General
Target: samples (2).zip
Size: 120.4MB
Sample: 240101-slnwxsfeh4
MD5: aec75f441aa8bee97dde00cf38aa20b7
SHA1: df50a2ff2d2f0892bd9212ca6ebec02c8753c265
SHA256: 44ee695b532eb984e46de29569ce35854b37d409efaabb6bcf9f5316e2b0546d
SHA512: e6fc8544f3840cc9bc5778baf9294f2df086ed793acd014a354300615fb82effa27bc3c77320d44e9a67404fd1ac7d06bd029829b40936fc9a38deaa46c6ca44
SSDEEP: 3145728:VLfH9HbbMDj02Cdpnge0LREc1Z4sJCwZ3lehMSA/nSMBTlrdG:xP9HbbM0P0LLb0wxchfA/nSMBhg
Behavioral tasks (task: sample, analysis resource)
behavioral1: samples (2).zip (win7-20231215-en)
behavioral2: samples (2).zip (win10v2004-20231215-en)
behavioral3: 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe (win7-20231129-en)
behavioral4: 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe (win10v2004-20231215-en)
behavioral5: 0ed3c87ce3ae58f3dcbf46fa022acd3cbbe0b96af2e9f7a47eee0dd50af88507.exe (win7-20231215-en)
behavioral6: 0ed3c87ce3ae58f3dcbf46fa022acd3cbbe0b96af2e9f7a47eee0dd50af88507.exe (win10v2004-20231222-en)
behavioral7: 1ce291b079977e7a3f81c44b644fe1f63ae34a0a1a5c264e9f6085c184f7a1c9.exe (win7-20231129-en)
behavioral8: 1ce291b079977e7a3f81c44b644fe1f63ae34a0a1a5c264e9f6085c184f7a1c9.exe (win10v2004-20231222-en)
behavioral9: 30e66f95b46c8162c921648e31f8c4146ba3f0580f4e5aa3b4c4de18687f6a49.exe (win7-20231215-en)
behavioral10: 30e66f95b46c8162c921648e31f8c4146ba3f0580f4e5aa3b4c4de18687f6a49.exe (win10v2004-20231215-en)
behavioral11: 335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe (win7-20231215-en)
behavioral12: 335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe (win10v2004-20231215-en)
behavioral13: 3d7dd597a465d5275ef31d9e4f9dd80ed4de6139a1b3707cb3b0ffa068595567.exe (win7-20231215-en)
behavioral14: 3d7dd597a465d5275ef31d9e4f9dd80ed4de6139a1b3707cb3b0ffa068595567.exe (win10v2004-20231215-en)
behavioral15: 42dcc46f9d6e6e8efe3f95bc09dbdfb6206a52a4347dbb652f315cec483a2046.exe (win7-20231215-en)
behavioral16: 42dcc46f9d6e6e8efe3f95bc09dbdfb6206a52a4347dbb652f315cec483a2046.exe (win10v2004-20231215-en)
behavioral17: 4fcaca23e9cfb7e5448f41bb520c9c35c68fd795ac6b3707d0c64cf92738acf2.exe (win7-20231215-en)
behavioral18: 4fcaca23e9cfb7e5448f41bb520c9c35c68fd795ac6b3707d0c64cf92738acf2.exe (win10v2004-20231215-en)
behavioral19: 5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe (win7-20231215-en)
behavioral20: 5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe (win10v2004-20231215-en)
behavioral21: 627a5569d47d6c66be6888e4f68f0a50e491404a08da1a7d9242c2d29e3e8ee3.exe (win7-20231215-en)
behavioral22: 627a5569d47d6c66be6888e4f68f0a50e491404a08da1a7d9242c2d29e3e8ee3.exe (win10v2004-20231215-en)
behavioral23: kf12.pyc (win7-20231129-en)
behavioral24: kf12.pyc (win10v2004-20231222-en)
behavioral25: 63fa775052a5c7258d44a00d9f2b4a9263f96fb7c61778cbb1ba9102fed2082f.exe (win7-20231129-en)
behavioral26: 63fa775052a5c7258d44a00d9f2b4a9263f96fb7c61778cbb1ba9102fed2082f.exe (win10v2004-20231222-en)
behavioral27: 645b8dfe73255d9e5be6e778292f3dde84ff8c5918a044ae42bcace0fe9ca279.exe (win7-20231215-en)
behavioral28: 645b8dfe73255d9e5be6e778292f3dde84ff8c5918a044ae42bcace0fe9ca279.exe (win10v2004-20231215-en)
behavioral29: 64862ec69991a7d454c3ea3a0c3a8f1cc9c80192078740b9c753abbf1b7bef1b.exe (win7-20231129-en)
behavioral30: 64862ec69991a7d454c3ea3a0c3a8f1cc9c80192078740b9c753abbf1b7bef1b.exe (win10v2004-20231215-en)
behavioral31: 741d75a02d0c4974968f0738a8b67104e1c24a58143b73b5ed1c25ac023b695e.exe (win7-20231215-en)
behavioral32: 741d75a02d0c4974968f0738a8b67104e1c24a58143b73b5ed1c25ac023b695e.exe (win10v2004-20231215-en)
Malware Config
Extracted from C:\Program Files\Google\Chrome\Application\#NOBAD_README#.rtf:
  InkognitoMan@tutamail.com
  InkognitoMan@firemail.cc
  https://bitmsg.me
  https://bitmsg.me/users/sign_up
  https://bitmsg.me/users/sign_in
Extracted from C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\#NOBAD_README#.rtf:
  same contact addresses and URLs as the Chrome note above
Extracted from C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR HGJZITLXE FILES.TXT:
  candice.wood@post.cz
  candice.wood@swisscows.email
Extracted from C:\Users\Admin\3D Objects\read_it.txt:
  blackbastabaalransomware@protonmail.com
Targets
Target: samples (2).zip
Size: 120.4MB
Hashes: as listed under General above
Score: 1/10

