General

  • Target

    dsE1122.rar

  • Size

    14.2MB

  • Sample

    240316-slqqhsde8t

  • MD5

    394f07bca7aaedfe23ad7dc24a68520b

  • SHA1

    e17adcc112d1d0ea8f71aedbdae528de4ed5c4fc

  • SHA256

    441116d55e97124a067207bf57483dd3462bccfb034e56c4152675b0dcb118e7

  • SHA512

    4834610ae95493a7e51e1493bf8c48e8e2bf8905d0b61af4b685c2b822ef22a78c9fd6cbbb188b20436a71f19972d9ebd211ccf0e75fc542d19f9340781c7eb3

  • SSDEEP

    393216:jBSYPG3rPQ2PUtOd37WjqC6tZ0ksxVmESyOcG7b/ZuHvWpbYqc7p:jQYyPDP2E0qCoZhLESyOf/YHvWOld

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___JXKZU_.txt

Family

cerber

Ransom Note
Hi, I'am CRBR ENCRYPTOR ;) ----- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/58C6-B1BE-88C5-0098-9592 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.19kxwa.top/58C6-B1BE-88C5-0098-9592 2. http://xpcx6erilkjced3j.1eht65.top/58C6-B1BE-88C5-0098-9592 3. http://xpcx6erilkjced3j.1t2jhk.top/58C6-B1BE-88C5-0098-9592 4. http://xpcx6erilkjced3j.1e6ly3.top/58C6-B1BE-88C5-0098-9592 5. http://xpcx6erilkjced3j.16umxg.top/58C6-B1BE-88C5-0098-9592 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://xpcx6erilkjced3j.onion/58C6-B1BE-88C5-0098-9592

http://xpcx6erilkjced3j.19kxwa.top/58C6-B1BE-88C5-0098-9592

http://xpcx6erilkjced3j.1eht65.top/58C6-B1BE-88C5-0098-9592

http://xpcx6erilkjced3j.1t2jhk.top/58C6-B1BE-88C5-0098-9592

http://xpcx6erilkjced3j.1e6ly3.top/58C6-B1BE-88C5-0098-9592

http://xpcx6erilkjced3j.16umxg.top/58C6-B1BE-88C5-0098-9592

Extracted

Path

C:\MSOCache\All Users\_HELP_INSTRUCTION.TXT

Ransom Note
!!INFORMATIONS!! All of your files are encrypted with RSA2048 and AES128 ciphers. More information about the RSA and AES can be found here: https://en.wikipedia.org/wiki/RSA_(cryptosystem) https://en.wikipedia.org/wiki/Advanced_Encryption_Standard Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server. Follow these steps: 1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: http://supportxxgbefd7c.onion/ 4. Follow the instructions on the site. !! Your DECRYPT-ID: df54997b-3754-4ca8-b3bd-47bf930a1567 !!
URLs

http://supportxxgbefd7c.onion/

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N00fBwZXjOQTTX9M.hta

Ransom Note
<html> <head> <hta:application BORDER = "none" CAPTION = "No" CONTEXTMENU = "NO" INNERBORDER = "No" MAXIMIZEBUTTON = "No" MINIMIZEBUTTON = "No" NAVIGABLE = "No" SCROLL = "No" SCROLLFLAT = "No" SELECTION = "Yes" SHOWINTASKBAR = "No" SINGLEINSTANCE = "Yes" SYSMENU = "No"/> <style> body{ background-color:#000000; margin:0; } .vau{ margin:10px; height:520px; width:750px } .sc{ margin:1px 50px; font-size:40px; width:750px; height:30px; padding: 10px 20px 10px 20px; background-color:#000000; color:#e92124; font-family: Impact; text-transform: uppercase; text-align: center; } .sc1{ margin:1px 50px; font-size:20px; width: 750px; padding:20px; background-color:#000000; color: #e0dede; font-family: Georgia; text-align: left; } .gr{ margin: 10px 0px; color:#189f29; } .red{ margin: 10px 0px; color:#e92124; } .wh{ margin-top:0px; margin-bottom:10px; } .wt{ margin-top:10px; margin-bottom:0px; } </style> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/> <title>Notification</title> <script language="vbscript"> sub Window_Onload window.resizeTo 850,725 screenWidth = Document.ParentWindow.Screen.AvailWidth screenHeight = Document.ParentWindow.Screen.AvailHeight posLeft = (screenWidth - 850) / 2 posTop = (screenHeight - 725) / 2 window.moveTo posLeft, posTop end sub </script> </head> <body scroll="no"> <div class="vau"> <div class="sc"> All your files have been encrypted! </div> <div class="sc1"> <p class="wh">All of important data on this computer was encrypted with strong RSA-2048 algorithm due to the violation of the federal laws of the United States of America! (Article 1, Section 8, Clause 8; Article 202; Arcticle 210 of the Criminal Code of U.S.A. provides for a deprivation of liberty for four to twelve years.)</p> <b>Following violations were detected:</b><br /> Your IP adress was used to visit websites containing pornography, child pornography, zoophilia and child abuse!<br /> <p class="gr"><b>To unlock your files you have to pay the penalty!</b></p> <p class="red">You have only <b>96 hours</b> to recover your personal data! After this time your unique key will be deleted and file decryption will become impossible!</p> <p class="red">Each <b>12 hours</b> the payment size will be automatically increased by <b>100$</b>!</p> <p class="gr"><b>You must pay the penalty through the Bitcoin Wallet.</b></p> <p class="wt">To get your unique key and unlock files, you should send the following code:</p> <b class="gr">TAVOb1nrt0pLc0ui-67B38C0E52010C27</b><br /> to our agent e-mails:<br /> <b class="gr">[email protected]</b> or<br /> <b class="gr">[email protected]</b><br /> You will recieve all necessary instructions! </div> <div class="sc"> Hurry up or you will be arrested!!! </div> </div> </body> </html>
Emails

class="gr">[email protected]</b>

class="gr">[email protected]</b><br

URLs

http-equiv="Content-Type"

