Overview
General
Target: ransomwares.zip
Size: 41.3MB
Sample: 240315-1eyrjsde78
MD5: 0908cba56879a32d2871d2eaf12b2af3
SHA1: 27ccd746eb5da379c1df191b0d4660ef03c3f422
SHA256: 9c9e87c0c492673453acb1a253c8ae23ee8245531c37d6ef8ead76b6e2d1562e
SHA512: c137a7d1b98063109b210b4aea9bcc6be141272fb8c41e84006e2a72f4ec218ecba4be9e56d3745679b5c3b8896ae592d2bd0205d37f3cf1d2dd717154618e0b
SSDEEP: 786432:rwIy/mDZ1cxBmFr5f05W2vfQCRnOgiM34V5oW3EDS7rVuzNmWiN2sA1Vrm+Aj:rw8XyB65f05fv4CRjo7pUDYumQlvAj
Behavioral tasks
behavioral1: 7ev3n.exe (resource win7-20240215-en)
behavioral2: 7ev3n.exe (resource win10v2004-20240226-en)
behavioral3: Annabelle.exe (resource win7-20240221-en)
behavioral4: Annabelle.exe (resource win10v2004-20240226-en)
behavioral5: BadRabbit.exe (resource win7-20240221-en)
behavioral6: BadRabbit.exe (resource win10v2004-20231215-en)
behavioral7: Birele.exe (resource win10v2004-20240226-en)
behavioral8: Cerber 5.exe (resource win7-20240221-en)
behavioral9: Cerber 5.exe (resource win10v2004-20240226-en)
behavioral10: Darkside.exe (resource win7-20240221-en)
behavioral11: Darkside.exe (resource win10v2004-20240226-en)
behavioral12: DeriaLock.exe (resource win7-20240221-en)
behavioral13: DeriaLock.exe (resource win10v2004-20240226-en)
Malware Config
Extracted from: C:\Users\Admin\README.7f69a103.TXT
Family: darkside
URLs:
http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF
http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH
Extracted from: C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___CW0SLB_.txt
Family: cerber
Extracted from: C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___PU7Y_.txt
Family: cerber
Targets

Target: 7ev3n.exe
Size: 315KB
MD5: 9f8bc96c96d43ecb69f883388d228754
SHA1: 61ed25a706afa2f6684bb4d64f69c5fb29d20953
SHA256: 7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
SHA512: 550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
SSDEEP: 6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv
Score: 10/10
Signatures:
- Modifies WinLogon for persistence
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
Target: Annabelle.exe
Size: 15.9MB
MD5: 0f743287c9911b4b1c726c7c7edcaf7d
SHA1: 9760579e73095455fcbaddfe1e7e98a2bb28bfe0
SHA256: 716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac
SHA512: 2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677
SSDEEP: 393216:UMwm0qBknxdEX+LbMUgoSZmWSmh4aaRN22ChHCMNku1y:UMcKX+Lbjgd7W1RNVC9ku1
Score: 10/10
Signatures:
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Disables use of System Restore points
- Modifies Windows Firewall
- Sets file execution options in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
Target: BadRabbit.exe
Size: 431KB
MD5: fbbdc39af1139aebba4da004475e8839
SHA1: de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512: 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
SSDEEP: 12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63
Score: 10/10
Signatures:
- BadRabbit: ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
- mimikatz is an open source tool to dump credentials on Windows
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
Target: Birele.exe
Size: 116KB
MD5: 41789c704a0eecfdd0048b4b4193e752
SHA1: fb1e8385691fa3293b7cbfb9b2656cf09f20e722
SHA256: b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23
SHA512: 76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea
SSDEEP: 3072:pYV/aVHN9ySTn34w33FVTyuGAxsvBLSqAKZqoqrxy031l3y:8adNlltyu3Pa5gr33
Score: 10/10
Signatures:
- Modifies WinLogon for persistence
- Adds Run key to start application
Target: Cerber 5.exe
Size: 313KB
MD5: fe1bc60a95b2c2d77cd5d232296a7fa4
SHA1: c07dfdea8da2da5bad036e7c2f5d37582e1cf684
SHA256: b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
SHA512: 266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89
SSDEEP: 6144:nl578cxdGY87FohbnmM2i8ito7wTmCbL94KCT3OAmK:nl59zH8MiM2z+NLQBN
Score: 10/10
Signatures:
- Blocklisted process makes network request
- Contacts a large (1094) number of remote hosts: this may indicate a network scan to discover remotely running services.
- Modifies Windows Firewall
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
Target: Darkside.exe
Size: 59KB
MD5: cfcfb68901ffe513e9f0d76b17d02f96
SHA1: 766b30e5a37d1bc8d8fe5c7cacc314504a44ac1f
SHA256: 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61
SHA512: 0d26fa9478f4626107e38c570d1bae1049b744181cf0395d95fb07675575ca393d88d4783bf31bdf11bef1da5648a5a53a6d95b21492f96b4de35c0ec323ae0c
SSDEEP: 768:9jjV7Iax7F3DS4/S96/P3rsAc4ci5pwwX5+R4VYY23W5:vx7Fu4/i6/P3rlckx5+R4VDZ5
Score: 10/10
Signatures:
- DarkSide: targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
- Renames multiple (172) files with added filename extension: this suggests ransomware activity, encrypting all the files on the system.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
Target: DeriaLock.exe
Size: 484KB
MD5: 0a7b70efba0aa93d4bc0857b87ac2fcb
SHA1: 01a6c963b2f5f36ff21a1043587dcf921ae5f5cd
SHA256: 4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
SHA512: 2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14
SSDEEP: 6144:lqHKx3YCgy8HmmjJpnVhvLqCO3bLinIz1wASx:lqHoyHNj/nVhvLcyII
Score: 7/10
Signatures:
- Drops startup file
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Scheduled Task/Job (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Scheduled Task/Job (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (3)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (2)
  Indicator Removal (2)
    File Deletion (2)
  Modify Registry (9)
  Subvert Trust Controls (1)
    Install Root Certificate (1)