Resubmissions

26-03-2024 14:35

240326-ryecksfd5y 10

26-03-2024 14:27

240326-rse2xsfb8y 10

General

  • Target

    New folder.rar

  • Size

    15.3MB

  • Sample

    240326-rse2xsfb8y

  • MD5

    6677e9a1e490857b5bdfb0744cd260fe

  • SHA1

    20a0692c3001f36c56f811d614dfbe6b2a0b5612

  • SHA256

    1cdf0dcd13a46906d73588a4f2ef20637d25706ce90b53a7b6f1701c28cb3596

  • SHA512

    52c80873ff9d70a2ef1669ccfb1f2e1cfeb2a521102d0b38164c88f680924b84560245c3104b6c7e742bd952617db405720f6b08f541d6c4cdf1c33a25478ab6

  • SSDEEP

    393216:NUYQW+GfB8a8lENPHeGcC6yz9Jp0tu/5TKP0Arl:y9GfBntHeO9Jpn/Fe0AR

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message D658F9CF In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Path

C:\Users\Admin\Documents\READ_THIS_TO_DECRYPT.html

Ransom Note
<html> <head> <title>-</title> <style> html {font-family:Consolas;font-size:20px;background-color:lightgrey;} div{ margin:0 auto 15px auto; border:1px solid; background-color:grey;} p,h3{ text-align:center; color:white; } #R{background-color:darkred;} button{padding:10px 15px; margin:15px;} </style> </head> <body> <div> <h3>YOU PERSONAL FILES HAS BEEN ENCRYPTED</h3> <p>-</p> <p>Your data (photos, documents, databases etc.) have been encrypted with a private and unique key generated for this computer. This means that you will not be able to access your files anymore until they are decrypted. The privete key is stored in our servers and the only way to receive your key to decrypt your files is making a payment.</p> </div> <div> <p>The payment has to be done in Bitcoin to a unique address that we generated for you. Bitcoins are the virtual currency to make online payments. If you don't know how to get Bitcoins, you can click the button "How to buy Bitcoins" below and follow the instructions. If you have problem with this task use internet.</p> <p><abbr style="color:red;background-color:black;">You have only 1 week to submit the payment.</abbr> When this time ends, the unique key will be destroyed and you won't be able to recover your files anymore.</p> </div> <div id="R"><h3>YOUR UNIQUE KEY WILL BE DESTROYED IN 1 WEEK FROM ENCRYPTION!</h3></div> <div> <p>To recover your files, you must send 0.1 Bitcoins ( ~$37 ) to the next Bitcoin address:</p> <p><abbr style="background-color:white;font-size:35px;color:black;">15F5FM7qMhLQ44RDxuozbKRwSbHKmq7N39</abbr></p> <a target="_blank" href="https://bitcoin.org/en/getting-started"><button>How to buy Bitcoins #1</button></a> <a target="_blank" href="https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)"><button>How to buy Bitcoins #2</button></a> </div> </body> </html>

Extracted

Path

C:\Users\Admin\Desktop\_READ_THI$_FILE_33QNII2_.txt

Ransom Note
CERBER RAN$OMWARE --- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! --- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: --- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/12EA-1E35-D050-0446-9493 Note! This page is available via "Tor Browser" only. --- Also you can use temporary addresses on your personal page without using "Tor Browser". --- 1. http://p27dokhpz2n7nvgr.1hpvzl.top/12EA-1E35-D050-0446-9493 2. http://p27dokhpz2n7nvgr.1pglcs.top/12EA-1E35-D050-0446-9493 3. http://p27dokhpz2n7nvgr.1cewld.top/12EA-1E35-D050-0446-9493 4. http://p27dokhpz2n7nvgr.1js3tl.top/12EA-1E35-D050-0446-9493 5. http://p27dokhpz2n7nvgr.1ajohk.top/12EA-1E35-D050-0446-9493 --- Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://p27dokhpz2n7nvgr.onion/12EA-1E35-D050-0446-9493

http://p27dokhpz2n7nvgr.1hpvzl.top/12EA-1E35-D050-0446-9493

http://p27dokhpz2n7nvgr.1pglcs.top/12EA-1E35-D050-0446-9493

http://p27dokhpz2n7nvgr.1cewld.top/12EA-1E35-D050-0446-9493

http://p27dokhpz2n7nvgr.1js3tl.top/12EA-1E35-D050-0446-9493

http://p27dokhpz2n7nvgr.1ajohk.top/12EA-1E35-D050-0446-9493

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 3C7AF601 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note
Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at: [email protected] [email protected]

