Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe

  • Size

    1.3MB

  • MD5

    b53d9a3861ba2e66a83ed1827aef11c8

  • SHA1

    e3d021ae61b901fc0e375269aeea8a956b5d170a

  • SHA256

    00faee82ab5b800cf6dbe97afd39790b856ad1ec25dc7ed8f798aca702bee7ad

  • SHA512

    c7478893531fbaf674dc90b404dada8ffefba4dfa2209063061a3c30df7992e3d95a9b5aa598ef2e5b6730fa961e44d15b70f5ea2075859ed8dfc528b1b5f434

  • SSDEEP

    24576:jnbkBTLZO5z2gux4qXrNuN6zZkMPPX47Ypk2z364swWUpZKfO+fIQ:jIBTL8HPq7NS6tY7Uzps6pZcfn

  Score

  10^/10

  evasionpersistenceransomwarespywarestealertrojan

  • Modifies WinLogon for persistence

    persistence

  • Modifies visibility of file extensions in Explorer

    evasion

  • UAC bypass

    evasiontrojan

  • Renames multiple (59) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  behavioral1

• • Target

    0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe

  • Size

    2.0MB

  • MD5

    e32ef8a36b6a6c010b27a7871ebda037

  • SHA1

    0ea7d9bf90c5fc6bfadaf3c14e140fc9c9aa5361

  • SHA256

    0b8e9bc31964c9433bd5cc20e556cfd0590c3b17b0db23cdc3ad0547683f3820

  • SHA512

    e98f941c7be2c650de033048b8a9d4556da2204f9b0c90d399c981dcb9e215d5322a765884aad1a4e5b31b23227827cb21fd1ed5d3a79cc7f83226c07f579eb3

  • SSDEEP

    49152:pdGNHxQXLx6cHqNQDQg6nNw1WCj/vd2Xptvh4:pd0QXL/t

  Score

  10^/10

  evasionpersistencetrojan

  • Modifies WinLogon for persistence

    persistence

  • Modifies visibility of file extensions in Explorer

    evasion

  • UAC bypass

    evasiontrojan

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  behavioral2

• • Target

    0c9fa52ace8019b43c91f4859ecddfde6705141b9283fef05c6c4c37a5c1777a.exe

  • Size

    596KB

  • MD5

    922b22f3be97b5974e317c5b55b07d15

  • SHA1

    96eef7001f9b555ac686a640e43a38cfbd963c4a

  • SHA256

    0c9fa52ace8019b43c91f4859ecddfde6705141b9283fef05c6c4c37a5c1777a

  • SHA512

    33a93de5d7e3927d3dd750dac4e12f9be5384ac2d5edbf8d5947708bdf18a7542e9fde3fb3dd526cd00e1973b18eb20b2793fe517469c831a39f7a5917d08179

  • SSDEEP

    12288:zbiqlq3Z3wSGTjDPOnpLWGJFFQgKzL+EFHUNrkqJgtK2b:zbNgd1wOpLWGF5C+EF0+qJgtZ

  Score

  7^/10

  • Drops startup file

  behavioral3

• • Target

    15f7ea290d832bc32ebf660690b42616264fc0be8969934c1f8d7e5a5d3cd18c.exe

  • Size

    473KB

  • MD5

    aadb6e0f1cc845e196570e800380fe85

  • SHA1

    72b088cf546c36b6dda67cfb430874f83645397f

  • SHA256

    15f7ea290d832bc32ebf660690b42616264fc0be8969934c1f8d7e5a5d3cd18c

  • SHA512

    55ba8c4734b9fb1c08b3c0be3c6c524a265aa1d3dc4a9f3a2f97f172c2913fc66ea7a002ad877d786e03db54b0a35f3244e9230c49fb30c6c6284404cffaf1b7

  • SSDEEP

    6144:ULIaDW2Dm6jNkcZjvw6RQVe0yV4JMaT710E5BmutiO3XwGk/Rz+wLefC9rB6uN:XaiajeUjvw6RQHVJMau43XwG25NW4rd

