Overview

overview

10

Static

static

10

001e9becdd...93.exe

windows10-2004-x64

7

1a1cf2a2f6...31.exe

windows10-2004-x64

7

2eac3720bc...61.exe

windows10-2004-x64

1

320e3af17b...4c.exe

windows10-2004-x64

3

33bcab7033...70.exe

windows10-2004-x64

6

47a52afd63...2e.exe

windows10-2004-x64

10

4b24d27301...69.exe

windows10-2004-x64

7

4c481d251f...5a.exe

windows10-2004-x64

1

4c9ab76300...dd.exe

windows10-2004-x64

6

50a04b093c...95.dll

windows10-2004-x64

6

5266183553...2f.dll

windows10-2004-x64

8

547798defb...6e.exe

windows10-2004-x64

10

5fb2242c04...96.exe

windows10-2004-x64

1

63a0bf6385...12.exe

windows10-2004-x64

10

6a08b51e02...68.exe

windows10-2004-x64

5

803d827a2c...53.exe

windows10-2004-x64

7

85523c6377...c3.exe

windows10-2004-x64

3

8ab3db7349...03.exe

windows10-2004-x64

9

9b87457fe8...f0.exe

windows10-2004-x64

8

a3c7b0df18...cc.exe

windows10-2004-x64

1

ab4fa067af...38.exe

windows10-2004-x64

10

b1c5c3ca41...7d.exe

windows10-2004-x64

3

ca561f9403...c5.exe

windows10-2004-x64

7

d278eb3d6c...8f.exe

windows10-2004-x64

6

d3e04348f4...91.exe

windows10-2004-x64

10

d7e876a714...c9.exe

windows10-2004-x64

7

dd8bf2763c...38.exe

windows10-2004-x64

dd9ca1355f...9a.exe

windows10-2004-x64

7

dd9d07d1f5...27.exe

windows10-2004-x64

10

ef3c260fed...49.exe

windows10-2004-x64

10

f40df86d68...df.exe

windows10-2004-x64

10

fb861230c0...01.exe

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Desktop.rar

  • Size

    5.6MB

  • Sample

    231023-z4pphafg4y

  • MD5

    9462bef27d5673bc39e7c6197f0b30f1

  • SHA1

    5f4814afabbcc89a9d47b99f90b91b13b5edf250

  • SHA256

    ad3bcb65313043b1a43b8fb210f3a20a87df8a8145ed9a18b086d0859616caa2

  • SHA512

    f4c64d04ff64646e21abbe5d8abc828546e765e0f00817fbe70c1f11983ff46f9cc09ee94bfda335a1f0c5db01010ac1173746bee4e9dc52b802973dfc1dba7f

  • SSDEEP

    98304:1fyslh/MRTs8LWWCxyJrMqTnucb85kcK5+u4CYtivrRFQNogZX/Tko+0+xE:Mqh0RI8LW3xkrxV9cArLQH

Score
10/10
gandcrablockymodiloadersodinokibi33360adwarediscoveryevasionpersistenceransomwarespywarestealertrojanupx