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All FILES ENCRYPTED "RSA1024" All YOUR FILES HAVE BEEN ENCRYPTED!!! IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL [email protected] IN THE LETTER WRITE YOUR ID, YOUR ID 06B78492 IF YOU ARE NOT ANSWERED, WRITE TO EMAIL: [email protected] YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON'T PULL TIME, WAITING YOUR EMAIL FREE DECRYPTION FOR PROOF You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) DECRYPTION PROCESS: When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you: 1. Decryption program. 2. Detailed instruction for decryption. 3. And individual keys for decrypting your files. !WARNING! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
==== GERMAN ==== Alle Ihre Dateien, Dokumente, Fotos, Datenbanken und andere wichtige Dateien werden verschlusselt. Sie konnen es nicht selbst entschlusseln! Die einzige Methode Zum Wiederherstellen von Dateien muss ein eindeutiger privater Schlussel erworben werden. Nur wir konnen Ihnen diesen Schlussel geben und nur wir konnen Ihre Dateien wiederherstellen. Um sicher zu gehen, dass wir den Entschlusseler haben und er funktioniert, konnen Sie einen senden Senden Sie eine E-Mail an [email protected] oder [email protected] und entschlusseln Sie eine Datei kostenlos. Aber diese Datei sollte nicht wertvoll sein! Mochten Sie Ihre Dateien wirklich wiederherstellen? Schreiben Sie eine E-Mail an [email protected] [email protected] (reservieren) Ihre personliche ID: <! - ID -> Beachtung! * Benennen Sie verschlusselte Dateien nicht um. * Versuchen Sie nicht, Ihre Daten mit Software von Drittanbietern zu entschlusseln. Dies kann zu dauerhaftem Datenverlust fuhren. * Entschlusselung Ihrer Dateien mit Hilfe von Dritten moglich verursachen Sie erhohten Preis (sie addieren ihre Gebuhr zu unserem) oder Sie konnen Opfer eines Betrugs werden. ==== ENGLISH ==== All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email [email protected] [email protected] (reserve) Your personal ID: 1DB76747-5F5B-890E-56B4-B35D45E3198E Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. 
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message D4457B8A In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      081899c5257cdf6b27b238f9114b9151a755a2044cb463eb2214fa9101c4cd89.exe

    • Size

      24KB

    • MD5

      bdd728030128165279b3cadf246d495a

    • SHA1

      032479b1a1d4bb21fdd07736a8d4d9c5fa4a70c4

    • SHA256

      081899c5257cdf6b27b238f9114b9151a755a2044cb463eb2214fa9101c4cd89

    • SHA512

      8ead3841b4c7d5f56f6456ead428c5e43c748cc05252a7c119b3110143ab1c29c97e5e1779e53f26142cba48c17b04de259bb639d1a23b9ed315b7cbf7be9330

    • SSDEEP

      192:+W0UBkFvRFGHPQWT3e9+qQ/1/zJvZvdW9+2Cp92xR42eMX8:+WiFvROPQWa9+qQ/1qMyeMX

    Score
    1/10
    • Target

      082060e3320870d1d576083e0ee65c06a1104913ae866137f8ca45891c059a76.exe

    • Size

      799KB

    • MD5

      f6a8d7a4291c55020101d046371a8bda

    • SHA1

      09b08e04ee85b26ba5297cf3156653909671da90

    • SHA256

      082060e3320870d1d576083e0ee65c06a1104913ae866137f8ca45891c059a76

    • SHA512

      547ad8ac404e494cce474209ebfbe33a40b69feb59f564215622f479e98dd93699794f4950b05d21225af271c55987da24c68d7c4c172f1d99ba7050b7063888

    • SSDEEP

      24576:Fpfzmg0hsVxPJHnhxqj/jELyOpQR2dnCy:FpfCHKrPFnh4jEWOpQEdnCy

    Score
    10/10
    • Drops startup file

    • Target

      09d22d634084239df510d088dd1685886fdba2810df4067771142fb2204cef64.exe

    • Size

      108KB

    • MD5

      61d03ddc11ca4fc3e752abcb03bc53ed

    • SHA1

      a872988919744d81154025b1d17cab2bc70b8e99

    • SHA256

      09d22d634084239df510d088dd1685886fdba2810df4067771142fb2204cef64

    • SHA512

      1d0ed13686785e03d8ab33d879e6d949179bea7d7051525ffc55bf28896d0f6456e17295a9941e07d07ffbc13f138df99fa0871dd6e070da292dd221f7ca216b

