Overview
overview
10Static
static
7Windows/000.exe
windows7-x64
Windows/000.exe
windows10-2004-x64
Windows/BUG32.exe
windows7-x64
Windows/BUG32.exe
windows10-2004-x64
Windows/Bonzify.exe
windows7-x64
8Windows/Bonzify.exe
windows10-2004-x64
8Windows/Em...99.exe
windows7-x64
5Windows/Em...99.exe
windows10-2004-x64
5Windows/Em...tr.exe
windows7-x64
1Windows/Em...tr.exe
windows10-2004-x64
1Windows/Em...al.exe
windows7-x64
5Windows/Em...al.exe
windows10-2004-x64
5Windows/Em...en.exe
windows7-x64
1Windows/Em...en.exe
windows10-2004-x64
1Windows/Em...hu.exe
windows7-x64
5Windows/Em...hu.exe
windows10-2004-x64
1Windows/Fa...ye.exe
windows7-x64
6Windows/Fa...ye.exe
windows10-2004-x64
6Windows/PC...er.exe
windows7-x64
1Windows/PC...er.exe
windows10-2004-x64
7Windows/Ra...ac.exe
windows7-x64
10Windows/Ra...ac.exe
windows10-2004-x64
Windows/Ra...it.exe
windows7-x64
10Windows/Ra...it.exe
windows10-2004-x64
10Windows/Ra...or.exe
windows7-x64
Windows/Ra...or.exe
windows10-2004-x64
Windows/Ra...on.exe
windows7-x64
10Windows/Ra...on.exe
windows10-2004-x64
7Windows/Ra...ye.exe
windows7-x64
10Windows/Ra...ye.exe
windows10-2004-x64
10Windows/Ra...Eye.js
windows7-x64
10Windows/Ra...Eye.js
windows10-2004-x64
10General
-
Target
Windows.zip
-
Size
31.7MB
-
Sample
240310-2zt5jade57
-
MD5
1834586b7e6f291ce278f36d25912667
-
SHA1
575659c4f36224e13388c8a48a5145d58dbc265f
-
SHA256
1473050bbfaaccabbc5429d25b37bbeaf0d73eb39706e9b01d88494704447ded
-
SHA512
e63c8d2af72da4636b3b466c0d84efdb02f465508a6caae39a0c18d7292cc4cb4834228d8728db2023abd7dbe8633e95e0e541055d2233855ab96f72edc6d10b
-
SSDEEP
786432:dQWBUeisS6Cv9xSkFwVB+x4aSbJ1EKAhiDB9+DZwX1TpIb86PR7:OCDg/v5FwVB+yfEAHWZATpIbBPR7
Behavioral task
behavioral1
Sample
Windows/000.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Windows/000.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Windows/BUG32.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Windows/BUG32.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
Windows/Bonzify.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
Windows/Bonzify.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
Windows/Email-Worm/Email-Worm.Win32.Happy99/Happy99.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
Windows/Email-Worm/Email-Worm.Win32.Happy99/Happy99.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
Windows/Email-Worm/Email-Worm.Win32.Magistr/Magistr.exe
Resource
win7-20240215-en
Behavioral task
behavioral10
Sample
Windows/Email-Worm/Email-Worm.Win32.Magistr/Magistr.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral11
Sample
Windows/Email-Worm/Email-Worm.Win32.Maldal/Maldal.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
Windows/Email-Worm/Email-Worm.Win32.Maldal/Maldal.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
Windows/Email-Worm/Email-Worm.Win32.MeltingScreen/MeltingScreen.exe
Resource
win7-20240220-en
Behavioral task
behavioral14
Sample
Windows/Email-Worm/Email-Worm.Win32.MeltingScreen/MeltingScreen.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
Windows/Email-Worm/Email-Worm.Win32.Pikachu/Pikachu.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
Windows/Email-Worm/Email-Worm.Win32.Pikachu/Pikachu.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral17
Sample
Windows/Fake GoldenEye/FakeGoldenEye.exe
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
Windows/Fake GoldenEye/FakeGoldenEye.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral19
Sample
Windows/PCToaster/PCToaster.exe
Resource
win7-20240215-en
Behavioral task
behavioral20