  Score

  10^/10

  modiloaderevasionpersistencetrojan

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Looks for VirtualBox drivers on disk

    evasion

  • ModiLoader Second Stage

  • Looks for VMWare Tools registry key

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself

  • Adds Run key to start application

    persistence

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral4

• • Target

    1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe

  • Size

    716KB

  • MD5

    cc3f68e8a50b05aa77d88b6119583b9e

  • SHA1

    71c7b93a8947265fe30e6928730504a5456ca788

  • SHA256

    1dd70e803623d5311b71129976710b11a8942d206a5d8d86cdf8417255f15725

  • SHA512

    e4fe7c8ec1d88c0bc81834de0a1212902849d7c9f6228e26fb8aaf3f046011f934d6de01becb339ab88169533ff8dc0d6fad7d6d7ff7e956e408242a21809e55

  • SSDEEP

    12288:ZMMpXKb0hNGh1kG0HWnAsaHy41Dxm1zRRaMMMMM2MMMMMu:ZMMpXS0hN0V0HYah1I1zRRaMMMMM2MMd

  Score

  10^/10

  aspackv2persistenceransomware

  • Modifies WinLogon for persistence

    persistence

  • Renames multiple (93) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Drops startup file

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory

  behavioral5

• • Target

    1E229029B2D3FF00EDDE061B1AAF470EE437FA8196D97FAD2C2C6C9EDE5B44DA.exe

  • Size

    1.9MB

  • MD5

    92318a59ed03b2d195a8d08befd0efbb

  • SHA1

    33c974d620ceede52581194ef99f3f57a9cd5d11

  • SHA256

    1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da

  • SHA512

    ea57ebd9484ade992b5b7b1b1a43b84b5af37491b063de0718e3ae6897fa84f500194dc251f117d11a1361f3164eea11becddb394e697400b7eb1ea40c568230

  • SSDEEP

    24576:TAlFsCeXap8KGLTg/6PeXTAg6L+Gzt0DkyYz1/oM5i7eXTXbQ5MTjrp2WHa/1jlE:kICe+cmxj4LlWoB/oeDfF

  Score

  10^/10

  evasionpersistenceransomwarespywarestealertrojan

  • Modifies WinLogon for persistence

    persistence

  • Modifies visibility of file extensions in Explorer

    evasion

  • UAC bypass

    evasiontrojan

  • Renames multiple (59) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  behavioral6

• • Target

    21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe

  • Size

    235KB

  • MD5

    fac89802b3db89ba74cf8891824af3d6

  • SHA1

    27b57dfdc8b1b265e3755cc0068be846c4c4981e

  • SHA256

    21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061

  • SHA512

    2c604a00446fe4901341a4c8093443cba06fc00ee90a946749c3b66b2205339850740406edd0553ef55a33573599c7e494eb1b0552395d1cd9e54a8d4268b3e5

  • SSDEEP

    3072:thrQ6J0Exp7gW31x+S/EkuIDNGqLW4t5P0tz/aMgb2JpL7Ag0FujYWkcv23nNT3I:tiHgpR31kS8kuIpW60tRPAOs3sc8

  Score

  10^/10

  persistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Renames multiple (303) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Sets desktop wallpaper using registry

    ransomware
  behavioral7

• • Target

    21e1bc4340221fbccee28d59333c20b20755e34e2f3391b90837172bd07fbf01.exe

  • Size

    708KB

  • MD5

    987a06a5c02be92cdeae2a99a408a716

  • SHA1

    31e4c64f1fcff7824b023e86482e75870389edef

  • SHA256

    21e1bc4340221fbccee28d59333c20b20755e34e2f3391b90837172bd07fbf01

  • SHA512

    90db12153f5abd1f8d20a89a473c46f0577ffc2c3a681f4f2bd68f53b8cd2d45c372bce6e0d11d2832ae223eebcb2b9a8a1dc806b5cd8a510134cad830c2596e

  • SSDEEP

    12288:VROJm7hOOdN2++KEjDz/lnp2WBILtj+fITU4Td9T31r6U2dEV7uikFg:VROJ8hjkLKgP/n2WaLtj+fINR979N/l/