Target: 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9
Size: 2.1MB
MD5: e4bf35b81bfaa0e789ad9461dbacb542
SHA1: dcf7b855b2c3516a6b88a410ef5b44a2c650f62d
SHA256: 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9
SHA512: 6635342515a01acde48792cb362dc9e5bd7ffc4fe6a9b8b2fdb0d6c8758d79db847daf28e2fe700a898425214d95d2707337c900c695a47cfd9dada946adf64d
SSDEEP: 49152:Iw80cTsjkWanAlfiebWlHcA+G6HYaqK3hUQrObmyPYjR+:Z8sjkrgWezG6lh73jR+
Score: 9/10
Signatures:
  Deletes itself
  Executes dropped EXE
  Loads dropped DLL
  Adds Run key to start application

Target: 0ed3c87ce3ae58f3dcbf46fa022acd3cbbe0b96af2e9f7a47eee0dd50af88507
Size: 2.9MB
MD5: ec2a8d8f7853397f86a4c96fdbe01b19
SHA1: daaeb314219acb7f10268512c8358a6941d53da3
SHA256: 0ed3c87ce3ae58f3dcbf46fa022acd3cbbe0b96af2e9f7a47eee0dd50af88507
SHA512: f75ee827b41ff1783208f3116130b8c29c958059f589b8df4d423896bafa24f4aae5a19a990271a2caf98880772b23ad719c7c141b8e1ea6f0e1eda58f0a4e68
SSDEEP: 49152:yKRy/NLHsvdoewagi6rndXTrKdRRzsdydWLToel51txKRy/N:yKRshsdo/PrndXTrKdRRwZLJl3KRs
Score: 4/10

Target: 1ce291b079977e7a3f81c44b644fe1f63ae34a0a1a5c264e9f6085c184f7a1c9
Size: 5.3MB
MD5: 393247c068ff136a28c6ef99a0e004ad
SHA1: d1acbc1d3f796745de7fdb65fe290f2876bf38cd
SHA256: 1ce291b079977e7a3f81c44b644fe1f63ae34a0a1a5c264e9f6085c184f7a1c9
SHA512: 6bd2bf2f9c1e89e77d4365c73cb9e13782b2055dd7e5b6d54bc45265349e8d569fe7036c99f582ee47d9d6b8a41bc8eb02524baba8ed9c7d69975c27169b5afe
SSDEEP: 98304:Puzw2CTViOip5X+MHsMgBXN2/H4QJP6u822wpXJun9TLrynQnI1:PuzITVb0OysM49vgPCMJwHy/
Score: 7/10