Malware Config

Extracted

Family

gandcrab

C2

http://gdcbghvjyqy7jclk.onion.top/

Extracted

Family

sodinokibi

Botnet

33

Campaign

360

Decoy

2020hindsight.info

frameshift.it

billyoart.com

omegamarbella.com

scholarquotes.com

ziliak.com

matthieupetel.fr

cardsandloyalty.com

limmortelyouth.com

solutionshosting.co.uk

gsconcretecoatings.com

annenymus.com

barbaramcfadyenjewelry.com

ciga-france.fr

ayudaespiritualtamara.com

fann.ru

paprikapod.com

galaniuklaw.com

azerbaycanas.com

testitjavertailut.net
Attributes
  • net

    true

  • pid

    33

  • prc

    xfssvccon.exe

    mspub.exe

    tbirdconfig.exe

    sqlservr.exe

    dbeng50.exe

    oracle.exe

    excel.exe

    winword.exe

    synctime.exe

    sqlagent.exe

    encsvc.exe

    msftesql.exe

    mydesktopqos.exe

    mysqld_nt.exe

    thebat.exe

    dbsnmp.exe

    msaccess.exe

    thebat64.exe

    mydesktopservice.exe

    mysqld.exe

    outlook.exe

    ocssd.exe

    ocautoupds.exe

    onenote.exe

    thunderbird.exe

    infopath.exe

    sqbcoreservice.exe

    wordpad.exe

    sqlbrowser.exe

    powerpnt.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    360

Targets

    • Target

      001e9becdd7d9887c6fbe487073ad3dc068124a5300f4128d9ed32db4f63f793

    • Size

      31KB

    • MD5

      6ad501cfa7dad1014e008cbfd988404c

    • SHA1

      27be2f03ec2e1c0ecf566f0f3fd3c0bdf75a9fb8

    • SHA256

      001e9becdd7d9887c6fbe487073ad3dc068124a5300f4128d9ed32db4f63f793

    • SHA512

      798838c0eea397797a2daaf98a77344e70e75b18304a7cb864a3920b5c255721b84220ea550e61715f92fb8f28ca2d91522e138fbf8d76d8e74ad5ecf8410307

    • SSDEEP

      768:Ik+HPVo3WDZ7g1p4nZPTB7cZt7L0BlYfHCkr:n+H9ou7g1p4nr74OLYfHC6

    Score
    7/10
    upx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

    • Target

      1a1cf2a2f6a49b8d2a84b9b5ec5f783e7d9be30b6a17a28795bc351bb3cdde31

    • Size

      125KB

    • MD5

      f589a54f5660a756b745212fcc5b3c2c

    • SHA1

      5103d785c2dba038f7ce2f7f00dbd55a3c1f9a3e

    • SHA256

      1a1cf2a2f6a49b8d2a84b9b5ec5f783e7d9be30b6a17a28795bc351bb3cdde31

    • SHA512

      8effd05c1ead4342e6a612f5368469b7a923c9d7697cce074261bc9b078e75861a8105e2c179270cda00fe22a1d75e389d4a4c463ba8990c749d5ad7f029537b

    • SSDEEP

      1536:vEpR+iRa2LNCkfAI6wzMb6tEVBLK5wvFS2qeAb1WVPShFBkblSAeTNa5G3U/1:DKxBMb6sBJfQASh3MlKTNa5P/

    Score
    7/10
    upx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral2

    • Target

      2eac3720bcfb4550e3093f053880b373068360bc8583f2aee059905bcad29c61

    • Size

      1.2MB

    • MD5

      76d26edcad21f551904c2022b13f9e18

    • SHA1

      be08028c16a264259df8a0406534aea99ffcb63e

    • SHA256

      2eac3720bcfb4550e3093f053880b373068360bc8583f2aee059905bcad29c61

    • SHA512

      7be1982f8c7a7f1cfec0b62cd84516c05986caad8b3ab2bad767d4dc249f0d75b450a9548e923ae971cfcce5527d350678207f0ac60533d99c02c6f49118e4cb

    • SSDEEP

      24576:kZv4B9NbMTWRoX3Uusm5RnveE0QBS6M4MRbEjAtmXfSrF6CT:kZA38bvoQBS6MVbmYjrEm

    Score
    1/10
    behavioral3

    • Target

      320e3af17bb8787283fe0c4af9d3a778c191d8374f19c0bc6b6ee2f22363094c

    • Size

      96KB

    • MD5

      d5df2bc1cd0cbc5ad1d4886336cfe61c

    • SHA1

      44fe30558cedef580bb115e81b6eb2ebd4910a81

    • SHA256

      320e3af17bb8787283fe0c4af9d3a778c191d8374f19c0bc6b6ee2f22363094c

    • SHA512

      446a7422f9b023d5e98276766838d31e5954413d9153b985d96eced001277e28645e39d7f3a7c23ec721dedb8ee3326a48d12e2350967e9324e44d6bde7a7a27

    • SSDEEP

      1536:nhUNGjqT4RDyXlsxbJZ/w7XAxx9ul0HZHHq/HHGCkLa+daxo5:OGtRD2lsxb47QH1Dz4xo5

    Score
    3/10
    behavioral4

    • Target

      33bcab70334406fb3331b4b3fffbf8c51df52d93efb5d673d865b7a7496b1570

    • Size

      445KB

    • MD5

      e988bb37ac1a1215def5f77c679fb701

    • SHA1

      020fecf6072e87035411808552ead5a73a34ce6a

    • SHA256

      33bcab70334406fb3331b4b3fffbf8c51df52d93efb5d673d865b7a7496b1570

    • SHA512

      997ac8e3d18405705624434dfe5e2985f7fae39a77e3763a1ac879e799d58f24fcd1b2966eae951cf7447517c489a37a01aac1adb0f16df04c911a33fb0c0163