  Score

  7^/10

  • Drops startup file

  behavioral8

• • Target

    2272954a2c9f631b4f9c5f6d230287b0989ab3b512bb5f4a282214eadf42085a.exe

  • Size

    299KB

  • MD5

    2ad96b646ad5f323f0bef0bfb6b23ebb

  • SHA1

    a8ac661b22bd557fe3dbff8f706cb5741d43ac67

  • SHA256

    2272954a2c9f631b4f9c5f6d230287b0989ab3b512bb5f4a282214eadf42085a

  • SHA512

    8959aebd064c488e7247604b7b30e8487ecc498695206173d1251eff565bd5bb3e8ee90ac22bb1250f78412bcabe9a57d930972d6d4fdd886eef0901d89b38a9

  • SSDEEP

    6144:0gggrNE0oCD4IKXgWi2AL/Pe5f6LiJbfPcEfm0fg:G6DhfTR8C2JbMEfm0fg

  Score

  10^/10

  gozibankerisfbtrojan

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  behavioral9

• • Target

    2C3542B5D9AB4EED2DD88CD74A02236A944AFD76E8717F65DCD544912229CA85.exe

  • Size

    10KB

  • MD5

    ffb938c96bb741d2d1dcc05930072926

  • SHA1

    643508e98cd746eb91adb0b3a0096ff3d7497dad

  • SHA256

    2c3542b5d9ab4eed2dd88cd74a02236a944afd76e8717f65dcd544912229ca85

  • SHA512

    09c63015e0a6f1c97f657106d01c7a5399686039f75ccbd9a097544d458edee3ca094b24c1d075658bd34ef332deee5736711f0ac6f7ea273baa42dda5c18215

  • SSDEEP

    192:xjpBKnwR27YRs/5+K/OUzbx/wz93ADv8Ei:NunwR2JQKZx/wz93ADUv

  Score

  7^/10

  • Executes dropped EXE

  • Loads dropped DLL

  behavioral10

• • Target

    3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe

  • Size

    390KB

  • MD5

    08109df08fa4a035c59d56d1e6c5baf4

  • SHA1

    bec86bce6f6963d0cc69c441c6d5fb6d04d3a833

  • SHA256

    3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338

  • SHA512

    61e6cc3e94ddb7a980bfb0a2e5e5ffeeb5414c9e2ef3e42551820017dbedab5cccdd8ece1fed2ca057e240bdb7836663a7f9be28f1bb9136da972750caf59704

  • SSDEEP

    12288:s8TC7FeAA9IsQwycG888888888888W88888888888E7xCYsdG:s8TygVinw1Z7xCZdG

  Score

  10^/10

  cerberdiscoveryevasionransomware

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    ransomwarecerber

  • Blocklisted process makes network request

  • Contacts a large (1095) amount of remote hosts

    This may indicate a network scan to discover remotely running services.

    discovery

  • Modifies Windows Firewall

    evasion

  • Deletes itself

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware
  behavioral11

• • Target

    3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe

  • Size

    947KB

  • MD5

    39217b125403ff7c755622ef9bbef974

  • SHA1

    9fc607b7c17919c83999bdd119e9cd6bf413101a

  • SHA256

    3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816

  • SHA512

    1252ea94931eaf4426ca1eb94a070645238775c447a09286109fe894c569de29ca502882a0fa34e97e09109c43c486a3aa32081e3a3afef0b6557db59c71fc50

  • SSDEEP

    12288:3+Zn/gJtKaNIBpB+iMMOD30ZnZ47m0T3JF9j3GOF0l7B2FzqL2aZa7rf58bs:3+RYeaNILZi/JDLG60y1aZvs