Sample
Windows/PCToaster/PCToaster.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral21
Sample
Windows/Ransomware/Annabelle Ransomware/716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac.exe
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
Windows/Ransomware/Annabelle Ransomware/716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral23
Sample
Windows/Ransomware/BadRabbit Ransomware/BadRabbit.exe
Resource
win7-20231129-en
Behavioral task
behavioral24
Sample
Windows/Ransomware/BadRabbit Ransomware/BadRabbit.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral25
Sample
Windows/Ransomware/Monster Ransomware (second new version)/tunamor.exe
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
Windows/Ransomware/Monster Ransomware (second new version)/tunamor.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral27
Sample
Windows/Ransomware/Monster Ransomware/XMoon.exe
Resource
win7-20240221-en
Behavioral task
behavioral28
Sample
Windows/Ransomware/Monster Ransomware/XMoon.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral29
Sample
Windows/Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.exe
Resource
win7-20240221-en
Behavioral task
behavioral30
Sample
Windows/Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral31
Sample
Windows/Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.js
Resource
win7-20240221-en
Behavioral task
behavioral32
Sample
Windows/Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.js
Resource
win10v2004-20240226-en
Malware Config
Extracted
metasploit
windows/single_exec
Targets
-
-
Target
Windows/000.exe
-
Size
6.7MB
-
MD5
d5671758956b39e048680b6a8275e96a
-
SHA1
33c341130bf9c93311001a6284692c86fec200ef
-
SHA256
4a900b344ef765a66f98cf39ac06273d565ca0f5d19f7ea4ca183786155d4a47
-
SHA512
972e89ed8b7b4d75df0a05c53e71fb5c29edaa173d7289656676b9d2a1ed439be1687beddc6fb1fbf068868c3da9c3d2deb03b55e5ab5e7968858b5efc49fbe7
-
SSDEEP
3072:V3LA1++iCeFj0im6X/AXpT8vVMCcHVcdhghUuzzo9Y:lLJlC6j0CX4XmvWHVcd62uo9
Score8/10-
Disables Task Manager via registry modification
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon
-
Sets desktop wallpaper using registry
-
-
-
Target
Windows/BUG32.exe
-
Size
3.0MB
-
MD5
149cc2ec1900cb778afb50d8026eadf5
-
SHA1
a7bc1bbc7bdc970757ec369ef0b51dc53989f131
-
SHA256
817a695e53a1d6e24f2c701751b4d18468f20698f30fada420dfba6e21a09797
-
SHA512
d617654478beb6325d86c108cddaff8f8d658a235d26b8e0282ed85dca826bdb62b0b67e749c7cd421dbae1d98084220e2f4d5779badb8fd7ab07ff333a35553
-
SSDEEP
49152:Or2U5IahDUGN97rkqOAackLjQ0rZEAh3oA6wHE+K60Kk0aCLkfAZKt0OJTcL:4H2ahFNNrg3QbQoA6wHEnFN4IJu
Score10/10-
Modifies WinLogon for persistence
-
Renames multiple (136) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Modifies system executable filetype association
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
Windows/Bonzify.exe
-
Size
6.4MB
-
MD5
9c352d2ce0c0bdc40c72f52ce3480577
-
SHA1
bd4c956186f33c92eb4469f7e5675510d0790e99
-
SHA256
d7e6580054525d3f21f86edfc9f30b7a75ffa829a1eb67ee3cab33f0040dba4e
-
SHA512
c1926d59272df0e049467f4497bcc3631bbc1aa5337e87f4af31bfdba60c9ef460e394380024ffa7e71fef8938761d48d75e9dc93dc7529d2b9c8c638dddae92
-
SSDEEP
196608:/dAMaWetTeAkLIdx751qFTkub//73lc6u7b5VJ2Yx5xIdk3:naWedh+Idx75QYub//73lc6u7bLMYxD
-
Possible privilege escalation attempt
-
Modifies file permissions
-
-
-
Target
Windows/Email-Worm/Email-Worm.Win32.Happy99/Happy99.exe
-
Size
9KB
-
MD5
02dd0eaa9649a11e55fa5467fa4b8ef8
-
SHA1
a4a945192cb730634168f79b6e4cd298dbe3d168
-
SHA256
4ebe3e1af5e147c580ecce052fe7d7d0219d5e5a2f5e6d8a7f7291735923db18