    • SSDEEP

      6144:z4rhk3Qi52SBsimmsGJJ7iVTEcUahucFYkLdHHexabB5g5KimJin7S/qYu2a:zpQi52SBs710JZcD5ReMNu5Ft76uX

    Score
    6/10
    persistence
    behavioral5

    • Target

      47a52afd63406238b1b5ce59a7cb282685629b14169405015b0cef20fbe4f62e

    • Size

      692KB

    • MD5

      d631afaace32d5329733a9a9a49e51c1

    • SHA1

      898bbd2972f932b201aa0d0470b971777965839e

    • SHA256

      47a52afd63406238b1b5ce59a7cb282685629b14169405015b0cef20fbe4f62e

    • SHA512

      c01266f21d9b3b0ad171389cd5e0fc7b65f51dad98436dc73bd37f6d997ec87197fd0303af4b26e296ac4b9bdc975127dcaed2898c02def7bb4f3845ea155c94

    • SSDEEP

      12288:1ijnGp4df9EfRSnFwj6pNYSb8mXcfeD+EJY7bZHJNzejM2vkdISFDfken5:wnGabS2FwewZHvd/dLdTBnn5

    Score
    10/10
    persistenceupx

    • Modifies WinLogon for persistence

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral6

    • Target

      4b24d273019579ba3c1e0ad261954c0941d114aab802fa2d1fcb14dab9f3e869

    • Size

      766KB

    • MD5

      97c79f53087fe9e29d9cb33c30d00333

    • SHA1

      b65db348b65e13cd6669d71f293be4b21e2edec0

    • SHA256

      4b24d273019579ba3c1e0ad261954c0941d114aab802fa2d1fcb14dab9f3e869

    • SHA512

      4c3ae99b5462b1c030343baa663d94500be40bd0cae14557e1c997ff63ee6966293f4e5e1e4967085ce61f1e132dcfb00baae5e54afbb99be9ae2f68e471eed1

    • SSDEEP

      12288:65MUXQCYVScN3p+bOT8DOHQjsfku5JEO7ShNqc124tjsZlpfqreZKC08nxN:85A9D3pYOQeQjs8S2xTv2IoZldqrepnx

    Score
    7/10
    persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral7

    • Target

      4c481d251f29295af1af599374ea93f9fc24b6139fbb02ec115bec9f4e7bc25a

    • Size

      76KB

    • MD5

      8ef0e38c773de949ff39c4642528e2fa

    • SHA1

      c9f7258af7766bf093567ff5bb8413547593e814

    • SHA256

      4c481d251f29295af1af599374ea93f9fc24b6139fbb02ec115bec9f4e7bc25a

    • SHA512

      2bae3c9458537e6494b5fac4508ff2f251d42ea50c7b15561f7ea21e3af7c44a69339e45806f98bb9adefe225c13dd4224ffc04692347b57ee5bfbc48bf749b2

    • SSDEEP

      1536:KP0B3eu/yVqAJfBgIX2/ULX6htt25Prhx7a9:Kc3e4yIW5F6Q6WhFa

    Score
    1/10
    behavioral8

    • Target

      4c9ab763001721e04e9efc44e1e97351557f8a4b1cf5471b141e7358cd1296dd

    • Size

      73KB

    • MD5

      0b86474cc124beeec871e7ca53b333f5

    • SHA1

      43e4c87efaf509a17bc4f517cb9133f6cd5297ea

    • SHA256

      4c9ab763001721e04e9efc44e1e97351557f8a4b1cf5471b141e7358cd1296dd

    • SHA512

      71274745d3ff6b3e26571ee4dacad7084f04be705afd7196de697fd985ffa289d7e87b962d707130bde0af9eb9784ad6fd005f308843de8feedcceae78d0f58b

    • SSDEEP

      1536:n55u555555555pmgSeGDjtQhnwmmB0ybMqqU+2bbbAV2/S2mr3IdE8mne0Avu5rJ:DMSjOnrmBTMqqDL2/mr3IdE8we0Avu5h

    Score
    6/10
    persistence

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral9

    • Target

      50a04b093c8f05481eb672ebec0537f61e233071798d1f3b939e17e333b51795

    • Size

      349KB

    • MD5

      8b5ea4d800861e7dfb4bfcad593e8ca3

    • SHA1

      ec5379f66dbc66afe09eaa7dc07bcba551f9739d

    • SHA256

      50a04b093c8f05481eb672ebec0537f61e233071798d1f3b939e17e333b51795

    • SHA512

      7a9cb045bb8b811254ff01d5389ec5e4a799ecde5441ddf0b35d52d524c2bfd142da8f5701ed88672fd451866f32cce7ca8c1d409153e7d71678e8a466fb1418