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!#_READ_ME_#!.inf

Ransom Note
[WHAT HAPPENED] Your important files produced on this computer have been encrypted due a security problem If you want to restore them, write us to the e-mail: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. [FREE DECRYPTION AS GUARANTEE] Before paying you can send to us up to 3 files for free decryption. Please note that files must NOT contain valuable information and their total size must be less than 1Mb [HOW TO OBTAIN BITCOINS] The easiest way to buy bitcoin is LocalBitcoins site. You have to register, click Buy bitcoins and select the seller by payment method and price https://localbitcoins.com/buy_bitcoins [ATTENTION] Do not rename encrypted files Do not try to decrypt your data using third party software, it may cause permanent data loss If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files Your ID: vbOqyNvH4VULZd2hsEl2iWGl/YVDM6tHpGbaeO2zLu/Ao+69GggA733NfbhK02nyAKlue6+kF3bNAgmiep8XhXRXpm3vgDSucqbS9iFz+Fhkq281w7o1/PfV6HNmyOjjUSgJqGfFHrZzwxhcO7jhops/UfZ078q576qvh5lmRrI=

Extracted

Path

C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.readme_txt

Ransom Note
YOUR COMPANY HAS BEEN SUCCESSFULLY PENETRATED! All files are encrypted. We accept only bitcoins to share the decryption software for your network. Also, we have gathered all your private sensitive data.So if you decide not to pay anytime soon, we would share it with media's. It may harm your business reputation and the company's capitalization fell sharply. Do not try to do it with 3rd-parties programs, files might be damaged then. Decrypting of your files is only possible with the special decryption software. To receive your private key and the decryption software please follow the link (using tor2web service): https://qmnmrba4s4a3py6z.onion.to/order/43e4593a-5dc7-11e7-8803-00163e417ea3 If this address is not available, follow these steps: 1. Download and install Tor Browser: https://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: http://qmnmrba4s4a3py6z.onion/order/43e4593a-5dc7-11e7-8803-00163e417ea3 4. Follow the instructions on the site 5. This link is valid for 72 hours only. Afetr that period your local data would be lost completely. 6. Any questions: [email protected]
URLs

https://qmnmrba4s4a3py6z.onion.to/order/43e4593a-5dc7-11e7-8803-00163e417ea3

http://qmnmrba4s4a3py6z.onion/order/43e4593a-5dc7-11e7-8803-00163e417ea3

Extracted

Path

C:\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT

Ransom Note
__________________________________________________________________________________________________ | | | *** IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS *** | |__________________________________________________________________________________________________| Your files are now encrypted! -----BEGIN PERSONAL IDENTIFIER----- pAQAAAAAAABql7S+JZSHD0NADANXUd2szqKt1lDA0=tQY9Ew9SPjvJ9SvrXhlcWbmn+rfONeyZTZhcVtfdpvWexN=EdRtaVlm8vZ RVR9qp=EgLSW3SF36vlnINQRj7gr1lgpspv0wQAqhNjewqavDitURj8tL2Tte+6bSVZcay3=hgs0quEm4HiSOJca1bSnfoC9KKIY VoqoeJteuvFdmg+iih23FJhUXYCbdnn5WFNxUInJc13a=Cfi0izubUm=f2vrQA2ZWJ6YwEG46pXsXQHf4v5xPS3bFD6Dae5PR0fB jhe76xNQGZrVYvmGJOnVHPjTOqNdSPewEM0R5Pd=8nSUKLaUG8Rp=6cMPsQAwISGBdnw7dsiqXq9d8PPtWus9hGQAu0lFBOY7nCO fBaOkbadByHKREs5skZRwYj+0FIFvHqFVa=yiLzOoGw6hSHgvPYGzCJtEqDqdSydTmlYQAdlA=OQHdjrSMX6Nar1jUDOW4raYTXC og4pIBqn8VmrxSMsHUWkU=m111N4EUAIsXUcCQvq4F03nVmUTwPAvxLQKGijrAiXDUP56vc9DvuFHXobet03kh5PtG0w5Le4=BC9 uURVBcOBMgDzIsBFaq+oIQJMR1Lf4mDLMVI2tAGnPh6b+cEDe2f9G+I3xB+7Cn8IsvUPYD5NSWYWFO6QM2+Z6BnJ3sF=ki=fTb+K lJgk52EFE+EQGhPvDRO53aFaecbIQqLQNJwt0GL6GK99Z7FGuEATxIsO8RRzC9L+yYb1NARNz7bARTvc0JD5K8RaEfYQa5p+82M6 gWHIuJKfC9lvp7pdX9lcwDE4=jq8=y1hEAIjwk0 -----END PERSONAL IDENTIFIER----- All your files have been encrypted due to a security problem with your PC. Now you should send us email with your personal identifier. This email will be as confirmation you are ready to pay for decryption key. You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Contact us using this email address: [email protected] Free decryption as guarantee! Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.). __________________________________________________________________________________________________ | | | How to obtain Bitcoins? | | | | * The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click | | 'Buy bitcoins', and select the seller by payment method and price: | | https://localbitcoins.com/buy_bitcoins | | * Also you can find other places to buy Bitcoins and beginners guide here: | | http://www.coindesk.com/information/how-can-i-buy-bitcoins | | | |__________________________________________________________________________________________________| __________________________________________________________________________________________________ | | | Attention! | | | | * Do not rename encrypted files. | | * Do not try to decrypt your data using third party software, it may cause permanent data loss. | | * Decryption of your files with the help of third parties may cause increased price | | (they add their fee to our) or you can become a victim of a scam. | | | |__________________________________________________________________________________________________|