-
SHA512
3bf69de674737ca15d6ff7ce73396194f3631dc4b8d32cc570adeeacdc210acee50fd64c97172ce7cc77f166c681d2ccd55955b3aca9188813b7ff6f49280441
-
SSDEEP
192:nR81cIkA5Dbaj/CaFx40Z9HnLH8bzTbjt5BNUFO:RycyhqN4u9HnLH8bnbjtpl
Score5/10-
Drops file in System32 directory
-
-
-
Target
Windows/Email-Worm/Email-Worm.Win32.Magistr/Magistr.exe
-
Size
107KB
-
MD5
9890349fe3c68f5923b29347bba021a4
-
SHA1
fa080a50486b205b75833a6b5c9505abb1e3b4df
-
SHA256
068f2ee28af7645dbf2a1684f0a5fc5ccb6aa1027f71da4468e0cba56c65e058
-
SHA512
aedd86837987cbe8c0b1cf3b4ca0c3a875e4cc9bcc8097c160d0d6070427ad9e1d871d5339ea95cc03499c39a6536b5a6b6d43372a49eeaf2e87bf755a3d3367
-
SSDEEP
3072:pRr1m0iQwTlFiIoXTLDCLLUsgULFsfMGdd64:Lk0LCwIi3DMUwFNGd04
Score1/10 -
-
-
Target
Windows/Email-Worm/Email-Worm.Win32.Maldal/Maldal.exe
-
Size
80KB
-
MD5
cbcd34a252a7cf61250b0f7f1cba3382
-
SHA1
152f224d66555dd49711754bf4e29a17f4706332
-
SHA256
abac285f290f0cfcd308071c9dfa9b7b4b48d10b4a3b4d75048804e59a447787
-
SHA512
09fdcb04707a3314e584f81db5210b2390f4c3f5efa173539f9d248db48ae26b3a8b240cf254561b0ecb764f6b04bb4c129832c6502d952d1960e443371ce2a9
-
SSDEEP
1536:wh6S2wzALFx8hkMsiUmxi6QPitAKQjY8c4B5h:dS212xlQvKCYx4B
Score5/10-
Drops file in System32 directory
-
-
-
Target
Windows/Email-Worm/Email-Worm.Win32.MeltingScreen/MeltingScreen.exe
-
Size
17KB
-
MD5
4784e42c3b15d1a141a5e0c8abc1205c
-
SHA1
48c958deba25a4763ef244ac87e87983c6534179
-
SHA256
9d355e4f9a51536b05269f696b304859155985957ba95eb575f3f38c599d913c
-
SHA512
d63d20a38602d4d228367b6596454a0f5b2884c831e3a95237d23b882abd624de59ea47835636b06a96e216f1decf8c468caacd45e5d3b16a5eb9e87bc69eb97
-
SSDEEP
384:eHsipOITNe52uuCiuhwYW5t/QS5uoIjkg:PivNZuhi+wYW5toBoB
Score1/10 -
-
-
Target
Windows/Email-Worm/Email-Worm.Win32.Pikachu/Pikachu.exe
-
Size
32KB
-
MD5
715614e09261b39dfa439fa1326c0cec
-
SHA1
52d118a34da7f5037cde04c31ff491eb25933b18
-
SHA256
e1dfc005d5403fb2f356276f0abe19df68249ce10e5035450926d56c2f8d3652
-
SHA512
fe905c388b0711f54941076a29b11f2b605655b4a3f409d9f0f077f2fe91f241401035310daa490afb6df50a6deff5456be5ee86984e7b9069506efa07af51ae
-
SSDEEP
384:JuttXvHydgJdONTjJJbIR1ozOtEZcrkTuztHTYhEWS6uyd:JaXfy2dmjJJcAaDkTEdjR6uy
Score5/10-
Drops file in System32 directory
-
-
-
Target
Windows/Fake GoldenEye/FakeGoldenEye.exe
-
Size
76KB
-
MD5
26758407117c78422332c443ca7ed21d
-
SHA1
9ab022e854166f4ec567d2ed4cf15880c13b3d95
-
SHA256
2900dcc4246afc601ada049b127c4344fa917acf1689a6a4748ee72f93f503ed
-
SHA512
ddbc118d3124508e4a9493b0d55eced154ae41c641f852f49b7f2b72fb9770d5af7ccf913b65e87bd9d66a4e0064d47bebd62e38cc03953c30d48ece13d501ee
-
SSDEEP
1536:5GIHamLYZy4hk7CR8yrO1gStZ6PjydhiAphYjy:rRfi88OOKZSjioJjy
Score6/10-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
Windows/PCToaster/PCToaster.exe
-
Size
411KB
-
MD5
04251a49a240dbf60975ac262fc6aeb7
-
SHA1
e211ca63af2ab85ffab1e5fbbdf28a4ef8f77de0
-
SHA256
85a58aa96dccd94316a34608ba996656a22c8158d5156b6e454d9d69e6ff38c3
-
SHA512
3422a231e1dadb68d3567a99d46791392ecf5883fd3bbc2cae19a595364dac46e4b2712db70b61b488937d906413d39411554034ffd3058389700a93c17568d2
-
SSDEEP
3072:quJFS5Aqu+WwjxeI/0gVnfKl0FA+aPobO24yNz88iu8vDYHTlI5EJD5Hbibfd6PK:/JM0mCsWq1/qpz+nF5c
Score7/10-
Modifies file permissions
-
-
-
Target
Windows/Ransomware/Annabelle Ransomware/716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac.exe
-
Size
15.9MB
-
MD5
0f743287c9911b4b1c726c7c7edcaf7d
-
SHA1
9760579e73095455fcbaddfe1e7e98a2bb28bfe0
-
SHA256
716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac
-
SHA512
2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677
