General

  • Target

    Ransomware.zip

  • Size

    42.1MB

  • Sample

    240302-yztxzsgh6x

  • MD5

    1b1712d0f4cf97cdb10f7817fbe37628

  • SHA1

    c6245e74e10ef228ccbd9bdb97ae26f8bb24b2be

  • SHA256

    b7eb20bcbe42e9f14f813a19e07aea6482c7df7faf90054f27cda4dcfc28723c

  • SHA512

    8a75634e543f18197eb89b4062bd9089c385326caf70275a1c82af779822f6311e5281ee1688b34d0ca02ae3cdca68ec6113b8c8fe1561ace9081d3a425310da

  • SSDEEP

    786432:jSLN4jiwEj7mKm+hsZ7DYfzMRzZH27sgTQB8x4aSbJCUEKAhiDB9+DZwX1TpIb8Y:GLuY6KyHiz6ZH27xTQB8yAUEAHWZATpY

Malware Config

Extracted

  • Family

    metasploit

  • Version

    windows/single_exec

Targets

    • Target

      716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac.exe

    • Size

      15.9MB

    • MD5

      0f743287c9911b4b1c726c7c7edcaf7d

    • SHA1

      9760579e73095455fcbaddfe1e7e98a2bb28bfe0

    • SHA256

      716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac

    • SHA512

      2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677

    • SSDEEP

      393216:UMwm0qBknxdEX+LbMUgoSZmWSmh4aaRN22ChHCMNku1y:UMcKX+Lbjgd7W1RNVC9ku1

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Disables use of System Restore points

    • Modifies Windows Firewall

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Target

      Ransomware/Annabelle Ransomware/716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac.exe

    • Size

      15.9MB

    • MD5

      0f743287c9911b4b1c726c7c7edcaf7d

    • SHA1

      9760579e73095455fcbaddfe1e7e98a2bb28bfe0

    • SHA256

      716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac

    • SHA512

      2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677

    • SSDEEP

      393216:UMwm0qBknxdEX+LbMUgoSZmWSmh4aaRN22ChHCMNku1y:UMcKX+Lbjgd7W1RNVC9ku1

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Disables use of System Restore points

    • Modifies Windows Firewall

    • Sets file execution options in registry

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Target

      BadRabbit.exe

    • Size

      431KB

    • MD5

      fbbdc39af1139aebba4da004475e8839

    • SHA1

      de5c8d858e6e41da715dca1c019df0bfb92d32c0

    • SHA256

      630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

    • SHA512

      74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

    • SSDEEP

      12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • mimikatz is an open source tool to dump credentials on Windows

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      Ransomware/BadRabbit Ransomware/BadRabbit.exe

    • Size

      431KB

    • MD5

      fbbdc39af1139aebba4da004475e8839

    • SHA1

      de5c8d858e6e41da715dca1c019df0bfb92d32c0

    • SHA256

      630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

    • SHA512

      74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

    • SSDEEP

      12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • mimikatz is an open source tool to dump credentials on Windows

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      tunamor.exe

    • Size

      71KB

    • MD5

      e9fdc21bd273444925a4512166188e5b

    • SHA1

      e398138686eedcd8ef9de5342025f7118e120cdf

    • SHA256

      78972cdde1a038f249b481ea2c4b172cc258aa294440333e9c46dcb3fbed5815

    • SHA512

      64989534f56fcd70f3ff08bb47a331d5624fc1e3b387420a885d6f32a537e05182de8c5890612cde03fdd312ad101955674d7455c84b900bf7eed97b402a2b08

    • SSDEEP

      768:Uv3mq1oJQpwvZlXhVkcDsaoi9P9TJKvaoStYARRQwfwiIySf4BtIl82+hE8x:YmqMQoXhVN4aooJhDCSeyxel82WNx

    Score 6/10

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      Ransomware/Monster Ransomware (second new version)/tunamor.exe

    • Size

      71KB

    • MD5

      e9fdc21bd273444925a4512166188e5b

    • SHA1

      e398138686eedcd8ef9de5342025f7118e120cdf

    • SHA256

      78972cdde1a038f249b481ea2c4b172cc258aa294440333e9c46dcb3fbed5815

    • SHA512

      64989534f56fcd70f3ff08bb47a331d5624fc1e3b387420a885d6f32a537e05182de8c5890612cde03fdd312ad101955674d7455c84b900bf7eed97b402a2b08