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___031I3MLW_.txt

Family

cerber

Ransom Note
Hi, I'am CRBR ENCRYPTOR ;) ----- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/CE03-CAEC-9154-005C-9F96 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1t2jhk.top/CE03-CAEC-9154-005C-9F96 2. http://xpcx6erilkjced3j.1e6ly3.top/CE03-CAEC-9154-005C-9F96 3. http://xpcx6erilkjced3j.1ewuh5.top/CE03-CAEC-9154-005C-9F96 4. http://xpcx6erilkjced3j.15ezkm.top/CE03-CAEC-9154-005C-9F96 5. http://xpcx6erilkjced3j.16umxg.top/CE03-CAEC-9154-005C-9F96 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://xpcx6erilkjced3j.onion/CE03-CAEC-9154-005C-9F96

http://xpcx6erilkjced3j.1t2jhk.top/CE03-CAEC-9154-005C-9F96

http://xpcx6erilkjced3j.1e6ly3.top/CE03-CAEC-9154-005C-9F96

http://xpcx6erilkjced3j.1ewuh5.top/CE03-CAEC-9154-005C-9F96

http://xpcx6erilkjced3j.15ezkm.top/CE03-CAEC-9154-005C-9F96

http://xpcx6erilkjced3j.16umxg.top/CE03-CAEC-9154-005C-9F96

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!#_READ_ME_#!.inf

Ransom Note
[WHAT HAPPENED] Your important files produced on this computer have been encrypted due a security problem If you want to restore them, write us to the e-mail: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. [FREE DECRYPTION AS GUARANTEE] Before paying you can send to us up to 3 files for free decryption. Please note that files must NOT contain valuable information and their total size must be less than 1Mb [HOW TO OBTAIN BITCOINS] The easiest way to buy bitcoin is LocalBitcoins site. You have to register, click Buy bitcoins and select the seller by payment method and price https://localbitcoins.com/buy_bitcoins [ATTENTION] Do not rename encrypted files Do not try to decrypt your data using third party software, it may cause permanent data loss If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files Your ID: fdsbgz3Ni64477+GRkfIwvXExOmlgszS05/hgVf9+o7kcuXvygISrX/k87Jz/jmyMo1SwhmTH9gxxM4Utl5TzC8TAYfK2vHO7XBqfvBg5IogM2+AHXEchZiMWY5NoqgzF4qrEAye/qfeO7GqcfMnjfut3xPIQG/yIa/688I1/wM=

Extracted

Family

gozi

Targets

    • Target

      00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe

    • Size

      1.3MB

    • MD5

      b53d9a3861ba2e66a83ed1827aef11c8

    • SHA1

      e3d021ae61b901fc0e375269aeea8a956b5d170a

    • SHA256

      00faee82ab5b800cf6dbe97afd39790b856ad1ec25dc7ed8f798aca702bee7ad

    • SHA512

      c7478893531fbaf674dc90b404dada8ffefba4dfa2209063061a3c30df7992e3d95a9b5aa598ef2e5b6730fa961e44d15b70f5ea2075859ed8dfc528b1b5f434

    • SSDEEP

      24576:jnbkBTLZO5z2gux4qXrNuN6zZkMPPX47Ypk2z364swWUpZKfO+fIQ:jIBTL8HPq7NS6tY7Uzps6pZcfn

    • Modifies WinLogon for persistence

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Renames multiple (59) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe

    • Size

      2.0MB

    • MD5

      e32ef8a36b6a6c010b27a7871ebda037

    • SHA1

      0ea7d9bf90c5fc6bfadaf3c14e140fc9c9aa5361

    • SHA256

      0b8e9bc31964c9433bd5cc20e556cfd0590c3b17b0db23cdc3ad0547683f3820

    • SHA512

      e98f941c7be2c650de033048b8a9d4556da2204f9b0c90d399c981dcb9e215d5322a765884aad1a4e5b31b23227827cb21fd1ed5d3a79cc7f83226c07f579eb3

    • SSDEEP

      49152:pdGNHxQXLx6cHqNQDQg6nNw1WCj/vd2Xptvh4:pd0QXL/t

    • Modifies WinLogon for persistence

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      0c9fa52ace8019b43c91f4859ecddfde6705141b9283fef05c6c4c37a5c1777a.exe

