cerber

Sharing

General

Target

dsE1122.rar
Size

14.2MB
Sample

240316-slqqhsde8t
MD5

394f07bca7aaedfe23ad7dc24a68520b
SHA1

e17adcc112d1d0ea8f71aedbdae528de4ed5c4fc
SHA256

441116d55e97124a067207bf57483dd3462bccfb034e56c4152675b0dcb118e7
SHA512

4834610ae95493a7e51e1493bf8c48e8e2bf8905d0b61af4b685c2b822ef22a78c9fd6cbbb188b20436a71f19972d9ebd211ccf0e75fc542d19f9340781c7eb3
SSDEEP

393216:jBSYPG3rPQ2PUtOd37WjqC6tZ0ksxVmESyOcG7b/ZuHvWpbYqc7p:jQYyPDP2E0qCoZhLESyOf/YHvWOld

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___JXKZU_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/58C6-B1BE-88C5-0098-9592 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.19kxwa.top/58C6-B1BE-88C5-0098-9592 2. http://xpcx6erilkjced3j.1eht65.top/58C6-B1BE-88C5-0098-9592 3. http://xpcx6erilkjced3j.1t2jhk.top/58C6-B1BE-88C5-0098-9592 4. http://xpcx6erilkjced3j.1e6ly3.top/58C6-B1BE-88C5-0098-9592 5. http://xpcx6erilkjced3j.16umxg.top/58C6-B1BE-88C5-0098-9592 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/58C6-B1BE-88C5-0098-9592

http://xpcx6erilkjced3j.19kxwa.top/58C6-B1BE-88C5-0098-9592

http://xpcx6erilkjced3j.1eht65.top/58C6-B1BE-88C5-0098-9592

http://xpcx6erilkjced3j.1t2jhk.top/58C6-B1BE-88C5-0098-9592

http://xpcx6erilkjced3j.1e6ly3.top/58C6-B1BE-88C5-0098-9592

http://xpcx6erilkjced3j.16umxg.top/58C6-B1BE-88C5-0098-9592

Extracted

Path

C:\MSOCache\All Users\_HELP_INSTRUCTION.TXT

Ransom Note

!!INFORMATIONS!! All of your files are encrypted with RSA2048 and AES128 ciphers. More information about the RSA and AES can be found here: https://en.wikipedia.org/wiki/RSA_(cryptosystem) https://en.wikipedia.org/wiki/Advanced_Encryption_Standard Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server. Follow these steps: 1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: http://supportxxgbefd7c.onion/ 4. Follow the instructions on the site. !! Your DECRYPT-ID: df54997b-3754-4ca8-b3bd-47bf930a1567 !!

URLs

http://supportxxgbefd7c.onion/

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N00fBwZXjOQTTX9M.hta

Ransom Note

<html> <head> <hta:application BORDER = "none" CAPTION = "No" CONTEXTMENU = "NO" INNERBORDER = "No" MAXIMIZEBUTTON = "No" MINIMIZEBUTTON = "No" NAVIGABLE = "No" SCROLL = "No" SCROLLFLAT = "No" SELECTION = "Yes" SHOWINTASKBAR = "No" SINGLEINSTANCE = "Yes" SYSMENU = "No"/> <style> body{ background-color:#000000; margin:0; } .vau{ margin:10px; height:520px; width:750px } .sc{ margin:1px 50px; font-size:40px; width:750px; height:30px; padding: 10px 20px 10px 20px; background-color:#000000; color:#e92124; font-family: Impact; text-transform: uppercase; text-align: center; } .sc1{ margin:1px 50px; font-size:20px; width: 750px; padding:20px; background-color:#000000; color: #e0dede; font-family: Georgia; text-align: left; } .gr{ margin: 10px 0px; color:#189f29; } .red{ margin: 10px 0px; color:#e92124; } .wh{ margin-top:0px; margin-bottom:10px; } .wt{ margin-top:10px; margin-bottom:0px; } </style> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/> <title>Notification</title> <script language="vbscript"> sub Window_Onload window.resizeTo 850,725 screenWidth = Document.ParentWindow.Screen.AvailWidth screenHeight = Document.ParentWindow.Screen.AvailHeight posLeft = (screenWidth - 850) / 2 posTop = (screenHeight - 725) / 2 window.moveTo posLeft, posTop end sub </script> </head> <body scroll="no"> <div class="vau"> <div class="sc"> All your files have been encrypted! </div> <div class="sc1"> <p class="wh">All of important data on this computer was encrypted with strong RSA-2048 algorithm due to the violation of the federal laws of the United States of America! (Article 1, Section 8, Clause 8; Article 202; Arcticle 210 of the Criminal Code of U.S.A. provides for a deprivation of liberty for four to twelve years.)</p> <b>Following violations were detected:</b><br /> Your IP adress was used to visit websites containing pornography, child pornography, zoophilia and child abuse!<br /> <p class="gr"><b>To unlock your files you have to pay the penalty!</b></p> <p class="red">You have only <b>96 hours</b> to recover your personal data! After this time your unique key will be deleted and file decryption will become impossible!</p> <p class="red">Each <b>12 hours</b> the payment size will be automatically increased by <b>100$</b>!</p> <p class="gr"><b>You must pay the penalty through the Bitcoin Wallet.</b></p> <p class="wt">To get your unique key and unlock files, you should send the following code:</p> <b class="gr">TAVOb1nrt0pLc0ui-67B38C0E52010C27</b><br /> to our agent e-mails:<br /> <b class="gr">[email protected]</b> or<br /> <b class="gr">[email protected]</b><br /> You will recieve all necessary instructions! </div> <div class="sc"> Hurry up or you will be arrested!!! </div> </div> </body> </html>