Target: 30e66f95b46c8162c921648e31f8c4146ba3f0580f4e5aa3b4c4de18687f6a49
Size: 1.2MB
MD5: 9d43722941309d477e25b7d48b085d00
SHA1: 79793205208d8679b1d1dfe06475a4e52c8b1846
SHA256: 30e66f95b46c8162c921648e31f8c4146ba3f0580f4e5aa3b4c4de18687f6a49
SHA512: 7f2e8a7c38776c1b3c2898b9c7367f51060b4a6ca1385314fd2da417cfe2d18a84f6891dfe18ef28e477037ed84eb2fbbecbeef294751cff0de52ea6c9566efd
SSDEEP: 24576:K6FBigVov3pjeA+07ASgSl+YYxJuWMvV36/K+VLebSKLvBTyPj+dyqG2W0b1:7Bi53w3eqi+mfJujkyqG29x
Score: 8/10
Signatures:
  Modifies Windows Firewall
  Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.
  AutoIT Executable
    AutoIT scripts compiled to PE executables.

Target: 335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf
Size: 3.7MB
MD5: 9c7e90d7637277bb4f4985405eb0ace9
SHA1: 5b0899d790eb4a37260e5d9b8a2ad3f2ada55b1d
SHA256: 335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf
SHA512: 7b57021edfa1108558c2d02df0600de55fd9338dfebc044c03dc677072975acc216a0374cff270d9d75f20e5b92b252f75b2ad3b94f603e7a09f69c14ca888d9
SSDEEP: 98304:Pvqlou/EtfzJS+1S6+T9aLcNvvj5Pudln7QktFJLRyC2hVW13:w/Q7I+T8aLcNvvjQn7QkjFkDVW
Signatures:
  Matrix Ransomware
    Targeted ransomware with information collection and encryption functionality.
  Modifies boot configuration data using bcdedit
  Drops file in Drivers directory
  Sets service image path in registry
  Executes dropped EXE
  Loads dropped DLL
  Modifies file permissions
  Drops desktop.ini file(s)
  Enumerates connected drives
    Attempts to read the root path of hard drives other than the default C: drive.
  Sets desktop wallpaper using registry

Target: 3d7dd597a465d5275ef31d9e4f9dd80ed4de6139a1b3707cb3b0ffa068595567
Size: 3.1MB
MD5: 3e24d064025ec20d6a8e8bae1d19ecdb
SHA1: aaf26fd22d5cab24dda2923b7ba6b131772b3a68
SHA256: 3d7dd597a465d5275ef31d9e4f9dd80ed4de6139a1b3707cb3b0ffa068595567
SHA512: 02eeddcb6d33dada9214503ab460d409ba429dfb00c756722188e2b7b9a65dd054a0bdacf45613ef3d6aa9524f256da155e33daf94eade384dc94f7716724896
SSDEEP: 49152:yAqPm6R8fkBn5GSOsnvjXo2KzB931XYPy:0O6R8fklXo2KzBHX

Target: 42dcc46f9d6e6e8efe3f95bc09dbdfb6206a52a4347dbb652f315cec483a2046
Size: 1.2MB
MD5: 85f7df557b52cfb4850dbdd5040417f6
SHA1: 4773ecc3311a02f7a9851ef8721c2ab6e903ea78
SHA256: 42dcc46f9d6e6e8efe3f95bc09dbdfb6206a52a4347dbb652f315cec483a2046
SHA512: ff2dc51db02259df61c70985140ae8f65690fc910ecc6161f65f71208a0ee0bacc7bd6df5dbc7802fa4cb4ce03968f52e3bf949c21b24a0fc543c6e473d686f1
SSDEEP: 24576:f6FBigwov3pjeA+07ASgSl+YYxJuWMvV36/K+VLebSKLvBTyPj+dyqGYV0b1:YBiI3w3eqi+mfJujkyqGY2x
Score: 9/10
Signatures:
  Renames multiple (167) files with added filename extension
    This suggests ransomware activity of encrypting all the files on the system.
  Modifies Windows Firewall
  Drops desktop.ini file(s)
  Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.
  AutoIT Executable
    AutoIT scripts compiled to PE executables.