    • SSDEEP

      1536:OTu/iJ0cjtqTgpdJEHlwKg2cxhDfiJ8xmeoBJIKs3Z3P4lGLD:4u0jtwaPBKg2ihjiJ8MeoBJIFZ3UyD

    Score
    1/10
    • Target

      1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe

    • Size

      2.2MB

    • MD5

      f5f2f6c370db4b38bdf8032ea3ef2a64

    • SHA1

      b5e188540539bc2b1d128f408160fa91e724c84b

    • SHA256

      1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4

    • SHA512

      f2216faac5d07fb2d6f3faf6cf1e18e94c0ada8aba35a8d2d8491efd1ada526d5358a592b6877a9783cc9b5e81dd54fec8b9969ffd650c0f8aff2e3243dbe18c

    • SSDEEP

      49152:UtAZanCoV4BdnctNbS/iXmYjlV8O7pzTs8OYFFxZbVybdXERd:9x6Mdn0p7pzTsQR

    Score
    8/10
    • Drops file in Drivers directory

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Target

      20efc37efcb36bc4a7cdf75ff667d3193959bf1858a4c115fd4301ca11ce8ddb.exe

    • Size

      28KB

    • MD5

      07ce060934a9106a3e135c33ebd64e9e

    • SHA1

      e9d0fdb9d91ec314778f45065642066cbd4c575b

    • SHA256

      20efc37efcb36bc4a7cdf75ff667d3193959bf1858a4c115fd4301ca11ce8ddb

    • SHA512

      c3c17c911464deb7be6daf3339738fb53e89a93f0b58eb5971d6ffbbd7aced4d88ff61ab2ac973f8c1f6dafdf9e4dc505d17607b0b8b9be822b98b0b8a320f8a

    • SSDEEP

      192:EmUk5kULV+jC9LDADPF9+qQ/1nwzJvZvdW9+2Cp92xR43beMs7ui4jrh:EmFDR+jCpAJ9+qQ/1nZMHeMsCj

    Score
    6/10
    • Target

      23b5ce252f1cb3ff40a3bcb3ea53dd674175c3ad782b00e33ae45c8c87fa265b.exe

    • Size

      235KB

    • MD5

      fc7b0066d7d250b619a3c6c3ee1b22f9

    • SHA1

      f307dc2d7d41e5d2678144de98445fa3c14e7583

    • SHA256

      23b5ce252f1cb3ff40a3bcb3ea53dd674175c3ad782b00e33ae45c8c87fa265b

    • SHA512

      4178ac9a1e5e9f5817412de1ab210c1c95ebe1a47875f14844ff5e234191c2facaf8f7ae184c9fc33c334cdfa8615ccbdc8aaaac1d3aa6697d4ea49ef01aa1bd

    • SSDEEP

      3072:BS4er0KRFMyC4FtM/LMZaIfhhM35E8/OZZe6WXVDhjt6SeFUkgYF6UTcysS:BShA40/haM3hGEphsxUYF6Ecyx

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (314) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Target

      35fdad147c2ab2c36dd7fd1ad1ae26b80be6c501bb22120b741be3ab34be168f.exe

    • Size

      542KB

    • MD5

      ce29783e7465bd57067f67afba0f996f

    • SHA1

      c6d5bc37d17d43a1cdb17d39e46b8f3d61d46578

    • SHA256

      35fdad147c2ab2c36dd7fd1ad1ae26b80be6c501bb22120b741be3ab34be168f

    • SHA512

      b92a1bdb77f05c5a6cf0b883bb2b4205c6d3a97dce1e6f82a102d6e6fcba1a025d3953ed7f3ef9268f6383a7cd2f6af2de37fec736eb4d77aff40b12a901c0be

    • SSDEEP

      12288:5Pi8GS/emxzM+fElwVCqCJbDj9//k/rTcPcYYYgYYYYYYYgYYYYYYgYYYYYYYgYh:5PBNz3fyDj9//k//IcqHDC

    Score
    1/10
    • Target

      36bfd9f40ce0043c878b28ca80dda5315cf681215baf4e1d539456d89b907807.exe

    • Size

      108KB

    • MD5

      82bccb8988fd54529192665fa974f056

    • SHA1

      2b83f745d8424b7ad6e8012da3260dbf0663ce3c

    • SHA256

      36bfd9f40ce0043c878b28ca80dda5315cf681215baf4e1d539456d89b907807

    • SHA512

      95d9996d65f4bd0ac2ad7d6c2ab3089e1101c9d0a22b304e2380512428b21767bd6c53bbaa3b3c3afc778c98be1d32ceac5331d2c85db64e7f80a78777a4f8a9