    • SSDEEP

      6144:W323b9t48aRkIzdNrFt9tlZZspbSoA1v3j0ciHMnjKiV6p/KBTA/:W3wb9ukIzdNrZtBkk3EHAWiZBTA

    Score
    6/10
    adwarestealer

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware
    behavioral10

    • Target

      5266183553addd392a0968ea9e835c00e55a27468829ab65832cda37508c8e2f

    • Size

      28KB

    • MD5

      f9440a2aa3f1cdeb448e4fbe7a09cfd4

    • SHA1

      6fcc6bc2df88ea794cf06f388c36d218f448b21b

    • SHA256

      5266183553addd392a0968ea9e835c00e55a27468829ab65832cda37508c8e2f

    • SHA512

      813c772160ebc72a8d832eb4e9e6e40fe9b1d4b4d8243ae19184cf7d9f1c24f95557aec2f9965efc442b3cdac1f619fbed5c9f1a7fae4664ad04ea864e3d47bd

    • SSDEEP

      384:y31jyYPVeDmeJWjgye9OQ/1/ZMDseMySH:MRyYPVQm3Er/9wNhSH

    Score
    8/10
    persistence

    • Blocklisted process makes network request

    • Adds Run key to start application

      persistence
    behavioral11

    • Target

      547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e

    • Size

      161KB

    • MD5

      adcf55265a209bad0f166437319396ef

    • SHA1

      00e99ecb276e96f54dd99759c72a71aca09b4fa1

    • SHA256

      547798defb6d577ec9f13b00fb1be293f903aaa974ddc049be16d6437aeec86e

    • SHA512

      98876cee418e7ab54f5e120c550c2be1050a4fd79e4102e343a446fd63ef9d4f8b49c7b6a9acccd49c2be1791665e9561c9b7c6e6d76a8168981f8cfde412c39

    • SSDEEP

      1536:Lbb832pdNx0q8KStnznExkW+pkK8i7Pbi4eTMluxtXDCntTnICS4AKEqtUJCaoKc:Hp5SexkWi1Lbi4eTMlwDCnu/qWdb0r

    Score
    10/10
    sodinokibiransomware

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

      ransomwaresodinokibi

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral12

    • Target

      5fb2242c04ce18830b84de73c4f0fc4e9c8a5e6877a14f414fcbfaa5a3948896

    • Size

      2KB

    • MD5

      f2f14d0487ffb297f6ddb67b8e1643d5

    • SHA1

      f92ca8b8d2cd1512017e5b4a656f2f79fd640722

    • SHA256

      5fb2242c04ce18830b84de73c4f0fc4e9c8a5e6877a14f414fcbfaa5a3948896

    • SHA512

      a0f89aafdeb693951d12adfeb90e4e2025e9ce015498169cb3e7023b7c611b536556befde2fabfb58d504bef88d0e4509bf3192d81a6471defe9c0d34402308c

    Score
    1/10
    behavioral13

    • Target

      63a0bf6385356dd0297449bdca2a2f171846315505800e81a4c0285f09c87312

    • Size

      304KB

    • MD5

      abebbf12d4f5c17f5fc6d295b780e5a0

    • SHA1

      58f129763b6b98483f44c5847de8c34c01316d65

    • SHA256

      63a0bf6385356dd0297449bdca2a2f171846315505800e81a4c0285f09c87312

    • SHA512

      8f64772716006990bbca182fbee187d6792fd9eb9b6d891296bb4d9067a7568fc57ec845a5302afe206b935900e8f76061035f5cfd14bbe487f3311ae9dbb900

    • SSDEEP

      6144:6h+ykFDX/tt5ipwQd3Zks1NqZNlPur5UMRjIjXn+Z:s+ykFJfimQd3V1QZNu5FRQ3s

    Score
    10/10
    modiloaderevasionpersistencetrojan

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • ModiLoader Second Stage

    • Adds policy Run key to start application

      persistence

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral14

    • Target

      6a08b51e02a7b510972907c326041222ff4632ba53b89573fca7e80b59c4e168

    • Size

      260KB

    • MD5

      1603aa73ddc1b52002505f49f4680ae0

    • SHA1

      82bea2f53c75ff446723bf2842fa357c3b0fe0ce

    • SHA256

      6a08b51e02a7b510972907c326041222ff4632ba53b89573fca7e80b59c4e168

    • SHA512

      39f49d626c38be26d413570e490998f62d769badacb872dce295657dbbd9cb3690d9324f26b59e377c4be1716ec34d2e3e4f8d3586078432b18b2f3178a34511

