Overview (score 10/10)
Static analysis (score 10/10)

Behavioral task scores by environment (the number the page shows next to each task):
Sample                  windows7-x64   windows10-2004-x64
323389cde5...f3.exe     1/10           1/10
365712147d...a7.exe     9/10           10/10
5474e75872...06.exe     10/10          10/10
out.exe                 3/10           3/10
59c59ef90d...4d.exe     10/10          10/10
63fb410fc5...22.exe     7/10           7/10
9443472de4...e5.exe     1/10           1/10
97a877b999...8d.exe     10/10          10/10
a0f5def5aa...93.exe     1/10           1/10
abfe442282...b1.exe     1/10           1/10
b21f34ecfa...73.exe     9/10           9/10
b4b97aa67e...a9.zip     1/10           1/10
svchost.exe             9/10           9/10
b8ce017478...a8.exe     9/10           9/10
bbb4627895...f2.exe     1/10           1/10
bdf06acf03...63.exe     1/10           1/10
General
Target: Cat Research 2023-07-15.zip
Size: 4.5MB
Sample: 240101-q776kscacp
MD5: e56e18b0de08e733d57e92e6d033bf17
SHA1: 0e8d037a03a1855b3614174ba7e1a98424314449
SHA256: ee65e9d7a7bc9d17e894e0b775fc0bbfb35e72c65c3d768e34bfe059d521cc16
SHA512: ea9ed41545b843b89d5638c59448d53cf0e20298f2fa09989898ba1771626ce71d1661782980c6a826c2eabe0bb55145df09f5ae87a412474992d7013257c15d
SSDEEP: 98304:vampW+t8jmbIlfnE3+2mNntZaXItRbFLbf7jLxPbM0biQaMYQ/j/:vampW+6jmOlbNm4tRFLjLxjpso7
Behavioral tasks (each archive member was run once on Windows 7 x64 and once on Windows 10 2004 x64):
Task          Sample                                                                   Resource
behavioral1   323389cde5a3059c6c6e5c6c711d11e434a577b11dc07a9aeb7f8e1fb661ecf3.exe     win7-20231215-en
behavioral2   323389cde5a3059c6c6e5c6c711d11e434a577b11dc07a9aeb7f8e1fb661ecf3.exe     win10v2004-20231215-en
behavioral3   365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7.exe     win7-20231215-en
behavioral4   365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7.exe     win10v2004-20231215-en
behavioral5   5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506.exe     win7-20231215-en
behavioral6   5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506.exe     win10v2004-20231215-en
behavioral7   out.exe                                                                  win7-20231129-en
behavioral8   out.exe                                                                  win10v2004-20231215-en
behavioral9   59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d.exe     win7-20231215-en
behavioral10  59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d.exe     win10v2004-20231215-en
behavioral11  63fb410fc5267c61c5099927af714a8f5f4ba6dcdeeb1f297b022879767c7222.exe     win7-20231215-en
behavioral12  63fb410fc5267c61c5099927af714a8f5f4ba6dcdeeb1f297b022879767c7222.exe     win10v2004-20231222-en
behavioral13  9443472de461e9e7a9d7b7d89fa13815521db1ecebea5054643664953ee366e5.exe     win7-20231215-en
behavioral14  9443472de461e9e7a9d7b7d89fa13815521db1ecebea5054643664953ee366e5.exe     win10v2004-20231215-en
behavioral15  97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe     win7-20231215-en
behavioral16  97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe     win10v2004-20231215-en
behavioral17  a0f5def5aaaefa3ae538da9c643a5e381ea89cdee3e451ab1d0c52181d758593.exe     win7-20231215-en
behavioral18  a0f5def5aaaefa3ae538da9c643a5e381ea89cdee3e451ab1d0c52181d758593.exe     win10v2004-20231215-en
behavioral19  abfe4422828c6515e7b53c50a8f07dda0169f4ee34173357b6fa35b06fe144b1.exe     win7-20231215-en
behavioral20  abfe4422828c6515e7b53c50a8f07dda0169f4ee34173357b6fa35b06fe144b1.exe     win10v2004-20231215-en
behavioral21  b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe     win7-20231215-en
behavioral22  b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe     win10v2004-20231222-en
behavioral23  b4b97aa67e2fbfa344053be1c101cbd6560b0a5cfe2de8e2e637ba90c4df2ca9.zip     win7-20231215-en
behavioral24  b4b97aa67e2fbfa344053be1c101cbd6560b0a5cfe2de8e2e637ba90c4df2ca9.zip     win10v2004-20231215-en
behavioral25  svchost.exe                                                              win7-20231129-en
behavioral26  svchost.exe                                                              win10v2004-20231215-en
behavioral27  b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe     win7-20231215-en
behavioral28  b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe     win10v2004-20231215-en
behavioral29  bbb46278959b4628106319457405a8cc04681c82c2c8afa30475d50ed63417f2.exe     win7-20231215-en
behavioral30  bbb46278959b4628106319457405a8cc04681c82c2c8afa30475d50ed63417f2.exe     win10v2004-20231215-en
behavioral31  bdf06acf03785275d01d4135b432b56b31c7f352f9be3cf8eca00286251aa163.exe     win7-20231215-en
behavioral32  bdf06acf03785275d01d4135b432b56b31c7f352f9be3cf8eca00286251aa163.exe     win10v2004-20231215-en
Malware Config
Extracted ransom notes (path, and the contact URL where the note contained one):
  C:\PerfLogs\readme.txt
    http://paymen45oxzpnouz.onion/f9c90a087d
  F:\How_to_back_files.html
  C:\odt\How_to_back_files.html
  C:\PerfLogs\readme.txt
    http://paymen45oxzpnouz.onion/74129a02f1
  C:\Users\Admin\Favorites\Links\How To Recover Encrypted Files.hta
  C:\Users\Admin\Downloads\How To Recover Encrypted Files.hta
  C:\$Recycle.Bin\readme.txt
    http://paymen45oxzpnouz.onion/3a9577cf20
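The three readme.txt notes point at the same .onion host with three different path components, so the host is the indicator worth blocking and the path is the per-infection identifier. The following Python script is an added example, not code from the sandbox or from any of the samples: it pulls .onion URLs out of ransom-note text, groups them by host, and defangs them for a report. The note wording is constructed for the example; only the file paths and URLs come from the report above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed ransom-note contents. The file paths and the three .onion URLs are
# the ones this report lists under "Malware Config"; the note wording around
# them is made up for the example. The same path appears twice because two
# behavioral tasks each extracted a note at that location.
SAMPLE_NOTES = [
    (r"C:\PerfLogs\readme.txt",
     "All of your files are encrypted.\n"
     "Open this page in the Tor Browser: http://paymen45oxzpnouz.onion/f9c90a087d\n"),
    (r"C:\PerfLogs\readme.txt",
     "Your network has been locked.\n"
     "Payment page: http://paymen45oxzpnouz.onion/74129a02f1.\n"),
    (r"C:\$Recycle.Bin\readme.txt",
     "Visit http://paymen45oxzpnouz.onion/3a9577cf20 for instructions."),
    (r"F:\How_to_back_files.html",
     "<html><body><h1>Your files are encrypted</h1>"
     "<p>Follow the instructions in this note to recover them.</p></body></html>"),
]

# v2 (16-char) and v3 (56-char) onion hostnames with an optional path. The path
# is kept because it is what differs between victims in this report.
ONION_URL = re.compile(
    r"\bhttps?://(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion(?:/[^\s'\"<>]*)?",
    re.IGNORECASE,
)


def extract_onion_urls(text):
    """Return the distinct .onion URLs in text, in order of first appearance."""
    seen, out = set(), []
    for m in ONION_URL.finditer(text):
        url = m.group(0).rstrip(".,;)")  # drop sentence punctuation glued to the URL
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def defang(url):
    """Defang a URL for safe sharing in reports (hxxp://, [.])."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def triage_notes(notes):
    """Map every note path to its URLs and group URL paths by .onion host.

    Returns (per_note, by_host): per_note maps a note path to the URLs found in
    it (empty list when the note carries none); by_host maps each onion host to
    the sorted list of distinct paths seen under it.
    """
    per_note = {}
    by_host = defaultdict(set)
    for path, text in notes:
        urls = extract_onion_urls(text)
        per_note.setdefault(path, []).extend(urls)
        for url in urls:
            parts = urlsplit(url)
            by_host[parts.hostname].add(parts.path)
    return per_note, {host: sorted(paths) for host, paths in by_host.items()}


if __name__ == "__main__":
    per_note, by_host = triage_notes(SAMPLE_NOTES)
    for host, paths in by_host.items():
        print(f"{defang(host)}: {len(paths)} distinct ids -> {paths}")
    for path, urls in per_note.items():
        print(path, [defang(u) for u in urls] or "(no onion URL)")
```

The HTML and HTA notes in this report were extracted without a URL, so the script reports them with an empty list rather than guessing a contact channel for them.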
Targets
Each target below is one member of the archive, with its hashes and the highest score it reached across its two behavioral tasks. A score of 1/10 means no signature fired in either environment; it does not establish that the file is benign, since a sample may need arguments, dependencies or a non-sandbox environment before it runs its payload.

Target: 323389cde5a3059c6c6e5c6c711d11e434a577b11dc07a9aeb7f8e1fb661ecf3
Size: 1.4MB
MD5: b0b732188bc83ee4ad3b5e5b7dd34a26
SHA1: 4c1e68eebda46ead2563192b137f42b7a976ed2b
SHA256: 323389cde5a3059c6c6e5c6c711d11e434a577b11dc07a9aeb7f8e1fb661ecf3
SHA512: 51f2328cdd77ff287814618c9cb617da0f2c2fa189f466a633adb80b10c1fe0b2eaddcb3dfb58df9344181294294485f4a7527c3e5dac5964f2054bf779746a4
SSDEEP: 24576:l8ku9/++Rod4z2JOtqKf6bvkbRbEAsk7fQl7z:mkGi4DdRbdEAwl7z
Score: 1/10

Target: 365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7
Size: 450KB
MD5: e70b33103c17c000ac11025d2d8e70a1
SHA1: df898d9d0e8e6f2d4eb5d4742d4c206092cdcb34
SHA256: 365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7
SHA512: 632461a9c6bff4e013cf3e77a7262d1daaa8775156c61c70dab685ae59114b22d00a47a0214204f6c514c6be77ad5b0c371a889076072fdb1eaf574cb6d4c42c
SSDEEP: 12288:krYn2GbqdcOuAKi1kcwyEOywAx1gT+yFCv6oE4E:kcNbqdFtVkcwyEOix1GtFCv6F4E
Score: 10/10
Behaviors:
  - Renames multiple (8412) files with added filename extension: this suggests ransomware activity, encrypting all the files on the system.
  - Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
  - Deletes itself
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
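The "Renames multiple (N) files with added filename extension" signature is the sandbox's mass-rename heuristic: many renames by one process in a short window, each new name being the old name plus one extra extension. The following Python script is an added example and not the sandbox's own rule; it runs that logic over constructed file-event lines in a made-up log format, reports the appended extension (the first thing a responder needs when looking for a decryptor), and also flags the "Deletes itself" behavior listed above. Every path, process name and timestamp in the sample log is invented for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed file-event log (made-up format and values, not sandbox output).
# pid 4120 appends ".locked" to six files in five seconds and then deletes its
# own image; pid 2210 performs ordinary renames that must not trigger the rule.
SAMPLE_EVENTS = r"""
2024-01-01T10:00:00Z pid=4120 image=C:\Users\Admin\Desktop\sample.exe op=RENAME src=C:\Users\Admin\Documents\a.docx dst=C:\Users\Admin\Documents\a.docx.locked
2024-01-01T10:00:01Z pid=4120 image=C:\Users\Admin\Desktop\sample.exe op=RENAME src=C:\Users\Admin\Documents\b.xlsx dst=C:\Users\Admin\Documents\b.xlsx.locked
2024-01-01T10:00:02Z pid=4120 image=C:\Users\Admin\Desktop\sample.exe op=RENAME src=C:\Users\Admin\Pictures\c.jpg dst=C:\Users\Admin\Pictures\c.jpg.locked
2024-01-01T10:00:02Z pid=4120 image=C:\Users\Admin\Desktop\sample.exe op=RENAME src=C:\Users\Admin\Pictures\d.png dst=C:\Users\Admin\Pictures\d.png.locked
2024-01-01T10:00:03Z pid=4120 image=C:\Users\Admin\Desktop\sample.exe op=RENAME src=C:\Users\Admin\Music\e.mp3 dst=C:\Users\Admin\Music\e.mp3.locked
2024-01-01T10:00:04Z pid=4120 image=C:\Users\Admin\Desktop\sample.exe op=RENAME src=C:\Users\Admin\Videos\f.mp4 dst=C:\Users\Admin\Videos\f.mp4.locked
2024-01-01T10:00:05Z pid=4120 image=C:\Users\Admin\Desktop\sample.exe op=DELETE src=C:\Users\Admin\Desktop\sample.exe dst=-
2024-01-01T10:00:06Z pid=2210 image=C:\Windows\explorer.exe op=RENAME src=C:\Users\Admin\Documents\draft.tmp dst=C:\Users\Admin\Documents\draft.docx
2024-01-01T10:00:07Z pid=2210 image=C:\Windows\explorer.exe op=RENAME src=C:\Users\Admin\Documents\notes.txt dst=C:\Users\Admin\Documents\notes.txt.bak
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) op=(?P<op>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse_events(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def appended_extension(src, dst):
    """Return the extension appended to src to produce dst, or None.

    A rename counts only when dst is exactly src plus ".<ext>" in the same
    directory; "draft.tmp -> draft.docx" is a normal rename and returns None.
    """
    if not dst.startswith(src + "."):
        return None
    tail = dst[len(src) + 1:]
    if not tail or "\\" in tail or "/" in tail:
        return None
    return tail


def detect_mass_rename(events, threshold=5, window=timedelta(minutes=5)):
    """Flag processes that append an extension to >= threshold files within window."""
    per_proc = defaultdict(list)
    for ev in events:
        if ev["op"] != "RENAME":
            continue
        ext = appended_extension(ev["src"], ev["dst"])
        if ext:
            per_proc[(ev["pid"], ev["image"])].append((ev["ts"], ext))

    findings = []
    for (pid, image), hits in per_proc.items():
        hits.sort()
        lo, best_lo, best_n = 0, 0, 0
        for hi in range(len(hits)):          # sliding window over sorted timestamps
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            if hi - lo + 1 > best_n:
                best_lo, best_n = lo, hi - lo + 1
        if best_n >= threshold:
            burst = hits[best_lo:best_lo + best_n]
            findings.append({
                "pid": int(pid),
                "image": image,
                "count": best_n,
                "extension": Counter(e for _, e in burst).most_common(1)[0][0],
                "first": burst[0][0],
                "last": burst[-1][0],
            })
    return findings


def self_deletes(events):
    """Images that deleted their own file on disk ("Deletes itself")."""
    return sorted({ev["image"] for ev in events
                   if ev["op"] == "DELETE" and ev["src"].lower() == ev["image"].lower()})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for f in detect_mass_rename(evs):
        print(f"pid {f['pid']} ({f['image']}) renamed {f['count']} files, "
              f"appending .{f['extension']} between {f['first']} and {f['last']}")
    print("self-deleting images:", self_deletes(evs))
```

The threshold and window are deliberately low so the constructed log trips the rule; on a real endpoint they should be tuned against backup agents and archivers, which also append extensions in bulk but from a known image path.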

Target: 5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506
Size: 263KB
MD5: 111e7dd338f7a7db306c95e05797747f
SHA1: aff72034cbbc21693425306ad42b1bb182582743
SHA256: 5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506
SHA512: 215ee93c5faf2af3a55cceed281b56aecb5990baf4ae508f02eb481c7c22081f05b73a2657279205ff5d4edfc63722ea1405a9e8cdf65939021c9f052ffb6fec
SSDEEP: 6144:jeHgRe/IfHES0cVZrDjuNywKGOCWVoYkNMbU:jeHgM4HxZG1KGjWVoVO
Score: 10/10
Behaviors:
  - Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops desktop.ini file(s)

Target: out.upx
Size: 436KB
MD5: aec0dac2b75880cd43dcf189fde97e42
SHA1: 3159ec24c4e766ee8af2dfeda0e9d87e64e08139
SHA256: 975bb21e0b4941b1569e968ff02b8969d53ec3e090cb3a3ae28ad629cfe2453a
SHA512: 4bf22c844e7df5f06adc2273872216ce57881df0affe4ebacd82c8e59b911575cfe00138615ef25e83062aa5da050c5a306c9c1fafc752444396d712c9831920
SSDEEP: 6144:i4nt4N8qyv/j2+9cN9VNzmjhlPhdUiWing72gF/qXIWHsTfoaaYt+2ZOtFEmv0L:dt4K/i+89E9Wing72gFtWW+gOEmM
Score: 3/10

Target: 59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d
Size: 477KB
MD5: ebbb782bafaa3ab64a3e4b006a698fe0
SHA1: 2800cd4dd62ba63f38d0452bf80cb35b4359a3dd
SHA256: 59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d
SHA512: cd6681d7987901eb27064c4a833052abccef60383f9b0e53360ae9e3e66a19d0d0405bdeb5a609c7d668aa8720eb49f5fc3f060920ec042ec6584eebfd9f09ae
SSDEEP: 6144:ko4FuDncVzUJOH5bpX3Q92J6fHgaEFx9BQOJvZTsMJfOg2lOMxPEiarVb0J0:kzuwVzUW5bN3Y6LmO13Gg2IMyxrt0u
Score: 10/10
Behaviors:
  - Renames multiple (7191) files with added filename extension: this suggests ransomware activity, encrypting all the files on the system.
  - Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
  - Deletes itself
  - Drops desktop.ini file(s)
  - Drops file in System32 directory

Target: 63fb410fc5267c61c5099927af714a8f5f4ba6dcdeeb1f297b022879767c7222
Size: 924KB
MD5: ec9c3efe831aaa203058927df7de6138
SHA1: b77581e047551a70aaba0db7a57349136bd9e411
SHA256: 63fb410fc5267c61c5099927af714a8f5f4ba6dcdeeb1f297b022879767c7222
SHA512: 0d5aedcebaa660f345c549b9ae07b4d18fc01b563907b378c1cd905029bb0c6f6849e0f03c7c4a724c3448eb9c693138265a0b0129a298af3aada9bb0f447d6a
SSDEEP: 12288:tZqu3sRwqpxGCMF3dera2ybCPWy5SqZWj+6GJZy82VS1ToBgdoByOHGae0r2ivr:B3yEoro2PEpUA
Score: 7/10
Behaviors:
  - Adds Run key to start application

Target: 9443472de461e9e7a9d7b7d89fa13815521db1ecebea5054643664953ee366e5
Size: 102KB
MD5: 9cea7a7505d2eff4b1109d0e70a52baf
SHA1: 455fab0bf9e5f3e27c232aea89904c929db0a92b
SHA256: 9443472de461e9e7a9d7b7d89fa13815521db1ecebea5054643664953ee366e5
SHA512: 681fd65cb210f215db206f165e3a86ecc83285e928eab6e1660e33ea182f8b3059e1e68f9377faf47d2ccddad4c1b0019a4252febfb91b90b6f070d2ca0c7764
SSDEEP: 1536:SeN+oVQkMaz9GRQl4g9FlpIm1QUnv2+qQl4g9FlpIm1i:hbVQkIg9FlCv3g9FlCJ
Score: 1/10

Target: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d
Size: 333KB
MD5: db88a1bd11ca3aab7a0890a10a10f45d
SHA1: 0e01e118613962e364b76869bcfb9d26cf0a6505
SHA256: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d
SHA512: b6e374ea42e023d973baa2c8c3ce8c34a7c8ffa1aefd52f787eb51f980e1e1f8c2c6081d90cd0cf1b15166b86ed57dc2d7b9adde5021dd00cc629f8aae8df023
SSDEEP: 6144:YemY9cZrt2pF+M9htFl/1M0lpj9G/OaZE8ABInatk1:/9cm+M9vFl/1HrNInatk1
Score: 10/10
Behaviors:
  - Suspicious use of NtCreateUserProcessOtherParentProcess (a child process created with a parent other than the caller, i.e. parent PID spoofing)
  - Modifies boot configuration data using bcdedit
  - Renames multiple (1351) files with added filename extension: this suggests ransomware activity, encrypting all the files on the system.
  - Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.

Target: a0f5def5aaaefa3ae538da9c643a5e381ea89cdee3e451ab1d0c52181d758593
Size: 41KB
MD5: a06225459ff7b32f1408726f5d8007cf
SHA1: db14f8b54194f41383a0a0b1f181020d93774268
SHA256: a0f5def5aaaefa3ae538da9c643a5e381ea89cdee3e451ab1d0c52181d758593
SHA512: 0401e6423b359020161c26c9583d55007b00de451831e9523d752941d9815f63cd74f7cd649da4232070a2dbef2c9e584bf62a3d656532cdc2d32a06d8d305e5
SSDEEP: 768:lL+ntTLPgn6CI1uGukUcjI2Hp9xG6e7j6oERZVvrd7SRBl+Lkl+XkvDuQndwjv:lwtTLEtI1RUcdJ861s0cJdw
Score: 1/10

Target: abfe4422828c6515e7b53c50a8f07dda0169f4ee34173357b6fa35b06fe144b1
Size: 352KB
MD5: 04f36999713a138ebde1adbdd7aa01f6
SHA1: a3c66353d9ea491f96dc63f0e9d8cb0878e1123d
SHA256: abfe4422828c6515e7b53c50a8f07dda0169f4ee34173357b6fa35b06fe144b1
SHA512: 484ea18d1ed358156058d185b46a9e0caf4a44a710e638a75109996e1a974b935b3f3a0fdf5c04d2c64ec1d7e2f8fac28e2a0cf09461bc881e21f9b19c329fa6
SSDEEP: 768:GoXcYoibzZl5KMIjz9ofRouZ1OTgggggggggggggggggggggggggggggggggggg3:G4Tb55oua8byL76qXXZ5oulx3yzFH+
Score: 1/10

Target: b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273
Size: 352KB
MD5: 4f88b5e510ecbd0adefdfc87c552289c
SHA1: 047ec67b8e3c001086284d7176b2d239db565fb5
SHA256: b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273
SHA512: 75b86d6de4bec5285559f7e9a0dbf46df48dbdf78386023e5f8668a7814bc1db5322d8bf9d306cfd65175112b94366641d671175d59d3edacc3d2b2ba802f348
SSDEEP: 6144:X9PrHO8306KFnBCzDIZXY3HJmui45mkA2/1:drHBpgkDuoEuXbJ
Score: 9/10
Behaviors:
  - Renames multiple (112) files with added filename extension: this suggests ransomware activity, encrypting all the files on the system.
  - Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application

Target: b4b97aa67e2fbfa344053be1c101cbd6560b0a5cfe2de8e2e637ba90c4df2ca9
Size: 667KB
MD5: c6dbf15baa48e2ffac11c419513ce890
SHA1: 3ea88a0037805607f0d08f5be4a813378708c00a
SHA256: b4b97aa67e2fbfa344053be1c101cbd6560b0a5cfe2de8e2e637ba90c4df2ca9
SHA512: 83e927ebb7605ad96e906f14581118ffdfdd4d9322dba93f6ac453daea28cdfbc1ec37296144f661404d98cdd125eb3fa1c53fdea6b4a3eb56eea592e334697c
SSDEEP: 12288:GmudacqGbVLzCG1L6MfYBwe56n4NDkfvowfuUWCdiQM0gDbBho0dcv124VVkmTBO:08GbJzj1GCe56n4Fkfvow2U/FMN7hdcU
Score: 1/10

Target: svchost.exe
Note: svchost.exe is the archive member's file name, not the Windows service host binary; the hashes below are what identify it.
Size: 1.4MB
MD5: 1e56e3201f99af1f63c3b95b6d05d64f
SHA1: f5d32ac198ed52ded940ff5fffb1f513bb2b607f
SHA256: b8e40563f749016a1557ea461198661f501eadddba50d6528ffe4e9c52664666
SHA512: 36b77e56cf6d5c07a6a62cb5ff21e3316db2a70d4c285649cdc48d6403b8eb27c8c01b483f9bff135e92ea66e203871e783231f4938af1202e51389006c13f83
SSDEEP: 24576:Wmchf1ZHB7TZqSsulRicD2fdxs1isw/c169CDX/S6o1JLax:WVfvDqSsu2cAdxvvE0ADS
Score: 9/10
Behaviors:
  - Clears Windows event logs
  - Creates a large amount of network flows: this may indicate a network scan to discover remotely running services.
  - Creates new service(s)
  - Stops running service(s)
  - Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.

Target: b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8
Size: 245KB
MD5: 78db42a978dbaeec6b87e718b0e00160
SHA1: 226616df9b26e9ca327805755b75813ad67c1f3f
SHA256: b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8
SHA512: 8a8a29eb8679512ab214d16b3e207a4545dbd63a8410ce41eef8d2c249131a5947a157344932b6041feb3084ad14d437627d754a34b977a6c2f71159a54b2b5c
SSDEEP: 6144:ZU1aQUdyXTFDhznLOoAM4zkw7nMnp5PdleQRWsvBoCRt7Y0x:ZUQd4TFJLOolqk/72QksvBBt7Y0
Score: 9/10
Behaviors:
  - Renames multiple (196) files with added filename extension: this suggests ransomware activity, encrypting all the files on the system.
  - Deletes itself
  - Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.

Target: bbb46278959b4628106319457405a8cc04681c82c2c8afa30475d50ed63417f2
Size: 131KB
MD5: 6dd2b52d5af3fb6591d52a695a09d025
SHA1: 9ec21f57bf3f524dccca9e78f95974c7e4951785
SHA256: bbb46278959b4628106319457405a8cc04681c82c2c8afa30475d50ed63417f2
SHA512: 5a0c63c6163df1315a24bca6307aedec584a563fac17f7f3ab7e8f7fd57f189fd9db8dcb1d53b9f756ec7f7c721041958925202ab43868bfc57ddb2d3b3cd59a
SSDEEP: 3072:oZIzt7KLtx3kaKP/V0ZLKaQvPS5rrT0tYHJdP73wJOvpPX7:oezNqTADa5rrTLJFcJ8P
Score: 1/10

Target: bdf06acf03785275d01d4135b432b56b31c7f352f9be3cf8eca00286251aa163
Size: 41KB
MD5: ef51aa91d5cbed5f57b85571b528bf7e
SHA1: fbaaac20cff25f931c3480165ebf3b7ee9f7e4b3
SHA256: bdf06acf03785275d01d4135b432b56b31c7f352f9be3cf8eca00286251aa163
SHA512: c84fb47cc627c5148841b7a2a72abe17aabd18d449a2f46a6a538ef27a2de7a753c8431c5a0930502ea26ed60fea77310436e812e0c494e9523370aabf64fea5
SSDEEP: 768:BL+ntTLPgnHCI1uGukUcjI2Hp9xG6e7j6oERZVvrd7SRBl+Lkl+XkvDgYGZwRSAb:BwtTLEiI1RUcdJ861s0cgBZwMH
Score: 1/10
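Two of the 41KB targets, a0f5def5aa...93.exe and bdf06acf03...63.exe, have different MD5/SHA values but ssdeep strings that share a 44-character run in the first chunk and the same block size, which is what a rebuilt or lightly patched copy of one binary looks like. The Python script below is an added example, not part of the report or any tool it names: it parses the ssdeep strings listed above and pairs them up using ssdeep's own comparison rules (block sizes must be equal or differ by exactly 2x, repeated characters are collapsed, and two chunks score zero without a 7-character common substring). The final similarity number is an approximation: ssdeep's own scoring uses a weighted edit distance, while this script uses difflib's ratio, which is enough to separate same-build pairs from unrelated ones. Only six of the report's sixteen hashes are included to keep the example short.

```python
from difflib import SequenceMatcher
from itertools import combinations

# ssdeep strings copied from the Targets section above, keyed by the report's
# abbreviated file names. 9443472de4...e5.exe has block size 1536, so it can
# only be compared against the 768-block hashes through ssdeep's 2x rule.
SSDEEP = {
    "a0f5def5aa...93.exe": "768:lL+ntTLPgn6CI1uGukUcjI2Hp9xG6e7j6oERZVvrd7SRBl+Lkl+XkvDuQndwjv:lwtTLEtI1RUcdJ861s0cJdw",
    "bdf06acf03...63.exe": "768:BL+ntTLPgnHCI1uGukUcjI2Hp9xG6e7j6oERZVvrd7SRBl+Lkl+XkvDgYGZwRSAb:BwtTLEiI1RUcdJ861s0cgBZwMH",
    "abfe442282...b1.exe": "768:GoXcYoibzZl5KMIjz9ofRouZ1OTgggggggggggggggggggggggggggggggggggg3:G4Tb55oua8byL76qXXZ5oulx3yzFH+",
    "9443472de4...e5.exe": "1536:SeN+oVQkMaz9GRQl4g9FlpIm1QUnv2+qQl4g9FlpIm1i:hbVQkIg9FlCv3g9FlCJ",
    "b21f34ecfa...73.exe": "6144:X9PrHO8306KFnBCzDIZXY3HJmui45mkA2/1:drHBpgkDuoEuXbJ",
    "5474e75872...06.exe": "6144:jeHgRe/IfHES0cVZrDjuNywKGOCWVoYkNMbU:jeHgM4HxZG1KGjWVoVO",
}

ROLLING_WINDOW = 7  # ssdeep refuses to score chunks without a 7-char common substring


def eliminate_sequences(s):
    """Collapse runs of one character longer than 3, as ssdeep does before comparing."""
    out = []
    for ch in s:
        if len(out) >= 3 and out[-1] == out[-2] == out[-3] == ch:
            continue
        out.append(ch)
    return "".join(out)


def parse_ssdeep(h):
    """Split 'blocksize:chunk1:chunk2' into (int, str, str)."""
    bs, c1, c2 = h.split(":", 2)
    return int(bs), eliminate_sequences(c1), eliminate_sequences(c2)


def longest_common_substring(a, b):
    """Length of the longest substring common to a and b (dynamic programming)."""
    best, prev = 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def chunk_similarity(a, b):
    """0-100 similarity of two chunk strings; 0 unless they share a 7-char window."""
    if longest_common_substring(a, b) < ROLLING_WINDOW:
        return 0
    # Approximation of ssdeep's weighted edit-distance score (see lead-in).
    return round(100 * SequenceMatcher(None, a, b).ratio())


def compare(h1, h2):
    """Apply ssdeep's block-size rule: equal sizes, or one exactly twice the other."""
    bs1, a1, a2 = parse_ssdeep(h1)
    bs2, b1, b2 = parse_ssdeep(h2)
    if bs1 == bs2:
        return max(chunk_similarity(a1, b1), chunk_similarity(a2, b2))
    if bs1 == 2 * bs2:
        return chunk_similarity(a1, b2)
    if bs2 == 2 * bs1:
        return chunk_similarity(a2, b1)
    return 0


def cluster(hashes, threshold=50):
    """Return (name1, name2, score) for every pair scoring at least threshold."""
    pairs = []
    for (n1, h1), (n2, h2) in combinations(hashes.items(), 2):
        score = compare(h1, h2)
        if score >= threshold:
            pairs.append((n1, n2, score))
    return sorted(pairs, key=lambda p: -p[2])


if __name__ == "__main__":
    for n1, n2, score in cluster(SSDEEP):
        print(f"{n1}  ~  {n2}  ({score})")
```

For production use the ssdeep library itself (or its Python binding) gives the canonical score; the value of reproducing the rules here is seeing why the two 41KB samples pair up while abfe442282...b1.exe, despite the same block size, does not, and why the 6144-block hashes can never be compared with the 768-block ones at all.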
MITRE ATT&CK Enterprise v15 (the number after each technique is the report's count of matching signatures)
Persistence
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Create or Modify System Process (T1543): 2
    Windows Service (T1543.003): 2
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Create or Modify System Process (T1543): 2
    Windows Service (T1543.003): 2
Defense Evasion
  Impair Defenses (T1562): 1
  Indicator Removal (T1070): 4
    File Deletion (T1070.004): 3
  Modify Registry (T1112): 3