b8421f1d4bd96ca5b1e9a6e919e6a167

  • SHA1

    e1040ad363c3a5bb7587faebaab0aecdc70a21df

  • SHA256

    0361e25d7f958c3e5f76eb62917004939f40c020e2303c97ab8be431199baa6f

  • SHA512

    e2ee73d80631d51d4d5267f34e6c7873c79fe1968d73daea141d782fc693fb6f436be18c9a3756fca3e68a44e2e75c9376e194f3ab11f95942e93b3a28117b63

  Score

  10^/10

  discoveryevasionpersistencetrojan

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Disables Task Manager via registry modification

    evasion

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Modifies file permissions

    discovery

  • Windows security modification

    evasiontrojan

  • Modifies WinLogon

    persistence
  behavioral1behavioral2

• • Target

    121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717.bin.sample

  • Size

    91KB

  • MD5

    1d3ed93e99f01fa636b02faab5690de5

  • SHA1

    b818f4c33e346c2ce23e62e95d4c0eaa7f0a3128

  • SHA256

    121c11c4054bce9730e87051eb734241b787ed4b5523db2c1226c29776501717

  • SHA512

    0628321e5a61bfd6d62c46d1171d9ab5153f5ec8dbda7f924c1a0cc857a12183863b105b6a0a10a107167e188bc830cf032490261a1d80d695740fb3f8dbe308

  Score

  9^/10

  ransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Deletes itself

  • Drops startup file

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral3behavioral4

• • Target

    16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d.bin.sample

  • Size

    107KB

  • MD5

    26b35eb4806754b0e7d71b547478448e

  • SHA1

    f0322d746071c1594ae37bae2467781f42e6ee3c

  • SHA256

    16e6e08c37a95acc32a5f05db98e1dab07d52e3ab4ee415c67c8aaa006e8179d

  • SHA512

    6663d50e19ae58f6cc74f4edaa83b60a0f1cb42e8190056e444fc1c722cf7caccea488bb2e2fe250c039286e2fc4a3fb0520f40aea7f31734ea210cc6155b9b2

  Score

  9^/10

  ransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Deletes itself

  • Drops startup file

  behavioral5behavioral6

• • Target

    1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554.bin.sample

  • Size

    368KB

  • MD5

    2a6f56addd8adcbb1a6cc8e1d6090012

  • SHA1

    03227744a280d56267cbef448f7e54a924f46173

  • SHA256

    1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554

  • SHA512

    63d951d531ac8c9be311a73ab3c70f3b0afe77a71bbc949ede5564bc98de523bc324c926cb9d4a49dd25171f62333e645e4a56d9e2b4cceab3976672a4eba2c0

  Score

  10^/10

  discoveryevasionpersistencetrojan

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Disables Task Manager via registry modification

    evasion

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Windows security modification

    evasiontrojan

  • Modifies WinLogon

    persistence
  behavioral7behavioral8

• • Target

    1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514.bin.sample

  • Size

    82KB

  • MD5

    fe68d6631a5ed731e065858e78809da6

  • SHA1

    2feb2430217ea991d6f034ed9e253e35b3bebc88

  • SHA256

    1e189b1013b6fc1b32514c7ff98962fc49563b9027798e71bc7755a525530514

  • SHA512

    299863ee06b0803b6bc6385d964d464ca7393d8ff7445d9ce6ccf3aadf11ab1e6a0178931b2bfcefae5185d54205c712e867c4e2f88b22d3757c95100f7a2f62

  Score

  10^/10

  evasionpersistenceransomwaretrojandiscovery

  • Modifies WinLogon for persistence

    persistence

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Modifies file permissions

    discovery

  • Windows security modification

    evasiontrojan
  behavioral9behavioral10

• • Target

    2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58.bin.sample

  • Size

    115KB

  • MD5

    5584b055a41bad2ebd33c88e9f6ebf64

  • SHA1

    76b0d1fe179a03d3b62f11a07030edf510d9c7fa

  • SHA256

    2033194ab3c2602eb9d3b31eeb5432514c423eac213f1219e5865dfee371ed58

  • SHA512

    23628cd1081bbc5679ca4b8dac50b17c2004ad787e1d64de2685a8e23eb99a9ae37343f29983bee2cab0b08f61f06d40f877139fb458367c207d64691aa94f14