Target: 4fcaca23e9cfb7e5448f41bb520c9c35c68fd795ac6b3707d0c64cf92738acf2
Size: 4.7MB
MD5: e86893b92eca6e8dfbcfb9bbc08ee973
SHA1: acaf1392ea344a074cd4dd47faa6a7e1530747f3
SHA256: 4fcaca23e9cfb7e5448f41bb520c9c35c68fd795ac6b3707d0c64cf92738acf2
SHA512: 24f258fb7f088b9c139ef83dd90c63248eee3e85b871841406765386dad20e48d2b8cdd19a0e165e10ff5eeb4494bafd3c84989f3f73112c1273399f7b23f635
SSDEEP: 98304:0s7ZE5JsxXe8NpqBjkZxHJMAM0hsEfIOC34SSPl0V1Eo7N3grvl0iqN+XW0FUlK0:0srXe8NEMMAZhsXOCYe3P7NuI4WHlK8
Signatures:
  Dharma
    Dharma is a ransomware that uses security software installation to hide malicious activities.
  Renames multiple (201) files with added filename extension
    This suggests ransomware activity of encrypting all the files on the system.
  Drops startup file
  Adds Run key to start application
  Drops desktop.ini file(s)
  Drops file in System32 directory

Target: 5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7
Size: 4.8MB
MD5: 5a3c5576c359ce4f40b3274209db2e76
SHA1: 8d38f1c0953013d623bea6d6f6f47d5a0c7027f9
SHA256: 5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7
SHA512: a9780e15702531d22a7088bb1de49c083499244819732f07c7a1c22bea00aa3592231766adae42ea8f980896a659a46a51a58e4e366a35e327f9d788ff88e5eb
SSDEEP: 49152:Dc2Ee3ScTnrb/T5vO90dL3BmAFd4A64nsfJG0CJZGSUeU/o/ZsPfNW7Ew5EzUgr0:73l8ZSUOyaEUVHB72INLu6SZJZ
Score: 10/10
Signatures:
  Clears Windows event logs
  Stops running service(s)

Target: 627a5569d47d6c66be6888e4f68f0a50e491404a08da1a7d9242c2d29e3e8ee3
Size: 31.9MB
MD5: 446fb9d942879e16c30b4cdd4cfca25f
SHA1: 15db57519b54475ca7961a558806c6c49df85d5a
SHA256: 627a5569d47d6c66be6888e4f68f0a50e491404a08da1a7d9242c2d29e3e8ee3
SHA512: 14ec30f91f678fe0ae4b3d681389f4f5a5a01ea2b0cfaf7835025206bde8589f78e3a3a1308089c3331d650ee539ed9dbe723ca7edc72cb3b1996ef7b1d0ad6f
SSDEEP: 786432:k+yF8WWxUdUd1LRphkc3FphBWGlso5EYW8GUCUEDDu4Kucccd8:WF8WWxUUddRzFphBZd5E7UCpDfm
Score: 10/10
Signatures:
  Renames multiple (2426) files with added filename extension
    This suggests ransomware activity of encrypting all the files on the system.
  Disables RegEdit via registry modification
  Disables Task Manager via registry modification
  Disables cmd.exe use via registry modification
  Drops startup file
  Loads dropped DLL

Target: kf12.pyc
Size: 21KB
MD5: fec35c2b1a1da26cff18b89c0a687b4d
SHA1: 32444072a2558f1e11964ad40974dbb9d0369d69
SHA256: 7d8be3ab49fc7b8eb2c762a702d1b0c4702f02d62f534631c5e4258f64f88130
SHA512: f4d812ab23b285ff17686cc03e15bdb348b1eefe89848a1b24dc5d63715fbe82f9f8f2cf83037baa113b94526f97161644484ef4a68cbd43010b016b440aade8
SSDEEP: 384:KXGa/jX2Fu1fC1t8jUG3keIkfkRkBk6k6k6keke4kzkNkZk6k6k6kekrkzkNklkQ:K2a/jX1fWeTMueFFFJeDAKmFFFJIAKSQ
Score: 3/10

Target: 63fa775052a5c7258d44a00d9f2b4a9263f96fb7c61778cbb1ba9102fed2082f
Size: 7.2MB
MD5: 14d4bc13a12f8243383756de92529d6d
SHA1: 54b8fc5de74856d90cad60da8cc41b98940e6a15
SHA256: 63fa775052a5c7258d44a00d9f2b4a9263f96fb7c61778cbb1ba9102fed2082f
SHA512: bbf499f3c3c20d5fe4310995edff3955365398923e6131cb318ee3cd762e034cd798e826bae00a680053846ef2a50c5f153bdb4d2d8cbc93688b9f8a8cf5b55a
SSDEEP: 98304:1VRCs/IYJ5dqZqbKW9oNV8xOerpA8sNqdKe+GCsJ+JjhLeA6dw3:1Vt/TqcbKLpea8s3XsJ+Jjd
Score: 1/10

