General

  • Target

    New folder (13).rar

  • Size

    5.3MB

  • Sample

    240326-q11g6abe63

  • MD5

    ee064dd6c224e77d73c08588c72fe38f

  • SHA1

    0be18fdd02f206fcf8fbb0693bc3778808051fdb

  • SHA256

    3526c74a22a6a7ff285bddc4a055d22e443bd2d9ceb47aa7bc20240256084787

  • SHA512

    c3b8a5347303c8121ed4884099a7ded0658196ebca8b19baf4c742bf79dfed61d4bc7e64fbb1e432cc726bc751b8880ce381dd971ebaf1415ede49e88e055522

  • SSDEEP

    98304:N7lNcNlD8XfLEFIkOuiScSKebhWgkVPaN8lxzF/QZQb5d5wdBQnYouCiU:N7K8PQyddSt/96SanNQOL5iaYoxp

Malware Config

Extracted

Family

sodinokibi

Botnet

13

Campaign

49

Decoy

alaskaremote.com

epicjapanart.com

narca.net

mediahub.co.nz

mustangmarketinggroup.com

alcye.com

reygroup.pt

letterscan.de

jax-interim-and-projectmanagement.com

unislaw-narty.pl

justaroundthecornerpetsit.com

bescomedical.de

bertbutter.nl

parksideseniorliving.net

reputation-medical.online

biodentify.ai

polynine.com

nvisionsigns.com

luvbec.com

hospitalitytrainingsolutions.co.uk

Attributes

  • net

    false

  • pid

    13

  • prc

    mysql.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    49

Extracted

Path

C:\MSOCache\XSOFCM-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .XSOFCM The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/2a15b28b8fcd0c36 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- 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 ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 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 ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/2a15b28b8fcd0c36

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\AUJSLF-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .AUJSLF The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/91eed623f5163c3 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! 
IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- 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 ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDt9N/JOpDdAuaVt+DCRX/IKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2mU0R7+dxfWLoypoW25ypHEnKnMMuBl1Cmehqo5VrrnNSZu19KSVzOtTAymPz79ICyGBkpCKj0RQwVePfN00RSDyDEtO+JKNBZBiJqrMY9R7a3NLHNmdKRj0fTP9ry6vM9LODjDaPvr3tWv+YKTznJt/bAL0J01/eNSzezgKAqoTvFqJ2HPDmx5ShGudnoMloV6iCVyemoqB5vYrwArtgyoC8D1fqlVzmR7rN4cOwygU+wTkywb+cfzdw/LWqjqbjWwFvi9DPXKP+ghY2cWKz+6gkLvCeiiYFcEv1EtSM9ANLhxdQDIBf1BEGWyeuMbZ0J1h0/u+RWez0Et3TBCrbrZtdJPEKVLsosLrgbsAnNcG2VuLCZEZKsSbTenISaf0Ihb4k0t1Gacy3SiKIADBDFnYH2qA1whEaNxA== ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/91eed623f5163c3

Extracted

Path

C:\MSOCache\All Users\HOW DECRIPT FILES.hta

Ransom Note

<html> <head> <meta charset = 'windows-1251'> <title> HOW TO DECRYPT YOUR FILES</title> <HTA:APPLICATION ICON = 'mstsc.exe' SINGLEINSTANCE = 'yes'> <script language = 'JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type = 'text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background-color: #C1AB8F; } .bold { font-weight: bold; } .xx { border: 1px dashed #000; background: #E3D5F1; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note.title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note.mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head> <body> <div class='header'>Your files are encrypted!</div> <div class='note private'> <div class='title'>Your personal ID</div> <pre>DIP3BHRQCUJVLLOMTEO42H4F5JEA5DVTEYIDCBAT</pre> </div> <div class='bold'> <div align = 'left'> Discovered a serious vulnerability in your network security. 
</div> </div> <div class='bold'>No data was stolen and no one will be able to do it while they are encrypted.</div> <div class='bold'>For you we have automatic decryptor and instructions for remediation.</div> <div> <h2 align = 'left' > How to get the automatic decryptor:</h2> <div class='bold' align='left'>1) 0.14 BTC</div> <div class='note xx'> <div align = 'left' > </div> <div align='left'> <strong> &nbsp Buy BTC on one of these sites:</strong> </div> <div align = 'left'> <ol> <li><strong><a href='https://localbitcoins.com'>https://localbitcoins.com</a></strong></li> <li><strong><a href = 'https://www.coinbase.com' > https://www.coinbase.com</a></strong></li> <li><strong><a href = 'https://xchange.cc' > https://xchange.cc</a></strong></li> </ol> </div> <div align = 'left'> <div class='bold' align='left'> &nbsp bitcoin adress for pay:<br> </div> </div> <div class='bold' align='left'> &nbsp 14vo2jGKGemxwWKySqPKJ2kTh4MoboqAbG</div> <div align = 'left' ><strong> &nbsp Send 0.14 BTC</strong></div> </div> <div> </div> <div class='bold'><p>2) Send screenshot of payment to<span class='mark'>sequre@tuta.io</span>. In the letter include your personal ID(look at the beginning of this document).</p> </div> <div class='bold'> <p>3) You will receive automatic decryptor and all files will be restored</p> </div> <div><p>* To be sure in getting the decryption, you can send one file(less than 10MB) to<span class='mark'>sequre@tuta.io</span> In the letter include your personal ID(look at the beginning of this document). But this action will increase the cost of the automatic decryptor on 0.01 btc... 
</p> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul><li>No Payment = No decryption</li> <li>You really get the decryptor after payment</li> <li>Do not attempt to remove the program or run the anti-virus tools</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> <li>If you can't send a message, try to write with the other e-mail address, for example register mail.india.com </li> </ul> </div> </body> </html>
Emails