    • SSDEEP

      6144:CkMYmk7nSPwZCNnRFujfLRvhgmvH/VCrEfEa:CkMdkDSPlfFurLdfVCPa

    Score
    5/10

    • Suspicious use of SetThreadContext

    behavioral15

    • Target

      803d827a2cd764008783e691ce132ef853dbfa77017e5d2eeae47ceb3ca50f53

    • Size

      1.1MB

    • MD5

      ae90880e6556ebb938795518af3a08b2

    • SHA1

      8647dce3b9cce0197ab0e9b832de1f6d2413dd45

    • SHA256

      803d827a2cd764008783e691ce132ef853dbfa77017e5d2eeae47ceb3ca50f53

    • SHA512

      049ee5204617be840fbce46209b52e788932ffa061c7aa7121caee80d3bcbd26cede1d5657ef4e06bde550f16b7f12d0fbf965340a75ed1b4f6e281afa3135fe

    • SSDEEP

      24576:xdtRKR7yXFNlMcc7xWzyXe0nyrFPZM7ZNe+d+8/zUX0rSbKnvW5iaO:/y70F0vNXfn+FSlPc4SkvWXO

    Score
    7/10
    discoverypersistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral16

    • Target

      85523c6377c27e22068a2ef347997a295981b91e103b3cf3387ed80aa0b010c3

    • Size

      134KB

    • MD5

      0b70c8523df90c5c45c4c6eeb2bd5f9a

    • SHA1

      478ccd48fa43dcff2f213ee7763a6c5423531e7b

    • SHA256

      85523c6377c27e22068a2ef347997a295981b91e103b3cf3387ed80aa0b010c3

    • SHA512

      da9390a8cf04db418386bc6c696eccbc738d61d4560888b14c4085d1c96b43b9a144ef97cc5366806c24cf7ffb0a6b7300be6b88f8b5a31ded15b3af219097bd

    • SSDEEP

      3072:i/aSNtBvGruIQdaoVOWNq6zrUYh9oDrFcgNe6wPFbQ:iiSx+PQdao4WprhvofFfNxE

    Score
    3/10
    behavioral17

    • Target

      8ab3db7349f38d6463a3c6a7155ab297f18d92262a098064ea2472cecc7e3103

    • Size

      652KB

    • MD5

      245e27d4cbe922994b4f53fa96e1159b

    • SHA1

      47d2c5a68e96ae7bc43f305a7d5df082f93c623e

    • SHA256

      8ab3db7349f38d6463a3c6a7155ab297f18d92262a098064ea2472cecc7e3103

    • SHA512

      6daa517675e33e223412e9d5b1f6e724359bec45cae0bde1743d158c91bf932fc1c29e4c4d0db16eae585a63a8d7a5124dd86c7c15dbb89074927fa12a3cc7fd

    • SSDEEP

      12288:txSSwVr2GJCW87DJxtG0etNNYwnb8mjEJW++GzPUeS4SvS/incHD:nVnGJCW8JxE5ywnb8HW++LeS4Sq/inCD

    Score
    9/10
    ransomwarespywarestealerupx

    • Renames multiple (2022) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Drops file in System32 directory

    behavioral18

    • Target

      9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0

    • Size

      60KB

    • MD5

      6aa22fd28d56b38bdf8dfc90dbd6dc96

    • SHA1

      1e28cf53cbcacde5a272669cdd1670785183272a

    • SHA256

      9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0

    • SHA512

      cb882269950289b614c1009eabc0a69ac8fb371a62af4e488413e10c60c0defeb5ad891e56a680e9cd60cb6971bcef8e35cc2899b17897d6ba1767e5be97ec35

    • SSDEEP

      768:3kWI7wOxRW1Hn/txYKtXeQJCAhxPPqEAQemUJiKrji0tSdZRNoN5J:3kWI7kHn/f/tugCsxPSEA3mUJiKadYJ

