Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    samples4.zip

  • Size

    11.3MB

  • MD5

    78d1b2d2d33dbdee8a68614849da921e

  • SHA1

    c80d3a41878f8b776daeb5c706ecc4586f754a94

  • SHA256

    7ae4167445cef80f080de5b84c6490a61c1834aa1e05fce43e611c5d054da858

  • SHA512

    2bf4a6aa22954efdb5699299034a9a1bf5086634baaab14acc5e0904d3d38bab3a8e566f1f699340f99d71b128bd3d22df2b2a83d076ea0f031cd4c3b00b93c4

  • SSDEEP

    196608:iVPPnUoLLj3r94fPEC+uCSzmmGgQvFm69unI3xefV/EgOgm53FVvrYn/ushuMMof:cPPnUiD9QmJgKFKn9fV/EgOg61VMfYMj

  Score

  1^/10
  behavioral1behavioral2

• • Target

    0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4/0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4

  • Size

    255KB

  • MD5

    1933fed76a030529b141d032c0620117

  • SHA1

    c55c60a23f5110e0b45fc02a09c4a64d3094809a

  • SHA256

    0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4

  • SHA512

    b153383ebd9919ff293896381d89a895c58985eef60f67803a4276026631184f4d85c19e9ea06351efb7230226b18ed9a17b533fb602e10ded518a7bd090dcfe

  • SSDEEP

    3072:iBWxT8JtvyAuX3CGun8r8206BretpJwIiymE9xTRVhGT4z106OKclYQO565tgPYs:iBxrKA4CGu8V0tl9zVhM49OxlYQ8fD3

  Score

  10^/10

  ransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Renames multiple (141) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Deletes itself

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral3behavioral4

• • Target

    1ce5dd21fbff44289d22647277a94f2611ee661cdcab323548caa0a7082ddc7d/1ce5dd21fbff44289d22647277a94f2611ee661cdcab323548caa0a7082ddc7d

  • Size

    919KB

  • MD5

    28e242e4680d33a2757aa2353cb84f8d

  • SHA1

    6b949c3f919d530410beb7082a41e1f30bc5ea3e

  • SHA256

    1ce5dd21fbff44289d22647277a94f2611ee661cdcab323548caa0a7082ddc7d

  • SHA512

    c00ce7ff6bc841533f3b18b3de8e864dc34e3370912b3bfc924b31e51e505b19422c61685d606861fdd7b25e6ba7a97aa42a7dd0d4bf18bc24863ec09b3d54e2

  • SSDEEP

    24576:PYl48Rnd+xEhyXOmBjuGh3HZDCixvP/Fg:+N5d+GhoOSVh3FCkvP/

  Score

  10^/10

  ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware
  behavioral5behavioral6

• • Target

    3c73425d026a172779c8ffc5e338afbf6e66f1ad3020a11c2bece4658fcb28fc/3c73425d026a172779c8ffc5e338afbf6e66f1ad3020a11c2bece4658fcb28fc

  • Size

    213KB

  • MD5

    045ffadc2fda21d2cd8e2fc37e9557c9

  • SHA1

    85fce2c0d66c852e9b7b326198da0cfb9f31fc54

  • SHA256

    3c73425d026a172779c8ffc5e338afbf6e66f1ad3020a11c2bece4658fcb28fc

  • SHA512

    7233efe7849edd61163d0656f1a732760f7b649f38b94cb7d8eef0e30450013d684a5b4241a1708d734c5a5ef6ce26d5cf1bdc3ccd6002d3edfc6a51e9698452

  • SSDEEP

    768:ZzCQUwJLKh1hn49V/KmhP1ypZr1hn49V/KmdP1ywZc:bA1hn4HmR1hn4HP+

  Score

  6^/10

  • Drops desktop.ini file(s)

  behavioral7behavioral8

• • Target

    5df6314b5c6f6bd151a5fda104d32655c5bd8153be922b80069b22f1c1de9db3/5df6314b5c6f6bd151a5fda104d32655c5bd8153be922b80069b22f1c1de9db3

  • Size

    4.5MB

  • MD5

    407ba61bab1c10cabf0b5a7c40d43041

  • SHA1

    82d180dc50763c6a71f8449ef44e467afbc09e74

  • SHA256

    5df6314b5c6f6bd151a5fda104d32655c5bd8153be922b80069b22f1c1de9db3

  • SHA512

    73bd51f5885587ec5c930d4ab0cd543b9b0479304c4a3c03d73abdd7b064a2ec4e8b01af45f7517072ce12daa2cfb679589603060438bfafa331a0b66b926f4a

  • SSDEEP

    98304:BD9WybBsIt6XW7JD9ENTPZsz3yilw5OLEvvybN/aBDPsfut6e:BxWaBhP719CCzC2EO4vvyb5a1mu0e

  Score

  10^/10

  dharmaevasionpersistenceransomwarespywarestealer

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Renames multiple (314) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral10behavioral9

• • Target

    5ee5166c02636f294fb8f6da69d5c0ae893a1c4694ae1bcc3753b497598121a0/5ee5166c02636f294fb8f6da69d5c0ae893a1c4694ae1bcc3753b497598121a0

  • Size

    2.2MB

  • MD5

    71a4ba0fe0bc0cb450b8966cb585f757

  • SHA1

    eccb76a942b3359d8dbf4c12e6bc3be0c8627eca

  • SHA256

    5ee5166c02636f294fb8f6da69d5c0ae893a1c4694ae1bcc3753b497598121a0

  • SHA512

    5748e02e83ea32118013741680be6e2eea398b05cde8c359e0db9126175ce63a4890e7ca654e5a5930970889aa2598c650395972107d41522e55207dd5460c01

  • SSDEEP

    12288:QnQY+2XG1Inz4vM/nlBKSduzxx73zDJnaPxMrFHQJGTTqTdd1o/CMj:QbGOnbzuHT5naPxUHQATTqzi/Cu

  Score

  10^/10

  ctblockerransomware

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

    ransomwarectblocker

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware
  behavioral11behavioral12

• • Target

    5f7cdd8c28daba74fd96c1aa9de6d920b026dcea5b596e7e145ffe11c5a4cb8e/5f7cdd8c28daba74fd96c1aa9de6d920b026dcea5b596e7e145ffe11c5a4cb8e

  • Size

    5.8MB

  • MD5

    bee46db93df737c15c59a6e1fd132954

  • SHA1

    680c46e55f600933fa0b5658f27f60bc336fcc96

  • SHA256

    5f7cdd8c28daba74fd96c1aa9de6d920b026dcea5b596e7e145ffe11c5a4cb8e

  • SHA512

    69f253a708bbc9adbd4cd909ec1999e9bff0b2423e0b3c59eb760b73f19bdbdd77f0ead4d35afd70bc2925ef3928a76fbac7c5a504f5792e6a661081a1ef9871

  • SSDEEP

    98304:GMe3NP8k6r0Cx2MQkxvJrUTjOaBTbRlNIyJM+DP1zgFcqtZs:+O4FMQk2jVBXRHIL+psfs

  Score

  7^/10

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  behavioral13behavioral14