sequre@tuta.io

URLs

https://xchange.cc

Extracted

Family

netwire

C2

nsa.read-books.org:3300

Attributes

  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Path

C:\Users\Default\95d8232k5x-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 95d8232k5x. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/04F1766F84D4E61F 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/04F1766F84D4E61F Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: kPNqHlYmOC2lvLTdXXlBDVZPUgiNyAmicnQmAlhYAhHN8+cnueQRCdu42Of4Lbkx H5M+9UCqQfc4XZ/Fq4mRATOXvtttowFQXn+e8ePI8YOq/e978aHun1nDjdNzZ94h enhCOXUFlpGYb7i/DwJZGlcHtqAg4xgocBepCvYdVKMYgewzG2lDDpADvFM4vyOE pVwZL+LVDYfvdnFts/L0Bf7HOxi/tDh/9Xly9YK1hkdJI8uxhu+UbOarL+8db7Pt todMWQhO+ENAWQWQu5wbY4thKQOipKI7jLW3dPKhfKNkTssINIH6h2sOUzWcTZv5 bNwypBqRJ7zAa+l9vKhKE5zW7EbBpNjeZKsQPvL7oYV+g9W/+1EBIfkwcBJlgXxG AIZnujExt96H7QSW9qdLDp+jqIbnCrzdgOH1XK8HeVUzXOaGcMmdMTvjU5+GQl24 B8hgNDGMUWY07tom8FngyAe2iPllclhzFg71C3Px5VfaVHQZCkjuoTLjXoOOBg5M yU3QOTHOhCuQzdJltReETKY5RAwXf11B8qolmeKELe+/2NR9z0yf3gP36m14EA9N 0TMVe75hENrKKSzRhDAcIeMYVyhY89JJqDQeJXmtAm6VxuaOO3dJ79+v2Alw/QGF 6xYpjIo/StjND9ukWRVadz2BlRqhu/mlGFJlh8B8LKtX/lo1t2w/YejHZx/Ze6zL LnTlbiTIg/7w7DgonwJlYz3hsrAPT8FYE0+DyVL67Pd6wv/+Gnj1jV4n5ZNpyWIe W/SRyyJlKQlo5x/KCHyaCMFdbMAeUN2xJNwUuQMIUD11+vYzrq48WfYPyvxx2mNx H5Z+EM9dgeffU6QfpxuwevOsHTd58WAf5GK/BS6vcka4oI7+UwcemiGkTGT376io mGKHXau5sSR6ejHXSzxr8sXx5g4vQZWd+q3o97jg5njZBFj8o+DP7tJPiJael2eP eLtofaWmY5JtrrDqOLU253PsU6gDMOluI7L3A/OEdn4qy+jz2bkwox7Cvb7izbM5 Wyd22ilOtOwb8suukV1bOgS7IC9tDt/1G/qenGYEhfBTZ9Znl61iW9l/uWK44Z2x Yq9+puI2FeBbcErwNjkQ47+4QK+7Bo+0xSSMerNjZ2KV/Iev4vj2Ibsupj1m0v5v ZA8mEktQGZJHLWIxfgLBExZh2e7X3dQwBn8= Extension name: 95d8232k5x ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/04F1766F84D4E61F