  Score

  10^/10

  troldeshpersistenceransomwaretrojanupx

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  behavioral12

• • Target

    41c53e90f0861b068eaa512edff28a586128f808b437122399347bcb3774914a.exe

  • Size

    27KB

  • MD5

    b0492e56e1246873173e8f7d32f8a278

  • SHA1

    b31e8e98a4b570f739dd1e1098f4e593f930f450

  • SHA256

    41c53e90f0861b068eaa512edff28a586128f808b437122399347bcb3774914a

  • SHA512

    fa078565f4eab7b1a618dff2182ac0f630f32a151fdbb5c3d73d1544cc4371d283cc76f597dde990eaa9e389355aca9c73cd1e8b3087b769340f3b9642642979

  • SSDEEP

    384:U0Ne12bO+rTx8S0VL+5ka0OXE8vDIXam7JV4DXi4EECyBsnK/8kHaHKczlyDqq:612hTa7JULXEfXamDIy4HBs7HKwQx

  Score

  10^/10

  evasionpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Stops running service(s)

    evasion

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  behavioral13

• • Target

    467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe

  • Size

    363KB

  • MD5

    36a0cefeb8b0a606358142d4140ea7cf

  • SHA1

    03ce13b4f60d2fc632b67b41b82b5e8cfaf9939f

  • SHA256

    467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be

  • SHA512

    63304f3ddca578beac157197581e6a2a762d9cf1fb08fa6ae85dcdc26340ae64badb0f4a9cb47521315c366b70bd0cf89bf1b72be29f89e2d91504cec7ca9093

  • SSDEEP

    6144:VEwaWsAzrp8viKgjdCU641BHoKIPi2CRp2pFSnfJxLw/mq3pT+Qrm9m7s:G9UjdtzIKl2YY3SRxLw/BT+X

  Score

  10^/10

  evasionransomwareupx

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Deletes itself

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext

  behavioral14

• • Target

    5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe

  • Size

    236KB

  • MD5

    6aa5d9b03d34c87026ac11a6f30524fe

  • SHA1

    c0c532d64bc1d16aeb12ea58c9e94c48eb3d64d4

  • SHA256

    5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0

  • SHA512

    1e0cdbfd5399c03e6db32b309d38f56dc0761d6a9d2319c712f771fecc9fec8aac0c2dd2ee00e4674b26168265558e4d02a810a6326c73e36a1e453ecc394069

  • SSDEEP

    3072:A2XIX/5EEAmkN7HqOaeV/RPMObiZif2fXSF9uvm8dDuCb4NeIAg0Fuj3RK3o1yL:AliN3qO1hR0UiZi+fC+iAObo41I

  Score

  10^/10

  persistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Renames multiple (267) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Sets desktop wallpaper using registry

    ransomware
  behavioral15

• • Target

    712affaa8b84e8fb7d4e71feb6c1074185bc43b5a2f265fbfb248f7ed40a5489 (1).exe

  • Size

    1.7MB

  • MD5

    1c526b6bd496e217833972f77a235928

  • SHA1

    49dde9bf9e2f11abf13dc55cbf901af49e575bc1

  • SHA256

    712affaa8b84e8fb7d4e71feb6c1074185bc43b5a2f265fbfb248f7ed40a5489

  • SHA512

    884b01546adc3c64ec04cc5856fdd7ce5f851dea2eb4066ea398dfeb62a23eab14a592e7be4f286625cd94b3c8b6254d3646eb05ddf0d6a70aa160e7e2cba2a8

  • SSDEEP

    24576:lTnv8YkXw+xfggJJmlm5SJPC/QMyKesckckSZahVY06uIxf+ubfOLVU:J0Husckc4Y0/IACmL2

  Score

  1^/10
  behavioral16

• • Target

    72716d15ea7d118b8c99dbcb15114188abe468718c876ac52b0779161ef7e821.exe

  • Size

    703KB

  • MD5

    d7c62a22cc1a832ba2ce0bfd1c4f9e9c

  • SHA1

    a484b5a49a5b94f045100dd5e659b9504ed99211

  • SHA256

    72716d15ea7d118b8c99dbcb15114188abe468718c876ac52b0779161ef7e821

  • SHA512

    7c036f46c6c5a34d991d277c3ecf3c8abdf3a70042c40aaa3c20ce2f3e02a5a63200530587c2980ba5e000a7f1394a33390e63ec53782892b27874e293dff1c6