    • SSDEEP

      1536:8tu/uJ0cjtqTgpdJEHlwKg2cxhDfiJ8Xm3oBJIKs3Z3P4lGLc:0uAjtwaPBKg2ihjiJ8W3oBJIFZ3Uyc

    Score
    1/10
    • Target

      56ec95785f91418751ad5788f9076af108ae19e03d2e0c0551ae8f8d8f5acba4.exe

    • Size

      526KB

    • MD5

      00d374f3142e46c53e621504e020dd86

    • SHA1

      49c55f442702c3d96bf507f369676a54315851d0

    • SHA256

      56ec95785f91418751ad5788f9076af108ae19e03d2e0c0551ae8f8d8f5acba4

    • SHA512

      169149b510a6c502f90b18d518f10c7f0f1c7e426d62b2e90b8adfa87d76a0d1d8b819305fdb75231ac80d5fcac1dcf7982ed9e493f22dcf12ae203a0960edb9

    • SSDEEP

      12288:oOfgiGHObrYmluIhccUnj9//k/rTcPcYYYgYYYYYYYgYYYYYYgYYYYYYYgYYYYYV:oOwGrv4j9//k//IcV4h

    Score
    1/10
    • Target

      675e7e38d969e9c0af164337a180b2941d4a676b7e0c345da1de1b2d42ed31a8.exe

    • Size

      1.3MB

    • MD5

      d30cc3d50062b47585d8e9216f5974c4

    • SHA1

      86ab16232bdff82807eb09e9dae5ae7dec26685f

    • SHA256

      675e7e38d969e9c0af164337a180b2941d4a676b7e0c345da1de1b2d42ed31a8

    • SHA512

      8fa7e529f58deb6c2b89c3bf3ceb04ca036e00ac694767b64625258fe39d3911d42ae9d5baf0d0089e06c936458fcacd0e6e56b8a7cba4a91084d66a5717bce6

    • SSDEEP

      24576:bk70TrcblhbE+twWvKItnEi9RlyjACUxar1BjjxhXQdT6lRDmkTyi:bkQTAMGwAFv9yjJZrYURDdH

    • Renames multiple (18637) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops file in Drivers directory

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      6b4df381119ee2beac0fb75184addb6cdd045ddd5e0fa09365a51331a484cd7a.exe

    • Size

      697KB

    • MD5

      91bb19ac797d238209b681a872b90dfb

    • SHA1

      c817513d79e95e78969fd7db001197058a43dbb8

    • SHA256

      6b4df381119ee2beac0fb75184addb6cdd045ddd5e0fa09365a51331a484cd7a

    • SHA512

      71eab624027b40a141800b9e4d242d52bb1613e2e7fef083bf742034639434c369dffe648b9d0728c09d91aec121cc8acf861fecd248f6529a396766cbd905de

    • SSDEEP

      12288:K1C9axRKZndwSrZvQH0dy05EQB4RpwxKxOl5/xVvuY6lMwWFQw1ybgRRBo/tPamR:QC9YRgdwSBk0dy05jBmuS4DmYBSoP94a

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      6b4f6a820d415a88ee156607b13450cbe0bedad4eb05961c55f5926f86262296.exe

    • Size

      27KB

    • MD5

      4b95790314f5e5e7ab6027f3afed48ae

    • SHA1

      1bbbc30e0fdc7190d8948716ca8d373788c90ce4

    • SHA256

      6b4f6a820d415a88ee156607b13450cbe0bedad4eb05961c55f5926f86262296

    • SHA512

      380a9bfd525ad558964f444220cf5ac4a9d3add159abd5c0451ca2b1d8bf57d2acf6d0eb8a1ec4b1451b28db10574b2fb66bda0e2f8ed066d4d5aac0dd9c8a2c

    • SSDEEP

      768:ZtVdJkn3Iwk9qg47OxpySkH/U3ITmcemeZFFtbwN4ykQo:ZtBk3I7LhB3PcedFtMOykQo

    Score
    1/10
    • Target

      721ccbb780b308c6c40817749b6764ad06cd2e56389bba1618a0dadc362d6429.exe

    • Size

      556KB

    • MD5

      4a8228f5109bc509936eb5286d86322a

    • SHA1

      36f1b50c1df1249e816944d0288604336d2b7a1e

    • SHA256

      721ccbb780b308c6c40817749b6764ad06cd2e56389bba1618a0dadc362d6429

    • SHA512

      6013d5daaef69c99d61afb30aa273413eebe9b5b8fe0055d879ee236817d3cb4a9d3bdb82553c8cd3f6e725bd99a076389a94a8ec8d6b0da66fc17b0fb7a1164