-
SSDEEP
393216:UMwm0qBknxdEX+LbMUgoSZmWSmh4aaRN22ChHCMNku1y:UMcKX+Lbjgd7W1RNVC9ku1
Score10/10-
Modifies WinLogon for persistence
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Disables use of System Restore points
-
Modifies Windows Firewall
-
Sets file execution options in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
-
-
Target
Windows/Ransomware/BadRabbit Ransomware/BadRabbit.exe
-
Size
431KB
-
MD5
fbbdc39af1139aebba4da004475e8839
-
SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0
-
SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
-
SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
SSDEEP
12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63
Score10/10-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
mimikatz is an open source tool to dump credentials on Windows
-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
Windows/Ransomware/Monster Ransomware (second new version)/tunamor.exe
-
Size
71KB
-
MD5
e9fdc21bd273444925a4512166188e5b
-
SHA1
e398138686eedcd8ef9de5342025f7118e120cdf
-
SHA256
78972cdde1a038f249b481ea2c4b172cc258aa294440333e9c46dcb3fbed5815
-
SHA512
64989534f56fcd70f3ff08bb47a331d5624fc1e3b387420a885d6f32a537e05182de8c5890612cde03fdd312ad101955674d7455c84b900bf7eed97b402a2b08
-
SSDEEP
768:Uv3mq1oJQpwvZlXhVkcDsaoi9P9TJKvaoStYARRQwfwiIySf4BtIl82+hE8x:YmqMQoXhVN4aooJhDCSeyxel82WNx
Score6/10-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
Windows/Ransomware/Monster Ransomware/XMoon.exe
-
Size
669KB
-
MD5
a690cce59e21f5198ca304243b084f9e
-
SHA1
8aeb0b106dd21e2afb50c3f7ae78ca4f8f4b29c5
-
SHA256
ea0a5854aa6e91ebe816d256f34f820697a92d86b4f81e8855c84daeed40b9d4
-
SHA512
9e0eebf53d0ea424ae9aeb0da2e27e5be75391a5be2945d29137da12baff32184df3a223692bbabb4b64350d902bd6847284d982e62313f3402035e842f4b758
-
SSDEEP
12288:X6Wq4aaE6KwyF5L0Y2D1PqL6eqhBkEFY9ddNdzYaTW3aSDcyImRlL7zo:1thEVaPqL6JkF9YaTLSigL7c
Score10/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
-
-
Target
Windows/Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.exe
-
Size
254KB
-
MD5
e3b7d39be5e821b59636d0fe7c2944cc
-
SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88
-
SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97
-
SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5
-
SSDEEP
3072:iTAjnioLO7WpLyLNZMcPSK7BaZ0NwAWMGc0HfmY4KsyyOiy12KJ3I4YgTl:i6nrD0ZMcPBAL7c0fTHs+2sYXg
Score10/10-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Executes dropped EXE
-
Loads dropped DLL
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
Windows/Ransomware/Trojan.Ransom.GoldenEye/GoldenEye.js
-
Size
365KB
-
MD5
c4e9fc349d5c8b24c0ddb1533de2c16b
-
SHA1
147e938bd06709b3c20eea4ac461093d573be037
-
SHA256
28fd3a1d9087d7b103b7f6cfca002798b6365fe6ebcc66fa02dbb4a9e6378e71
-
SHA512
fd0cf6f434e665aabc91f6095394a08483990c12a0b6ad3a1bd820b740af0ddbc02bc0a2592be429c7488b3cd2889afad8f758b4258009dfe51e9faac76842be
-
SSDEEP
6144:Jnm5mwYxm+DzkzFIDIWCy49ezGywT7PDSzT3enlJ1BJ0exGqkIb1Taha6e2T6Huv:FnaIEWeqWdnlhJ+eHHu+1Qk3C+MAQ
Score10/10-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
5Registry Run Keys / Startup Folder
3Winlogon Helper DLL
2Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Change Default File Association
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
5Registry Run Keys / Startup Folder
3Winlogon Helper DLL
2Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Change Default File Association
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Indicator Removal
2File Deletion
2Modify Registry
12Pre-OS Boot
1Bootkit
1