  Score

  10^/10

  makopdiscoveryevasionransomware

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

    ransomwaremakop

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Drops startup file

  • Modifies file permissions

    discovery
  behavioral11behavioral12

• • Target

    21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448.bin.sample

  • Size

    87KB

  • MD5

    f889c06ea602eb23ff52c32fe68a2681

  • SHA1

    0a65a614602f220e2c16aeb6b849b1cd86cc748c

  • SHA256

    21dd66ef4b2d0bf877fd6386c3dbc43457f982f5f67eed23c8b7c34234cda448

  • SHA512

    caf4bc0ed5195d882d84dc8c6b431fb0aefe001a724d022f846f423983cbaf3d8753f849e58f1b91406d2905798d41b4f4f53540024b5c6fe2edc3eb254276dc

  Score

  10^/10

  evasionpersistenceransomwaretrojandiscovery

  • Modifies WinLogon for persistence

    persistence

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Modifies file permissions

    discovery

  • Windows security modification

    evasiontrojan
  behavioral13behavioral14

• • Target

    2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d.bin.sample

  • Size

    121KB

  • MD5

    4096e6730b117ae60dc3e5d4fd31acda

  • SHA1

    03baaf95e69aa6da711eae0e75f4908e02087587

  • SHA256

    2d3d1b83067859ebb118ff1a99ac098806b65f566df094fad9a4debef4da911d

  • SHA512

    c8f7ed4b469fa0f98643f561e6e505dfb5ab78656910c9b3d9ee21b167e500460a29eb1a42270817490f458a8189a385d6bd7f9e3935bd48f6755d430a845e00

  Score

  8^/10

  discoveryevasion

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Drops startup file

  • Modifies file permissions

    discovery
  behavioral15behavioral16

• • Target

    47b51b615fe22292caf30a30a4d4057cf57a283a61045190b2a2331b763b6125.bin.sample

  • Size

    117KB

  • MD5

    acd3a6e3d27a498abc76a1b336f3493d

  • SHA1

    3550505124d4f2a7f6837cfab0593dcb48e0b192

  • SHA256

    47b51b615fe22292caf30a30a4d4057cf57a283a61045190b2a2331b763b6125

  • SHA512

    80afb4ecf4b023b4d21c33d5dbff430df75e2bfef974b072f5edb891bb633fab629012eda3e9ec5935910cabaf0e36d7b1ce76ae712da3df3d6c95f8f34cebf8

  Score

  10^/10

  makopdiscoveryevasionransomware

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

    ransomwaremakop

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Drops startup file

  • Modifies file permissions

    discovery
  behavioral17behavioral18

• • Target

    4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7.bin.sample

  • Size

    87KB

  • MD5

    3f52b4b4c36af074135666480cd1b65e

  • SHA1

    66d1435061a72556fff47e6676d5531b48f883da

  • SHA256

    4fefb51009b09d77ae3300be1f350dd0d301cbaac75b50053dcf1a39673302b7

  • SHA512

    d5c9e97d0733c6a938f90b45c236abd2cbb0b756246920c30c2e8e615588237a11e52904a26acc3d1dd7496943060158239b60d2665ba53637bf0df8b2b6b11e

  Score

  10^/10

  evasionpersistenceransomwaretrojan

  • Modifies WinLogon for persistence

    persistence

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Drops startup file

  • Windows security modification

    evasiontrojan

  • Modifies WinLogon

    persistence
  behavioral19behavioral20

• • Target

    5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd.bin.sample

  • Size

    175KB

  • MD5

    da09586ba925a20faa4a2879697c9238

  • SHA1

    ab6ca1d039ac2d54a811486d731ebf94ad61bf47

  • SHA256

    5026eddb6f757aba5701d674a948372f2436756ee6a72c95228801a782f649cd

  • SHA512

    80f8b6a17fe17192244a223c8b6618b70a19e8bd0cb5179b1b058c455e36c32f53c2e7402e25144e3bbb800c56ef0ad2ac6a363c4d1615ff1ea84a0c1ab371e1