    Score
    8/10
    persistenceupx

    • Modifies Installed Components in the registry

      persistence

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral19

    • Target

      a3c7b0df189bdd47c7e113ff3b664f26b0bcd6f4f878186e882ea199e15c28cc

    • Size

      118KB

    • MD5

      07f771d8afa8f16121d508edd32fbbf1

    • SHA1

      77e5b9e6cb0f35585863430e7611289a293a6e06

    • SHA256

      a3c7b0df189bdd47c7e113ff3b664f26b0bcd6f4f878186e882ea199e15c28cc

    • SHA512

      f9cd46f37499d1239ba8a032f17858be2b9a6aaea769535303313d50ca04ede10189a63dc8ac158fb1c2ead04092d18b846e7c043b72af1300e127b354bd6108

    • SSDEEP

      3072:dSKf2N9xxjcgjQFrUBX/7RVIc7BFNROGgn:8KfUjcOWrY/7jxE

    Score
    1/10
    behavioral20

    • Target

      ab4fa067af1c9a107b879341e255eb9f05779608ce31217c1a2d60d28a2c8838

    • Size

      84KB

    • MD5

      7d3294046b8db4fa7229ea4e226808c9

    • SHA1

      3586e1d378e8547b0d7c3eb58fcbf9d789b1981d

    • SHA256

      ab4fa067af1c9a107b879341e255eb9f05779608ce31217c1a2d60d28a2c8838

    • SHA512

      4028df37dc553d47141f32a6e09019878ef66923f2fa87f17ae2b0f4068d11b7f4e10a22acf9120f710151a638bbf9a5fd121b6876361e23df36ecdc12b1c07a

    • SSDEEP

      1536:6C8Kd354Ru7qqWIk0rJ771bI6tcMCFnZGqckwVXicpt:6C8AJR/tH1b/GZtckwVXTpt

    Score
    10/10
    persistence
    behavioral21

    • Target

      b1c5c3ca41c322b47a5feb62ebb0e5daa3c1c682aa1dedb98fd3b7dff3eca57d

    • Size

      181KB

    • MD5

      4e8226759c8ef58bab4c3253ecc61c52

    • SHA1

      9a2380a1992841b12392e7da6bbee7c95a0ae1af

    • SHA256

      b1c5c3ca41c322b47a5feb62ebb0e5daa3c1c682aa1dedb98fd3b7dff3eca57d

    • SHA512

      0bf9a36f8c68b532d9f215be5897597ccc130157e4936cae008f43fe5ecfd25fc633c65437a8870eea51218812bfb5c0e2cf9c1babb69e8faa1fb120973e777e

    • SSDEEP

      3072:ou6a+u8pfzqrKlG3lV+3p/k0Dkjok5SUnkKkvdDtz+P+0:NvGh+Wl2lVQV1DulkKmNtz+G0

    Score
    3/10
    behavioral22

    • Target

      ca561f9403ab4be76ca66646df1a3da826fa2cc1972dd005ad23861abb317cc5

    • Size

      36KB

    • MD5

      1d6e8403b70897468d8e8c983e7d39f5

    • SHA1

      55941b50024fde3e014ba921de892228215ff464

    • SHA256

      ca561f9403ab4be76ca66646df1a3da826fa2cc1972dd005ad23861abb317cc5

    • SHA512

      5317f0ed0b56a7e34085f8d3d99995b1c166a188ce57c2354d4b4444df275e2edc2e55034501221408477a4e2876f807e7c368ea2f829079095df377c781475d

    • SSDEEP

      384:DXqQR5hXOQiEREEZMFfINYl+b/fXoiSv6m7k7t8ekuD7p:WQThXpyf/l+LoH7E5H

    Score
    7/10
    upx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral23

    • Target

      d278eb3d6cc29c6de4b086aaa6214412d62fe2bb850c0ead63a403c3a24b2c8f

    • Size

      124KB

    • MD5

      a0e69d718631af37a4421fc84f658f93

    • SHA1

      af15fa80ce962a445e4742c50d97e23cb622502b

    • SHA256

      d278eb3d6cc29c6de4b086aaa6214412d62fe2bb850c0ead63a403c3a24b2c8f

    • SHA512

      93f6ec3c3d3e0bf7b007f302b18bb5e230a2b390663d4030d1614a1e5e7417a3e4ed7229a601805618d8adc6a768f7b598543f38c9b67cb585c10d9f7ec88bce

    • SSDEEP

      1536:yJdAwtDCFXLkauQpeVwLXJi+bfE2i0JL4iDSiLseoM4gkuSrgJsTUZ:yfDCFime85vjiKIYr4gtSUKTUZ