Emails

class="gr">[email protected]</b>

class="gr">[email protected]</b><br

URLs

http-equiv="Content-Type"

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!#_READ_ME_#!.inf

Ransom Note

[WHAT HAPPENED] Your important files produced on this computer have been encrypted due a security problem If you want to restore them, write us to the e-mail: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. [FREE DECRYPTION AS GUARANTEE] Before paying you can send to us up to 3 files for free decryption. Please note that files must NOT contain valuable information and their total size must be less than 1Mb [HOW TO OBTAIN BITCOINS] The easiest way to buy bitcoin is LocalBitcoins site. You have to register, click Buy bitcoins and select the seller by payment method and price https://localbitcoins.com/buy_bitcoins [ATTENTION] Do not rename encrypted files Do not try to decrypt your data using third party software, it may cause permanent data loss If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files Your ID: vbOqyNvH4VULZd2hsEl2iWGl/YVDM6tHpGbaeO2zLu/Ao+69GggA733NfbhK02nyAKlue6+kF3bNAgmiep8XhXRXpm3vgDSucqbS9iFz+Fhkq281w7o1/PfV6HNmyOjjUSgJqGfFHrZzwxhcO7jhops/UfZ078q576qvh5lmRrI=

Emails

[email protected]

Extracted

Path

C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.readme_txt

Ransom Note

YOUR COMPANY HAS BEEN SUCCESSFULLY PENETRATED! All files are encrypted. We accept only bitcoins to share the decryption software for your network. Also, we have gathered all your private sensitive data.So if you decide not to pay anytime soon, we would share it with media's. It may harm your business reputation and the company's capitalization fell sharply. Do not try to do it with 3rd-parties programs, files might be damaged then. Decrypting of your files is only possible with the special decryption software. To receive your private key and the decryption software please follow the link (using tor2web service): https://qmnmrba4s4a3py6z.onion.to/order/43e4593a-5dc7-11e7-8803-00163e417ea3 If this address is not available, follow these steps: 1. Download and install Tor Browser: https://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: http://qmnmrba4s4a3py6z.onion/order/43e4593a-5dc7-11e7-8803-00163e417ea3 4. Follow the instructions on the site 5. This link is valid for 72 hours only. Afetr that period your local data would be lost completely. 6. Any questions: [email protected]

Emails

[email protected]

URLs

https://qmnmrba4s4a3py6z.onion.to/order/43e4593a-5dc7-11e7-8803-00163e417ea3

http://qmnmrba4s4a3py6z.onion/order/43e4593a-5dc7-11e7-8803-00163e417ea3

Extracted

Path

C:\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT

Ransom Note

__________________________________________________________________________________________________ | | | *** IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS *** | |__________________________________________________________________________________________________| Your files are now encrypted! -----BEGIN PERSONAL IDENTIFIER----- pAQAAAAAAABql7S+JZSHD0NADANXUd2szqKt1lDA0=tQY9Ew9SPjvJ9SvrXhlcWbmn+rfONeyZTZhcVtfdpvWexN=EdRtaVlm8vZ RVR9qp=EgLSW3SF36vlnINQRj7gr1lgpspv0wQAqhNjewqavDitURj8tL2Tte+6bSVZcay3=hgs0quEm4HiSOJca1bSnfoC9KKIY VoqoeJteuvFdmg+iih23FJhUXYCbdnn5WFNxUInJc13a=Cfi0izubUm=f2vrQA2ZWJ6YwEG46pXsXQHf4v5xPS3bFD6Dae5PR0fB jhe76xNQGZrVYvmGJOnVHPjTOqNdSPewEM0R5Pd=8nSUKLaUG8Rp=6cMPsQAwISGBdnw7dsiqXq9d8PPtWus9hGQAu0lFBOY7nCO fBaOkbadByHKREs5skZRwYj+0FIFvHqFVa=yiLzOoGw6hSHgvPYGzCJtEqDqdSydTmlYQAdlA=OQHdjrSMX6Nar1jUDOW4raYTXC og4pIBqn8VmrxSMsHUWkU=m111N4EUAIsXUcCQvq4F03nVmUTwPAvxLQKGijrAiXDUP56vc9DvuFHXobet03kh5PtG0w5Le4=BC9 uURVBcOBMgDzIsBFaq+oIQJMR1Lf4mDLMVI2tAGnPh6b+cEDe2f9G+I3xB+7Cn8IsvUPYD5NSWYWFO6QM2+Z6BnJ3sF=ki=fTb+K lJgk52EFE+EQGhPvDRO53aFaecbIQqLQNJwt0GL6GK99Z7FGuEATxIsO8RRzC9L+yYb1NARNz7bARTvc0JD5K8RaEfYQa5p+82M6 gWHIuJKfC9lvp7pdX9lcwDE4=jq8=y1hEAIjwk0 -----END PERSONAL IDENTIFIER----- All your files have been encrypted due to a security problem with your PC. Now you should send us email with your personal identifier. This email will be as confirmation you are ready to pay for decryption key. You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Contact us using this email address: [email protected] Free decryption as guarantee! Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.). __________________________________________________________________________________________________ | | | How to obtain Bitcoins? | | | | * The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click | | 'Buy bitcoins', and select the seller by payment method and price: | | https://localbitcoins.com/buy_bitcoins | | * Also you can find other places to buy Bitcoins and beginners guide here: | | http://www.coindesk.com/information/how-can-i-buy-bitcoins | | | |__________________________________________________________________________________________________| __________________________________________________________________________________________________ | | | Attention! | | | | * Do not rename encrypted files. | | * Do not try to decrypt your data using third party software, it may cause permanent data loss. | | * Decryption of your files with the help of third parties may cause increased price | | (they add their fee to our) or you can become a victim of a scam. | | | |__________________________________________________________________________________________________|