  • SSDEEP

    12288:Qu/mk3LQLwumO7mL945Hj1wcBsXcDBif+w+nstV7uikFg:5+WLQLP7mL9eDb+Msfsnstlubg

  Score

  7^/10

  • Drops startup file

  behavioral17

• • Target

    8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe

  • Size

    1020KB

  • MD5

    496f86f951e1dbd3c4534d51a5297668

  • SHA1

    1199c5f30f5724841905cbdb9787649d15aae3d5

  • SHA256

    8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621

  • SHA512

    382abc596081ca5d0fdea39b12afe433e446cd50f59e4abca818162d96e46465beb1cda631109083071e7c050af6bfcf867be41d02c1e2ebe5dd99f61f45d510

  • SSDEEP

    24576:es0fVWVbd8fKT0KqTAFFCa/2yDEmdvAkomBbOsn51D:es0fVWVR8fKTeU1imBbl51D

  Score

  10^/10

  troldeshpersistenceransomwaretrojanupx

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence
  behavioral18

• • Target

    Bit Paymer.exe

  • Size

    92KB

  • MD5

    998246bd0e51f9582b998ca514317c33

  • SHA1

    5a2d799ac4cca8954fc117c7fb3e868f93c6f009

  • SHA256

    d693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2

  • SHA512

    773d9838be9c09bd43a22aa1eada8f623f95739b21828712236a4a209c6d9266647ef43592d072d68399224965253c37f9ce9ef36e46e8191169c03ac7789130

  • SSDEEP

    1536:tacFdjxs2TlWlpnXv91nhixG8/lA5jG8387SpK6jXOMVHoi5e+vRb:taqJC6lWlpnXv7nhixhlAU83VwMCifvR

  Score

  10^/10

  persistenceransomwarespywarestealer

  • Renames multiple (9901) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  behavioral19

• • Target

    KeepCalm.exe

  • Size

    218KB

  • MD5

    f994759181fb964af17fab2f7994b9ca

  • SHA1

    9ae72a3dc37955af7526fd8566698b7a97ed7cb0

  • SHA256

    043969e70014662e6a8b90eaaec10f4b4064dc42c0aeba39639af82f11cbab7e

  • SHA512

    c36ff4026879e6cbab1e95e8a8a9cc6dc8538de9fa5719625ddf5a9d578dda310325cbf1e44a2dddbc85f27521e7e736637bb102e1d230f861ecb8f2e0219188

  • SSDEEP

    3072:Y9mM+lmsolAIrRuw+mqv9j1MWLQFidJM+lmsolAIrRuw+mqv9j1MWLQd:EF+lDAAJdi+lDAA

  Score

  1^/10
  behavioral20

• • Target

    LockedIn.exe

  • Size

    650KB

  • MD5

    e9e34a4dbf0c9fe5fb595b0282b0b4f0

  • SHA1

    4f3f6bc4aff97eecb9ab52d47520e248c618da45

  • SHA256

    613af1bf17a11dbf12849568ce08186cc4109a5cdb32d0bcce7c1bd81306f5c6

  • SHA512

    b234f7a6fef8eb3153da20b1c9f668a8177e489817b1e7e36a572fbfc7dc3604f5cd509f5ff7087f4d3a2e3c1a5a0c7e93ae571be11c70732b1078ba8050a119

  • SSDEEP

    12288:dl6aKEZf4r/s6IzjtyHQDWcFXXGmmBJ0d35O3CEkk4zglJaKfZf4m:dlNCr/sFFmmmHIpKCEx4sljCm

  Score

  1^/10
  behavioral21

• • Target

    Purge.exe

  • Size

    24KB

  • MD5

    b02916e5c5215ef3ce25269c8d8afbe2

  • SHA1

    7ea2e4eebea27ade84075a5bd47e048297377259

  • SHA256

    b4e9d14e4ea8a1c459805ec46870f12a3e6ea3308864511a3d9c7af9fb841403

  • SHA512

    c84cd98801dbc515f8e800c5fae57158d4167347c2267f1decbf37e98819b2bc1e9439eacec71eaad1c6ece62bf468b21db9cc53e6568cc73499595b1935296e