    • Size

      596KB

    • MD5

      922b22f3be97b5974e317c5b55b07d15

    • SHA1

      96eef7001f9b555ac686a640e43a38cfbd963c4a

    • SHA256

      0c9fa52ace8019b43c91f4859ecddfde6705141b9283fef05c6c4c37a5c1777a

    • SHA512

      33a93de5d7e3927d3dd750dac4e12f9be5384ac2d5edbf8d5947708bdf18a7542e9fde3fb3dd526cd00e1973b18eb20b2793fe517469c831a39f7a5917d08179

    • SSDEEP

      12288:zbiqlq3Z3wSGTjDPOnpLWGJFFQgKzL+EFHUNrkqJgtK2b:zbNgd1wOpLWGF5C+EF0+qJgtZ

    Score
    7/10
    • Drops startup file

    • Target

      15f7ea290d832bc32ebf660690b42616264fc0be8969934c1f8d7e5a5d3cd18c.exe

    • Size

      473KB

    • MD5

      aadb6e0f1cc845e196570e800380fe85

    • SHA1

      72b088cf546c36b6dda67cfb430874f83645397f

    • SHA256

      15f7ea290d832bc32ebf660690b42616264fc0be8969934c1f8d7e5a5d3cd18c

    • SHA512

      55ba8c4734b9fb1c08b3c0be3c6c524a265aa1d3dc4a9f3a2f97f172c2913fc66ea7a002ad877d786e03db54b0a35f3244e9230c49fb30c6c6284404cffaf1b7

    • SSDEEP

      6144:ULIaDW2Dm6jNkcZjvw6RQVe0yV4JMaT710E5BmutiO3XwGk/Rz+wLefC9rB6uN:XaiajeUjvw6RQHVJMau43XwG25NW4rd

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VirtualBox drivers on disk

    • ModiLoader Second Stage

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe

    • Size

      716KB

    • MD5

      cc3f68e8a50b05aa77d88b6119583b9e

    • SHA1

      71c7b93a8947265fe30e6928730504a5456ca788

    • SHA256

      1dd70e803623d5311b71129976710b11a8942d206a5d8d86cdf8417255f15725

    • SHA512

      e4fe7c8ec1d88c0bc81834de0a1212902849d7c9f6228e26fb8aaf3f046011f934d6de01becb339ab88169533ff8dc0d6fad7d6d7ff7e956e408242a21809e55

    • SSDEEP

      12288:ZMMpXKb0hNGh1kG0HWnAsaHy41Dxm1zRRaMMMMM2MMMMMu:ZMMpXS0hN0V0HYah1I1zRRaMMMMM2MMd

    • Modifies WinLogon for persistence

    • Renames multiple (93) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Drops startup file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Target

      1E229029B2D3FF00EDDE061B1AAF470EE437FA8196D97FAD2C2C6C9EDE5B44DA.exe

    • Size

      1.9MB

    • MD5

      92318a59ed03b2d195a8d08befd0efbb

    • SHA1

      33c974d620ceede52581194ef99f3f57a9cd5d11

    • SHA256

      1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da

    • SHA512

      ea57ebd9484ade992b5b7b1b1a43b84b5af37491b063de0718e3ae6897fa84f500194dc251f117d11a1361f3164eea11becddb394e697400b7eb1ea40c568230

    • SSDEEP

      24576:TAlFsCeXap8KGLTg/6PeXTAg6L+Gzt0DkyYz1/oM5i7eXTXbQ5MTjrp2WHa/1jlE:kICe+cmxj4LlWoB/oeDfF

    • Modifies WinLogon for persistence

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Renames multiple (59) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe

    • Size

      235KB

    • MD5

      fac89802b3db89ba74cf8891824af3d6

    • SHA1

      27b57dfdc8b1b265e3755cc0068be846c4c4981e

    • SHA256

      21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061

    • SHA512

      2c604a00446fe4901341a4c8093443cba06fc00ee90a946749c3b66b2205339850740406edd0553ef55a33573599c7e494eb1b0552395d1cd9e54a8d4268b3e5

    • SSDEEP

      3072:thrQ6J0Exp7gW31x+S/EkuIDNGqLW4t5P0tz/aMgb2JpL7Ag0FujYWkcv23nNT3I:tiHgpR31kS8kuIpW60tRPAOs3sc8

    Score
    10/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (303) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Target

      21e1bc4340221fbccee28d59333c20b20755e34e2f3391b90837172bd07fbf01.exe

    • Size

      708KB

    • MD5

      987a06a5c02be92cdeae2a99a408a716

    • SHA1

      31e4c64f1fcff7824b023e86482e75870389edef

    • SHA256

      21e1bc4340221fbccee28d59333c20b20755e34e2f3391b90837172bd07fbf01

    • SHA512

      90db12153f5abd1f8d20a89a473c46f0577ffc2c3a681f4f2bd68f53b8cd2d45c372bce6e0d11d2832ae223eebcb2b9a8a1dc806b5cd8a510134cad830c2596e

    • SSDEEP

      12288:VROJm7hOOdN2++KEjDz/lnp2WBILtj+fITU4Td9T31r6U2dEV7uikFg:VROJ8hjkLKgP/n2WaLtj+fINR979N/l/