Target: 645b8dfe73255d9e5be6e778292f3dde84ff8c5918a044ae42bcace0fe9ca279
Size: 2.4MB
MD5: 38529ecca6f8857442331c40e1bd5f9d
SHA1: 37fe11751277dd8cc889e0c05d7fde88b98aa67c
SHA256: 645b8dfe73255d9e5be6e778292f3dde84ff8c5918a044ae42bcace0fe9ca279
SHA512: a837e6f5452c939f7a7dcf16613fab486bb584c20aeb3121748d1dae731c4161a19ea2f9863bf621dc8c61101860b3ebfb3c4a780c8f1c07bd1ad59c90540d4a
SSDEEP: 49152:hxFNFf4ZjhxNdNGa5YLuOARYNdNXc0xI5mmswos1:hxF7Q3xDAa5qARYDS0xIg
Score: 1/10

Target: 64862ec69991a7d454c3ea3a0c3a8f1cc9c80192078740b9c753abbf1b7bef1b
Size: 1.7MB
MD5: 2b34badcdfb0921ee43548475c0ec5bb
SHA1: 2cfe28584ae7649e3fe0ae150bfe49f7eabc6cf9
SHA256: 64862ec69991a7d454c3ea3a0c3a8f1cc9c80192078740b9c753abbf1b7bef1b
SHA512: c31ac862ac9211821332aa8fd03110ca3ef89304fead4a900d2190c4a3950d2d6e5704b06ab3edf2ea6c6d3b9c225e5220e62496dc42948ec6125618924f880c
SSDEEP: 24576:++H1KCVkwjVSjdao2bwzUaSze1AeHm/gcgX+7waf7gm7yZADfBFdOgSeiseIK1S3:399byqze1I3o+rH+MFdOsZvShn9T
Score: 10/10
Signatures:
  Modifies boot configuration data using bcdedit
  Disables Task Manager via registry modification
  Checks computer location settings
    Looks up country code configured in the registry, likely geofence.
  Drops startup file
  Executes dropped EXE
  Adds Run key to start application
  Drops desktop.ini file(s)
  Sets desktop wallpaper using registry

Target: 741d75a02d0c4974968f0738a8b67104e1c24a58143b73b5ed1c25ac023b695e
Size: 2.4MB
MD5: 675716e76d329c21fd1c8584c4bbf4e0
SHA1: 3f31361a356346980a458f72639b167f8557d997
SHA256: 741d75a02d0c4974968f0738a8b67104e1c24a58143b73b5ed1c25ac023b695e
SHA512: 33990b75e05409956567e2c417c4af3cefed346d18b1c990651ba9ae55f4c41e448f48e708ebb3f0a47dd2f95a648d99fa49b1f53bd68275754a98662451b75e
SSDEEP: 49152:T1qnoAYJ+dAyibulZllnhELJPA2GINhptUhwRVmif4lqKw1UWHgCw8SbdkYMy:pMoAYJlyi8WBAypSQVf4l21xw80ke
Signatures:
  Detected Xorist Ransomware
  Identifies VirtualBox via ACPI registry values (likely anti-VM)
  Renames multiple (2144) files with added filename extension
    This suggests ransomware activity of encrypting all the files on the system.
  Drops file in Drivers directory
  Checks BIOS information in registry
    BIOS information is often read in order to detect sandboxing environments.
  Adds Run key to start application
  Drops file in System32 directory
MITRE ATT&CK Matrix (ATT&CK v13), technique counts in parentheses
Persistence
  Boot or Logon Autostart Execution (5)
    Registry Run Keys / Startup Folder (5)
  Create or Modify System Process (3)
    Windows Service (3)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (5)
    Registry Run Keys / Startup Folder (5)
  Create or Modify System Process (3)
    Windows Service (3)
  Scheduled Task/Job (1)
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Defense Evasion
  Indicator Removal (13)
    File Deletion (12)
  Modify Registry (10)
  File and Directory Permissions Modification (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Virtualization/Sandbox Evasion (1)