    Score
    6/10
    persistence
    behavioral24

    • Target

      d3e04348f412615e23ad0aebfee1b4338f5edf99776bdedf08fbb0462868ef91

    • Size

      94KB

    • MD5

      2ce9d15f7b43b0dec6c3935de0743113

    • SHA1

      50cf913875f1447f894cf795a549df3c84f8f402

    • SHA256

      d3e04348f412615e23ad0aebfee1b4338f5edf99776bdedf08fbb0462868ef91

    • SHA512

      f06a98af22ecd806604f32a6b8584b918997b021ca1b91ab86dff9e3d9a7cdfb65aa8ab73edfd5cef5b98949cd6bd84a3925f3f1b5078b34bce7ee6c866ae42e

    • SSDEEP

      1536:Ga/ySwKA8SE/+PN7A80iTubsESYPgFYtJEpTC2WbJCH7lkJJtn3gOt0:Ga/ySwK1SUYuXuYP8abNJtn3gOt0

    Score
    10/10
    persistence
    behavioral25

    • Target

      d7e876a714e2632fa42e6636177962516736074c76f486dc34de020ec13af0c9

    • Size

      303KB

    • MD5

      70e94f2ed65211ee0b4ee143fa6d300b

    • SHA1

      ff8bb6f7220ed3f67d23b710bffddfa3e2e46d83

    • SHA256

      d7e876a714e2632fa42e6636177962516736074c76f486dc34de020ec13af0c9

    • SHA512

      fbd1fde8675d966fb47f86f59f6bd8c3dc2d5f97d12d56d1cd978cd918058b128496c5b1382fda9876958f91e32088d97646ebca2926833c738e39f62d6a8332

    • SSDEEP

      6144:7CSOgPDKvKum02kU1zZcYfNE+JoEPNaUW/AFSjNCi:+SxPDfuuVH1bPNaUWFj3

    Score
    7/10
    persistence

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral26

    • Target

      dd8bf2763ce09cbeb21cdbf802b9f7475c7998e459714150fae07ffcd027bb38

    • Size

      88KB

    • MD5

      46cd91959a5d80e0071c70f101abc27d

    • SHA1

      1baadd139627a8f7ea60c97abcfd47ce18c222f3

    • SHA256

      dd8bf2763ce09cbeb21cdbf802b9f7475c7998e459714150fae07ffcd027bb38

    • SHA512

      02cbac9abc7b5faa7b2fe02453b3b6c8374538671593fd83b7828c22fad1b450c7bd0d9c34d87fac36fd82b9172b3a6ca0fb97f4be496b694d0ed210d3e20547

    • SSDEEP

      1536:6ru1VBhAud18xM0fvtDCa29nupLIvidmpaXI60csCBXo4fnqd+Ax478KqTTong:yubBhAud1R0fv49nuq5U0cB3C+noKqT5

    Score
    1/10
    behavioral27

    • Target

      dd9ca1355ff3ddd883f9d2d0e6df9b7a8ebff650003a616c533b30554cee2a9a

    • Size

      27KB

    • MD5

      c3681538fb48175e2c02e54f4f333011

    • SHA1

      9f4c1c10f5e85116655adf4848d603a7d9812ce0

    • SHA256

      dd9ca1355ff3ddd883f9d2d0e6df9b7a8ebff650003a616c533b30554cee2a9a

    • SHA512

      4e9ed852edcb46b222d1a2aa5d1983b06070d94b16834951bd4a89ed8cdf763cf8c373884bf0b1e1954393a86da6ec3a1fa836f0a7d827c10c9fc5c1927dff91

    • SSDEEP

      768:MBGnobwYevtCIPLPjDIn4WZcLVY1DPmY5:MBGn/xhjPjDInrZcLux5

    Score
    7/10
    spywarestealerupx

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral28

    • Target

      dd9d07d1f5bb4facb1b4e412ce9e52a5ca9a689f2f78c34bacf63af19f7ce127

    • Size

      59KB

    • MD5

      070ea95d38c625faa296ddf97f4ccbdd

    • SHA1

      8edd4105e2598d8469452057b7ed407f7bc607c1

    • SHA256

      dd9d07d1f5bb4facb1b4e412ce9e52a5ca9a689f2f78c34bacf63af19f7ce127

    • SHA512

      e998d93352b7f212daaef055f687b8c6d55ba7ce9322e1877fc2c71253602fb9fde4186e5e7e9d3e7e9a50547422bca8d63f2907deeaf7213476de1e52738109

    • SSDEEP

      768:ZPvCu13OPkWi8Bkpvtudj+Ms4QSsx4QQB1Z+A/B+Ubbiu1f/snPKaE42cFyqpe8Y:PI/ZB8vtYE4omAe/iQnoPFE6PBUz