    Score
    7/10
    • Drops startup file

    • Target

      2272954a2c9f631b4f9c5f6d230287b0989ab3b512bb5f4a282214eadf42085a.exe

    • Size

      299KB

    • MD5

      2ad96b646ad5f323f0bef0bfb6b23ebb

    • SHA1

      a8ac661b22bd557fe3dbff8f706cb5741d43ac67

    • SHA256

      2272954a2c9f631b4f9c5f6d230287b0989ab3b512bb5f4a282214eadf42085a

    • SHA512

      8959aebd064c488e7247604b7b30e8487ecc498695206173d1251eff565bd5bb3e8ee90ac22bb1250f78412bcabe9a57d930972d6d4fdd886eef0901d89b38a9

    • SSDEEP

      6144:0gggrNE0oCD4IKXgWi2AL/Pe5f6LiJbfPcEfm0fg:G6DhfTR8C2JbMEfm0fg

    Score
    10/10
    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Target

      2C3542B5D9AB4EED2DD88CD74A02236A944AFD76E8717F65DCD544912229CA85.exe

    • Size

      10KB

    • MD5

      ffb938c96bb741d2d1dcc05930072926

    • SHA1

      643508e98cd746eb91adb0b3a0096ff3d7497dad

    • SHA256

      2c3542b5d9ab4eed2dd88cd74a02236a944afd76e8717f65dcd544912229ca85

    • SHA512

      09c63015e0a6f1c97f657106d01c7a5399686039f75ccbd9a097544d458edee3ca094b24c1d075658bd34ef332deee5736711f0ac6f7ea273baa42dda5c18215

    • SSDEEP

      192:xjpBKnwR27YRs/5+K/OUzbx/wz93ADv8Ei:NunwR2JQKZx/wz93ADUv

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe

    • Size

      390KB

    • MD5

      08109df08fa4a035c59d56d1e6c5baf4

    • SHA1

      bec86bce6f6963d0cc69c441c6d5fb6d04d3a833

    • SHA256

      3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338

    • SHA512

      61e6cc3e94ddb7a980bfb0a2e5e5ffeeb5414c9e2ef3e42551820017dbedab5cccdd8ece1fed2ca057e240bdb7836663a7f9be28f1bb9136da972750caf59704

    • SSDEEP

      12288:s8TC7FeAA9IsQwycG888888888888W88888888888E7xCYsdG:s8TygVinw1Z7xCZdG

    • Cerber

      Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    • Blocklisted process makes network request

    • Contacts a large (1095) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Modifies Windows Firewall

    • Deletes itself

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe

    • Size

      947KB

    • MD5

      39217b125403ff7c755622ef9bbef974

    • SHA1

      9fc607b7c17919c83999bdd119e9cd6bf413101a

    • SHA256

      3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816

    • SHA512

      1252ea94931eaf4426ca1eb94a070645238775c447a09286109fe894c569de29ca502882a0fa34e97e09109c43c486a3aa32081e3a3afef0b6557db59c71fc50

    • SSDEEP

      12288:3+Zn/gJtKaNIBpB+iMMOD30ZnZ47m0T3JF9j3GOF0l7B2FzqL2aZa7rf58bs:3+RYeaNILZi/JDLG60y1aZvs

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      41c53e90f0861b068eaa512edff28a586128f808b437122399347bcb3774914a.exe

    • Size

      27KB

    • MD5

      b0492e56e1246873173e8f7d32f8a278

    • SHA1

      b31e8e98a4b570f739dd1e1098f4e593f930f450

    • SHA256

      41c53e90f0861b068eaa512edff28a586128f808b437122399347bcb3774914a

    • SHA512

      fa078565f4eab7b1a618dff2182ac0f630f32a151fdbb5c3d73d1544cc4371d283cc76f597dde990eaa9e389355aca9c73cd1e8b3087b769340f3b9642642979

    • SSDEEP

      384:U0Ne12bO+rTx8S0VL+5ka0OXE8vDIXam7JV4DXi4EECyBsnK/8kHaHKczlyDqq:612hTa7JULXEfXamDIy4HBs7HKwQx

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe

    • Size

      363KB

    • MD5

      36a0cefeb8b0a606358142d4140ea7cf

    • SHA1

      03ce13b4f60d2fc632b67b41b82b5e8cfaf9939f

    • SHA256

      467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be

    • SHA512

      63304f3ddca578beac157197581e6a2a762d9cf1fb08fa6ae85dcdc26340ae64badb0f4a9cb47521315c366b70bd0cf89bf1b72be29f89e2d91504cec7ca9093

    • SSDEEP

      6144:VEwaWsAzrp8viKgjdCU641BHoKIPi2CRp2pFSnfJxLw/mq3pT+Qrm9m7s:G9UjdtzIKl2YY3SRxLw/BT+X

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    • Target

      5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe

    • Size

      236KB

    • MD5

      6aa5d9b03d34c87026ac11a6f30524fe

    • SHA1

      c0c532d64bc1d16aeb12ea58c9e94c48eb3d64d4

    • SHA256

      5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0

    • SHA512

      1e0cdbfd5399c03e6db32b309d38f56dc0761d6a9d2319c712f771fecc9fec8aac0c2dd2ee00e4674b26168265558e4d02a810a6326c73e36a1e453ecc394069