http://decryptor.top/04F1766F84D4E61F

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\ODSWC-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .ODSWC The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/4634d3d6159b2403 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! 
IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAD/gWs/D/E+nPcRmr1kn/CtKN7TROxbN7EbCrZmYjBqejaxj726ppZozOaEyJpesHY9Tc/vOKNTCP9d1MpGcLZBBMktqnC7FgNfVMrYhUWtP7c58kJbKsGTvDVwnEkOja5aAatVlDLpfzd4hiIl77aYha8fWk6i2FYm6AKJEiZ4PvqUm2SZkntznOKA4iGXwErQ6Uq2epnHrfnzpSzuB4QEZ796OLh5SLGOrD5hK/MkI0ui6qkNhTTAk5r14f/Ufax8jGMFlbkkKjBt20gQh9Zm61eZjC2S1QiFJomQw/UrdUAK0d6Iw1ERJ02eZxUFKHR15N48pTm40bmyEX38ql1f4YWnF3BQsjZDSwNgQCFiLTS+4aiHJkG/TyfIPThT+++gyTr4CIiwVLpas9RQoo66q+5uE0tLB7SdkjRqo17f3hEACusc5TlGP26OenYtYHS4lYlXJPBqzB6/NKunQC4ViJeFkYhRKyx54bIupwEyeju6abH+sfhUA7+9kzvdM/yvfuNGutIzpP48EsjwnQMINz36lrSgWLwemQJHnOVeZ/0tpJDUCboh4G0u7zjG3v2DjdIAmj+UDpm2CRx9VLfPDkdDh8kGpSUyhgpyuyZQgh2eZxfVFkeEZIjWME08EwmfWDDn9ek0/nModotqvxs0ptfk8cHFpTrCDrvxOsnUQDFiBwGLQv/BKPMVEGXt6NGK4NPAX9BJN5HUq8LSEEYYtlijQzFT2RTDK7+syBAOSC9eXssGMbCYiy0ACt3wObMYOeUMkHXT7VsQiB+xhQVt78kMYcsEw4CmoPqf6qiVNgVMR+/3i28An1/G9hJ1eAIa2830deJ9ueb/LF1mqg+zOQxOvzTPWAIMsMaVEcro3y7lUBnyXuVSLNEMXtiYk1Wuyad7ZWQ2apBVboAHu7EyGShVSGjw79Lz2MkRjDGASOUbo9gvVPd0xJYxqQcGSo+hF5UtA8IjJbFWs+JDvR/e5GrSr+8flPcuOq1nO+RCTr80G03WAp6m8YfpUGRqS4IAgivzyMCUT5gZqjX/5Cey5mAAjuRdlsZMYBgC2gEDYU/cZjwq1K/PPPy+xlUGrnebYvpz1llro7AK/Xk1X0BDc5avv+fC1C52QXfnC8ztIxNR9Baw3wH1nlsxOQoBHaHugNC47zVNiD8cKbnNtFI081pzIOHvkmfwQinD9Z+FWjEVm09snDnndUkWv3BNsb1yRDrKHrnjJzecXDvzHOMJ/gprZI7PNjghaANkpQGyJmIG3VlfPbY0twXSsg5spuAUDSbtFDuel8XaIZ0kr1iJyKYhfwT6PKFIOdnU1qUUr+vj9vvpXyLFSXux93BqnUe4MCgXqTeCfsyrbkMYl0EBgR1+lqFuBDHHSu6kpa84ze4M2qHpto9vVm3gKVd063z1CqpmC4Ia0vNOkq5F4l4JAKchHdxd0PkI5ujxM7jTV/HPwaXXU6x2lJvrDmo8/vO9Zwnf4bF0yl79cQ/Cdf7a02ZEsGsgPnElZQfNjBjXWRtEuunL2VLNEXxQe8+gXA09x/NXzSd/5jEk8d8+Ji9fpkWku4oCDdzSeoZlWGBELQScGzBfiKd48Vp02RBlvAwTH+hmsEEdMsJKyD1Pv7Qa7978XwlMWFFVdFxkMXD+y4CsNwrhvSlL114QP3GrXJPKn8rF0NDhprYHne5bF8p3dd8TLlFVzMhjRDXgCIJMNG0viPk1lX6jqDWCmlYeZ+qid/4rFRJJVq7cwFfdR4QljEs9MatmziOsy9FvOyUON/Hl5ibw+yD8DIB/K8ViH25tta3O/7Hjt2PpsVMsWuA6C8XGcARLiXKMvz7FxILGLOQ5A2SuJCG+Nusk2itGUIK2OniFRYU+vzpmHi6GyGVw
GslgVDxhwa5zpZJuRsbxOCPO38pqd16IgjFGVHyTIUzuwEOW7F5s0hxAMioYKe5Fk6/LhjpA8Ly4OhsGaop4jcCIw0o/be+yWHHicPELZNLOe2VlEKv2ecaR4g6TM/cFUGwbX0CyX8GSI6X+DDr4SdiaUt0IvkrJoWgUifLBk3f52tzSb1FIvcie2eYUw1hlQ67d9du5qRAeBh9dSRwBA7Umb2/ViKS8Ul0xaSOvAgNn1yB5GS0YkyDM8H5DkfJ6eZG1Ml7inn8zSO0MnJAF3JfkB59cPWM1Ks6hoiDwF+2p+0GrRpyakbfvfrPT+44iSS6QvnqhGo4YipzsUgbYxu1XT4wxtrY6fWnmfHXTuYDqTdG8= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 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 ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/4634d3d6159b2403

Targets

    • Target

      174ac08f7fd9c8486511122f2b8c730018c68d4492bf58840f7dbe5338072883.exe

    • Size

      163KB

    • MD5

      3f2003b1f21f3fe386f1904b602b7bda

    • SHA1

      b796cb31384bd373b0b78ce8f2f4ffaec8f3dd43

    • SHA256

      174ac08f7fd9c8486511122f2b8c730018c68d4492bf58840f7dbe5338072883

    • SHA512

      e98138e04eece0404f720f2ac489b2771314f30888e148f58a2edaa64cf23da51a033837412ce0a76831fe054e8cc69971d28d44538ac4c87c9d9980e43bd367

    • SSDEEP

      1536:WKmTnl2YvQZS/6+U5aHQa1RRh1tvxeznqPhcHCH3yXCyK+:WKmTnl2WQS1U5aHQuRRh1tvxezq0w3y

    Score
    1/10
    • Target

      21697ff9c9b2ad4fb91d805cd139175a4ff8fbddf1fdff52c9dd8eee78612b27.exe

    • Size

      453KB

    • MD5

      862cf65eca1cf1395e947222b6258fb8

    • SHA1

      78872ba55112d4381a26543b87f2558b475fcf37

    • SHA256

      21697ff9c9b2ad4fb91d805cd139175a4ff8fbddf1fdff52c9dd8eee78612b27

    • SHA512

      e56ed23f230de3e879586d95de32f16c19b1dc26cae13e040c123290a7bb268563ccb9101ab81cdf9fdfc23bca6574230ed484f9914ae0b48ab5065d74ef1f01

    • SSDEEP

      3072:a/Q5Y48JB8FmHTafIa+XiRKCPqp2Jda45+8BSf6/yEhA/a9rwV:2QwzFa+XigCPycda4U88f6/ywAi9k

    Score
    1/10
    • Target

      299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88.exe

    • Size

      357KB

    • MD5

      ec3f1de3d4cbf11a03d8b009e304670b

    • SHA1

      09e5d173dac5fc4afd3954017b39375f00f32ebe

    • SHA256

      299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88

    • SHA512

      e78a3724a53a780a7ee85ceabd325dbb778b0d2dc7ac13b5ba8e0b5698eaafbbe22bb2edff78324ec86c97e7749ae92b77f675bb9259a7287ec031f0ba293a67

    • SSDEEP

      6144:x5mYqVMTMrX5MvgEJBe/OtpgJwOEV71iR4K/Rlxz7WAkDNoIpa4d46/:xjqVOMrXWvgEfe0UwtoZ7JkD84K

    Score
    10/10
    • Modifies WinLogon for persistence

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      390f8ea3044007611ebadad5352708aa3d0df0872b4550100f439a0aad7213a2.exe