    • SSDEEP

      768:Uv3mq1oJQpwvZlXhVkcDsaoi9P9TJKvaoStYARRQwfwiIySf4BtIl82+hE8x:YmqMQoXhVN4aooJhDCSeyxel82WNx

    Score 6/10

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      XMoon.exe

    • Size

      669KB

    • MD5

      a690cce59e21f5198ca304243b084f9e

    • SHA1

      8aeb0b106dd21e2afb50c3f7ae78ca4f8f4b29c5

    • SHA256

      ea0a5854aa6e91ebe816d256f34f820697a92d86b4f81e8855c84daeed40b9d4

    • SHA512

      9e0eebf53d0ea424ae9aeb0da2e27e5be75391a5be2945d29137da12baff32184df3a223692bbabb4b64350d902bd6847284d982e62313f3402035e842f4b758

    • SSDEEP

      12288:X6Wq4aaE6KwyF5L0Y2D1PqL6eqhBkEFY9ddNdzYaTW3aSDcyImRlL7zo:1thEVaPqL6JkF9YaTLSigL7c

    • UAC bypass

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      Ransomware/Monster Ransomware/XMoon.exe

    • Size

      669KB

    • MD5

      a690cce59e21f5198ca304243b084f9e

    • SHA1

      8aeb0b106dd21e2afb50c3f7ae78ca4f8f4b29c5

    • SHA256

      ea0a5854aa6e91ebe816d256f34f820697a92d86b4f81e8855c84daeed40b9d4

    • SHA512

      9e0eebf53d0ea424ae9aeb0da2e27e5be75391a5be2945d29137da12baff32184df3a223692bbabb4b64350d902bd6847284d982e62313f3402035e842f4b758

    • SSDEEP

      12288:X6Wq4aaE6KwyF5L0Y2D1PqL6eqhBkEFY9ddNdzYaTW3aSDcyImRlL7zo:1thEVaPqL6JkF9YaTLSigL7c

    • UAC bypass

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      GoldenEye.exe

    • Size

      254KB

    • MD5

      e3b7d39be5e821b59636d0fe7c2944cc

    • SHA1

      00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

    • SHA256

      389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

    • SHA512

      8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

    • SSDEEP

      3072:iTAjnioLO7WpLyLNZMcPSK7BaZ0NwAWMGc0HfmY4KsyyOiy12KJ3I4YgTl:i6nrD0ZMcPBAL7c0fTHs+2sYXg

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      GoldenEye.js

    • Size

      365KB

    • MD5

      c4e9fc349d5c8b24c0ddb1533de2c16b

    • SHA1

      147e938bd06709b3c20eea4ac461093d573be037

    • SHA256

      28fd3a1d9087d7b103b7f6cfca002798b6365fe6ebcc66fa02dbb4a9e6378e71

    • SHA512

      fd0cf6f434e665aabc91f6095394a08483990c12a0b6ad3a1bd820b740af0ddbc02bc0a2592be429c7488b3cd2889afad8f758b4258009dfe51e9faac76842be

    • SSDEEP

      6144:Jnm5mwYxm+DzkzFIDIWCy49ezGywT7PDSzT3enlJ1BJ0exGqkIb1Taha6e2T6Huv:FnaIEWeqWdnlhJ+eHHu+1Qk3C+MAQ

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.exe

    • Size

      254KB

    • MD5

      e3b7d39be5e821b59636d0fe7c2944cc

    • SHA1

      00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

    • SHA256

      389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

    • SHA512

      8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

    • SSDEEP

      3072:iTAjnioLO7WpLyLNZMcPSK7BaZ0NwAWMGc0HfmY4KsyyOiy12KJ3I4YgTl:i6nrD0ZMcPBAL7c0fTHs+2sYXg