  • SSDEEP

    384:lMX3iNFRHDy0nxaP/JqiKV+aQlSp591U7qO7o4FQcc4KVOJ5ogxlwAx9sLtsNtt7:qHitm/JqiO+aB5s7qOUvOJ5ogDrCO8tm

  Score

  1^/10
  behavioral22

• • Target

    Scarab.exe

  • Size

    342KB

  • MD5

    6899003aaa63ab4397f9e32e0a1daf43

  • SHA1

    c22272ff0944d127992b393562871473b23ef8ea

  • SHA256

    53f73dc2e8af9c059136029b3b535e885d4452d3375586eb9a0336d7a389aad5

  • SHA512

    d8895f96e12d1b0b5907f7b1e7b976a37ff0cbe6db929cfbea5c931d905fb8269dc91bf44db83743920b63affc64ba88a0933d3111bc68f71ee266971b91b6bc

  • SSDEEP

    6144:zmTLRf45/wAfqj6pjohSws+wZQtmk6LnAlnZ:eq5/tyjMLd+Rtmkc0

  Score

  10^/10

  persistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Renames multiple (162) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral23

• • Target

    a631ad1b1a59001a5f594880c6ae3337bda98f8ce3bb46cd7a9de0b35cd2bc4b.exe

  • Size

    272KB

  • MD5

    cb4ef16070b2dec59effcdb4a2134a83

  • SHA1

    c9fcc72c08eece9ca0beb2a3d3801bbfffcb6196

  • SHA256

    a631ad1b1a59001a5f594880c6ae3337bda98f8ce3bb46cd7a9de0b35cd2bc4b

  • SHA512

    be87293a1b9537d54780639006b6e7a6048755064ca4e78cc295ae1b6263ab4d511e4f720f2687a55372da10e8fd67a47bb091bd5357c50045690936b2411091

  • SSDEEP

    6144:1xIPLPHOoW/EHVDJSBD94vqW6Q65Ln1ZEVNl999999999999999999999POU:+DHOVcHVDJMgX6Qu0V

  Score

  6^/10

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral24

• • Target

    a9053a3a52113698143a2b9801509c68d0d8b4b8208da453f0974547df0931bc.exe

  • Size

    703KB

  • MD5

    43478841baa4b8754f75516220e33ac3

  • SHA1

    2585a613129d7e3dbff3eb16b10ce3fe940c99a3

  • SHA256

    a9053a3a52113698143a2b9801509c68d0d8b4b8208da453f0974547df0931bc

  • SHA512

    9441209433e2d3d49012431011048cd33a7ce980482658a0b1e2ccd3baa70524d2585901b6130d4644d7ca0139d881a9f11a933949ed39ad805a147694b37f87

  • SSDEEP

    12288:C6JZ+UD5+1fpL2ikTgmPb2EdVu/BdmSHqDd6bhW2RJV7uikFg:JEUD52fpL2bgmSEds/BnKQPlubg

  Score

  7^/10

  • Drops startup file

  behavioral25

• • Target

    b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe

  • Size

    3.6MB

  • MD5

    ef29f0f2a7b98ea19767b8ae66d1ffb8

  • SHA1

    093b3916ee1bea0442278d0aa87be5703207e627

  • SHA256

    b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c

  • SHA512

    9ab431d19633ed54dc1cc8bc4e511cabcfcba56ee0ff30197f5bd7aca07b33f2b605ab17f07fba066f5c910903f27bb04f4eb04cbed539af783564bbeba2c80e

  • SSDEEP

    98304:yDqPoBhhRxcSUDk36SAEdhvxWa9P59Uc/Jf:yDqPSxcxk3ZAEUadv1

  Score

  10^/10

  wannacrydiscoveryransomwareworm

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry

  • Contacts a large (3259) amount of remote hosts

    This may indicate a network scan to discover remotely running services.