    • Size

      34KB

    • MD5

      24de130fc752a95c45989f0552956be2

    • SHA1

      f0981e152f2a13a972c92e10fa88bdb3817e449b

    • SHA256

      390f8ea3044007611ebadad5352708aa3d0df0872b4550100f439a0aad7213a2

    • SHA512

      25518f56b78b0be316b29946fbac3d5d50a6580c8cdc1a1e92d9236f066b198c23708a20199a4b7f69bba8e8ac2e81340789799f26659d1f81c9402a494b81c6

    • SSDEEP

      768:7gs3plhY5bDZZnD7MJ+D7YC+t3XgxHjMzn9ygvtbx2ha5n:Es3plahDZFD7++/YC+Rgi9ygV0K

    Score
    1/10
    • Target

      3d26ddb0a96c825ff98a6b6456bf52dab1a896da2a8690a041524a6c82213a05.exe

    • Size

      267KB

    • MD5

      6d4c037eb8ba3f50e55f5a1f0d8a59d2

    • SHA1

      7a91a47cfdc65fe7463eef406c15877ee194a2a2

    • SHA256

      3d26ddb0a96c825ff98a6b6456bf52dab1a896da2a8690a041524a6c82213a05

    • SHA512

      1de971175cff40a906c6fb5bd6aa40007b7acb8698b5d38c858108ad2ff45be60cfa28227beabab4b70a0bff46caecb1284c1c72e23446051d6949b811073608

    • SSDEEP

      6144:o603faijWMA7PaSLeVHYjsNw9ENcBegswERi1umU:2vVvaPaSLwDqMcBePwERi1s

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • ModiLoader Second Stage

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      51308678ff4559482f32fc2138d4134b412ab75977c19003bd6a7209b3c1cb54.exe

    • Size

      374KB

    • MD5

      4cdf272264c0a1ac4ece4df6f1da1402

    • SHA1

      b75672a775a6ded522c8b3f294fd323819e1ac30

    • SHA256

      51308678ff4559482f32fc2138d4134b412ab75977c19003bd6a7209b3c1cb54

    • SHA512

      d08e14f704de9238190d1955bee6378e8e0223cf581c42df605a4000f4ccb72c5187d9a60bec58d6ece9ab76538d88e2a072526f6e16515c351ab010d6e24103

    • SSDEEP

      6144:VaLnnkc+VVufoje7H4p7ai1sNBG40os/b1iTBdl7yAOxckNM9VN:VaTneVw7Yp31sNqos/BiTTl7yNa

    Score
    10/10
    • Target

      600db89be8dbd50e60c620ea147688cea7d512b1dc545a6b95fe41f0dfeca57f.exe

    • Size

      48KB

    • MD5

      3663358301ea6c5d5b3d5781278c7463

    • SHA1

      13bde896d7d7873360bef334459430b3080abb8e

    • SHA256

      600db89be8dbd50e60c620ea147688cea7d512b1dc545a6b95fe41f0dfeca57f

    • SHA512

      0115d0681659ccd9915f2bda2bf58104954c7077192a64172f6015543cf0f2b2cef0660786536de9429cbc6c8ea159c22ea58970ff426f65ee09375f7a654806

    • SSDEEP

      768:C1IWBH0x4CL/C6SVk86TjZELLtiPdSWaP6laZ950yjT:44yj6PyNiPo2m57H

    Score
    1/10
    • Target

      6860173ca54b7e763cc667ac54435f1a18a821e09453b9e41556b6c2e9323eb1.exe

    • Size

      19KB

    • MD5

      1dc214e694aa0bea8649d840581c07b5

    • SHA1

      4d905f6faddbac18fa5a9b9926c4853ccda2a165

    • SHA256

      6860173ca54b7e763cc667ac54435f1a18a821e09453b9e41556b6c2e9323eb1

    • SHA512

      035620842a278ed03cae8d9f1dd749eee54f0aa00357b2d5df5e91f91c04cc7184d2fd3b8e0ba60bc6216097ef5689e5e9cd856bd09a0c60d105a4c091823543

    • SSDEEP

      384:FsAHwKr2eLG2ydifQuvREasXLmQLFRkoC/kDKqdojB8/c:FsxKr2eLG2ydifQuvREawLnL7C/qKty

    Score
    1/10
    • Target

      6fd5bdcc625d735f67f0ad4cacd06feb2ae20a2ec7626ff91fbd1848d1173d34.exe

    • Size

      197KB

    • MD5

      f54bf8a9ac0619ebb290f76affd35624

    • SHA1

      0a9ad51006dab3b145c2ba65f93e7548d5f61691

    • SHA256

      6fd5bdcc625d735f67f0ad4cacd06feb2ae20a2ec7626ff91fbd1848d1173d34

    • SHA512

      97276d801d46e59b36f222ae2054f43dd96a326669955062b2282673993308db1f682038796e7b6dd11debd93734a6362a2778dbcad9f3942654e6cafbad705c

    • SSDEEP

      3072:mBL85NXa8SH2sNladJHHfcukDkdrvRk+j1HBoftYzeZG5+76gkXRkT:jrRSHKHfcukMrvX6VIeZc26XXRkT

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • ModiLoader Second Stage

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      87cee50a81408e14f015d7507a87950e678742ba78015fd65d24f9934d22c9c7.exe

    • Size

      155KB

    • MD5

      cc3031638f4aef9c8d4062bb3103140b

    • SHA1

      2f4628c65da5ad001953468c294550b32cca9124

    • SHA256

      87cee50a81408e14f015d7507a87950e678742ba78015fd65d24f9934d22c9c7

    • SHA512

      939c12b95db960d6c03a879a4ead4e19adcc82c3410d711ed6f955e812eddd86046e3760334843fbc3a22b850dca7878dcbfa6a7e3aa19c9958d5870d13af0cf