Emails

[email protected]

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___031I3MLW_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/CE03-CAEC-9154-005C-9F96 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1t2jhk.top/CE03-CAEC-9154-005C-9F96 2. http://xpcx6erilkjced3j.1e6ly3.top/CE03-CAEC-9154-005C-9F96 3. http://xpcx6erilkjced3j.1ewuh5.top/CE03-CAEC-9154-005C-9F96 4. http://xpcx6erilkjced3j.15ezkm.top/CE03-CAEC-9154-005C-9F96 5. http://xpcx6erilkjced3j.16umxg.top/CE03-CAEC-9154-005C-9F96 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/CE03-CAEC-9154-005C-9F96

http://xpcx6erilkjced3j.1t2jhk.top/CE03-CAEC-9154-005C-9F96

http://xpcx6erilkjced3j.1e6ly3.top/CE03-CAEC-9154-005C-9F96

http://xpcx6erilkjced3j.1ewuh5.top/CE03-CAEC-9154-005C-9F96

http://xpcx6erilkjced3j.15ezkm.top/CE03-CAEC-9154-005C-9F96

http://xpcx6erilkjced3j.16umxg.top/CE03-CAEC-9154-005C-9F96

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!#_READ_ME_#!.inf

Ransom Note

[WHAT HAPPENED] Your important files produced on this computer have been encrypted due a security problem If you want to restore them, write us to the e-mail: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. [FREE DECRYPTION AS GUARANTEE] Before paying you can send to us up to 3 files for free decryption. Please note that files must NOT contain valuable information and their total size must be less than 1Mb [HOW TO OBTAIN BITCOINS] The easiest way to buy bitcoin is LocalBitcoins site. You have to register, click Buy bitcoins and select the seller by payment method and price https://localbitcoins.com/buy_bitcoins [ATTENTION] Do not rename encrypted files Do not try to decrypt your data using third party software, it may cause permanent data loss If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files Your ID: fdsbgz3Ni64477+GRkfIwvXExOmlgszS05/hgVf9+o7kcuXvygISrX/k87Jz/jmyMo1SwhmTH9gxxM4Utl5TzC8TAYfK2vHO7XBqfvBg5IogM2+AHXEchZiMWY5NoqgzF4qrEAye/qfeO7GqcfMnjfut3xPIQG/yIa/688I1/wM=

Emails

[email protected]

Extracted

Family

gozi

Targets

- Target
  
  00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
- Size
  
  1.3MB
- MD5
  
  b53d9a3861ba2e66a83ed1827aef11c8
- SHA1
  
  e3d021ae61b901fc0e375269aeea8a956b5d170a
- SHA256
  
  00faee82ab5b800cf6dbe97afd39790b856ad1ec25dc7ed8f798aca702bee7ad
- SHA512
  
  c7478893531fbaf674dc90b404dada8ffefba4dfa2209063061a3c30df7992e3d95a9b5aa598ef2e5b6730fa961e44d15b70f5ea2075859ed8dfc528b1b5f434
- SSDEEP
  
  24576:jnbkBTLZO5z2gux4qXrNuN6zZkMPPX47Ypk2z364swWUpZKfO+fIQ:jIBTL8HPq7NS6tY7Uzps6pZcfn
Score

10^/10

evasion persistence ransomware spyware stealer trojan
- Modifies WinLogon for persistence
  persistence
- Modifies visibility of file extensions in Explorer
  evasion
- UAC bypass
  evasion trojan
- Renames multiple (59) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1
- Target
  
  0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
- Size
  
  2.0MB
- MD5
  
  e32ef8a36b6a6c010b27a7871ebda037
- SHA1
  
  0ea7d9bf90c5fc6bfadaf3c14e140fc9c9aa5361
- SHA256
  
  0b8e9bc31964c9433bd5cc20e556cfd0590c3b17b0db23cdc3ad0547683f3820
- SHA512
  
  e98f941c7be2c650de033048b8a9d4556da2204f9b0c90d399c981dcb9e215d5322a765884aad1a4e5b31b23227827cb21fd1ed5d3a79cc7f83226c07f579eb3
- SSDEEP
  