    Score
    10/10
    persistence

    • Modifies WinLogon for persistence

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral29

    • Target

      ef3c260fed0a71f0e679261aeb242133899f9ff03d68b5f95711a66ef919e549

    • Size

      189KB

    • MD5

      d8f3b153f6635d4257aa9de8cf5a0ef4

    • SHA1

      6502eaaecc168dd58fd7efca671f15734e12f958

    • SHA256

      ef3c260fed0a71f0e679261aeb242133899f9ff03d68b5f95711a66ef919e549

    • SHA512

      2fcc85ba83d1fe07950a649834866c3c5d51df5cbf65356f24d219b3ef35741a5a08fa7d62c2ced7302b5b0930047dfecce60caf74eb73ad5c21d48dd35d92e7

    • SSDEEP

      3072:qV8CZflmqu3ZJ9f1hzILPN54cuuu+meBwHAS//XpC2sk9PqcRxBCXfD2fS2zOy:qqChOZJt1hsLPN54cuuu+ZBDe/Bsk9DP

    Score
    10/10
    lockyransomware

    • Locky

      Ransomware strain released in 2016, with advanced features like anti-analysis.

      ransomwarelocky
    behavioral30

    • Target

      f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df

    • Size

      58KB

    • MD5

      b364e74e14f8a51d8198ddf8716dea25

    • SHA1

      a3477e425332dfec0c622f1a50cf80f1f6891110

    • SHA256

      f40df86d68d075c73e1be8ed5b3201f0e55a9eccf662258a219acee35df398df

    • SHA512

      cbc1a5f451d1fe8242466c357dcb6f6b7376ffb47f797930d88a282889711d6bcfad500243ce1b41bbc92ea4bab9094b8ea8f1415326ae2fceffae71a4f5f329

    • SSDEEP

      1536:wskqTQNhMxETZWr6PEwnAdlN3MBDCAZp4Y4/e66:5QYiupWDLce

    Score
    10/10
    evasionpersistence
    behavioral31

    • Target

      fb861230c088dd68f1a6c782e9ad0b44a1831ccc29c0516635cc4b3de2a91a01

    • Size

      224KB

    • MD5

      8e2ba1ae04b7eebbbfbfdf292b876ed3

    • SHA1

      9bd3229a0cff8e7bbe6e5020765776f06c48e725

    • SHA256

      fb861230c088dd68f1a6c782e9ad0b44a1831ccc29c0516635cc4b3de2a91a01

    • SHA512

      dbb7fd54ba05891698fe7a496dcf51b08ff82ceef7015000260a9d61c9525bed218cabf56642578d58e8adffdc7c658bc0f35316cb3a81b7358ea21200b0c5e3

    • SSDEEP

      6144:vCycg6P9CmZ3gcOofnxPl3sdO94SJJ+invrK9:vCycgR+3VtbDJJ1nzK

    Score
    3/10
    behavioral32

MITRE ATT&CK Enterprise v15

Tasks

static1

upx33360gandcrabsodinokibi
Score
10/10

behavioral1

upx
Score
7/10

behavioral2

upx
Score
7/10

behavioral3

Score
1/10

behavioral4

Score
3/10

behavioral5

persistence
Score
6/10

behavioral6

persistenceupx
Score
10/10

behavioral7

persistence
Score
7/10

behavioral8

Score
1/10

behavioral9

persistence
Score
6/10

behavioral10

adwarestealer
Score
6/10

behavioral11

persistence
Score
8/10

behavioral12

sodinokibiransomware
Score
10/10

behavioral13

Score
1/10

behavioral14

modiloaderevasionpersistencetrojan
Score
10/10

behavioral15

Score
5/10

behavioral16

discoverypersistence
Score
7/10

behavioral17

Score
3/10

behavioral18

ransomwarespywarestealerupx
Score
9/10

behavioral19

persistenceupx
Score
8/10

behavioral20

Score
1/10

behavioral21

persistence
Score
10/10

behavioral22

Score
3/10

behavioral23

upx
Score
7/10

behavioral24

persistence
Score
6/10

behavioral25

persistence
Score
10/10

behavioral26

persistence
Score
7/10

behavioral27

Score
1/10

behavioral28

spywarestealerupx
Score
7/10

behavioral29

persistence
Score
10/10

behavioral30

lockyransomware
Score
10/10

behavioral31

evasionpersistence
Score
10/10

behavioral32

Score
3/10