General

  • Target

    samples (2) (2).zip

  • Size

    11.5MB

  • Sample

    240101-sladjafeg6

  • MD5

    3103452bf9094d6f3ec5ddee144b821a

  • SHA1

    1995b4171447b7e11302682b29c34bba4c5939f9

  • SHA256

    8ed183df76d08024f15e051f4f5711535dde6372ff4beafecfff07f82e846800

  • SHA512

    3559e9e28f7ba881207ba01fd0c2eedf29f91d88b7c44c938fbec73e756a39ab0e072f88072bb82365e7476f6247658f8d59147e64eee6fb825003085b4edb6f

  • SSDEEP

    196608:1g0w+y495NuivJ1dlbNm5IemCPIurAW58NFfApXHUxcSeVIDF/je3ZSEMIVab0gx:1g0w+F5NuivJFbN4mCz5Uip0OFVuepWn

Malware Config

Extracted

Family

djvu

C2

http://zexeq.com/lancer/get.php

http://acacaca.org/test1/get.php

http://zexeq.com/test1/get.php

Attributes
  • extension

    .qarj

  • offline_id

    VrBq0iLIRHjQLgVRLsN1WK8yFkTCRDCCvPkwnHt1

  • payload_url

    http://uaery.top/dl/build2.exe

    http://zexeq.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zUVSNg4KRZ Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0664Iopd

rsa_pubkey.plain
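The extracted Djvu/STOP config above is the most directly actionable part of the report. The block below is an added example, not the report's or the sandbox's own code: it turns the C2 URLs, payload URLs and encrypted-file extension into hunt logic that can be run over a proxy log and a file listing. The log lines, client addresses, file paths and the query string on the first request are constructed for the example and are not taken from the report.

```python
# Added example (not part of the sandbox report): hunt logic built from
# the Djvu/STOP config extracted above. Sample log lines and file paths
# below are constructed for this example.
from urllib.parse import urlparse

# Indicators copied verbatim from the "Malware Config" section.
C2_URLS = [
    "http://zexeq.com/lancer/get.php",
    "http://acacaca.org/test1/get.php",
    "http://zexeq.com/test1/get.php",
]
PAYLOAD_URLS = [
    "http://uaery.top/dl/build2.exe",
    "http://zexeq.com/files/1/build3.exe",
]
ENCRYPTED_EXT = ".qarj"


def _host_path(url):
    """Normalise a URL to (host, path). The query string is dropped on
    purpose so beacons with varying parameters still match."""
    p = urlparse(url)
    return (p.hostname or "").lower(), p.path


C2_SET = {_host_path(u) for u in C2_URLS}
PAYLOAD_SET = {_host_path(u) for u in PAYLOAD_URLS}
IOC_HOSTS = {h for h, _ in C2_SET | PAYLOAD_SET}


def classify_url(url):
    """Return 'c2', 'payload', 'host-only' or None for a requested URL.
    'host-only' means the domain is known but the path is new: worth a
    look, but weaker evidence than an exact C2 or payload match."""
    host, path = _host_path(url)
    if (host, path) in C2_SET:
        return "c2"
    if (host, path) in PAYLOAD_SET:
        return "payload"
    if host in IOC_HOSTS:
        return "host-only"
    return None


def scan_proxy_log(lines):
    """Scan whitespace-separated proxy log lines of the form
    '<timestamp> <client> <method> <url> <status>' and return
    (line_number, client, verdict) for every matching line."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than abort the hunt
        client, url = fields[1], fields[3]
        verdict = classify_url(url)
        if verdict:
            hits.append((n, client, verdict))
    return hits


def find_encrypted_files(paths):
    """STOP/Djvu appends its extension after the original one
    (report.docx -> report.docx.qarj), so a suffix check is enough."""
    return [p for p in paths if p.lower().endswith(ENCRYPTED_EXT)]


# Constructed sample data (assumed format; not from the report). The query
# string on the first request is an assumption used to show that
# parameters are ignored when matching.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 GET http://zexeq.com/test1/get.php?pid=EXAMPLE&first=true 200
2024-01-01T10:00:03Z 10.0.0.5 GET http://uaery.top/dl/build2.exe 200
2024-01-01T10:00:09Z 10.0.0.7 GET http://example.com/index.html 200
2024-01-01T10:01:00Z 10.0.0.5 GET http://zexeq.com/files/1/build3.exe 200
2024-01-01T10:02:00Z 10.0.0.9 GET http://acacaca.org/other/page 404
"""
SAMPLE_FILES = [
    r"C:\Users\Admin\Documents\report.docx.qarj",
    r"C:\Users\Admin\Pictures\holiday.jpg",
    r"C:\Users\Admin\Documents\budget.xlsx.QARJ",
]

if __name__ == "__main__":
    for n, client, verdict in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {client} -> {verdict}")
    print("encrypted:", find_encrypted_files(SAMPLE_FILES))
```

A client that hits both a `get.php` C2 path and one of the `build*.exe` payload URLs within a minute, as 10.0.0.5 does in the constructed log, is the pattern to prioritise; a `host-only` hit on its own is a lead, not a verdict.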

Extracted

Path

C:\odt\How_to_back_files.html

Ransom Note
Your personal ID:
12iec8udKAwgNDlfFlYWEh+E+2+3WkGCaBQIXbI3nXeVgc79eWg5to+G1mJCEkTNKkqRiaf3PAFkZbqRtTOUyUP0mo1xO6RSmnPtCZAEMDq/ibKF6RUrvTdRbS8wNFsr33whVLvoDm7z3uol/qDkqGGNqKMsPGo4nUlBZDbWnjLLcWt5k1Fv1owvqu80+jgN2Ni+8lUU2VQs01sCFzo6uh8L2jJc7iuxEKHI6KCKNmLjAY/xB8FyH6+8XpIQVW1vXYAikbJd0rj+U/iNOl5o3w8mrKRjy4hjMCXXT92+OD1bSvAVuAunYYNS/ikCV8r/+BOV5ZeU94VCCtg/+ydlibpI0v+D6436YR8QDQ0frejJC2JkYUGaUCZGG06DFQLzfpyoXnvsqVN8IUT8aYusv91R3Eed8sjZlsF2blnjSoCc7nRHMSpBzECp4G7+9jo25YfQliv3ko7VDrnIiPQHR1iq2fPl+xG9fBPl/F2c6A6g6+6vFUguahe+dydy8pLAvR22g+HOku57wTwnuL5K7jwGoXZ0O6pQADV/XMU4tTF4yeeQapBj33Fu+ZpzE9Q6wNaWmKRQMVO6qNXS/herMQZ5wtaUDz9uNMGNJASx4nY8JfcR7JMfz+e9z/hAoLmraKJxXxfRWfcOX0mIcECmVJqLe+raa7OBrnBL2S/4SQixrzlro7gPnFsYBJVj//ieyhvlZ8JnBs9ORDMP4vCm8rrLhG0iit8PPdmOoOZXYE4+eXDSquieeI43pNIts4yMbD4O1VHwDXpbw2YjGyFiWW43mBnYJn83VKP/QHhoIh4pGtuY2D0HzLMNYxJm20yMv5goLB8Uh0GgrakNHg+oQlfvkK0U2dgZHRjZWgf9c70FYlbSRTGGaHpavdD6Irkst/yLteNPvSurd4iN7AqxEbFq6HLIe5SBAnUiys4tWkNhOXu0udo6wvqYNiF7p2EavVDAF4774178VSY+DOl26GR/O5psN6QWqKutWyY9M8rDDfW6ttu72MJ21YbWenJ8g1TfG3nWNqtwdUWi5nMgohAXeY0uwV2TMZN4FiWpT8I1MpYhseA0AnJAVRI9wfYeUDekcFP5/tr2Q46/qTOSx+4E18mD0tffuxFypLFxWpio8NT0g52Hov5/W1XVWy45Fp+Kcp9fYH9uVtRMK0mRa25pQlnfq6W+iGbJvXTvKVRv1wXqVAE3kM6q1fdWC4Sqlx82YCG44AFF1g+lJHtKHQILE2acljG4+OGm6avagqOt7g8dxw0O3+oZEP7y4zpeEJ0F+EbDNbR4ZydRDvQ0SPhZKFqu7/K/MjyxHlI6ipZyca/wVMFHskQ1nRrvdduhKm2c3RiEktbT2JLHBzt9yCO6YWzsCHIpuRCod2YKX5USEfoGx2YCcYOns+1EHXw/5wghu47/9mgQeCBBu34KTmguKmZU5FfbNaRfUZ4CzAfVdF0QZ0EzQlFLss9zXpQntlz+si8xq+dPV7liwY9HYCn7IeqYZHyy2YhlWsPNY2oV95zI+D9M3+BA7zQPoTEig0iIAlxHb3id9awclf6jxLNCZTyLMMBlgDQijeT+9eKYMVe/H0QBdBFSqmV4tpwWoqLHlZhA4ypXwLWb+30eSNVXgKqC9Fvqx7n/gXgTeucQzHkgVThgdPqPHvtN4CQuC3t8Xh9FrjYK3W/DVzKXIu3yn1V3yGOsrpVyTe57VCw=

/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\
All your important files have been encrypted!

Your files are safe! Only modified. (RSA+AES)

ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.

No software available on internet can help you. We are the only ones able to solve your problem.

We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future..

We only seek money and our goal is not to damage your reputation or prevent your business from running.

You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back.

Contact us for price and get decryption software.

email:
ithelp011@decorous.cyou
ithelp011@decorous.cyou

* To contact us, create a new free email account on the site: protonmail.com
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

Emails

ithelp011@decorous.cyou

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail GetDataBack@fros.cc Write this ID in the title of your message F3A6D0AA In case of no answer in 24 hours write us to theese e-mails: GetDataBack@fros.cc You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

GetDataBack@fros.cc

Extracted

Path

C:\Read_Me!_.txt

Ransom Note
All Your Files Encrypted And Sensitive Data Downloaded (Financial Documents,Contracts,Invoices etc.. ). To Get Decryption Tools You Should Buy Our Decrption Tools And Then We Will Send You Decryption Tools And Delete Your Sensitive Data From Our Servers. If Payment Is Not Made We have to Publish Your Sensitive Data If Necessary Sell Them And Send Them To Your Competitors And After A While Our Servers Will Remove Your Decrypion Keys From Servers. Your Files Encrypted With Strongest Encryption Algorithm So Without Our Decryption Tools Nobody Can't Help You So Do Not Waste Your Time In Vain! Your ID: Ll8Oqk Email Address: redem.mikhail17662@gmail.com In Case Of Problem With First Email Write Us E-mail At : Dor.file@bk.ru Send Your ID In Email And Check Spam Folder. This Is Just Business To Get Benefits, If Do Not Contact Us After 48 Hours Decryption Price Will x2. What Guarantee Do We Give You ? You Should Send Some Encrypted Files To Us For Decryption Test. ---------------------------------------------------------------------- Attention! Do Not Edit Or Rename Encrypted Files. Do Not Try To Decrypt Files By Third-Party Or Data Recovery Softwares It May Damage Files. In Case Of Trying To Decrypt Files With Third-Party Sofwares,This May Make The Decryption Harder So Prices Will Be Rise. ---------------------------------------------------------------------- How To Buy Bitcoin : Buy Bitcoin Instructions At LocalBitcoins : https://localbitcoins.com/guides/how-to-buy-bitcoins Buy Bitcoin Instructions At Coindesk And Get More Info By Searching At Google : https://www.coindesk.com/learn/how-can-i-buy-bitcoin/
Emails

redem.mikhail17662@gmail.com

Dor.file@bk.ru

Targets

    • Target

      samples (2) (2).zip

    • Size

      11.5MB

    • MD5

      3103452bf9094d6f3ec5ddee144b821a

    • SHA1

      1995b4171447b7e11302682b29c34bba4c5939f9

    • SHA256

      8ed183df76d08024f15e051f4f5711535dde6372ff4beafecfff07f82e846800

    • SHA512

      3559e9e28f7ba881207ba01fd0c2eedf29f91d88b7c44c938fbec73e756a39ab0e072f88072bb82365e7476f6247658f8d59147e64eee6fb825003085b4edb6f

    • SSDEEP

      196608:1g0w+y495NuivJ1dlbNm5IemCPIurAW58NFfApXHUxcSeVIDF/je3ZSEMIVab0gx:1g0w+F5NuivJFbN4mCz5Uip0OFVuepWn

    Score
    1/10
    • Target

      083e147374de04930caa882acaeda6df4821b75f869edb7386281f684e573c08

    • Size

      1.2MB

    • MD5

      26d35ecbbd980c6d2863a61914c4a1bb

    • SHA1

      ce2da4baff59602905fd75d10f3ac6ac2e235337

    • SHA256

      083e147374de04930caa882acaeda6df4821b75f869edb7386281f684e573c08

    • SHA512

      b192b0ee326dbb690c850832e76cd31257a47f819abaa0700647be022cb340297ad4a7496b352596715425a60aa60e7f001313ee08639d748c2c453ab79e8107

    • SSDEEP

      24576:h6FBigtov3pjeA+07ASgSl+YYxJuWMvV36/K+VLebSKLvBTyPj+dyqGgM0b1:2Bi53w3eqi+mfJujkyqGgHx

    Score
    8/10
    • Modifies Windows Firewall

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      12437a49d298941af8d087a1ff478a68ab4c312654153e17d598ff1c87be6b3d

    • Size

      426KB

    • MD5

      11db0fc2064d7c858067b99b413e357b

    • SHA1

      dbfe691315009c224e3b826dfb89ac7d910a7f08

    • SHA256

      12437a49d298941af8d087a1ff478a68ab4c312654153e17d598ff1c87be6b3d

    • SHA512

      120153a24b079eda7a55f97b31a7827f34ee8e6a69593180f0588ebc38efcee6c7a90131af366f9c0ce55288247bf4b6ab5fd9541ed365370f1f42c279ab93d8

    • SSDEEP

      12288:qntVoEco+qy0h6/id8Mq560WjLM7Ti/L6tdEyvIG9ij8e:mVdcvr0hCoV8OjvUdEyvItjd

    Score
    7/10
    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      1945c44901e7aa9dd5b6e7e6e07a777d57f7e76120a3ca5a46a0f983d30ce37e

    • Size

      640KB

    • MD5

      fb702537f0c25b34cc2b3dfb69025a85

    • SHA1

      eb8cae72ffd5361a977e186cb78fc64055748f00

    • SHA256

      1945c44901e7aa9dd5b6e7e6e07a777d57f7e76120a3ca5a46a0f983d30ce37e

    • SHA512

      94d2a4d9a5c689c13934bd9d2f236a421a63e90fcf6d3dd7362cbe7c64e1faacb68412b92ce743ee49e4e8adf4f91a495ccd8d0d3605e464bfccb26f31d1b843

    • SSDEEP

      12288:Z2X8+SnYa6TF42coyaLlGSDVmcUjErioq8iHiB6k:cM+SnAF4Uyycj24Hs6k

    • Dharma

      Dharma is a ransomware family that has been distributed alongside security-software installers to mask its activity.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (495) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Target

      2040fa2a3c5b16d74442d41d224a6ab16e0290a30f0535b18cb50de6a59686d4

    • Size

      400KB

    • MD5

      f9665d07df05a0a7c2c6f4019d1bba20

    • SHA1

      778f8bb7ba91ddf0ac9b12052d046d7f975e671a

    • SHA256

      2040fa2a3c5b16d74442d41d224a6ab16e0290a30f0535b18cb50de6a59686d4

    • SHA512

      cab4dae8b8534af781357df20e3f2d9522247d9b37c1afe72831b551cc218eb060fb1a7cceb158406d4d512879d06da5c9144a348a0bff077fe4f1ab20762cf8

    • SSDEEP

      6144:GCpNiYHtZHYdNsToSRBoptYASydR1wWhz:THiYwvUxRBn4dHz

    Score
    1/10
    • Target

      2b5109e9a249a795a412a3961aae3e5b576a233d9681f5ec0b4d88ce009b6ed9

    • Size

      701KB

    • MD5

      6741d5aef031c6b1e51f386fefc1225e

    • SHA1

      95ea397aed18143bc18da02c21e693c44e373f90

    • SHA256

      2b5109e9a249a795a412a3961aae3e5b576a233d9681f5ec0b4d88ce009b6ed9

    • SHA512

      90034da6a496dfcf2b7227b2aa585983cbe80f9a69586743eb219035c1bdab59eaa912139de0e576db2194383f1c70e16042736c1a593fd7e7a4ea93d515df5d

    • SSDEEP

      12288:ZohXTLkKkP0rRl6CRHCwWshS7JUc9ouDCwI/d9V5qyBmPjCkuYDaFB:ZYTLG2U/wWRVUYoUCwCVdmr7uma

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f

    • Size

      332KB

    • MD5

      7286267a7eeaf2c3122635c5edb71e84

    • SHA1

      d342d986442a20453d3c9a438766758301d88d4e

    • SHA256

      3538750cfe06d8fe364bc4f396229bfd08c9856f17477b0f8444d35a7f89775f

    • SHA512

      8567661bc656edbacd0ca59f1d1b38cad7c3101d8d06772ae1eba9828792327cbc6b4254e5e61d2b190f4f4350c6288ac2e5c811f7a4ed0c38bc4be8ccf636f0

    • SSDEEP

      6144:0LI9sGqBET+/evZ9zgDU/JSrJyhSdDXR0sVWorEriYtkD:d9JL+/eh90DU/JYUh01YtkD

    Score
    10/10
    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (4395) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
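
The behaviours flagged for this target (shadow-copy deletion, boot-configuration changes via bcdedit, System State backup deletion via wbadmin.exe) are the classic recovery-inhibition chain, all mapped to ATT&CK T1490. The block below is an added example and not the sandbox's detection logic: it runs command-line rules over process-creation events and only alerts when several distinct rules fire on the same host within a short window, so a lone administrative `vssadmin delete shadows` does not page anyone. The report does not list the exact command lines the sample used, so the patterns cover the commonly documented forms of each tool, and the events below are constructed for the example.

```python
# Added example (not part of the sandbox report): correlate the
# recovery-inhibition commands (ATT&CK T1490) across process-creation
# events. Events and command lines below are constructed; the report
# does not give the sample's exact command lines.
import re
from datetime import datetime, timedelta

# Each rule: (name, regex over the lowercased command line).
RULES = [
    ("shadow_copy_delete",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows"
                r"|wmic(\.exe)?\s+shadowcopy\s+delete)")),
    ("bcdedit_recovery_off",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("wbadmin_backup_delete",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)\b")),
]


def match_event(event):
    """Return the names of every rule that matches one event's cmdline."""
    cmd = event["cmdline"].lower()
    return [name for name, rx in RULES if rx.search(cmd)]


def detect_recovery_inhibition(events, window=timedelta(minutes=10), min_rules=2):
    """Return [(host, [rule, ...])] for hosts where at least `min_rules`
    distinct rules fired within `window`. Read-only commands such as
    'vssadmin list shadows' or 'bcdedit /enum' match nothing."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        names = match_event(ev)
        if names:
            by_host.setdefault(ev["host"], []).append((ev["ts"], names))
    alerts = []
    for host, seen in by_host.items():
        for i, (t0, _) in enumerate(seen):
            rules = set()
            for t, names in seen[i:]:
                if t - t0 > window:
                    break
                rules.update(names)
            if len(rules) >= min_rules:
                alerts.append((host, sorted(rules)))
                break  # one alert per host is enough
    return alerts


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed events (assumed schema: ts, host, image, cmdline).
SAMPLE_EVENTS = [
    {"ts": _ts("2024-01-01T12:00:00"), "host": "WS01", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": _ts("2024-01-01T12:00:02"), "host": "WS01", "image": "bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"ts": _ts("2024-01-01T12:00:03"), "host": "WS01", "image": "bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"ts": _ts("2024-01-01T12:00:05"), "host": "WS01", "image": "wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"ts": _ts("2024-01-01T12:00:06"), "host": "WS01", "image": "wbadmin.exe",
     "cmdline": "wbadmin delete systemstatebackup -keepVersions:0"},
    # Read-only queries on another host: no rule fires.
    {"ts": _ts("2024-01-01T12:30:00"), "host": "WS02", "image": "vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"ts": _ts("2024-01-01T12:31:00"), "host": "WS02", "image": "bcdedit.exe",
     "cmdline": "bcdedit /enum"},
    # A single deletion on a third host: one rule, below the threshold.
    {"ts": _ts("2024-01-01T15:00:00"), "host": "WS03", "image": "vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
]

if __name__ == "__main__":
    for host, rules in detect_recovery_inhibition(SAMPLE_EVENTS):
        print(f"{host}: T1490 chain, rules={rules}")
```

The threshold of two distinct rules is a tuning choice: in most environments the three tools are rarely used destructively together outside a ransomware run, so the correlated alert is high fidelity while the individual rules remain available as lower-severity hunting signals.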

    • Target

      5d96952d473d386285f01726073d8f1ec46c983fe4c9d657babe9272330d655f

    • Size

      732KB

    • MD5

      9346199aa06d8fa74051e98b06cd3d26

    • SHA1

      9020c5dbcb80340517916272f2479001b2bfdff3

    • SHA256

      5d96952d473d386285f01726073d8f1ec46c983fe4c9d657babe9272330d655f

    • SHA512

      a7e4b195c6eefa011b729deb32ffe533ef61bb2126e68272cba26ec8b2fc49b3e75327abb9f916530db911a1b7854020234300a02c87c65d6cd89b661ce18f58

    • SSDEEP

      12288:FEIJVxZIpeKXqWdXoeSPEWOSNXCdepyeEPbObcy9BwoWNffeKuIhQ+0F:F3VxZIprXqWdXoDPEWO8XCdebcONXwoy

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Modifies file permissions

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      63fb410fc5267c61c5099927af714a8f5f4ba6dcdeeb1f297b022879767c7222

    • Size

      924KB

    • MD5

      ec9c3efe831aaa203058927df7de6138

    • SHA1

      b77581e047551a70aaba0db7a57349136bd9e411

    • SHA256

      63fb410fc5267c61c5099927af714a8f5f4ba6dcdeeb1f297b022879767c7222

    • SHA512

      0d5aedcebaa660f345c549b9ae07b4d18fc01b563907b378c1cd905029bb0c6f6849e0f03c7c4a724c3448eb9c693138265a0b0129a298af3aada9bb0f447d6a

    • SSDEEP

      12288:tZqu3sRwqpxGCMF3dera2ybCPWy5SqZWj+6GJZy82VS1ToBgdoByOHGae0r2ivr:B3yEoro2PEpUA

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Target

      67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08

    • Size

      416KB

    • MD5

      bd4ea1c3cb843597d5b3a560f95840bb

    • SHA1

      f81c504435d27e6a502acee3d1834121517ea194

    • SHA256

      67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08

    • SHA512

      7ac8ef4f1f6f9aab30ea183e5377b6bdd617f7c18af86cdde4da8f2e8528835faf659b9fad8b8bffc22b98b4659967f013155c257feedddfaf9b332dd77c565a

    • SSDEEP

      3072:1VAz+HYRuV4ek4gX/am6/iQ0ET1fY/Tnib6qICONXvm0JZxkW5QGmwFp+1mSZoNJ:7c+HY0n/p0VTJq+9wm0sfi4J

    Score
    3/10
    • Target

      6e5678ebd457353b7c095af806f92b5f54341bbfa2c8d3f5ab03b84483013271

    • Size

      578KB

    • MD5

      e7818e26919dc4f84c6ac683f78eba88

    • SHA1

      47456d3f78c33e67b6d366bbff5c3896e5925527

    • SHA256

      6e5678ebd457353b7c095af806f92b5f54341bbfa2c8d3f5ab03b84483013271

    • SHA512

      95fff6c2e9428aa088f3c5565fbc52af14e53c2b58e402983947af0be3334618082775e78fd7901c8ec7b7556bda5bc9551a339ceaf2ecd651b160e3edc3b8f7

    • SSDEEP

      6144:ZVKpftK2A7ey6z20IJH4tsqtHJWj7pLoNam7nxDrMQW3dLG5wCNcKR4ce4NLfHxH:9R7eVI4tscJWC5Bq3d65wC8TO

    Score
    3/10
    • Target

      71506a3322b0e0bc6fc2c1a1f0ac844a82a8c3fbbfeb4e6452013b4ade7610fb

    • Size

      597KB

    • MD5

      ee754ea777505e2fd2870afb325f50e8

    • SHA1

      be8724e9bd48665ae0c6eedbaf8de23e5987dc45

    • SHA256

      71506a3322b0e0bc6fc2c1a1f0ac844a82a8c3fbbfeb4e6452013b4ade7610fb

    • SHA512

      a6b4acf8c94f1284458a950582ef18adfeac1496e26f537ea21c22f3574b3cffa48e547ea1b9804c45633e12b53c3f1ac1e2d536e150c84ddcbfc9223f525d85

    • SSDEEP

      12288:td5UKfiOLkxMAgyJ/4zBSqGuKCYminksnkyr2OMnVVs4OgcwdPsc:X5LAHPDuKC8n/dCD9Zsc

    • Detect ZGRat V2

    • Dharma

      Dharma is a ransomware family that has been distributed alongside security-software installers to mask its activity.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (312) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      734b9974ec7f673460deb7ae17af4eed0ad6fae862f0765068430050fc44d66d

    • Size

      804KB

    • MD5

      3bf9acee0ccca5d14b24d3d148e9e77d

    • SHA1

      e8f53145aad88480e9a055a4549aa5eaa631a51c

    • SHA256

      734b9974ec7f673460deb7ae17af4eed0ad6fae862f0765068430050fc44d66d

    • SHA512

      0a5bdab9e3c2aaf835d2263f4658a5c0e5021eed402e976d0e7e89dab41416ba3cd5767980396d769d0f6a993d5f0ff3294dcdfc7189c45480ef7a366961a63e

    • SSDEEP

      12288:miDzq+QQi5v6xH8HeYkqBeJEk3QgO92TWQunZxpFremjq8txlr:Hzq+Q3F6xHAJkEkAd9cuZfTO8Rr

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740

    • Size

      1.1MB

    • MD5

      7d1c7ce6a2f202bb5df3f45c7f62bac3

    • SHA1

      50a9f5b3130b14d5a18b418e9c355586eaecf4fb

    • SHA256

      81a27b3dcfbd52ceb68043465a9aaa3ff6a2e4d04e487197bb23db5c76eec740

    • SHA512

      48b20444b0d72a37ecbed0969e2a9d9be3efc51d75e1283bc755cad10068fb40055430dc1fc4b295aae3d31d71de86d84b4f1c29da8636a3ef0baf014eaf82cd

    • SSDEEP

      24576:RsBH9jqVwCwh/RICu4upRwIzAKXRYVN2uaj7MM1By+hm:uH9jJ9RspRwIDRiJak2By+hm

    Score
    10/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies Windows Firewall

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Target

      a1bd0fa8ada1da0181b8d108ca72a41795b55060613e0182f2cbbc592f857f46

    • Size

      740KB

    • MD5

      b0475c2ee7b9c7f2ed5a8d6d8a8c4b5d

    • SHA1

      18845f37a2ffa83d62eed48f608019b1200f5ee2

    • SHA256

      a1bd0fa8ada1da0181b8d108ca72a41795b55060613e0182f2cbbc592f857f46

    • SHA512

      6b860b7e7ed3f2e459e825df5e4c7d2e571c1b6dd922d8b57aeda1842463f66742e7365687ec45bc348efdde27441960f04e42b94e796fa80ef9383a7ad0cc47

    • SSDEEP

      12288:aSVJ90fbghORSIZgVf4wYDfpCwmx1jGHL+gQqGjcj366YEwrJUDHeW9:aSVGbghTVf5FXqIqGjcj36gYnW9

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      a465bc08714bc760130a3f150a704df2f08af083b2aaf0c931e714019f3769e3

    • Size

      408KB

    • MD5

      39b1a5e9d1c343a1a2a29247f9ec5699

    • SHA1

      5e6f9e075d196de2613f8023a672f1e72fce331e

    • SHA256

      a465bc08714bc760130a3f150a704df2f08af083b2aaf0c931e714019f3769e3

    • SHA512

      b4611ded931f492d28d6da42062d891483656e6b5983e349e54b3dfb200f43c29bef3f5b53b13c3e18d449f1b0ab0c2859235411b9287b37439b83be2aa91688

    • SSDEEP

      12288:jueNLldLN97ji4pSc9B/CfvgLMfedSaPLaz7hyViDK:juqldL/3da9fqhaz74V

    Score
    6/10

MITRE ATT&CK Matrix (ATT&CK v13)

The number after each technique is the hit count shown in the report.

Execution
  • Scheduled Task/Job (T1053): 4
  • Command and Scripting Interpreter (T1059): 1

Persistence
  • Create or Modify System Process (T1543): 2
      • Windows Service (T1543.003): 2
  • Boot or Logon Autostart Execution (T1547): 8
      • Registry Run Keys / Startup Folder (T1547.001): 8
  • Scheduled Task/Job (T1053): 4

Privilege Escalation
  • Create or Modify System Process (T1543): 2
      • Windows Service (T1543.003): 2
  • Boot or Logon Autostart Execution (T1547): 8
      • Registry Run Keys / Startup Folder (T1547.001): 8
  • Scheduled Task/Job (T1053): 4

Defense Evasion
  • Indicator Removal (T1070): 9
      • File Deletion (T1070.004): 9
  • Modify Registry (T1112): 12
  • File and Directory Permissions Modification (T1222): 4
  • Subvert Trust Controls (T1553): 1
      • Install Root Certificate (T1553.004): 1

Credential Access
  • Unsecured Credentials (T1552): 2
      • Credentials In Files (T1552.001): 2

Discovery
  • System Information Discovery (T1082): 14
  • Query Registry (T1012): 6
  • Peripheral Device Discovery (T1120): 2
  • Process Discovery (T1057): 1

Collection
  • Data from Local System (T1005): 2

Impact
  • Inhibit System Recovery (T1490): 10

Tasks

Task          Tags                                                Score
static1       agilenet, medusalocker                              10/10
behavioral1                                                       1/10
behavioral2                                                       1/10
behavioral3   evasion                                             8/10
behavioral4   evasion                                             8/10
behavioral5                                                       7/10
behavioral6                                                       7/10
behavioral7   ransomware                                          9/10
behavioral8   dharma, persistence, ransomware, spyware, stealer   10/10
behavioral9                                                       1/10
behavioral10                                                      1/10
behavioral11  djvu, discovery, persistence, ransomware            10/10
behavioral12  djvu, discovery, persistence, ransomware            10/10
behavioral13  evasion, ransomware                                 10/10
behavioral14  evasion, ransomware                                 10/10
behavioral15  djvu, discovery, ransomware                         10/10
behavioral16  djvu, discovery, persistence, ransomware            10/10
behavioral17  persistence, spyware, stealer                       7/10
behavioral18  persistence, spyware, stealer                       7/10
behavioral19                                                      3/10
behavioral20                                                      1/10
behavioral21                                                      3/10
behavioral22                                                      3/10
behavioral23  dharma, zgrat, persistence, ransomware, rat         10/10
behavioral24  dharma, zgrat, persistence, ransomware, rat         10/10
behavioral25  djvu, discovery, persistence, ransomware            10/10
behavioral26  djvu, discovery, persistence, ransomware            10/10
behavioral27  ransomware                                          9/10
behavioral28  evasion, ransomware                                 10/10
behavioral29  djvu, discovery, persistence, ransomware            10/10
behavioral30  djvu, discovery, persistence, ransomware            10/10
behavioral31  persistence                                         6/10
behavioral32  persistence                                         6/10