    discovery

  • Executes dropped EXE

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery

  • Drops file in System32 directory

  behavioral26

• • Target

    cf89f70633865aa06123062a7dc51f8158905afb4b00f6f3597de3edfba97c5c.exe

  • Size

    322KB

  • MD5

    3f4e0582663260629e1046d300bfd47c

  • SHA1

    05d4b2e99a8ad0436cb5d9066987eb0df0321250

  • SHA256

    cf89f70633865aa06123062a7dc51f8158905afb4b00f6f3597de3edfba97c5c

  • SHA512

    b12505249227706b22e054d47d99d4b770a958875fb5eddb9a254ec06353415f00379383a091932ed70a1bcac14a9f8113f0221abed3c6211e6b7fe1f6fe1e81

  • SSDEEP

    6144:2FexvJFSPxQksREdUZo64wHijE77BoLUbeKMazza722uutBq3:2FyJWQkX/njG7BSEeKMazzaqRut4

  Score

  1^/10
  behavioral27

• • Target

    e951e82867a4f3af5a34b714571e9acf99cca794c4ed1895c9025a642d5d4350.exe

  • Size

    2.2MB

  • MD5

    52cae327d2b2fef71f1af28e15a2811c

  • SHA1

    62b516f72b03515078cb89cbecaa4522726e79d4

  • SHA256

    e951e82867a4f3af5a34b714571e9acf99cca794c4ed1895c9025a642d5d4350

  • SHA512

    6daabedfc0accba661c84155ea449b0cdd8819378de9c102da07631390a7a9c1fc7ee1fb71505bfb4dfb974f71696ff57bf376184934bfa230d572400bfb422a

  • SSDEEP

    24576:d/2jBNbRL7T3QeFlUp1BcKZbn30QYKr5kw4AMMtG3oirCM/e52bZDHwSuQWTsFNz:d/yb9dw5dirCM/cIHnksFsK971

  Score

  1^/10
  behavioral28

• • Target

    fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe

  • Size

    121KB

  • MD5

    eac0a08470ee67c63b14ae2ce7f6aa61

  • SHA1

    285c0163376d5d9a5806364411652fe73424d571

  • SHA256

    fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7

  • SHA512

    f3fd7eeae18843d049443f0d5e818302eb3b3f73ad85e26c01e1ddc0a102a0a22b065afe01879aafc95ff3a2d15b5c302394bd03d91e6c4401648cd4222bddc5

  • SSDEEP

    1536:3THoX8wNjiMsyPcjgbKx534oU6Llg/iLBkZhifkdol9LYuVF5yZbn:DjksYKx5o3Slg/itMg8+LYu9ubn

  Score

  9^/10

  evasionpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Stops running service(s)

    evasion

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Suspicious use of SetThreadContext

  behavioral29

• • Target

    fc184274ad3908021e4c8ef28f35dc77447ed6457375d2a4e7b411955e042527.exe

  • Size

    268KB

  • MD5

    d3fdd9807a32f5c27c14879336762119

  • SHA1

    73132972d130adb7106e6b9319b21856434eff65

  • SHA256

    fc184274ad3908021e4c8ef28f35dc77447ed6457375d2a4e7b411955e042527

  • SHA512

    87468ab4136f449cab6e3689b4460de6dc59421ad20ce8208e251b3e4ef63f4ac281288ec51a35469e2473328de8b45b487cd72f40ba72d304a44b89a99a7a80

  • SSDEEP

    6144:IXJ6Mv/PMB5lZOx4ccuiA8HYVVo7bBPxwdNaLvo:KJf/kBrZOxfwAsYVVoZZwdNaE

  Score

  10^/10

  cerberdiscoveryevasionransomware

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    ransomwarecerber

  • Blocklisted process makes network request

  • Contacts a large (1095) amount of remote hosts

    This may indicate a network scan to discover remotely running services.

    discovery

  • Modifies Windows Firewall

    evasion

  • Deletes itself

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware
  behavioral30