    • SSDEEP

      3072:SqhFvhfBQBlLY6hiYbeRMj9JVHThG0HWZlOOPIdLEvJxBroBXPVNPHUWt7outd:SqhFHAYwiYbuu93HThvulZPgLAxB0BXL

    Score
    10/10
    • Modifies WinLogon for persistence

    • Deletes itself

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      93564e681c3b63f14bfb67df98f5461917c447f343770a3a944ab251c4dac5ca.exe

    • Size

      324KB

    • MD5

      7f2e755385cce6862a68d60053d4ad64

    • SHA1

      bb7ab43a8537b4aa019f4873bbfa27fa9721c945

    • SHA256

      93564e681c3b63f14bfb67df98f5461917c447f343770a3a944ab251c4dac5ca

    • SHA512

      3e549a4527a1b4d82313436af4d2858566e2611034970fddaa21cae4e1cc22c1c3ea864751ad409d014e67ec35f0faaee08c25bb25684ba3e0d2f72da43aae28

    • SSDEEP

      6144:KWw1sSGm39FkhqL58C14Aox2hK/bbeLjbBmnZxl0FRqfcCiUUqq6YYjYzwTRoSM:Kbdb39mhC8CyTbytgiyUhUUqq6rjdRoS

    Score
    10/10
    • Modifies WinLogon for persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      9c109b79dae8527b370cc0b91d5822f4a69b3acda284c361b310e18738ec5a97.exe

    • Size

      165KB

    • MD5

      e3566b5bad34be0acd68d975274f48f0

    • SHA1

      b4a8116598f602486598ba4b4e41fa82fe41b763

    • SHA256

      9c109b79dae8527b370cc0b91d5822f4a69b3acda284c361b310e18738ec5a97

    • SHA512

      ac8da074e8f6d5ed1d1f012d9cec9d38a17e3d28ae13527394f719ab045e3f92f9ad99978a982edd5377ec9102c747e00ad55011e7d47179af2c7188cf060d60

    • SSDEEP

      3072:xJ60eHr2T1ds7Z2gcsRxAHxZbL4W9qZVLzbce2liSsU5t9rL+Au9TGLyPl:xJh42T1dMZ2gcok3lazbX2zJ+bxN9

    Score
    10/10
    • Modifies WinLogon for persistence

    • Disables Task Manager via registry modification

    • Modifies WinLogon

    • Suspicious use of SetThreadContext

    • Target

      9c8685a98f9be3a699ea95314449fd90fbaeac3e587efdfcb0c495621e7b087f.exe

    • Size

      57KB

    • MD5

      2ddb9321572e375dfeccceaa606f57f6

    • SHA1

      d37068c9be009dfc7af9712abafa5c738da30492

    • SHA256

      9c8685a98f9be3a699ea95314449fd90fbaeac3e587efdfcb0c495621e7b087f

    • SHA512

      ba31c0d8fc5f7cbd2506c6b3ceb362992bba02620a650d15d36a01278b40716690ac6532fb6e0c31fc390264f40b37709910b51517dca1912f4771c5f7dba32e

    • SSDEEP

      1536:m0dPL1G+r31JLduRROT999+kD/J+AaCer+nouy85:miDBtuHU999vgAaUout

    • Modifies firewall policy service

    • Modifies security service

    • Modifies visibility of file extensions in Explorer

    • Modifies visibility of hidden/system files in Explorer

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Sets file execution options in registry

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Target

      CrypMod.exe

    • Size

      594KB

    • MD5

      bdc7130f8edce09b538b6ec22ea7a1aa

    • SHA1

      254bc06fcd8d5929a9cec304cec82951ba46f1a0

    • SHA256

      a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2

    • SHA512

      d054c46c77566fa22ad4e8bfa9585be860873f838da32a2e7ce2d44ac1d85941fe1e3e02920b544f653b5939b802e40407c5f0c27de58a73d94e392ad7058cc5

    • SSDEEP

      12288:me/nu8i7TZz5/c+K5lCT26pOhiR1O6sve2kC8T5J:me//2TZzLwCT26pOhG1Cve24T

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (312) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Target

      Fuck.exe

    • Size

      168KB

    • MD5

      d1c616cf0fd1eb61164e9091cad354c5

    • SHA1

      444539834e496f04cf9c07594645ca252f3b52a8

    • SHA256

      b5a2fe5b87deed18b789929faaa7601771de63dfe6a670d09224aa57ebe8c6b9

    • SHA512

      441477d5a429dad3e499e943c8dfb54ad673320eed81f4fec00b3798839b3bb296c446354d5e1f46ec52aa278417011ab8ae7f374df1347e341e46243276af00

    • SSDEEP

      3072:B36NS6YsVsI11Tl2JD5wMPm+RY8RvPCdSGk8RQcj2Er:B3H6TsuzYGMgWcSE

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (311) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Target

      Generic_Ransom_1.exe

    • Size

      1.8MB

    • MD5

      84b51ee1b45d26e08c525d9c87a4945a

    • SHA1

      04d9559bb0ed6e964b05d1583a7410eca837f1cf

    • SHA256

      debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8

    • SHA512

      d3a4c07119ce03d1199ed2e6fb98b1504c171fe1d8ce1d71c33e2f2562ad0149e4fd5018ae837d9500761ad3d73f30c48d8c44d72438b048c8fd5f914d3549c9

    • SSDEEP

      24576:sVLOUsdmcKn0RVIC0GN9eyS7QPkIIgmWmQL3taRHLM36T22CKRJqNE4u6FOcnDs7:stJ6F7PN3taRHwe3clnBowQg7K