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.js

    • Size

      365KB

    • MD5

      c4e9fc349d5c8b24c0ddb1533de2c16b

    • SHA1

      147e938bd06709b3c20eea4ac461093d573be037

    • SHA256

      28fd3a1d9087d7b103b7f6cfca002798b6365fe6ebcc66fa02dbb4a9e6378e71

    • SHA512

      fd0cf6f434e665aabc91f6095394a08483990c12a0b6ad3a1bd820b740af0ddbc02bc0a2592be429c7488b3cd2889afad8f758b4258009dfe51e9faac76842be

    • SSDEEP

      6144:Jnm5mwYxm+DzkzFIDIWCy49ezGywT7PDSzT3enlJ1BJ0exGqkIb1Taha6e2T6Huv:FnaIEWeqWdnlhJ+eHHu+1Qk3C+MAQ

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      NotPetya.exe

    • Size

      390KB

    • MD5

      b6cc1e4052f613e15a8b05439f5877b4

    • SHA1

      9bb3cb5080ae18985d93a28faeca6ae06d768b21

    • SHA256

      e2ea7f9581a7e1386fc6601d1421e1194373c1c891f2d406de6d49810fcc7737

    • SHA512

      cd48f448cd355a1463ca090d8ad47100596e1ed1a1a771f26c672406669433e9d9d915268def0aad844511f65a3c69fbb3ab2e2dc610ecc0f66a8524a6a8ea73

    • SSDEEP

      12288:rF/X4NTS/x9jNG+w+9OqFoK323qdQYKU3:BXATS/x9jNg+95vdQa

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • mimikatz is an open source tool to dump credentials on Windows

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      Ransomware/Trojan.Ransom.NotPetya/NotPetya.exe

    • Size

      390KB

    • MD5

      b6cc1e4052f613e15a8b05439f5877b4

    • SHA1

      9bb3cb5080ae18985d93a28faeca6ae06d768b21

    • SHA256

      e2ea7f9581a7e1386fc6601d1421e1194373c1c891f2d406de6d49810fcc7737

    • SHA512

      cd48f448cd355a1463ca090d8ad47100596e1ed1a1a771f26c672406669433e9d9d915268def0aad844511f65a3c69fbb3ab2e2dc610ecc0f66a8524a6a8ea73

    • SSDEEP

      12288:rF/X4NTS/x9jNG+w+9OqFoK323qdQYKU3:BXATS/x9jNg+95vdQa

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • mimikatz is an open source tool to dump credentials on Windows

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      Ransomware/Trojan.Ransom.PetrWrap/Trojan.Ransom.PetrWrap

    • Size

      473KB

    • MD5

      17c25c8a7c141195ee887de905f33d7b

    • SHA1

      7fa8079e8dca773574d01839efc623d3cd8e6a47

    • SHA256

      e079fa28ea51fa98644164caf585ae3231d25372fccca1245902fb57488d4660

    • SHA512

      de95f18101b99d159fe459c5e5651e0db2b1c76e02c9c2741bfd920decc970abc6dc0b41651be0471b4c7c3deb8b5e9a6e956c6515f268f9dfee7b76087a1e2b

    • SSDEEP

      12288:ZPaAhutLwUVsvLPcFZXYl0oIZdm9n50DNq:ZPjutLRuvLPcX8mC5S

    Score 1/10

    • Target

      Ransomware/Trojan.Ransom.PetrWrap/Trojan.Ransom.PetrWrap(Patched)

    • Size

      473KB

    • MD5

      f9dc218f57d7ecf5a8664a6561a59a2e

    • SHA1

      f9e15d4799c382a00b17c322826c0fbee7a7014b

    • SHA256

      bb990e2307c5f1143f3b8fabd77e62a2754c25b1de45636b93b6c87d1dc12784

    • SHA512

      00c3e39687bcd9951d63adb521c096120d1c81521bb56615b32c42a0f5126f31fea023a173a95230a0d1e74056cd84baad29ffd7615409ff8b07640c550d955a

    • SSDEEP

      12288:9PaAhutLwUVsvLPcFZXYl0oIZdm9n50DNx:9PjutLRuvLPcX8mC5S

    Score 6/10

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Matrix (ATT&CK v13)

Technique name, technique ID, and the number of matches in this report.