  49152:pdGNHxQXLx6cHqNQDQg6nNw1WCj/vd2Xptvh4:pd0QXL/t
Score

10^/10

evasion persistence trojan
- Modifies WinLogon for persistence
  persistence
- Modifies visibility of file extensions in Explorer
  evasion
- UAC bypass
  evasion trojan
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral2
- Target
  
  0c9fa52ace8019b43c91f4859ecddfde6705141b9283fef05c6c4c37a5c1777a.exe
- Size
  
  596KB
- MD5
  
  922b22f3be97b5974e317c5b55b07d15
- SHA1
  
  96eef7001f9b555ac686a640e43a38cfbd963c4a
- SHA256
  
  0c9fa52ace8019b43c91f4859ecddfde6705141b9283fef05c6c4c37a5c1777a
- SHA512
  
  33a93de5d7e3927d3dd750dac4e12f9be5384ac2d5edbf8d5947708bdf18a7542e9fde3fb3dd526cd00e1973b18eb20b2793fe517469c831a39f7a5917d08179
- SSDEEP
  
  12288:zbiqlq3Z3wSGTjDPOnpLWGJFFQgKzL+EFHUNrkqJgtK2b:zbNgd1wOpLWGF5C+EF0+qJgtZ
Score

7^/10
- Drops startup file
behavioral3
- Target
  
  15f7ea290d832bc32ebf660690b42616264fc0be8969934c1f8d7e5a5d3cd18c.exe
- Size
  
  473KB
- MD5
  
  aadb6e0f1cc845e196570e800380fe85
- SHA1
  
  72b088cf546c36b6dda67cfb430874f83645397f
- SHA256
  
  15f7ea290d832bc32ebf660690b42616264fc0be8969934c1f8d7e5a5d3cd18c
- SHA512
  
  55ba8c4734b9fb1c08b3c0be3c6c524a265aa1d3dc4a9f3a2f97f172c2913fc66ea7a002ad877d786e03db54b0a35f3244e9230c49fb30c6c6284404cffaf1b7
- SSDEEP
  
  6144:ULIaDW2Dm6jNkcZjvw6RQVe0yV4JMaT710E5BmutiO3XwGk/Rz+wLefC9rB6uN:XaiajeUjvw6RQHVJMau43XwG25NW4rd
Score

10^/10

modiloader evasion persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VirtualBox drivers on disk
  evasion
- ModiLoader Second Stage
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral4
- Target
  
  1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
- Size
  
  716KB
- MD5
  
  cc3f68e8a50b05aa77d88b6119583b9e
- SHA1
  
  71c7b93a8947265fe30e6928730504a5456ca788
- SHA256
  
  1dd70e803623d5311b71129976710b11a8942d206a5d8d86cdf8417255f15725
- SHA512
  
  e4fe7c8ec1d88c0bc81834de0a1212902849d7c9f6228e26fb8aaf3f046011f934d6de01becb339ab88169533ff8dc0d6fad7d6d7ff7e956e408242a21809e55
- SSDEEP
  
  12288:ZMMpXKb0hNGh1kG0HWnAsaHy41Dxm1zRRaMMMMM2MMMMMu:ZMMpXS0hN0V0HYah1I1zRRaMMMMM2MMd
Score

10^/10

aspackv2 persistence ransomware
- Modifies WinLogon for persistence
  persistence
- Renames multiple (93) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral5
- Target
  
  1E229029B2D3FF00EDDE061B1AAF470EE437FA8196D97FAD2C2C6C9EDE5B44DA.exe
- Size
  
  1.9MB
- MD5
  
  92318a59ed03b2d195a8d08befd0efbb
- SHA1
  
  33c974d620ceede52581194ef99f3f57a9cd5d11
- SHA256
  
  1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da
- SHA512
  
  ea57ebd9484ade992b5b7b1b1a43b84b5af37491b063de0718e3ae6897fa84f500194dc251f117d11a1361f3164eea11becddb394e697400b7eb1ea40c568230
- SSDEEP
  
  24576:TAlFsCeXap8KGLTg/6PeXTAg6L+Gzt0DkyYz1/oM5i7eXTXbQ5MTjrp2WHa/1jlE:kICe+cmxj4LlWoB/oeDfF
Score

10^/10

evasion persistence ransomware spyware stealer trojan
- Modifies WinLogon for persistence
  persistence
- Modifies visibility of file extensions in Explorer
  evasion
- UAC bypass
  evasion trojan
- Renames multiple (59) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral6
- Target
  
  21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
- Size
  
  235KB
- MD5
  
  fac89802b3db89ba74cf8891824af3d6
- SHA1
  
  27b57dfdc8b1b265e3755cc0068be846c4c4981e
- SHA256
  
  21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061
- SHA512
  
  2c604a00446fe4901341a4c8093443cba06fc00ee90a946749c3b66b2205339850740406edd0553ef55a33573599c7e494eb1b0552395d1cd9e54a8d4268b3e5
- SSDEEP
  