    Score
    8/10
    • Registers new Print Monitor

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      Genericcc.exe

    • Size

      293KB

    • MD5

      dbc292a2292c6061700236830d45ca91

    • SHA1

      fcdfba4b95c145a715209d694639de6be0478f6b

    • SHA256

      e60fc4473ada26f3a8d2dd5c5f226441073bf86737e271f6f2ec61324ef9ab60

    • SHA512

      551e097fb31a5e7a6b6ecf602f7ae8cb63dc620940fe47b003ebcafcedbfdb391731cfce399b48111ee9524f2272f53eb4076c84f65e377336930fd6b3c3e0fe

    • SSDEEP

      6144:6qcbmoTtMUxxzP75a2eoEnnZcYupty6DPlQ82hmbN:6NTTyUX/5a2NGZcTs6DPlahmbN

    Score
    10/10
    • Modifies WinLogon for persistence

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Drops file in System32 directory

    • Target

      Gneeirc2.exe

    • Size

      110KB

    • MD5

      c35506bd3fedad57e7f1ea975ebcaec5

    • SHA1

      0977676ae8c8716824a13037c7eb4c7b95c58ae7

    • SHA256

      208cca124ddafe35a122f6bdd36191151a2730b4e1051804d5f68d0cb4b44145

    • SHA512

      adbc0991a10ce0fd293f3706583f44bd0805a97e10e45da896bcb2eb3cbc507eaeb711f2ff98df941d12aba9804fccc5c6a1948991fd278736360acd9b411b51

    • SSDEEP

      1536:vAakOZurAqbsvCFWc1dIgF/q52677fqdmT7K:vAa+rAqQufK7WET2

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Target

      MyxaH.exe

    • Size

      286KB

    • MD5

      86d543779889aa512f7395edece0d852

    • SHA1

      9b657e8ee0075ebf0cd48cea54b4628f06cdfd1c

    • SHA256

      e6087745223ce9ce7de8b4c18c2d141ed9057d9088b7faf77473953a921cbb73

    • SHA512

      51310d932e8eacba62c2647a39394c33427044d907bffdf3c63c982b49048848d3e77bdf9e5500a64d52b0cc93e447a9b7ba70ebbc97ad4713fc3d80f1bba76b

    • SSDEEP

      6144:smGIhLaUrYyu2Pcyl+lxnHFCGcjN+c+iUri27J5P/Xj2qQ:73bzuPHj5Hria7z2qQ

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Loads dropped DLL

    • Target

      a1e86fc6cfb129a978b7de1f8b773f766640e50874d8989999be2c55c6d022c2.exe

    • Size

      350KB

    • MD5

      77cdacf274d43d2a1e1b6d82cc2350f6

    • SHA1

      eb49f61e80ae9c58f5d2a4ee4aedf14ac022b9c5

    • SHA256

      a1e86fc6cfb129a978b7de1f8b773f766640e50874d8989999be2c55c6d022c2

    • SHA512

      1afa8783f4176dba9afbcd6ad86edc1a8cd34f03d341f0745c63e5ea5008a7e68be87d05055495dcbc7383c3d17871b453dd440059716ae11bfa83057d882f85

    • SSDEEP

      3072:kLQBOJeFK/MtgYcjuwiBrqg0Q+KUYN3PSe57vsR1pEzm43vHG/b1K+wk:kskQK/JdRios/UOPSe570Szp3ujN

    Score
    1/10
    • Target

      add230a2e7aabf2ea909f641894d9febc6673cf23623a00ce3f47bc73ec9b310.exe

    • Size

      157KB

    • MD5

      4bd82da426f6b59e08b40044adb5a3d2

    • SHA1

      097db21cb36c15979730a775ac6bad1240d75275

    • SHA256

      add230a2e7aabf2ea909f641894d9febc6673cf23623a00ce3f47bc73ec9b310

    • SHA512

      77dc3f9089bb1877defa28e39a9c3a615efed7975dbbe3a4d3af942a450776cf2935d164059d2519aa2d5105ab06106c39431e4baba82c42c3f2cbacfb82b630

    • SSDEEP

      3072:wi8Iy8EytSLbi4eTMlwDCnuZ3j9ifgwbDJ1fMP:B8IUykbnWJZ3jkflJ1fM

    Score
    10/10
    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (167) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Target

      ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe

    • Size

      8KB

    • MD5

      5ebcd7121459a0fe3155f9f6f63a1a6a

    • SHA1

      edb50b9de18115b11dabe9941f5b8becf36c9999

    • SHA256

      ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7

    • SHA512

      c8994370f6af18855851879ced2456f9c87b6c6c5f4e7bee048fafea5cbbcc17b8f91ad06c8617b7a04ecad70eb9d22babdd8a3fe0fae7269490a0beac714a00

    • SSDEEP

      96:WQ48k/t9wUnsggfHGyK0/Dia4QJT9hHKwCSJAPVj3BiiZD43EXYUHvh/F:z4p/t9/UuyrL54QdAPfdGle5F

    Score
    10/10
    • Modifies security service

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      b878926219059096382653b807efb9476435cc6d3401667c502d2c7bb2f6d7be.exe

    • Size

      161KB

    • MD5

      ba6e3d454c86502e413c299303686cab

    • SHA1

      8ffa2398965a1ad4503566e07e0a8cea4cd168e4

    • SHA256

      b878926219059096382653b807efb9476435cc6d3401667c502d2c7bb2f6d7be

    • SHA512

      b0035f23c520f8f84b88498fcb3945e4b7edf1f7713de9837ed9a4c02443d0bbec3200dbece3671d866803bf7ac07a4d7116afc89b619767dea6e71e91c4a1df