    • SSDEEP

      6144:f5bnFDjbS20Bbdh1bBbp20Btedh16IqDAYQ+:fTDwicAYp

    Score
    3/10
    • Target

      75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe

    • Size

      306KB

    • MD5

      1eac69691e05297182ea6642746d53f6

    • SHA1

      749f19b262849158df6d29f26043e1a845da102e

    • SHA256

      75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d

    • SHA512

      8ac6625fa10b3d2126a6498af2790a52bb626fef74b4abf05ce869f0e3b2d41fa78915b469529c67531937093e6385634985e792f4c04edac5f0b69a489d5c39

    • SSDEEP

      3072:J86Kas04uVswV5Him+xfleiJfz/4B7zspXGwtI57T+YG4tGSGbwySvB5KpzeLrqK:ChatLSeoQ7Rwu57C0bNyKgpGR

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (319) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Target

      79271d57c531c79536bc0be0d71e3a372bed9c10689257a7727475ab41e3e161.exe

    • Size

      3.1MB

    • MD5

      91e55c043a89444b7cdfb335d4e4a5ba

    • SHA1

      d72203d462053c1636e20cf648669b040357d5db

    • SHA256

      79271d57c531c79536bc0be0d71e3a372bed9c10689257a7727475ab41e3e161

    • SHA512

      3f3efbb9928a8ffa683d2c528bc442545fb330fbf981ff639a581effc91569743258cbad88e9a2c8b6e66448e56af023213fc408ab66a6b53565a4e030a37777

    • SSDEEP

      98304:DFkV34ua2ltBgzXU4Us1DgAtayHKlqo7/Whsg:Db0ltwzDtZHg7/Yx

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      *.*/update.exe

    • Size

      744KB

    • MD5

      288ad7c14b2e9cbfc8432d3d41d62164

    • SHA1

      2138ba33796ed343fb01c03f4abfdbed30bfe151

    • SHA256

      7e24716b753efa564cf6ace4abbe687a2ede68180140e4aaab8279b3328ababe

    • SHA512

      6f045adea1a9d4c1a0ec414a77c1611687a7ec4ed23ffc1fda426a396ca4244f5b212a1189dc6fb804268a5d29cec3226ccd6d3418e7e5a9923cb0733caac70c

    • SSDEEP

      12288:Yzki5f8eM8n7X0tYAY4+5684WFh5ecvSrW3yNdkeemwtuS9:OkE8eJnL02AYw84Wj5evNl0u

    Score
    6/10
    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      *.*/˫ǩ.bat

    • Size

      100B

    • MD5

      b2c8d1f31c73f52c275393f231e3843e

    • SHA1

      debbc8e818ab2acc8f12b08930315c894e7efde8

    • SHA256

      77badaf1d085e90578b76cd1fafb252e13d4074f643b7d43cbee38580d7dee24

    • SHA512

      0268085427d632fe4fec8e7702da5b7715a2ecc13f9ddda86f02f965c3745872e53325d12cb48ab7797bebce4b76203e3edc2631c6dacf3417a91a6c00841de6

    Score
    1/10
    • Target

      847001fe67b260c91fdc360297f6758598c41eb78fc4aae6adc4a4e2dd813b7e.exe

    • Size

      108KB

    • MD5

      eacdd9f959418d3f3e9be95de284d02a

    • SHA1

      354fe59d35aef1dd07c3c1ef771b93a413f91e6b

    • SHA256

      847001fe67b260c91fdc360297f6758598c41eb78fc4aae6adc4a4e2dd813b7e

    • SHA512

      8e3770e6e0dd33e2ae54c9af0c5c01c5e0bd5d85e37ea5e4c9afadf297f9027e1b6b0b32d872ffa3b928478d7c0601b465fa5ea414dee10ddc51c8c83323d17a