    • SSDEEP

      3072:A2XIX/5EEAmkN7HqOaeV/RPMObiZif2fXSF9uvm8dDuCb4NeIAg0Fuj3RK3o1yL:AliN3qO1hR0UiZi+fC+iAObo41I

    Score
    10/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (267) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Target

      712affaa8b84e8fb7d4e71feb6c1074185bc43b5a2f265fbfb248f7ed40a5489 (1).exe

    • Size

      1.7MB

    • MD5

      1c526b6bd496e217833972f77a235928

    • SHA1

      49dde9bf9e2f11abf13dc55cbf901af49e575bc1

    • SHA256

      712affaa8b84e8fb7d4e71feb6c1074185bc43b5a2f265fbfb248f7ed40a5489

    • SHA512

      884b01546adc3c64ec04cc5856fdd7ce5f851dea2eb4066ea398dfeb62a23eab14a592e7be4f286625cd94b3c8b6254d3646eb05ddf0d6a70aa160e7e2cba2a8

    • SSDEEP

      24576:lTnv8YkXw+xfggJJmlm5SJPC/QMyKesckckSZahVY06uIxf+ubfOLVU:J0Husckc4Y0/IACmL2

    Score
    1/10
    • Target

      72716d15ea7d118b8c99dbcb15114188abe468718c876ac52b0779161ef7e821.exe

    • Size

      703KB

    • MD5

      d7c62a22cc1a832ba2ce0bfd1c4f9e9c

    • SHA1

      a484b5a49a5b94f045100dd5e659b9504ed99211

    • SHA256

      72716d15ea7d118b8c99dbcb15114188abe468718c876ac52b0779161ef7e821

    • SHA512

      7c036f46c6c5a34d991d277c3ecf3c8abdf3a70042c40aaa3c20ce2f3e02a5a63200530587c2980ba5e000a7f1394a33390e63ec53782892b27874e293dff1c6

    • SSDEEP

      12288:Qu/mk3LQLwumO7mL945Hj1wcBsXcDBif+w+nstV7uikFg:5+WLQLP7mL9eDb+Msfsnstlubg

    Score
    7/10
    • Drops startup file

    • Target

      8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe

    • Size

      1020KB

    • MD5

      496f86f951e1dbd3c4534d51a5297668

    • SHA1

      1199c5f30f5724841905cbdb9787649d15aae3d5

    • SHA256

      8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621

    • SHA512

      382abc596081ca5d0fdea39b12afe433e446cd50f59e4abca818162d96e46465beb1cda631109083071e7c050af6bfcf867be41d02c1e2ebe5dd99f61f45d510

    • SSDEEP

      24576:es0fVWVbd8fKT0KqTAFFCa/2yDEmdvAkomBbOsn51D:es0fVWVR8fKTeU1imBbl51D

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      Bit Paymer.exe

    • Size

      92KB

    • MD5

      998246bd0e51f9582b998ca514317c33

    • SHA1

      5a2d799ac4cca8954fc117c7fb3e868f93c6f009

    • SHA256

      d693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2

    • SHA512

      773d9838be9c09bd43a22aa1eada8f623f95739b21828712236a4a209c6d9266647ef43592d072d68399224965253c37f9ce9ef36e46e8191169c03ac7789130

    • SSDEEP

      1536:tacFdjxs2TlWlpnXv91nhixG8/lA5jG8387SpK6jXOMVHoi5e+vRb:taqJC6lWlpnXv7nhixhlAU83VwMCifvR

    • Renames multiple (9901) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      KeepCalm.exe

    • Size

      218KB

    • MD5

      f994759181fb964af17fab2f7994b9ca

    • SHA1

      9ae72a3dc37955af7526fd8566698b7a97ed7cb0

    • SHA256

      043969e70014662e6a8b90eaaec10f4b4064dc42c0aeba39639af82f11cbab7e

    • SHA512

      c36ff4026879e6cbab1e95e8a8a9cc6dc8538de9fa5719625ddf5a9d578dda310325cbf1e44a2dddbc85f27521e7e736637bb102e1d230f861ecb8f2e0219188

    • SSDEEP

      3072:Y9mM+lmsolAIrRuw+mqv9j1MWLQFidJM+lmsolAIrRuw+mqv9j1MWLQd:EF+lDAAJdi+lDAA

    Score
    1/10
    • Target

      LockedIn.exe

    • Size

      650KB

    • MD5

      e9e34a4dbf0c9fe5fb595b0282b0b4f0

    • SHA1

      4f3f6bc4aff97eecb9ab52d47520e248c618da45

    • SHA256

      613af1bf17a11dbf12849568ce08186cc4109a5cdb32d0bcce7c1bd81306f5c6

    • SHA512

      b234f7a6fef8eb3153da20b1c9f668a8177e489817b1e7e36a572fbfc7dc3604f5cd509f5ff7087f4d3a2e3c1a5a0c7e93ae571be11c70732b1078ba8050a119

    • SSDEEP

      12288:dl6aKEZf4r/s6IzjtyHQDWcFXXGmmBJ0d35O3CEkk4zglJaKfZf4m:dlNCr/sFFmmmHIpKCEx4sljCm

    Score
    1/10
    • Target

      Purge.exe

    • Size

      24KB

    • MD5

      b02916e5c5215ef3ce25269c8d8afbe2

    • SHA1

      7ea2e4eebea27ade84075a5bd47e048297377259

    • SHA256

      b4e9d14e4ea8a1c459805ec46870f12a3e6ea3308864511a3d9c7af9fb841403

    • SHA512

      c84cd98801dbc515f8e800c5fae57158d4167347c2267f1decbf37e98819b2bc1e9439eacec71eaad1c6ece62bf468b21db9cc53e6568cc73499595b1935296e

    • SSDEEP

      384:lMX3iNFRHDy0nxaP/JqiKV+aQlSp591U7qO7o4FQcc4KVOJ5ogxlwAx9sLtsNtt7:qHitm/JqiO+aB5s7qOUvOJ5ogDrCO8tm

    Score
    1/10
    • Target

      Scarab.exe

    • Size

      342KB

    • MD5

      6899003aaa63ab4397f9e32e0a1daf43

    • SHA1

      c22272ff0944d127992b393562871473b23ef8ea

    • SHA256

      53f73dc2e8af9c059136029b3b535e885d4452d3375586eb9a0336d7a389aad5

    • SHA512

      d8895f96e12d1b0b5907f7b1e7b976a37ff0cbe6db929cfbea5c931d905fb8269dc91bf44db83743920b63affc64ba88a0933d3111bc68f71ee266971b91b6bc

    • SSDEEP

      6144:zmTLRf45/wAfqj6pjohSws+wZQtmk6LnAlnZ:eq5/tyjMLd+Rtmkc0

    Score
    10/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (162) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      a631ad1b1a59001a5f594880c6ae3337bda98f8ce3bb46cd7a9de0b35cd2bc4b.exe

    • Size

      272KB

    • MD5

      cb4ef16070b2dec59effcdb4a2134a83

    • SHA1

      c9fcc72c08eece9ca0beb2a3d3801bbfffcb6196

    • SHA256

      a631ad1b1a59001a5f594880c6ae3337bda98f8ce3bb46cd7a9de0b35cd2bc4b

    • SHA512

      be87293a1b9537d54780639006b6e7a6048755064ca4e78cc295ae1b6263ab4d511e4f720f2687a55372da10e8fd67a47bb091bd5357c50045690936b2411091

    • SSDEEP

      6144:1xIPLPHOoW/EHVDJSBD94vqW6Q65Ln1ZEVNl999999999999999999999POU:+DHOVcHVDJMgX6Qu0V

    Score
    6/10
    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      a9053a3a52113698143a2b9801509c68d0d8b4b8208da453f0974547df0931bc.exe

    • Size

      703KB

    • MD5

      43478841baa4b8754f75516220e33ac3

    • SHA1

      2585a613129d7e3dbff3eb16b10ce3fe940c99a3

    • SHA256

      a9053a3a52113698143a2b9801509c68d0d8b4b8208da453f0974547df0931bc

    • SHA512

      9441209433e2d3d49012431011048cd33a7ce980482658a0b1e2ccd3baa70524d2585901b6130d4644d7ca0139d881a9f11a933949ed39ad805a147694b37f87

    • SSDEEP

      12288:C6JZ+UD5+1fpL2ikTgmPb2EdVu/BdmSHqDd6bhW2RJV7uikFg:JEUD52fpL2bgmSEds/BnKQPlubg

    Score
    7/10
    • Drops startup file

    • Target

      b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe

    • Size

      3.6MB

    • MD5

      ef29f0f2a7b98ea19767b8ae66d1ffb8

    • SHA1

      093b3916ee1bea0442278d0aa87be5703207e627

    • SHA256

      b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c

    • SHA512

      9ab431d19633ed54dc1cc8bc4e511cabcfcba56ee0ff30197f5bd7aca07b33f2b605ab17f07fba066f5c910903f27bb04f4eb04cbed539af783564bbeba2c80e

    • SSDEEP

      98304:yDqPoBhhRxcSUDk36SAEdhvxWa9P59Uc/Jf:yDqPSxcxk3ZAEUadv1

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Contacts a large (3259) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Executes dropped EXE

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Drops file in System32 directory

    • Target

      cf89f70633865aa06123062a7dc51f8158905afb4b00f6f3597de3edfba97c5c.exe

    • Size

      322KB

    • MD5

      3f4e0582663260629e1046d300bfd47c

    • SHA1

      05d4b2e99a8ad0436cb5d9066987eb0df0321250

    • SHA256

      cf89f70633865aa06123062a7dc51f8158905afb4b00f6f3597de3edfba97c5c

    • SHA512

      b12505249227706b22e054d47d99d4b770a958875fb5eddb9a254ec06353415f00379383a091932ed70a1bcac14a9f8113f0221abed3c6211e6b7fe1f6fe1e81

    • SSDEEP

      6144:2FexvJFSPxQksREdUZo64wHijE77BoLUbeKMazza722uutBq3:2FyJWQkX/njG7BSEeKMazzaqRut4