  3072:thrQ6J0Exp7gW31x+S/EkuIDNGqLW4t5P0tz/aMgb2JpL7Ag0FujYWkcv23nNT3I:tiHgpR31kS8kuIpW60tRPAOs3sc8
Score

10^/10

persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (303) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral7
- Target
  
  21e1bc4340221fbccee28d59333c20b20755e34e2f3391b90837172bd07fbf01.exe
- Size
  
  708KB
- MD5
  
  987a06a5c02be92cdeae2a99a408a716
- SHA1
  
  31e4c64f1fcff7824b023e86482e75870389edef
- SHA256
  
  21e1bc4340221fbccee28d59333c20b20755e34e2f3391b90837172bd07fbf01
- SHA512
  
  90db12153f5abd1f8d20a89a473c46f0577ffc2c3a681f4f2bd68f53b8cd2d45c372bce6e0d11d2832ae223eebcb2b9a8a1dc806b5cd8a510134cad830c2596e
- SSDEEP
  
  12288:VROJm7hOOdN2++KEjDz/lnp2WBILtj+fITU4Td9T31r6U2dEV7uikFg:VROJ8hjkLKgP/n2WaLtj+fINR979N/l/
Score

7^/10
- Drops startup file
behavioral8
- Target
  
  2272954a2c9f631b4f9c5f6d230287b0989ab3b512bb5f4a282214eadf42085a.exe
- Size
  
  299KB
- MD5
  
  2ad96b646ad5f323f0bef0bfb6b23ebb
- SHA1
  
  a8ac661b22bd557fe3dbff8f706cb5741d43ac67
- SHA256
  
  2272954a2c9f631b4f9c5f6d230287b0989ab3b512bb5f4a282214eadf42085a
- SHA512
  
  8959aebd064c488e7247604b7b30e8487ecc498695206173d1251eff565bd5bb3e8ee90ac22bb1250f78412bcabe9a57d930972d6d4fdd886eef0901d89b38a9
- SSDEEP
  
  6144:0gggrNE0oCD4IKXgWi2AL/Pe5f6LiJbfPcEfm0fg:G6DhfTR8C2JbMEfm0fg
Score

10^/10

gozi banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
behavioral9
- Target
  
  2C3542B5D9AB4EED2DD88CD74A02236A944AFD76E8717F65DCD544912229CA85.exe
- Size
  
  10KB
- MD5
  
  ffb938c96bb741d2d1dcc05930072926
- SHA1
  
  643508e98cd746eb91adb0b3a0096ff3d7497dad
- SHA256
  
  2c3542b5d9ab4eed2dd88cd74a02236a944afd76e8717f65dcd544912229ca85
- SHA512
  
  09c63015e0a6f1c97f657106d01c7a5399686039f75ccbd9a097544d458edee3ca094b24c1d075658bd34ef332deee5736711f0ac6f7ea273baa42dda5c18215
- SSDEEP
  
  192:xjpBKnwR27YRs/5+K/OUzbx/wz93ADv8Ei:NunwR2JQKZx/wz93ADUv
Score

7^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral10
- Target
  
  3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
- Size
  
  390KB
- MD5
  
  08109df08fa4a035c59d56d1e6c5baf4
- SHA1
  
  bec86bce6f6963d0cc69c441c6d5fb6d04d3a833
- SHA256
  
  3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338
- SHA512
  
  61e6cc3e94ddb7a980bfb0a2e5e5ffeeb5414c9e2ef3e42551820017dbedab5cccdd8ece1fed2ca057e240bdb7836663a7f9be28f1bb9136da972750caf59704
- SSDEEP
  
  12288:s8TC7FeAA9IsQwycG888888888888W88888888888E7xCYsdG:s8TygVinw1Z7xCZdG
Score

10^/10

cerber discovery evasion ransomware
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Blocklisted process makes network request
- Contacts a large (1095) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Windows Firewall
  evasion
- Deletes itself
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral11
- Target
  
  3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
- Size
  
  947KB
- MD5
  
  39217b125403ff7c755622ef9bbef974
- SHA1
  
  9fc607b7c17919c83999bdd119e9cd6bf413101a
- SHA256
  
  3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816
- SHA512
  
  1252ea94931eaf4426ca1eb94a070645238775c447a09286109fe894c569de29ca502882a0fa34e97e09109c43c486a3aa32081e3a3afef0b6557db59c71fc50
- SSDEEP
  
  12288:3+Zn/gJtKaNIBpB+iMMOD30ZnZ47m0T3JF9j3GOF0l7B2FzqL2aZa7rf58bs:3+RYeaNILZi/JDLG60y1aZvs
Score

10^/10

troldesh persistence ransomware trojan upx
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
  ransomware trojan troldesh
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral12
- Target
  
  41c53e90f0861b068eaa512edff28a586128f808b437122399347bcb3774914a.exe
- Size
  
  27KB
- MD5
  
  b0492e56e1246873173e8f7d32f8a278
- SHA1
  
  b31e8e98a4b570f739dd1e1098f4e593f930f450
- SHA256
  
  41c53e90f0861b068eaa512edff28a586128f808b437122399347bcb3774914a
- SHA512
  
  fa078565f4eab7b1a618dff2182ac0f630f32a151fdbb5c3d73d1544cc4371d283cc76f597dde990eaa9e389355aca9c73cd1e8b3087b769340f3b9642642979
- SSDEEP
  