    • SSDEEP

      3072:ouvZ0rga0R246JaNR0r3PhVuCx9JNI22N:ouRIcVX2hEXFN

    Score
    1/10
    • Target

      97d846563e9c5da173d27fd11a6f182709c665dba0cb3f85a882c7b3e9cd9a3b.exe

    • Size

      36KB

    • MD5

      01856e8de8d99253aabe0c1ccf925b08

    • SHA1

      217d1d9c07dd817bb39a000943f27991cbe5aab9

    • SHA256

      97d846563e9c5da173d27fd11a6f182709c665dba0cb3f85a882c7b3e9cd9a3b

    • SHA512

      03ff6abdb978d749467a24a63b21dd1e6e77cffcdd7bccf86516a66d7e053d13f76ab19179e9a331f85d32d9405f14ab8a19b756aff4c642a4ca0c7d4402d21d

    • SSDEEP

      768:0gi4r/1iRHq5pTV6xo/SIx+637kc/+ZKWb57zlARngZy:0vZQ/6xo/SIxL7T+Z5KgZy

    Score
    1/10
    • Target

      9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe

    • Size

      314KB

    • MD5

      f93ecc98e4c4659023b81397578201e3

    • SHA1

      8c6ce5195b39239d219da8de3b4e757204f75f07

    • SHA256

      9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a

    • SHA512

      6835d190e85fa196e325d5b9e9833f88b22348b5e7dad7fe10aa2b065c66e61342cbf31fb8a4c1b5761a9f72b2f55d7eaeab9f8ee411ade6090327268a85a039

    • SSDEEP

      6144:N/ox45SkZNudlSP7VeJCaYAbjJF7UjWDvtlP8A2KoGFn6NHCcWITEYlxHt9Nqw:NgScC03SPxSlYMF7UjWDvzPh2eFnDcWg

    • Blocklisted process makes network request

    • Contacts a large (1091) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

    • Target

      9da42140cab695b77cde560dd1109d2b96d263e25c21bba0e70604f0717bf270.exe

    • Size

      616KB

    • MD5

      41b91df596878223773cdc49bbee2324

    • SHA1

      48d0647e2e29256d8969dbb7d8edb03297d01ada

    • SHA256

      9da42140cab695b77cde560dd1109d2b96d263e25c21bba0e70604f0717bf270

    • SHA512

      ff555049812608cb33cd7dcacf1102a920f531281aa60d36e8463f9c48023c856bf0243c25671ac709d8a5dfac5ab1a421606dd3f576472b4ec145b647fae30c

    • SSDEEP

      12288:bnE+Yfz3OlZUW+7xsvceR0KtjYx1xS0v:bEBr3qZlCxarj8xS0v

    Score
    6/10
    • Target

      ac7da11c38cce3b21137e629d76614f6350cbc96db41bede9029c83d9dfa98e2.exe

    • Size

      211KB

    • MD5

      ef8ab6db9a96b461f429f9f15b573164

    • SHA1

      ac600bb15b21910c0fb6618825358ed6c60c037f

    • SHA256

      ac7da11c38cce3b21137e629d76614f6350cbc96db41bede9029c83d9dfa98e2

    • SHA512

      14a3b15ceef007915a558b48740f98a7a6335d42cfcc6498b2fb3ee40ff2e15496d4fdec0351f48cee36947e1ec981190721a877b8406a10456709d21be07a3e

    • SSDEEP

      3072:b0WFcoAWykGuyF9ImZNI9UkwvYxzqea5KC7s7TJ:bfLXyL5F9XZNIsvYv

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (317) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Target

      b3489810af4e4d0d953eb438e3550ace5d52a5c8818a6cae7af6d30ba5482e5f.exe

    • Size

      24KB

    • MD5

      b6d25a5629221041e857266b9188ea3b

    • SHA1

      6df3a7a3ed5c6a6349a791b72783b32c460c8417

    • SHA256

      b3489810af4e4d0d953eb438e3550ace5d52a5c8818a6cae7af6d30ba5482e5f

    • SHA512

      bd40d5683d78d21a296677915c3417713134414059efd6865a23d8fe83465c813c696ca2d1b94e8e1ea03c7740c176e77f7b0c7c5b523eddedd43149cdc295a2

    • SSDEEP

      768:rAOGBmheJi070Y2DJ/Zpu6WYcFIl0XeF2lG+eJ6eygjaPbpUvdykQo:bo7KJOCOfGj6eaPbpUFykQo

    Score
    1/10
    • Target

      bf11915a5a5f8e1de827676250505e7f503c0744da757f8290f077d3d5d81655.exe

    • Size

      28KB

    • MD5

      180ad8f1024b334c7966180afa953266

    • SHA1

      7680011d67a7a7299ade6878255b1f7883a50cd9

    • SHA256

      bf11915a5a5f8e1de827676250505e7f503c0744da757f8290f077d3d5d81655

    • SHA512

      a661e2489775e08fc3a433e722fa014e85517ab87645ea9fa3d72c405b81d05a40dc3c02ed10579e8996e20bd4e22da936b02a846e2ea8c1d88621fbfcc7655e

    • SSDEEP

      192:7h89oTi6J4SaQPlRgspuml9+qQ/1/wzJvZvdW9+2Cp92xR4KyAzeMg/Qq7t/u/N:18EheSaQtRgWl9+qQ/1/ZMyeMm/O

    Score
    6/10
    • Target

      c453aa991f1fb96ec3aebf334f8d9f5a5256dcdf90e697a007575771705be23e.exe

    • Size

      28KB

    • MD5

      7fc30b3540428adc624a060b9005d575

    • SHA1

      8a08667b8c0bceb82502e55848ca4e4f69326217

    • SHA256

      c453aa991f1fb96ec3aebf334f8d9f5a5256dcdf90e697a007575771705be23e

    • SHA512

      6fb43ccd2c6698dc027c48cf61d7b40b9faccbaa717c14eef207d4312ab9eb9497af6ae70191021bf3166d6bf703a248d509b327d4b05b126449e87a0cae7cc2

    • SSDEEP

      384:NZMO4CXWoRNt7oAbiKuWiO9fjQ/1/ZMzUFeM/Dd:NJ4CGoRNPGG8/96UUcDd

    Score
    6/10
    • Target

      c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15.exe

    • Size

      1.2MB

    • MD5

      e11502659f6b5c5bd9f78f534bc38fea

    • SHA1

      b5fd5c913de8cbb8565d3c7c67c0fbaa4090122b

    • SHA256

      c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15

    • SHA512

      86c8d4556c9e0b7d60ccbfee430eb322388449506ab515549cb8d2785582671f2dc2d2a3bd9daded9853caa8bf94d9f92603a3bc527172a85dc7a83d701f7fd0

    • SSDEEP

      24576:645Rt4El7fc/TFJzjJUgrrCq5sNIwQsUGy1q7a9DlIACTp+kqGslRG:Rjt4El7fc/TFJWstwQsPdSDuACTpqhG

    • LockerGoga

      LockerGoga is ransomware that is primarily used in targeted, disruptive attacks.

    • Renames multiple (3721) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Target

      cfe55dc501afeb1e83c683ec596be33878597e8d318f8e9739557af1f208b348.exe

    • Size

      48KB

    • MD5

      84ff01e9ca8fec60ba0c7715ca378336

    • SHA1

      8bafa6673b762145b008496467a9ad8cfc18e4b9

    • SHA256

      cfe55dc501afeb1e83c683ec596be33878597e8d318f8e9739557af1f208b348

    • SHA512

      668be10b19fd0f47a0409ab0d46b5d078122eeb602452c37bee27970495ec9b8ae20e598b4a4d530a976dc80948be0f6d50e6fec78303941f4bf40df180e4ed6

    • SSDEEP

      768:NZ/MQ+jmgyuQY6y4ViNpc3ayjctUp79Glm:N5MUo4qK3wlm

    Score
    6/10
    • Target

      d2a120aa4a8aeb87408828d4e7e0da615cb83e32ca5fccc79eee70bca3ea4d78.exe

    • Size

      190KB

    • MD5

      0333e4014e84e0cd41a4be7fab09926b

    • SHA1

      2e84153ec64edadca3ac7a9b847eb6c651396525

    • SHA256

      d2a120aa4a8aeb87408828d4e7e0da615cb83e32ca5fccc79eee70bca3ea4d78

    • SHA512

      d9838b90083625939c644a3b80ad820cbbc5991669ac499612f82e301c553f235743cfd35a2a87cd63e7b6bedf3f57b0bd42e88ef9d9450e9d868b95ec8e6c33

    • SSDEEP

      3072:3bXCLlcSmk8NNFLehmqbayd4yCVY16YAaMDJvKqJHTwqlQNNJE5AkqA:3byLlcq8tYZbay6Y0YgDdKUHThKNI

    • Dharma

      Dharma is ransomware that uses security software installation to hide malicious activities.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (317) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Target

      db97db6b0367434c2170eb34f828ec6b99032a4722ea55dc14a72883d8af1c1b.exe

    • Size

      28KB

    • MD5

      af62cca39cdf2faa1a3e9b422afee8b9

    • SHA1

      5714a48c24d79cf820c98ec3575ef4f0b7b7c921

    • SHA256

      db97db6b0367434c2170eb34f828ec6b99032a4722ea55dc14a72883d8af1c1b

    • SHA512

      c7ad2ef82f1f1a23ffa5ebcba8efca1dc8aa788847cab8d2693cf082f85e2e87979b92c559c69e60bc119929912c105e40c00aa9fe2f09d1cf8ad9e8fc3c4d13

    • SSDEEP

      192:0P9IGUkZxXgGEmqnpbXf206LF9+qQ/1nwzJvZvdW9+2Cp92xR4qVeMNazlQF9gR:nGlJEmqx2029+qQ/1nZM2eMNazWm

    Score
    6/10
    • Target

      dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf.exe

    • Size

      478KB

    • MD5

      1575ea1792ec080b7825066f02a5dddc

    • SHA1

      e647358f934f78866d1f97079f66c46448efd2f0

    • SHA256

      dc276b7ca4a980cf487b73b4ef9c40fb93f1b00b5c757a726057ab21a0372ecf

    • SHA512

      1e492379bea54ccc2db48b1bd2ded0d77470ae960a6f78e681647526b29152a4a1ca27acca9c7181477af3c19a4e4eac0182a259fd32893b33b33f40fe14e120

    • SSDEEP

      12288:RDVeMVRoTGavS3bRmuAyEzHU4tmo1BaKBiNr:pVeMVRo/W9mu3EzHU4co1BaKc

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (7242) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      e714a8c576d7e04c2a8c6f4f8aa6627543524e61f4e3fc402a24d6981bad03a4.exe

    • Size

      44KB

    • MD5

      f385069ebb01e0bbcff4abdbbe5e6a8e

    • SHA1

      f2b48673e4c70e72e1f34cd88614cc0d5594fa94

    • SHA256

      e714a8c576d7e04c2a8c6f4f8aa6627543524e61f4e3fc402a24d6981bad03a4

    • SHA512

      d814e8112c283fa9e3fc33f54db2dc2d80e19b448d1e0d012a2838505a7af75d0814f9199462cb5a51e9fc055f30762af8830a730907f32ec66f9403b2c968d3

    • SSDEEP

      768:cKLuj2C0bJjtAgLHL3GUME2ctbTn/YcaPC:eQtAqe2TnuK

    Score
    1/10
    • Target

      f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe

    • Size

      7.0MB

    • MD5

      3beee8d7f55cd8298fcb009aa6ef6aae

    • SHA1

      672a992ea934a0cba07ca07b80b62493e95c584d

    • SHA256

      f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6

    • SHA512

      12bd64d10620c1952127c125e7beb21b3727d8afb6440d48058785267b227a534ee6112d84372749496481cb6edb5c90eeb159689b443fe0f10f4a9202a83a5f

    • SSDEEP

      196608:gUWfTu5s5E6s6eLL1mkJ2Z9Jq5dOYo+SJVTXOD0ch:gUWfTuK5E6s6sBmKk9JMo5/eN

    Score
    7/10
    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks

static1

upx, pyinstaller
Score
10/10

behavioral1

Score
1/10

behavioral2

ransomware
Score
10/10

behavioral3

Score
1/10

behavioral4

spyware, stealer
Score
8/10

behavioral5

persistence
Score
6/10

behavioral6

dharma, persistence, ransomware, spyware, stealer
Score
10/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

persistence, ransomware, spyware, stealer
Score
9/10

behavioral11

upx
Score
7/10

behavioral12

Score
1/10

behavioral13

Score
3/10

behavioral14

dharma, persistence, ransomware, spyware, stealer
Score
10/10

behavioral15

bootkit, persistence
Score
7/10

behavioral16

bootkit, persistence
Score
6/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

discovery, evasion, ransomware, upx
Score
10/10

behavioral21

persistence
Score
6/10

behavioral22

dharma, persistence, ransomware, spyware, stealer
Score
10/10

behavioral23

Score
1/10

behavioral24

persistence
Score
6/10

behavioral25

persistence
Score
6/10

behavioral26

lockergoga, banker, ransomware, spyware, stealer, trojan
Score
10/10

behavioral27

persistence
Score
6/10

behavioral28

dharma, persistence, ransomware, spyware, stealer
Score
10/10

behavioral29

persistence
Score
6/10

behavioral30

buran, evasion, persistence, ransomware
Score
10/10

behavioral31

Score
1/10

behavioral32

spyware, stealer, upx
Score
7/10