    • SSDEEP

      3072:a1mDHCjYBNCERkjlK7Xa3mUrvwF+OPgAwVbAtOP+uLXD8Ku7IhhV6u:FOjkCE/a3mmvwFavV/L4Kq4e

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of SetThreadContext

    • Target

      c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe

    • Size

      248KB

    • MD5

      d3e517e198379ed5b8faf580bef47961

    • SHA1

      5daf25a32e1a3f8dbbf14d488487c0175d266d60

    • SHA256

      c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a

    • SHA512

      3902b8f850c5d1242840f7c61d38b677a7d98356097c939dd2f06ed9d18f1391784775ca213b1d3cf5a1e661f2d79a14f250bbfb8202124646ac89e451b0d162

    • SSDEEP

      6144:5Qscj0zoT9nfNARb+m4hOZTIpZh3usSoSVGM:yQzoT9fNAcmeV4xoS

    Score
    10/10
    • Modifies WinLogon for persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      cryptmod2.exe

    • Size

      532KB

    • MD5

      6d497a11457912bff6d4b92b5e383037

    • SHA1

      d8e41fdc4acc037ac3f4155321b62e9e14fd9220

    • SHA256

      f6e4a44a1c6bd6a79041746337fbba4e725abb70afb48d676a60dd3ba0c5c65f

    • SHA512

      1f72e2b6182debbb0a46ee08d944cf67b6cc19f89be6e614b27b4bd7156865f32db56c6eac1f619a84072afb126e30537759382e7a299d04ac347efffa8af78a

    • SSDEEP

      12288:T0HVVyZ0fNuTJHLvpkMPrQ4YVZq3Yu8/Cv9qFe4K:TKHcTFLvprs4YVcIu8sl4K

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (267) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Target

      d041a11a04bba9142ee44712a53c8e94bccefeefe1d382ac35171518cd6b64a7.exe

    • Size

      242KB

    • MD5

      3cea112008870b0f75a3e707281ca483

    • SHA1

      3119927821ea72c74022b5b4d8d749bdeb467bfa

    • SHA256

      d041a11a04bba9142ee44712a53c8e94bccefeefe1d382ac35171518cd6b64a7

    • SHA512

      e0c187c0acf772b4808eabdc792e2d4598ec206ffd76df3b04d6e4aa2f263aa39b6ff19fafb81499685c16cde7e5b8e1f15858e1f99cbf292bb20145e8fb7ff1

    • SSDEEP

      6144:fkY8lsGOLp9DJKnDNdVRQnTDwd7x/t8mRaYESWPXgLgadXoSAj:LUsG+3JYbnQnTDwfVFsuWPEgkoSO

    Score
    10/10
    • Modifies WinLogon for persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe

    • Size

      188KB

    • MD5

      4f92d8fccd5ade0673aadefea9f04f44

    • SHA1

      927bd3212787d5ded2a21301d1f483203b23de29

    • SHA256

      db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f

    • SHA512

      fe029565179ee63dc1416fe8f739248ad510f7ec4d54f4ea863541f874af86a9ddd768d999b8c29c15dfd7732ce9d0e9b07230d5523b62bc4defe317fa3c8bab

    • SSDEEP

      3072:E2sAaxYA5sKkzigXD0+H4gQU3YZA3vX5/exte:uAzzXF/r

    Score
    6/10
    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      dcb283e040d84bf1a86b381bfb0ce6b8dc070b58ba5d3150eed9cb7becf769ea.exe

    • Size

      112KB

    • MD5

      c835d22fdb3c6981ce4b103bddf5e992

    • SHA1

      f33af47012692e3cd18b0224e78637325113772e

    • SHA256

      dcb283e040d84bf1a86b381bfb0ce6b8dc070b58ba5d3150eed9cb7becf769ea

    • SHA512

      a66405cb2ed2c4fb211d95e216aebf894c88bfee461484bb3d4f846ee0e0aedaa8e92aed5b19fc05d52653e60f148fc49a911c9381a5555a8237e277d88f7b4e

    • SSDEEP

      3072:lqkp02Jksl00uL14yNYRDJWN9udpsL04lwT8:82Y0u6yNY23+c3CQ

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      e54de5d857ff16efd72ff0223235826494147444538f725f6977ca892282e7f3.exe

    • Size

      55KB

    • MD5

      7d4ef2a82587ae1bddeb41529560f6f0

    • SHA1

      9c97a609d0ed9cbc5a3e7c40fb9dce196c63c82a

    • SHA256

      e54de5d857ff16efd72ff0223235826494147444538f725f6977ca892282e7f3

    • SHA512

      1b333e8704b0afbcd2282ab1d6b9c5bc75e5be0f133a57b01da57bbb1dbfb3429eaa7f6eacdc048646476bf44799add0358c5cc82e2fd60006b4b0682a746491

    • SSDEEP

      1536:NVok6yvYSerI7XB0EiV5vpl1N5lJeltvW:roklxkI7XB0EAf1PeltvW

    Score
    7/10
    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      f14fd49537695f6e33bd102633b0737a2713df3197e36b7cdb176bc8683f6919.exe

    • Size

      13KB

    • MD5

      77f38a73c7c99d1ffbdc62361a4c34b9

    • SHA1

      669eaa55c605e63a97ba4e944c0832a7c7602c85

    • SHA256

      f14fd49537695f6e33bd102633b0737a2713df3197e36b7cdb176bc8683f6919

    • SHA512

      6a0caf648b6806de6553154039cdf739603be03dab2878d73bc3cfd6eac1bc4ecae716b5f1bd2a2304f214a5bb0b6c01aa509f606d367c847f1f119a416ababd