  384:U0Ne12bO+rTx8S0VL+5ka0OXE8vDIXam7JV4DXi4EECyBsnK/8kHaHKczlyDqq:612hTa7JULXEfXamDIy4HBs7HKwQx
Score

10^/10

evasion persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Stops running service(s)
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral13
- Target
  
  467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
- Size
  
  363KB
- MD5
  
  36a0cefeb8b0a606358142d4140ea7cf
- SHA1
  
  03ce13b4f60d2fc632b67b41b82b5e8cfaf9939f
- SHA256
  
  467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be
- SHA512
  
  63304f3ddca578beac157197581e6a2a762d9cf1fb08fa6ae85dcdc26340ae64badb0f4a9cb47521315c366b70bd0cf89bf1b72be29f89e2d91504cec7ca9093
- SSDEEP
  
  6144:VEwaWsAzrp8viKgjdCU641BHoKIPi2CRp2pFSnfJxLw/mq3pT+Qrm9m7s:G9UjdtzIKl2YY3SRxLw/BT+X
Score

10^/10

evasion ransomware upx
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral14
- Target
  
  5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
- Size
  
  236KB
- MD5
  
  6aa5d9b03d34c87026ac11a6f30524fe
- SHA1
  
  c0c532d64bc1d16aeb12ea58c9e94c48eb3d64d4
- SHA256
  
  5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0
- SHA512
  
  1e0cdbfd5399c03e6db32b309d38f56dc0761d6a9d2319c712f771fecc9fec8aac0c2dd2ee00e4674b26168265558e4d02a810a6326c73e36a1e453ecc394069
- SSDEEP
  
  3072:A2XIX/5EEAmkN7HqOaeV/RPMObiZif2fXSF9uvm8dDuCb4NeIAg0Fuj3RK3o1yL:AliN3qO1hR0UiZi+fC+iAObo41I
Score

10^/10

persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (267) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral15
- Target
  
  712affaa8b84e8fb7d4e71feb6c1074185bc43b5a2f265fbfb248f7ed40a5489 (1).exe
- Size
  
  1.7MB
- MD5
  
  1c526b6bd496e217833972f77a235928
- SHA1
  
  49dde9bf9e2f11abf13dc55cbf901af49e575bc1
- SHA256
  
  712affaa8b84e8fb7d4e71feb6c1074185bc43b5a2f265fbfb248f7ed40a5489
- SHA512
  
  884b01546adc3c64ec04cc5856fdd7ce5f851dea2eb4066ea398dfeb62a23eab14a592e7be4f286625cd94b3c8b6254d3646eb05ddf0d6a70aa160e7e2cba2a8
- SSDEEP
  
  24576:lTnv8YkXw+xfggJJmlm5SJPC/QMyKesckckSZahVY06uIxf+ubfOLVU:J0Husckc4Y0/IACmL2
Score

1^/10
behavioral16
- Target
  
  72716d15ea7d118b8c99dbcb15114188abe468718c876ac52b0779161ef7e821.exe
- Size
  
  703KB
- MD5
  
  d7c62a22cc1a832ba2ce0bfd1c4f9e9c
- SHA1
  
  a484b5a49a5b94f045100dd5e659b9504ed99211
- SHA256
  
  72716d15ea7d118b8c99dbcb15114188abe468718c876ac52b0779161ef7e821
- SHA512
  
  7c036f46c6c5a34d991d277c3ecf3c8abdf3a70042c40aaa3c20ce2f3e02a5a63200530587c2980ba5e000a7f1394a33390e63ec53782892b27874e293dff1c6
- SSDEEP
  
  12288:Qu/mk3LQLwumO7mL945Hj1wcBsXcDBif+w+nstV7uikFg:5+WLQLP7mL9eDb+Msfsnstlubg
Score

7^/10
- Drops startup file
behavioral17
- Target
  
  8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
- Size
  
  1020KB
- MD5
  
  496f86f951e1dbd3c4534d51a5297668
- SHA1
  
  1199c5f30f5724841905cbdb9787649d15aae3d5
- SHA256
  
  8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621
- SHA512
  
  382abc596081ca5d0fdea39b12afe433e446cd50f59e4abca818162d96e46465beb1cda631109083071e7c050af6bfcf867be41d02c1e2ebe5dd99f61f45d510
- SSDEEP
  
  24576:es0fVWVbd8fKT0KqTAFFCa/2yDEmdvAkomBbOsn51D:es0fVWVR8fKTeU1imBbl51D
Score

10^/10

troldesh persistence ransomware trojan upx
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
  ransomware trojan troldesh
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral18
- Target
  
  Bit Paymer.exe
- Size
  
  92KB
- MD5
  
  998246bd0e51f9582b998ca514317c33
- SHA1
  
  5a2d799ac4cca8954fc117c7fb3e868f93c6f009
- SHA256
  
  d693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2
- SHA512
  
  773d9838be9c09bd43a22aa1eada8f623f95739b21828712236a4a209c6d9266647ef43592d072d68399224965253c37f9ce9ef36e46e8191169c03ac7789130
- SSDEEP
  