Execution

  • Scheduled Task/Job (T1053): 4

Persistence

  • Boot or Logon Autostart Execution (T1547): 6

    • Registry Run Keys / Startup Folder (T1547.001): 4

    • Winlogon Helper DLL (T1547.004): 2

  • Create or Modify System Process (T1543): 4

    • Windows Service (T1543.003): 4

  • Scheduled Task/Job (T1053): 4

  • Pre-OS Boot (T1542): 9

    • Bootkit (T1542.003): 9

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 6

    • Registry Run Keys / Startup Folder (T1547.001): 4

    • Winlogon Helper DLL (T1547.004): 2

  • Create or Modify System Process (T1543): 4

    • Windows Service (T1543.003): 4

  • Abuse Elevation Control Mechanism (T1548): 4

    • Bypass User Account Control (T1548.002): 4

  • Scheduled Task/Job (T1053): 4

Defense Evasion

  • Modify Registry (T1112): 18

  • Impair Defenses (T1562): 8

    • Disable or Modify Tools (T1562.001): 6

    • Disable or Modify System Firewall (T1562.004): 2

  • Abuse Elevation Control Mechanism (T1548): 4

    • Bypass User Account Control (T1548.002): 4

  • Indicator Removal (T1070): 4

    • File Deletion (T1070.004): 4

  • Pre-OS Boot (T1542): 9

    • Bootkit (T1542.003): 9

Credential Access

  • Unsecured Credentials (T1552): 2

    • Credentials In Files (T1552.001): 2

Discovery

  • Query Registry (T1012): 9

  • System Information Discovery (T1082): 19

  • Peripheral Device Discovery (T1120): 2

  • Process Discovery (T1057): 1

Collection

  • Data from Local System (T1005): 2

Impact

  • Inhibit System Recovery (T1490): 6

  • Defacement (T1491): 2

Tasks

Task name, tags assigned by the sandbox, and score.

  • static1: upx; score 7/10

  • behavioral1: evasion, persistence, ransomware, trojan; score 10/10

  • behavioral2: evasion, persistence, ransomware, trojan; score 10/10

  • behavioral3: evasion, persistence, ransomware, trojan; score 10/10

  • behavioral4: score 1/10

  • behavioral5: badrabbit, mimikatz, ransomware; score 10/10

  • behavioral6: badrabbit, mimikatz, ransomware; score 10/10

  • behavioral7: badrabbit, mimikatz, ransomware; score 10/10

  • behavioral8: badrabbit, mimikatz, ransomware; score 10/10

  • behavioral9: bootkit, persistence; score 6/10

  • behavioral10: bootkit, persistence; score 6/10

  • behavioral11: bootkit, persistence; score 6/10

  • behavioral12: bootkit, persistence; score 6/10

  • behavioral13: evasion, ransomware, trojan, upx; score 10/10

  • behavioral14: ransomware, upx; score 7/10

  • behavioral15: evasion, ransomware, trojan, upx; score 10/10

  • behavioral16: ransomware, upx; score 7/10

  • behavioral17: metasploit, backdoor, bootkit, persistence, trojan; score 10/10

  • behavioral18: metasploit, backdoor, bootkit, persistence, trojan; score 10/10

  • behavioral19: metasploit, backdoor, bootkit, persistence, trojan; score 10/10

  • behavioral20: metasploit, backdoor, bootkit, persistence, trojan; score 10/10

  • behavioral21: metasploit, backdoor, bootkit, persistence, trojan; score 10/10

  • behavioral22: metasploit, backdoor, bootkit, persistence, trojan; score 10/10

  • behavioral23: metasploit, backdoor, bootkit, persistence, trojan; score 10/10

  • behavioral24: metasploit, backdoor, bootkit, persistence, trojan; score 10/10

  • behavioral25: mimikatz, bootkit, persistence, spyware, stealer; score 10/10

  • behavioral26: mimikatz, bootkit, persistence, spyware, stealer; score 10/10

  • behavioral27: mimikatz, bootkit, persistence, spyware, stealer; score 10/10

  • behavioral28: mimikatz, bootkit, persistence, spyware, stealer; score 10/10

  • behavioral29: score 1/10

  • behavioral30: score 1/10

  • behavioral31: bootkit, persistence; score 6/10

  • behavioral32: score 3/10