    • SSDEEP

      384:O2wcl2mx1mbMz1YCRJwiQ+EYE4JqP6ySqH9:Rw2QkhRJwiQtYE4XySqH

    Score
    1/10
    • Target

      f7ee55f1571b1a082a8e61811811009b02e5b0d651bd7c3f8d29ca16ef1e14ed.exe

    • Size

      284KB

    • MD5

      1bb03d2ed04d84232c79e2cb8bc9bb16

    • SHA1

      0680e85a0edbf41816791ca8b0704cf74c362cde

    • SHA256

      f7ee55f1571b1a082a8e61811811009b02e5b0d651bd7c3f8d29ca16ef1e14ed

    • SHA512

      78aecaa2c5cf9c00ef15a6940908468f8318d0f5f7b38dc2c54a5d0d344a0196e3004ff7dc8ab3f19fb29508029a676944561202139efd0b0c1a22dbc0bbceea

    • SSDEEP

      6144:SMXLW0lA/pXoXA9OZyRQAXFMdJ2d3ReNPMV3r5ZloYO9+i7UOuZYhYDlVoS:TiQA/pYgHHX3hxV3rtPJi6XoS

    Score
    3/10
    • Target

      genenenrnenr.exe

    • Size

      808KB

    • MD5

      e49c40f6a69af400f2e11dd8fe6604dd

    • SHA1

      56107d38cc5a94c67bdb92aa7566768b8e82b1f2

    • SHA256

      b4c2ffccfe807167860d70ea95cde0390f2dc4220992d272497ced04afb97edd

    • SHA512

      80f782bf58a405559a1140be30838b7d46ddca5423d9001cb1f87005e0e46e2a6e20ae3229bd095e86d8f2fbc30020a7be8f08c7f47f095247168424b2412e28

    • SSDEEP

      12288:oTsKNGpaBPxBlvdtsYuj+Ue8vQjY7heDHcMicoXfC/ye:YNG+PxvU3tvQweDHydqJ

    Score
    5/10
    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Entries are listed per tactic as: technique (count) ATT&CK ID, with sub-techniques indented under their parent technique.

Initial Access
    • Replication Through Removable Media (1) T1091

Persistence
    • Boot or Logon Autostart Execution (22) T1547
        • Registry Run Keys / Startup Folder (13) T1547.001
        • Winlogon Helper DLL (9) T1547.004
    • Create or Modify System Process (3) T1543
        • Windows Service (3) T1543.003

Privilege Escalation
    • Boot or Logon Autostart Execution (22) T1547
        • Registry Run Keys / Startup Folder (13) T1547.001
        • Winlogon Helper DLL (9) T1547.004
    • Create or Modify System Process (3) T1543
        • Windows Service (3) T1543.003
    • Abuse Elevation Control Mechanism (1) T1548
        • Bypass User Account Control (1) T1548.002

Defense Evasion
    • Modify Registry (48) T1112
    • Hide Artifacts (2) T1564
        • Hidden Files and Directories (2) T1564.001
    • Abuse Elevation Control Mechanism (1) T1548
        • Bypass User Account Control (1) T1548.002
    • Impair Defenses (3) T1562
        • Disable or Modify Tools (3) T1562.001
    • Indicator Removal (6) T1070
        • File Deletion (6) T1070.004
    • Subvert Trust Controls (2) T1553
        • Install Root Certificate (2) T1553.004

Credential Access
    • Unsecured Credentials (5) T1552
        • Credentials In Files (5) T1552.001

Discovery
    • System Information Discovery (24) T1082
    • Query Registry (11) T1012
    • Peripheral Device Discovery (5) T1120

Lateral Movement
    • Replication Through Removable Media (1) T1091

Collection
    • Data from Local System (5) T1005

Impact
    • Inhibit System Recovery (6) T1490
    • Defacement (4) T1491

Tasks

Each task is listed with its tags (where any were assigned) and its score.

    • static1 (aspackv2upx1349sodinokibi): Score 10/10
    • behavioral1: Score 1/10
    • behavioral2: Score 1/10
    • behavioral3 (persistence): Score 10/10
    • behavioral4: Score 1/10
    • behavioral5 (modiloader, persistence, trojan, upx): Score 10/10
    • behavioral6 (persistence): Score 10/10
    • behavioral7: Score 1/10
    • behavioral8: Score 1/10
    • behavioral9 (modiloader, persistence, trojan, upx): Score 10/10
    • behavioral10 (persistence, upx): Score 10/10
    • behavioral11 (persistence, upx): Score 10/10
    • behavioral12 (evasion, persistence): Score 10/10
    • behavioral13 (evasion, persistence, spyware, stealer, trojan, upx): Score 10/10
    • behavioral14 (gandcrab, backdoor, ransomware, spyware, stealer): Score 10/10
    • behavioral15 (gandcrab, backdoor, ransomware, spyware, stealer): Score 10/10
    • behavioral16 (persistence): Score 8/10
    • behavioral17 (aspackv2, persistence): Score 10/10
    • behavioral18 (persistence, ransomware, spyware, stealer): Score 10/10
    • behavioral19 (netwire, botnet, rat, stealer): Score 10/10
    • behavioral20: Score 1/10
    • behavioral21 (sodinokibi, ransomware): Score 10/10
    • behavioral22 (evasion, persistence, upx): Score 10/10
    • behavioral23 (upx): Score 7/10
    • behavioral24 (persistence, upx): Score 10/10
    • behavioral25 (gandcrab, backdoor, ransomware, spyware, stealer): Score 10/10
    • behavioral26 (persistence, upx): Score 10/10
    • behavioral27 (persistence): Score 6/10
    • behavioral28: Score 7/10
    • behavioral29 (persistence, upx): Score 7/10
    • behavioral30: Score 1/10
    • behavioral31: Score 3/10
    • behavioral32: Score 5/10