  1536:tacFdjxs2TlWlpnXv91nhixG8/lA5jG8387SpK6jXOMVHoi5e+vRb:taqJC6lWlpnXv7nhixhlAU83VwMCifvR
Score

10^/10

persistence ransomware spyware stealer
- Renames multiple (9901) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral19
- Target
  
  KeepCalm.exe
- Size
  
  218KB
- MD5
  
  f994759181fb964af17fab2f7994b9ca
- SHA1
  
  9ae72a3dc37955af7526fd8566698b7a97ed7cb0
- SHA256
  
  043969e70014662e6a8b90eaaec10f4b4064dc42c0aeba39639af82f11cbab7e
- SHA512
  
  c36ff4026879e6cbab1e95e8a8a9cc6dc8538de9fa5719625ddf5a9d578dda310325cbf1e44a2dddbc85f27521e7e736637bb102e1d230f861ecb8f2e0219188
- SSDEEP
  
  3072:Y9mM+lmsolAIrRuw+mqv9j1MWLQFidJM+lmsolAIrRuw+mqv9j1MWLQd:EF+lDAAJdi+lDAA
Score

1^/10
behavioral20
- Target
  
  LockedIn.exe
- Size
  
  650KB
- MD5
  
  e9e34a4dbf0c9fe5fb595b0282b0b4f0
- SHA1
  
  4f3f6bc4aff97eecb9ab52d47520e248c618da45
- SHA256
  
  613af1bf17a11dbf12849568ce08186cc4109a5cdb32d0bcce7c1bd81306f5c6
- SHA512
  
  b234f7a6fef8eb3153da20b1c9f668a8177e489817b1e7e36a572fbfc7dc3604f5cd509f5ff7087f4d3a2e3c1a5a0c7e93ae571be11c70732b1078ba8050a119
- SSDEEP
  
  12288:dl6aKEZf4r/s6IzjtyHQDWcFXXGmmBJ0d35O3CEkk4zglJaKfZf4m:dlNCr/sFFmmmHIpKCEx4sljCm
Score

1^/10
behavioral21
- Target
  
  Purge.exe
- Size
  
  24KB
- MD5
  
  b02916e5c5215ef3ce25269c8d8afbe2
- SHA1
  
  7ea2e4eebea27ade84075a5bd47e048297377259
- SHA256
  
  b4e9d14e4ea8a1c459805ec46870f12a3e6ea3308864511a3d9c7af9fb841403
- SHA512
  
  c84cd98801dbc515f8e800c5fae57158d4167347c2267f1decbf37e98819b2bc1e9439eacec71eaad1c6ece62bf468b21db9cc53e6568cc73499595b1935296e
- SSDEEP
  
  384:lMX3iNFRHDy0nxaP/JqiKV+aQlSp591U7qO7o4FQcc4KVOJ5ogxlwAx9sLtsNtt7:qHitm/JqiO+aB5s7qOUvOJ5ogDrCO8tm
Score

1^/10
behavioral22
- Target
  
  Scarab.exe
- Size
  
  342KB
- MD5
  
  6899003aaa63ab4397f9e32e0a1daf43
- SHA1
  
  c22272ff0944d127992b393562871473b23ef8ea
- SHA256
  
  53f73dc2e8af9c059136029b3b535e885d4452d3375586eb9a0336d7a389aad5
- SHA512
  
  d8895f96e12d1b0b5907f7b1e7b976a37ff0cbe6db929cfbea5c931d905fb8269dc91bf44db83743920b63affc64ba88a0933d3111bc68f71ee266971b91b6bc
- SSDEEP
  
  6144:zmTLRf45/wAfqj6pjohSws+wZQtmk6LnAlnZ:eq5/tyjMLd+Rtmkc0
Score

10^/10

persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (162) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral23
- Target
  
  a631ad1b1a59001a5f594880c6ae3337bda98f8ce3bb46cd7a9de0b35cd2bc4b.exe
- Size
  
  272KB
- MD5
  
  cb4ef16070b2dec59effcdb4a2134a83
- SHA1
  
  c9fcc72c08eece9ca0beb2a3d3801bbfffcb6196
- SHA256
  
  a631ad1b1a59001a5f594880c6ae3337bda98f8ce3bb46cd7a9de0b35cd2bc4b
- SHA512
  
  be87293a1b9537d54780639006b6e7a6048755064ca4e78cc295ae1b6263ab4d511e4f720f2687a55372da10e8fd67a47bb091bd5357c50045690936b2411091
- SSDEEP
  
  6144:1xIPLPHOoW/EHVDJSBD94vqW6Q65Ln1ZEVNl999999999999999999999POU:+DHOVcHVDJMgX6Qu0V
Score