  Score

  10^/10

  evasionpersistenceransomwaretrojan

  • Modifies WinLogon for persistence

    persistence

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Drops startup file

  • Windows security modification

    evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon

    persistence
  behavioral21behavioral22

• • Target

    50ece411c1c1a69d1c495e7aa6af8e812dfa08dfd987e096ce57707da1054f85.bin.sample

  • Size

    398KB

  • MD5

    a3950b817d9d93bc89da5c5459c4c725

  • SHA1

    2a28807b8b1095d9a8c3339f156705ea46f31976

  • SHA256

    50ece411c1c1a69d1c495e7aa6af8e812dfa08dfd987e096ce57707da1054f85

  • SHA512

    479f3787bc0063df25a495155d86a1af9b64725644b36858b4f3b96916c3649fa22f568061eaf0bbb421e10d9e59df23e107578b81b51ff61b6613f94732bca6

  Score

  10^/10

  thanosevasionpersistenceransomwaretrojandiscovery

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies WinLogon for persistence

    persistence

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Thanos Ransomware

    Ransomware-as-a-service (RaaS) sold through underground forums.

    ransomwarethanos

  • Thanos executable

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • Modifies file permissions

    discovery

  • Windows security modification

    evasiontrojan
  behavioral23behavioral24

• • Target

    551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c.bin.sample

  • Size

    89KB

  • MD5

    c0d3aae8bda692a1a97b54d9db53be65

  • SHA1

    dba09fa80ad5a64780777827ba27c3bc8443009c

  • SHA256

    551129c0d4dbeab8bef925857df93715036503429afedac79f5d8d1a1b9fcd5c

  • SHA512

    adb56650b539694f8f0976e1ed1cc46f98360062ff0edbd79b413a29efcb20176b37af67f1b50f2359cde3f2cd2ce9f1f242f1b4ad5c327bb9d5819d86584066

  Score

  10^/10

  discoveryevasionransomwaretrojan

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Modifies file permissions

    discovery
  behavioral25behavioral26

• • Target

    58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.bin.sample

  • Size

    82KB

  • MD5

    e01e11dca5e8b08fc8231b1cb6e2048c

  • SHA1

    4983d07f004436caa3f10b38adacbba6a4ede01a

  • SHA256

    58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f

  • SHA512

    298bfb9fe55ddd80f1c6671622d7e9e865899a855b5bb8e0d85d8520160cedca6fd8bc72c9881925477bcab883bf6e6f4c69f997b774b74fe992e023a81269de

  Score

  10^/10

  discoveryevasionransomwaretrojan

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Modifies file permissions

    discovery
  behavioral27behavioral28

• • Target

    5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4.bin.sample

  • Size

    108KB

  • MD5

    f06010cbf89e396a78cebfd0456e1859

  • SHA1

    33306e22ac0fa20a49cbbce252e08be91ac4414b

  • SHA256

    5e088eb0eb669be278eeef2204005e705c88f5a215e985b53dc42b4f9853b4e4

  • SHA512

    08d1aed5b3b797000fcf1005e5b3a4d991e0c68de0ec297238bc2822fe9d21d19d599f892aef7369cca8d2a5dca2dfac73fcf7441429153a66aa58a2039f1f29

  Score

  10^/10

  discoveryevasionransomwaretrojan

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Deletes itself

  • Drops startup file

  • Modifies file permissions

    discovery

  • Windows security modification

    evasiontrojan
  behavioral29behavioral30

• • Target

    5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.bin.sample

  • Size

    94KB

  • MD5

    63f0ad9da8c823ca89c4c4ec0fce2c92

  • SHA1

    89e66f83eee1e47b231c060034c55cd09cc84a98

  • SHA256

    5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb

  • SHA512

    55365e3a80e5266ad79189ab80d82a5954e284f0ae63ac8ab387e351edb96213158bd00973a3db95b1280d919757125fad527f54e2e340e8324f3a62628159c3

  Score

  10^/10

  evasionpersistenceransomwaretrojan

  • Modifies WinLogon for persistence

    persistence

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Drops startup file

  • Windows security modification

    evasiontrojan

  • Modifies WinLogon

    persistence
  behavioral31behavioral32