General

  • Target

    Windows.zip

  • Size

    31.7MB

  • Sample

    240310-2zt5jade57

  • MD5

    1834586b7e6f291ce278f36d25912667

  • SHA1

    575659c4f36224e13388c8a48a5145d58dbc265f

  • SHA256

    1473050bbfaaccabbc5429d25b37bbeaf0d73eb39706e9b01d88494704447ded

  • SHA512

    e63c8d2af72da4636b3b466c0d84efdb02f465508a6caae39a0c18d7292cc4cb4834228d8728db2023abd7dbe8633e95e0e541055d2233855ab96f72edc6d10b

  • SSDEEP

    786432:dQWBUeisS6Cv9xSkFwVB+x4aSbJ1EKAhiDB9+DZwX1TpIb86PR7:OCDg/v5FwVB+yfEAHWZATpIbBPR7

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Targets

    • Target

      Windows/000.exe

    • Size

      6.7MB

    • MD5

      d5671758956b39e048680b6a8275e96a

    • SHA1

      33c341130bf9c93311001a6284692c86fec200ef

    • SHA256

      4a900b344ef765a66f98cf39ac06273d565ca0f5d19f7ea4ca183786155d4a47

    • SHA512

      972e89ed8b7b4d75df0a05c53e71fb5c29edaa173d7289656676b9d2a1ed439be1687beddc6fb1fbf068868c3da9c3d2deb03b55e5ab5e7968858b5efc49fbe7

    • SSDEEP

      3072:V3LA1++iCeFj0im6X/AXpT8vVMCcHVcdhghUuzzo9Y:lLJlC6j0CX4XmvWHVcd62uo9

    • Disables Task Manager via registry modification

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

    • Sets desktop wallpaper using registry

    • Target

      Windows/BUG32.exe

    • Size

      3.0MB

    • MD5

      149cc2ec1900cb778afb50d8026eadf5

    • SHA1

      a7bc1bbc7bdc970757ec369ef0b51dc53989f131

    • SHA256

      817a695e53a1d6e24f2c701751b4d18468f20698f30fada420dfba6e21a09797

    • SHA512

      d617654478beb6325d86c108cddaff8f8d658a235d26b8e0282ed85dca826bdb62b0b67e749c7cd421dbae1d98084220e2f4d5779badb8fd7ab07ff333a35553

    • SSDEEP

      49152:Or2U5IahDUGN97rkqOAackLjQ0rZEAh3oA6wHE+K60Kk0aCLkfAZKt0OJTcL:4H2ahFNNrg3QbQoA6wHEnFN4IJu

    • Modifies WinLogon for persistence

    • UAC bypass

    • Renames multiple (136) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Blocklisted process makes network request

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      Windows/Bonzify.exe

    • Size

      6.4MB

    • MD5

      9c352d2ce0c0bdc40c72f52ce3480577

    • SHA1

      bd4c956186f33c92eb4469f7e5675510d0790e99

    • SHA256

      d7e6580054525d3f21f86edfc9f30b7a75ffa829a1eb67ee3cab33f0040dba4e

    • SHA512

      c1926d59272df0e049467f4497bcc3631bbc1aa5337e87f4af31bfdba60c9ef460e394380024ffa7e71fef8938761d48d75e9dc93dc7529d2b9c8c638dddae92

    • SSDEEP

      196608:/dAMaWetTeAkLIdx751qFTkub//73lc6u7b5VJ2Yx5xIdk3:naWedh+Idx75QYub//73lc6u7bLMYxD

    Score
    8/10
    • Possible privilege escalation attempt

    • Modifies file permissions

    • Target

      Windows/Email-Worm/Email-Worm.Win32.Happy99/Happy99.exe

    • Size

      9KB

    • MD5

      02dd0eaa9649a11e55fa5467fa4b8ef8

    • SHA1

      a4a945192cb730634168f79b6e4cd298dbe3d168

    • SHA256

      4ebe3e1af5e147c580ecce052fe7d7d0219d5e5a2f5e6d8a7f7291735923db18

    • SHA512

      3bf69de674737ca15d6ff7ce73396194f3631dc4b8d32cc570adeeacdc210acee50fd64c97172ce7cc77f166c681d2ccd55955b3aca9188813b7ff6f49280441

    • SSDEEP

      192:nR81cIkA5Dbaj/CaFx40Z9HnLH8bzTbjt5BNUFO:RycyhqN4u9HnLH8bnbjtpl

    Score
    5/10
    • Drops file in System32 directory

    • Target

      Windows/Email-Worm/Email-Worm.Win32.Magistr/Magistr.exe

    • Size

      107KB

    • MD5

      9890349fe3c68f5923b29347bba021a4

    • SHA1

      fa080a50486b205b75833a6b5c9505abb1e3b4df

    • SHA256

      068f2ee28af7645dbf2a1684f0a5fc5ccb6aa1027f71da4468e0cba56c65e058

    • SHA512

      aedd86837987cbe8c0b1cf3b4ca0c3a875e4cc9bcc8097c160d0d6070427ad9e1d871d5339ea95cc03499c39a6536b5a6b6d43372a49eeaf2e87bf755a3d3367

    • SSDEEP

      3072:pRr1m0iQwTlFiIoXTLDCLLUsgULFsfMGdd64:Lk0LCwIi3DMUwFNGd04

    Score
    1/10
    • Target

      Windows/Email-Worm/Email-Worm.Win32.Maldal/Maldal.exe

    • Size

      80KB

    • MD5

      cbcd34a252a7cf61250b0f7f1cba3382

    • SHA1

      152f224d66555dd49711754bf4e29a17f4706332

    • SHA256

      abac285f290f0cfcd308071c9dfa9b7b4b48d10b4a3b4d75048804e59a447787

    • SHA512

      09fdcb04707a3314e584f81db5210b2390f4c3f5efa173539f9d248db48ae26b3a8b240cf254561b0ecb764f6b04bb4c129832c6502d952d1960e443371ce2a9

    • SSDEEP

      1536:wh6S2wzALFx8hkMsiUmxi6QPitAKQjY8c4B5h:dS212xlQvKCYx4B

    Score
    5/10
    • Drops file in System32 directory

    • Target

      Windows/Email-Worm/Email-Worm.Win32.MeltingScreen/MeltingScreen.exe

    • Size

      17KB

    • MD5

      4784e42c3b15d1a141a5e0c8abc1205c

    • SHA1

      48c958deba25a4763ef244ac87e87983c6534179

    • SHA256

      9d355e4f9a51536b05269f696b304859155985957ba95eb575f3f38c599d913c

    • SHA512

      d63d20a38602d4d228367b6596454a0f5b2884c831e3a95237d23b882abd624de59ea47835636b06a96e216f1decf8c468caacd45e5d3b16a5eb9e87bc69eb97

    • SSDEEP

      384:eHsipOITNe52uuCiuhwYW5t/QS5uoIjkg:PivNZuhi+wYW5toBoB

    Score
    1/10
    • Target

      Windows/Email-Worm/Email-Worm.Win32.Pikachu/Pikachu.exe

    • Size

      32KB

    • MD5

      715614e09261b39dfa439fa1326c0cec

    • SHA1

      52d118a34da7f5037cde04c31ff491eb25933b18

    • SHA256

      e1dfc005d5403fb2f356276f0abe19df68249ce10e5035450926d56c2f8d3652

    • SHA512

      fe905c388b0711f54941076a29b11f2b605655b4a3f409d9f0f077f2fe91f241401035310daa490afb6df50a6deff5456be5ee86984e7b9069506efa07af51ae

    • SSDEEP

      384:JuttXvHydgJdONTjJJbIR1ozOtEZcrkTuztHTYhEWS6uyd:JaXfy2dmjJJcAaDkTEdjR6uy

    Score
    5/10
    • Drops file in System32 directory

    • Target

      Windows/Fake GoldenEye/FakeGoldenEye.exe

    • Size

      76KB

    • MD5

      26758407117c78422332c443ca7ed21d

    • SHA1

      9ab022e854166f4ec567d2ed4cf15880c13b3d95

    • SHA256

      2900dcc4246afc601ada049b127c4344fa917acf1689a6a4748ee72f93f503ed

    • SHA512

      ddbc118d3124508e4a9493b0d55eced154ae41c641f852f49b7f2b72fb9770d5af7ccf913b65e87bd9d66a4e0064d47bebd62e38cc03953c30d48ece13d501ee

    • SSDEEP

      1536:5GIHamLYZy4hk7CR8yrO1gStZ6PjydhiAphYjy:rRfi88OOKZSjioJjy

    Score
    6/10
    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      Windows/PCToaster/PCToaster.exe

    • Size

      411KB

    • MD5

      04251a49a240dbf60975ac262fc6aeb7

    • SHA1

      e211ca63af2ab85ffab1e5fbbdf28a4ef8f77de0

    • SHA256

      85a58aa96dccd94316a34608ba996656a22c8158d5156b6e454d9d69e6ff38c3

    • SHA512

      3422a231e1dadb68d3567a99d46791392ecf5883fd3bbc2cae19a595364dac46e4b2712db70b61b488937d906413d39411554034ffd3058389700a93c17568d2

    • SSDEEP

      3072:quJFS5Aqu+WwjxeI/0gVnfKl0FA+aPobO24yNz88iu8vDYHTlI5EJD5Hbibfd6PK:/JM0mCsWq1/qpz+nF5c

    Score
    7/10
    • Target

      Windows/Ransomware/Annabelle Ransomware/716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac.exe

    • Size

      15.9MB

    • MD5

      0f743287c9911b4b1c726c7c7edcaf7d

    • SHA1

      9760579e73095455fcbaddfe1e7e98a2bb28bfe0

    • SHA256

      716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac

    • SHA512

      2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677

    • SSDEEP

      393216:UMwm0qBknxdEX+LbMUgoSZmWSmh4aaRN22ChHCMNku1y:UMcKX+Lbjgd7W1RNVC9ku1

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Disables use of System Restore points