6^/10
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral24
- Target
  
  a9053a3a52113698143a2b9801509c68d0d8b4b8208da453f0974547df0931bc.exe
- Size
  
  703KB
- MD5
  
  43478841baa4b8754f75516220e33ac3
- SHA1
  
  2585a613129d7e3dbff3eb16b10ce3fe940c99a3
- SHA256
  
  a9053a3a52113698143a2b9801509c68d0d8b4b8208da453f0974547df0931bc
- SHA512
  
  9441209433e2d3d49012431011048cd33a7ce980482658a0b1e2ccd3baa70524d2585901b6130d4644d7ca0139d881a9f11a933949ed39ad805a147694b37f87
- SSDEEP
  
  12288:C6JZ+UD5+1fpL2ikTgmPb2EdVu/BdmSHqDd6bhW2RJV7uikFg:JEUD52fpL2bgmSEds/BnKQPlubg
Score

7^/10
- Drops startup file
behavioral25
- Target
  
  b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
- Size
  
  3.6MB
- MD5
  
  ef29f0f2a7b98ea19767b8ae66d1ffb8
- SHA1
  
  093b3916ee1bea0442278d0aa87be5703207e627
- SHA256
  
  b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c
- SHA512
  
  9ab431d19633ed54dc1cc8bc4e511cabcfcba56ee0ff30197f5bd7aca07b33f2b605ab17f07fba066f5c910903f27bb04f4eb04cbed539af783564bbeba2c80e
- SSDEEP
  
  98304:yDqPoBhhRxcSUDk36SAEdhvxWa9P59Uc/Jf:yDqPSxcxk3ZAEUadv1
Score

10^/10

wannacry discovery ransomware worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Contacts a large (3259) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Executes dropped EXE
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Drops file in System32 directory
behavioral26
- Target
  
  cf89f70633865aa06123062a7dc51f8158905afb4b00f6f3597de3edfba97c5c.exe
- Size
  
  322KB
- MD5
  
  3f4e0582663260629e1046d300bfd47c
- SHA1
  
  05d4b2e99a8ad0436cb5d9066987eb0df0321250
- SHA256
  
  cf89f70633865aa06123062a7dc51f8158905afb4b00f6f3597de3edfba97c5c
- SHA512
  
  b12505249227706b22e054d47d99d4b770a958875fb5eddb9a254ec06353415f00379383a091932ed70a1bcac14a9f8113f0221abed3c6211e6b7fe1f6fe1e81
- SSDEEP
  
  6144:2FexvJFSPxQksREdUZo64wHijE77BoLUbeKMazza722uutBq3:2FyJWQkX/njG7BSEeKMazzaqRut4
Score

1^/10
behavioral27
- Target
  
  e951e82867a4f3af5a34b714571e9acf99cca794c4ed1895c9025a642d5d4350.exe
- Size
  
  2.2MB
- MD5
  
  52cae327d2b2fef71f1af28e15a2811c
- SHA1
  
  62b516f72b03515078cb89cbecaa4522726e79d4
- SHA256
  
  e951e82867a4f3af5a34b714571e9acf99cca794c4ed1895c9025a642d5d4350
- SHA512
  
  6daabedfc0accba661c84155ea449b0cdd8819378de9c102da07631390a7a9c1fc7ee1fb71505bfb4dfb974f71696ff57bf376184934bfa230d572400bfb422a
- SSDEEP
  
  24576:d/2jBNbRL7T3QeFlUp1BcKZbn30QYKr5kw4AMMtG3oirCM/e52bZDHwSuQWTsFNz:d/yb9dw5dirCM/cIHnksFsK971
Score

1^/10
behavioral28
- Target
  
  fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe
- Size
  
  121KB
- MD5
  
  eac0a08470ee67c63b14ae2ce7f6aa61
- SHA1
  
  285c0163376d5d9a5806364411652fe73424d571
- SHA256
  
  fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7
- SHA512
  
  f3fd7eeae18843d049443f0d5e818302eb3b3f73ad85e26c01e1ddc0a102a0a22b065afe01879aafc95ff3a2d15b5c302394bd03d91e6c4401648cd4222bddc5
- SSDEEP
  
  1536:3THoX8wNjiMsyPcjgbKx534oU6Llg/iLBkZhifkdol9LYuVF5yZbn:DjksYKx5o3Slg/itMg8+LYu9ubn
Score

9^/10

evasion persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Stops running service(s)
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral29
- Target
  
  fc184274ad3908021e4c8ef28f35dc77447ed6457375d2a4e7b411955e042527.exe
- Size
  
  268KB
- MD5
  
  d3fdd9807a32f5c27c14879336762119
- SHA1
  
  73132972d130adb7106e6b9319b21856434eff65
- SHA256
  
  fc184274ad3908021e4c8ef28f35dc77447ed6457375d2a4e7b411955e042527
- SHA512
  
  87468ab4136f449cab6e3689b4460de6dc59421ad20ce8208e251b3e4ef63f4ac281288ec51a35469e2473328de8b45b487cd72f40ba72d304a44b89a99a7a80
- SSDEEP
  
  6144:IXJ6Mv/PMB5lZOx4ccuiA8HYVVo7bBPxwdNaLvo:KJf/kBrZOxfwAsYVVoZZwdNaE
Score

10^/10

cerber discovery evasion ransomware
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Blocklisted process makes network request
- Contacts a large (1095) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Windows Firewall
  evasion
- Deletes itself
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral30