Overview

overview

10

Static

static

3

Ransomware.7ev3n.exe

windows10-2004-x64

Ransomware...it.exe

windows10-2004-x64

10

Ransomware...us.exe

windows10-2004-x64

10

Ransomware...er.exe

windows10-2004-x64

10

Resubmissions

24-02-2024 15:44

240224-s6pzqafh53 10

24-02-2024 14:06

240224-relmjsdh45 10

24-02-2024 11:48

240224-nyvssabe4w 3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    MalwareCollection-master.zip

  • Size

    57.3MB

  • Sample

    240224-relmjsdh45

  • MD5

    b59aed5137772e644e29ad334dba17e0

  • SHA1

    a2e545bbe058bddee0f7af68e21c3471d4abc3ab

  • SHA256

    c6a916c33096cd488ca57c28863c433cf5279128aa50ea156761bab6444f4937

  • SHA512

    daaa8ff6ddb53cb2c3c0218f73be43807982b13f0b5893a322bdd719e0f208b7b98586d0516b04e2e0f36c7dea45dde3fa8423c421f7d82cb9dbb14e3cede525

  • SSDEEP

    1572864:9j/A/cygNPTitKk8Gq4+/34speZ0jqmhkv71Cg8a6Egs5:Z/ZygNPTitKkRqh/34sprj3q1C31Egs5

Score
10/10
badrabbitcryptolockerdharmamimikatzevasionpersistenceransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail coronavirus@qq.com Write this ID in the title of your message F5048EBE In case of no answer in 24 hours write us to theese e-mails: coronavirus@qq.com You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

coronavirus@qq.com

Targets

    • Target

      Ransomware.7ev3n.exe

    • Size

      315KB

    • MD5

      9f8bc96c96d43ecb69f883388d228754

    • SHA1

      61ed25a706afa2f6684bb4d64f69c5fb29d20953

    • SHA256

      7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5

    • SHA512

      550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

    • SSDEEP

      6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv

    Score
    10/10
    evasionpersistencetrojan
    behavioral1

    • Target

      Ransomware.BadRabbit.exe

    • Size

      431KB

    • MD5

      fbbdc39af1139aebba4da004475e8839

    • SHA1

      de5c8d858e6e41da715dca1c019df0bfb92d32c0

    • SHA256

      630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

    • SHA512

      74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

    • SSDEEP

      12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

    Score
    10/10
    badrabbitmimikatzransomware

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

      ransomwarebadrabbit

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

      mimikatz

    • mimikatz is an open source tool to dump credentials on Windows

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral2

    • Target

      Ransomware.CoronaVirus.exe

    • Size

      1.0MB

    • MD5

      055d1462f66a350d9886542d4d79bc2b

    • SHA1

      f1086d2f667d807dbb1aa362a7a809ea119f2565

    • SHA256

      dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

    • SHA512

      2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

    • SSDEEP

      24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2

    Score
    10/10
    dharmapersistenceransomwarespywarestealer

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

      ransomwaredharma

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Renames multiple (494) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    behavioral3

    • Target

      Ransomware.CryptoLocker.exe

    • Size

      338KB

    • MD5

      04fb36199787f2e3e2135611a38321eb

    • SHA1

      65559245709fe98052eb284577f1fd61c01ad20d

    • SHA256

      d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

    • SHA512

      533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

    • SSDEEP

      6144:sWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvC:sWkEuCaNT85I2vCMX5l+ZRv

    Score
    10/10
    cryptolockerpersistenceransomware
    behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

2
T1053

Persistence

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

2
T1053

Privilege Escalation

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Winlogon Helper DLL

1
T1547.004

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Scheduled Task/Job

2
T1053

Defense Evasion

Modify Registry

5
T1112

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Resource Development

Reconnaissance

Tasks