    • Modifies Windows Firewall

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Target

      Windows/Ransomware/BadRabbit Ransomware/BadRabbit.exe

    • Size

      431KB

    • MD5

      fbbdc39af1139aebba4da004475e8839

    • SHA1

      de5c8d858e6e41da715dca1c019df0bfb92d32c0

    • SHA256

      630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

    • SHA512

      74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

    • SSDEEP

      12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • mimikatz is an open source tool to dump credentials on Windows

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      Windows/Ransomware/Monster Ransomware (second new version)/tunamor.exe

    • Size

      71KB

    • MD5

      e9fdc21bd273444925a4512166188e5b

    • SHA1

      e398138686eedcd8ef9de5342025f7118e120cdf

    • SHA256

      78972cdde1a038f249b481ea2c4b172cc258aa294440333e9c46dcb3fbed5815

    • SHA512

      64989534f56fcd70f3ff08bb47a331d5624fc1e3b387420a885d6f32a537e05182de8c5890612cde03fdd312ad101955674d7455c84b900bf7eed97b402a2b08

    • SSDEEP

      768:Uv3mq1oJQpwvZlXhVkcDsaoi9P9TJKvaoStYARRQwfwiIySf4BtIl82+hE8x:YmqMQoXhVN4aooJhDCSeyxel82WNx

    Score
    6/10
    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      Windows/Ransomware/Monster Ransomware/XMoon.exe

    • Size

      669KB

    • MD5

      a690cce59e21f5198ca304243b084f9e

    • SHA1

      8aeb0b106dd21e2afb50c3f7ae78ca4f8f4b29c5

    • SHA256

      ea0a5854aa6e91ebe816d256f34f820697a92d86b4f81e8855c84daeed40b9d4

    • SHA512

      9e0eebf53d0ea424ae9aeb0da2e27e5be75391a5be2945d29137da12baff32184df3a223692bbabb4b64350d902bd6847284d982e62313f3402035e842f4b758

    • SSDEEP

      12288:X6Wq4aaE6KwyF5L0Y2D1PqL6eqhBkEFY9ddNdzYaTW3aSDcyImRlL7zo:1thEVaPqL6JkF9YaTLSigL7c

    • UAC bypass

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      Windows/Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.exe

    • Size

      254KB

    • MD5

      e3b7d39be5e821b59636d0fe7c2944cc

    • SHA1

      00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

    • SHA256

      389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

    • SHA512

      8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

    • SSDEEP

      3072:iTAjnioLO7WpLyLNZMcPSK7BaZ0NwAWMGc0HfmY4KsyyOiy12KJ3I4YgTl:i6nrD0ZMcPBAL7c0fTHs+2sYXg

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      Windows/Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.js

    • Size

      365KB

    • MD5

      c4e9fc349d5c8b24c0ddb1533de2c16b

    • SHA1

      147e938bd06709b3c20eea4ac461093d573be037

    • SHA256

      28fd3a1d9087d7b103b7f6cfca002798b6365fe6ebcc66fa02dbb4a9e6378e71

    • SHA512

      fd0cf6f434e665aabc91f6095394a08483990c12a0b6ad3a1bd820b740af0ddbc02bc0a2592be429c7488b3cd2889afad8f758b4258009dfe51e9faac76842be

    • SSDEEP

      6144:Jnm5mwYxm+DzkzFIDIWCy49ezGywT7PDSzT3enlJ1BJ0exGqkIb1Taha6e2T6Huv:FnaIEWeqWdnlhJ+eHHu+1Qk3C+MAQ

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v15

Tasks

static1

upx
Score
7/10

behavioral1

evasionpersistenceransomware
Score
8/10

behavioral2

evasionpersistenceransomware
Score
8/10

behavioral3

evasionpersistenceransomwarespywarestealertrojan
Score
10/10

behavioral4

evasionpersistenceransomwarespywarestealertrojan
Score
10/10

behavioral5

discoveryexploit
Score
8/10

behavioral6

discoveryexploit
Score
8/10

behavioral7

Score
5/10

behavioral8

Score
5/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
5/10

behavioral12

Score
5/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
5/10

behavioral16

Score
1/10

behavioral17

bootkitpersistence
Score
6/10

behavioral18

bootkitpersistence
Score
6/10

behavioral19

Score
1/10

behavioral20

discovery
Score
7/10

behavioral21

evasionpersistenceransomwaretrojan
Score
10/10

behavioral22

evasionpersistenceransomwaretrojan
Score
10/10

behavioral23

badrabbitmimikatzransomware
Score
10/10

behavioral24

badrabbitmimikatzransomware
Score
10/10

behavioral25

bootkitpersistence
Score
6/10

behavioral26

bootkitpersistence
Score
6/10

behavioral27

evasionransomwaretrojanupx
Score
10/10

behavioral28

ransomwareupx
Score
7/10

behavioral29

metasploitbackdoorbootkitpersistencetrojan
Score
10/10

behavioral30

metasploitbackdoorbootkitpersistencetrojan
Score
10/10

behavioral31

metasploitbackdoorbootkitpersistencetrojan
Score
10/10

behavioral32

metasploitbackdoorbootkitpersistencetrojan
Score
10/10