    Score
    1/10
    • Target

      e951e82867a4f3af5a34b714571e9acf99cca794c4ed1895c9025a642d5d4350.exe

    • Size

      2.2MB

    • MD5

      52cae327d2b2fef71f1af28e15a2811c

    • SHA1

      62b516f72b03515078cb89cbecaa4522726e79d4

    • SHA256

      e951e82867a4f3af5a34b714571e9acf99cca794c4ed1895c9025a642d5d4350

    • SHA512

      6daabedfc0accba661c84155ea449b0cdd8819378de9c102da07631390a7a9c1fc7ee1fb71505bfb4dfb974f71696ff57bf376184934bfa230d572400bfb422a

    • SSDEEP

      24576:d/2jBNbRL7T3QeFlUp1BcKZbn30QYKr5kw4AMMtG3oirCM/e52bZDHwSuQWTsFNz:d/yb9dw5dirCM/cIHnksFsK971

    Score
    1/10
    • Target

      fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe

    • Size

      121KB

    • MD5

      eac0a08470ee67c63b14ae2ce7f6aa61

    • SHA1

      285c0163376d5d9a5806364411652fe73424d571

    • SHA256

      fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7

    • SHA512

      f3fd7eeae18843d049443f0d5e818302eb3b3f73ad85e26c01e1ddc0a102a0a22b065afe01879aafc95ff3a2d15b5c302394bd03d91e6c4401648cd4222bddc5

    • SSDEEP

      1536:3THoX8wNjiMsyPcjgbKx534oU6Llg/iLBkZhifkdol9LYuVF5yZbn:DjksYKx5o3Slg/itMg8+LYu9ubn

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

    • Target

      fc184274ad3908021e4c8ef28f35dc77447ed6457375d2a4e7b411955e042527.exe

    • Size

      268KB

    • MD5

      d3fdd9807a32f5c27c14879336762119

    • SHA1

      73132972d130adb7106e6b9319b21856434eff65

    • SHA256

      fc184274ad3908021e4c8ef28f35dc77447ed6457375d2a4e7b411955e042527

    • SHA512

      87468ab4136f449cab6e3689b4460de6dc59421ad20ce8208e251b3e4ef63f4ac281288ec51a35469e2473328de8b45b487cd72f40ba72d304a44b89a99a7a80

    • SSDEEP

      6144:IXJ6Mv/PMB5lZOx4ccuiA8HYVVo7bBPxwdNaLvo:KJf/kBrZOxfwAsYVVoZZwdNaE

    • Cerber

      Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

    • Blocklisted process makes network request

    • Contacts a large (1095) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Modifies Windows Firewall

    • Deletes itself

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1
T1091

Persistence

Boot or Logon Autostart Execution

16
T1547

Registry Run Keys / Startup Folder

12
T1547.001

Winlogon Helper DLL

4
T1547.004

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

16
T1547

Registry Run Keys / Startup Folder

12
T1547.001

Winlogon Helper DLL

4
T1547.004

Abuse Elevation Control Mechanism

3
T1548

Bypass User Account Control

3
T1548.002

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Defense Evasion

Modify Registry

35
T1112

Hide Artifacts

4
T1564

Hidden Files and Directories

4
T1564.001

Abuse Elevation Control Mechanism

3
T1548

Bypass User Account Control

3
T1548.002

Impair Defenses

7
T1562

Disable or Modify Tools

3
T1562.001

Disable or Modify System Firewall

2
T1562.004

Virtualization/Sandbox Evasion

3
T1497

Indicator Removal

12
T1070

File Deletion

12
T1070.004

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Query Registry

11
T1012

System Information Discovery

31
T1082

Software Discovery

1
T1518

Virtualization/Sandbox Evasion

3
T1497

File and Directory Discovery

1
T1083

Peripheral Device Discovery

6
T1120

Network Service Discovery

4
T1046

Remote System Discovery

5
T1018

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

3
T1005

Impact

Inhibit System Recovery

13
T1490

Defacement

4
T1491

Service Stop

2
T1489

Tasks

static1

aspackv2
Score
7/10

behavioral1

evasionpersistenceransomwarespywarestealertrojan
Score
10/10

behavioral2

evasionpersistencetrojan
Score
10/10

behavioral3

Score
7/10

behavioral4

modiloaderevasionpersistencetrojan
Score
10/10

behavioral5

aspackv2persistenceransomware
Score
10/10

behavioral6

evasionpersistenceransomwarespywarestealertrojan
Score
10/10

behavioral7

persistenceransomware
Score
10/10

behavioral8

Score
7/10

behavioral9

gozibankerisfbtrojan
Score
10/10

behavioral10

Score
7/10

behavioral11

cerberdiscoveryevasionransomware
Score
10/10

behavioral12

troldeshpersistenceransomwaretrojanupx
Score
10/10

behavioral13

evasionpersistenceransomware
Score
10/10

behavioral14

evasionransomwareupx
Score
10/10

behavioral15

persistenceransomware
Score
10/10

behavioral16

Score
1/10

behavioral17

Score
7/10

behavioral18

troldeshpersistenceransomwaretrojanupx
Score
10/10

behavioral19

persistenceransomwarespywarestealer
Score
10/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

persistenceransomware
Score
10/10

behavioral24

Score
6/10

behavioral25

Score
7/10

behavioral26

wannacrydiscoveryransomwareworm
Score
10/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

evasionpersistenceransomware
Score
9/10

behavioral30

cerberdiscoveryevasionransomware
Score
10/10