General

  • Target

    dsggggggggggg.rar

  • Size

    8.9MB

  • Sample

    240326-vebzwseg39

  • MD5

    dbec78bdbaba117fd6b57a0ce38693ed

  • SHA1

    1349841ca7396fcb7ec485d73472eb0c99c754c7

  • SHA256

    92e5a2fb9c2403bcdfffc5d91c7cc959da76e0ddd843b2d43a8a3a858f9c90a6

  • SHA512

    e1b3cccf152e030dbd678b4be1dc3f540d4cedf84bbdc6af9a1cae59c46689179bbf45ba2ff49652d14373c94228d132a557b1abb0bf04b434305ac196c407e0

  • SSDEEP

    196608:T30YHEGK6uym+Nky87wjLVjYQ6JaGJIMwF9ksMQkhXap1GVnJ2/aHkOt2b:FJ/ky7PVJAVwF9khXm1GVnJaOt8

Malware Config

Extracted

Family

sodinokibi

Botnet

33

Campaign

429

Decoy

rvside.com

tzn.nu

parentsandkids.com

ayudaespiritualtamara.com

universelle.fr

mamajenedesigns.com

buerocenter-butzbach-werbemittel.de

janellrardon.com

katherinealy.com

hm-com.com

the-beauty-guides.com

queertube.net

mneti.ru

bohrlochversicherung.info

rino-gmbh.com

karelinjames.com

janasfokus.com

skolaprome.eu

verbouwingsdouche.nl

dogsunlimitedguide.com

Attributes
  • net

    true

  • pid

    33

  • prc

    dbsnmp.exe

    mspub.exe

    encsvc.exe

    sqbcoreservice.exe

    infopath.exe

    firefoxconfig.exe

    sqlwriter.exe

    isqlplussvc.exe

    ocautoupds.exe

    winword.exe

    steam.exe

    mydesktopservice.exe

    msftesql.exe

    ocomm.exe

    synctime.exe

    mysqld_nt.exe

    sqlbrowser.exe

    tbirdconfig.exe

    powerpnt.exe

    wordpad.exe

    outlook.exe

    thebat.exe

    sqlservr.exe

    ocssd.exe

    thebat64.exe

    msaccess.exe

    visio.exe

    sqlagent.exe

    excel.exe

    dbeng50.exe

    agntsvc.exe

    mydesktopqos.exe

    thunderbird.exe

    mysqld.exe

    oracle.exe

    mysqld_opt.exe

    xfssvccon.exe

    onenote.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    429
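The prc list above is the set of processes the Sodinokibi/REvil payload terminates before it starts encrypting: database engines, Office, mail clients and Steam, all of which keep files open that the encryptor would otherwise be unable to overwrite. That makes a burst of terminate-handle requests against these names a pre-encryption signal. The following detector is an added example and is not part of the sandbox report. It assumes events arrive as constructed "key=value|key=value" records modelled on Sysmon Event ID 10 (ProcessAccess); the source image path, the 30-second window and the three-target threshold are illustrative choices, not values from the report.

```python
"""Kill-list burst detection for the Sodinokibi 'prc' config above.

Added example, not code from the sandbox report. Records are a constructed
'key=value|key=value' layout modelled on Sysmon Event ID 10 (ProcessAccess);
the source image name, window and threshold are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Copied verbatim from the 'prc' attribute of the extracted config (38 names).
KILL_LIST = frozenset({
    "dbsnmp.exe", "mspub.exe", "encsvc.exe", "sqbcoreservice.exe", "infopath.exe",
    "firefoxconfig.exe", "sqlwriter.exe", "isqlplussvc.exe", "ocautoupds.exe",
    "winword.exe", "steam.exe", "mydesktopservice.exe", "msftesql.exe", "ocomm.exe",
    "synctime.exe", "mysqld_nt.exe", "sqlbrowser.exe", "tbirdconfig.exe",
    "powerpnt.exe", "wordpad.exe", "outlook.exe", "thebat.exe", "sqlservr.exe",
    "ocssd.exe", "thebat64.exe", "msaccess.exe", "visio.exe", "sqlagent.exe",
    "excel.exe", "dbeng50.exe", "agntsvc.exe", "mydesktopqos.exe", "thunderbird.exe",
    "mysqld.exe", "oracle.exe", "mysqld_opt.exe", "xfssvccon.exe", "onenote.exe",
})

PROCESS_TERMINATE = 0x0001  # Win32 access-right bit; Sysmon logs GrantedAccess in hex


def parse_event(line):
    """Parse one constructed 'key=value|key=value' record into a dict."""
    ev = dict(part.split("=", 1) for part in line.split("|"))
    ev["UtcTime"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
    ev["GrantedAccess"] = int(ev["GrantedAccess"], 16)
    return ev


def find_kill_bursts(lines, window=timedelta(seconds=30), min_targets=3):
    """Map each SourceImage that opened PROCESS_TERMINATE handles to at least
    `min_targets` distinct kill-list processes within `window` to the sorted
    list of those targets. Sources below the threshold are omitted."""
    by_source = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        target = ntpath.basename(ev["TargetImage"]).lower()
        if target in KILL_LIST and ev["GrantedAccess"] & PROCESS_TERMINATE:
            by_source[ev["SourceImage"]].append((ev["UtcTime"], target))

    hits = {}
    for source, events in by_source.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct kill-list targets touched in the window opening here.
            seen = {tgt for t, tgt in events[i:] if t - start <= window}
            if len(seen) >= min_targets:
                hits[source] = sorted(seen)
                break
    return hits


# Constructed records, not taken from the sandbox run; paths are illustrative.
SAMPLE_EVENTS = [
    "UtcTime=2024-03-26 16:52:01|SourceImage=C:\\Users\\Public\\update.exe"
    "|TargetImage=C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe|GrantedAccess=0x1",
    "UtcTime=2024-03-26 16:52:01|SourceImage=C:\\Users\\Public\\update.exe"
    "|TargetImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\outlook.exe|GrantedAccess=0x1",
    "UtcTime=2024-03-26 16:52:02|SourceImage=C:\\Users\\Public\\update.exe"
    "|TargetImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\excel.exe|GrantedAccess=0x1",
    "UtcTime=2024-03-26 16:52:02|SourceImage=C:\\Users\\Public\\update.exe"
    "|TargetImage=C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe|GrantedAccess=0x1",
    # Benign: Task Manager ending a single hung Word instance earlier in the day.
    "UtcTime=2024-03-26 16:40:10|SourceImage=C:\\Windows\\System32\\Taskmgr.exe"
    "|TargetImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\winword.exe|GrantedAccess=0x1",
    # Benign: a security sensor reading SQL Server memory (no terminate right).
    "UtcTime=2024-03-26 16:52:01|SourceImage=C:\\Program Files\\Sensor\\sensor.exe"
    "|TargetImage=C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe|GrantedAccess=0x1010",
]

if __name__ == "__main__":
    for source, targets in find_kill_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {source} opened terminate handles to: {', '.join(targets)}")
```

Keying on the PROCESS_TERMINATE bit rather than on process-exit events matters: exit events (Sysmon ID 5, Security 4689) do not record who ended the process, whereas the ProcessAccess record ties the burst to the single image that will go on to encrypt. Task Manager and backup agents will occasionally terminate one of these processes, which is why the rule requires several distinct kill-list targets from one source inside a short window.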

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail admin@fentex.net Write this ID in the title of your message 314ECD0A In case of no answer in 24 hours write us to theese e-mails: admin@fentex.world You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

admin@fentex.net

admin@fentex.world

Targets

    • Target

      02db3ec76453f4a8ed495b9befac3ce2d51ef58c22d167e25a20bd050f5094ce.exe

    • Size

      61KB

    • MD5

      f0655fadef3b8c56c4f3ccffe7edad36

    • SHA1

      9f8d6bccd8f849e1f8d29e8eb38d1a858ffa5dff

    • SHA256

      02db3ec76453f4a8ed495b9befac3ce2d51ef58c22d167e25a20bd050f5094ce

    • SHA512

      e50b62ab81dcb4bfd6434c535f24c8d2d894d15c5c98fe8cff34feeda9e275af10e6cdf54c856bac6f0f974ee05376d242144313ce364fec5938b55e4a247c8b

    • SSDEEP

      1536:U/8d0VuncA9V7fom4C3XnyGrM6HWs4Q/pPLqva:l0VuncA9Vpl3XHMGph3

    Score
    7/10
    • Deletes itself

    • Adds Run key to start application

    • Target

      09f27e01898779236a9f31185667b9f4a97dd1f30c972386fd995502acfb992e.exe

    • Size

      233KB

    • MD5

      5bc13179adf4c341be9717bef93ebe50

    • SHA1

      7eb8902c5f090c39812d48b2e50e1eb1aef88173

    • SHA256

      09f27e01898779236a9f31185667b9f4a97dd1f30c972386fd995502acfb992e

    • SHA512

      af545babbcc73c5cd993c3a53921aa482c7068af029b2de38c4ffb7828ff0942676d7502579f721c8c52cd8f66bb26eb225b49de6c3a5c0ad221cf2e3a50e498

    • SSDEEP

      6144:POsIgB2ASQSFOqE0Wqaemzj+99nEmy3Kf6rTwk:PCgB9SULgv6j+fnE0fs

    Score
    5/10
    • Suspicious use of SetThreadContext

    • Target

      0abe62de95ad966482f445504eb8a385afb8e4b4ba5a36ea34fce13b3da3dad2.exe

    • Size

      721KB

    • MD5

      0e95f96d4c8e49913f6883184c1bdeb2

    • SHA1

      c0f16161b25591b3ac98f1b11a5809c03cc367cf

    • SHA256

      0abe62de95ad966482f445504eb8a385afb8e4b4ba5a36ea34fce13b3da3dad2

    • SHA512

      791415eee323e69f08bed3a5bc88ffe7067ddc5d38253d76016ade60912a60a0e9c15be691bdbbe5b76870940168fd4896c91bbb9ac8f6eb4e4c0ea291e219bc

    • SSDEEP

      12288:2fdUPwYvdhrrQ4hQnWWKlFZugHicEwtnDJydj3PP7qzPhEJwBw9FA5kD76H:EUPh3Q4unoAaRcrU5WwBSFR70

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe

    • Size

      46KB

    • MD5

      d48aeac430e7a71d766d99cbe983ffcb

    • SHA1

      bede4570886ef435dc7ec27f4caebbd3180a5ee5

    • SHA256

      13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120

    • SHA512

      58f088823547fc1dcb0211396b2cac2708e434e05fcf64ebf7af8cdbafb5ec2b0cc6b8732a32e7c1836ac4021ad1bdb0740bb76e51637dbb72b180f2e7b7b2f1

    • SSDEEP

      768:n95rEUR7jA2RLs89oEd5aYmz22HRjIiuFxN/iJh1gOWgqtCK/Q/nGqSF:/w0jA2/9Zmz7H1qPN/iJhaDYG8npSF

    Score
    7/10
    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      181d5a2aa39493c50bc73723047157d843ecbc22d7cb56766eb737f529910854.exe

    • Size

      199KB

    • MD5

      e8256882e6768c9917c262708c3cef2d

    • SHA1

      372c33bf0889221b4596a1aa4a4f21c95a4c19fe

    • SHA256

      181d5a2aa39493c50bc73723047157d843ecbc22d7cb56766eb737f529910854

    • SHA512

      027c5785a444a158bab6776761433ea77a5e7a0bbd3addaf18464abeb375e3d8d30993518fff61f90464241f8eef1a79fdad8ebc74b951ba92e4f6b7ca08a676

    • SSDEEP

      1536:4qGun0JrSDnvjrueHapXUCVCTI8ti+HVSkKgxG/rVeKSetKPeZQbSLze5CJV8ocP:jGu0Snrrf6RUNRdKkGTgKJF82D3noQS

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      19bdaadf42c44a28941ff6ecea6925de28caf172acb131085d93c7e56ac5fded.exe

    • Size

      108KB

    • MD5

      77b799f6b7b0608f5f982b4293e2c83a

    • SHA1

      5610203a50fe15bdfdfef30c65d1b514b51a6378

    • SHA256

      19bdaadf42c44a28941ff6ecea6925de28caf172acb131085d93c7e56ac5fded

    • SHA512

      06459232277410fd575ee69988e48a3731433da79fc5c15dc71abbd9c682eddc84ddee56646dff50c804defaa1c1bbb86f4edf6da6a33a4889295220ab446e52

    • SSDEEP

      1536:OTu/CJ0cjtqTgpdJEHlwKg2cxhDfiJ8xmeoBJIKs3Z3P4lGLH:4uUjtwaPBKg2ihjiJ8MeoBJIFZ3UyH

    Score
    1/10
    • Target

      1f1cc1747387db85919ee8af854dd1afe5239b34a1cdc98c5cea347de804205e.exe

    • Size

      485KB

    • MD5

      2e52852b91e569a1f4e411a8c53b53a9

    • SHA1

      a8db86abb40156bacdb8512765795888126ab4a1

    • SHA256

      1f1cc1747387db85919ee8af854dd1afe5239b34a1cdc98c5cea347de804205e

    • SHA512

      c6894ecbc22570b0275d495e6c8c4d311fa05b5008627358a0904d2d1038fef219ce7854507f4805f86b97c9bcf112e2ab736774405affd2fd85f912c65e15b4

    • SSDEEP

      12288:eHeftpmVKeKUVjYE+d5nbIZDkR6d0gDEpU:/1pte9a5bm66d

    Score
    8/10
    • Disables Task Manager via registry modification

    • Adds Run key to start application

    • Target

      1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe

    • Size

      2.2MB

    • MD5

      f5f2f6c370db4b38bdf8032ea3ef2a64

    • SHA1

      b5e188540539bc2b1d128f408160fa91e724c84b

    • SHA256

      1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4

    • SHA512

      f2216faac5d07fb2d6f3faf6cf1e18e94c0ada8aba35a8d2d8491efd1ada526d5358a592b6877a9783cc9b5e81dd54fec8b9969ffd650c0f8aff2e3243dbe18c

    • SSDEEP

      49152:UtAZanCoV4BdnctNbS/iXmYjlV8O7pzTs8OYFFxZbVybdXERd:9x6Mdn0p7pzTsQR

    • Drops file in Drivers directory

    • Modifies Installed Components in the registry

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Target

      222d06b23600bbd1fd66b6649618e5f3a7f4d81fcb8dfd961680d949aea31a66.exe

    • Size

      44KB

    • MD5

      50314317a8b81f235ec751167716512a

    • SHA1

      9e7c1b9d1525571bcf0ca164b67bac0bf230ff5f

    • SHA256

      222d06b23600bbd1fd66b6649618e5f3a7f4d81fcb8dfd961680d949aea31a66

    • SHA512

      a6fcf2b91a6d7618e18f2fdcd73854c65416a5f2cf1c6f31896f203e3b478b038f50c758b373979c1fe5a61d39f09a084e5f3e2348870f36abd435ae59ff7607

    • SSDEEP

      384:pnuOsXXDJ2XVnVpYSlLf45iQfr4948DSamC1CgAOasx:pnuOaX12XVB5GamC1Cgp

    Score
    8/10
    • Drops file in Drivers directory

    • Adds Run key to start application

    • Target

      23b5ce252f1cb3ff40a3bcb3ea53dd674175c3ad782b00e33ae45c8c87fa265b.exe

    • Size

      235KB

    • MD5

      fc7b0066d7d250b619a3c6c3ee1b22f9

    • SHA1

      f307dc2d7d41e5d2678144de98445fa3c14e7583

    • SHA256

      23b5ce252f1cb3ff40a3bcb3ea53dd674175c3ad782b00e33ae45c8c87fa265b

    • SHA512

      4178ac9a1e5e9f5817412de1ab210c1c95ebe1a47875f14844ff5e234191c2facaf8f7ae184c9fc33c334cdfa8615ccbdc8aaaac1d3aa6697d4ea49ef01aa1bd

    • SSDEEP

      3072:BS4er0KRFMyC4FtM/LMZaIfhhM35E8/OZZe6WXVDhjt6SeFUkgYF6UTcysS:BShA40/haM3hGEphsxUYF6Ecyx

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (314) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Target

      24ebe7609d56c62fca780bf5ef346aa91c0412418f1f85d591005b4509bcbca9.exe

    • Size

      216KB

    • MD5

      c5bd56403a710b54acf45483e472d41f

    • SHA1

      16f7d8a390e1bdd8072bc4691a54cf78a96c766c

    • SHA256

      24ebe7609d56c62fca780bf5ef346aa91c0412418f1f85d591005b4509bcbca9

    • SHA512

      ee38902086ef3cd15e0a7a6957a81d193b4eb426d4c3975da3edfb0f3a9f23a9c1f6ce3596caab9264e4587dddedd4dac632ecc3af2cffd9efd788a4f2c4cf76

    • SSDEEP

      6144:c+8RKiCp4GLorsohtjigvBrHMZtV6MTU9EWv:c+wjqYswjpZHlM6l

    Score
    6/10
    • Target

      25fcedbb8b0ae97c1e9b7b56e0ce3511976661bbdcf075dfed18b36a58ab5d78.exe

    • Size

      391KB

    • MD5

      84d366939817b2ac8cd4bbe26741a88b

    • SHA1

      93dc4616bce186d2fb8fbb4f86045739901f995f

    • SHA256

      25fcedbb8b0ae97c1e9b7b56e0ce3511976661bbdcf075dfed18b36a58ab5d78

    • SHA512

      f301b70f56725763f735a843ace508110355e7e9f6415cef73e0eac490894e6a6aa3aec388f172fcf89e876315fdeadab3bd023c19039f7b9b7e8ebe453303f1

    • SSDEEP

      12288:7gLumXPr0Pi+pwkSY+58QLSyJ/xaZnnJoOmCOF+cJxKxw+:kCmXT0PiB9Ck/xadJQ9Jf+

    Score
    1/10
    • Target

      26f2bf1fc3ee321d48dce649fae9951220f0f640c69d5433850b469115c144fe.exe

    • Size

      138KB

    • MD5

      410e395600c291c59d8c9b93fa82a7f3

    • SHA1

      2e385e8b8ceb01c9e638f8a95889b571d31aef41

    • SHA256

      26f2bf1fc3ee321d48dce649fae9951220f0f640c69d5433850b469115c144fe

    • SHA512

      dbd819999d7eaf436ca2bd157c41232663f9cf7a551aa39d9cd319c79d7a02e2d5c803c19df5b4deb0e44cb7300b496942ecb7378b282c6aa86f0c9800883597

    • SSDEEP

      1536:6A8tAHVHDHGH1UtxtP3qjcHNxK9kluXCDZjaAdTXQxXdW+moSpRGGkICS4AHrCjh:xVxbK1UtxtPqmNfYd2rGGflrC95rR

    Score
    1/10
    • Target

      32a22a65aa2666a6a34f0be77cb6bd3f275bcd1e1c54ad49e187984d76f49e2f.exe

    • Size

      2KB

    • MD5

      06129baf1db8277a1eadbfaf361986f3

    • SHA1

      a5947297bbcfdfa826c7eeb1f68a8d4a8951ead5

    • SHA256

      32a22a65aa2666a6a34f0be77cb6bd3f275bcd1e1c54ad49e187984d76f49e2f

    • SHA512

      7d8ad9ae8364529168242ff339bbad56d15365aa217c2cede99d1bca8f5a68910512b1368240fae5b10b1c4614561d6b41cb5af8fd9b4685ee34b7de5ba6fb81

    Score
    1/10
    • Target

      35fdad147c2ab2c36dd7fd1ad1ae26b80be6c501bb22120b741be3ab34be168f.exe

    • Size

      542KB

    • MD5

      ce29783e7465bd57067f67afba0f996f

    • SHA1

      c6d5bc37d17d43a1cdb17d39e46b8f3d61d46578

    • SHA256

      35fdad147c2ab2c36dd7fd1ad1ae26b80be6c501bb22120b741be3ab34be168f

    • SHA512

      b92a1bdb77f05c5a6cf0b883bb2b4205c6d3a97dce1e6f82a102d6e6fcba1a025d3953ed7f3ef9268f6383a7cd2f6af2de37fec736eb4d77aff40b12a901c0be

    • SSDEEP

      12288:5Pi8GS/emxzM+fElwVCqCJbDj9//k/rTcPcYYYgYYYYYYYgYYYYYYgYYYYYYYgYh:5PBNz3fyDj9//k//IcqHDC

    Score
    1/10
    • Target

      36bfd9f40ce0043c878b28ca80dda5315cf681215baf4e1d539456d89b907807.exe

    • Size

      108KB

    • MD5

      82bccb8988fd54529192665fa974f056

    • SHA1

      2b83f745d8424b7ad6e8012da3260dbf0663ce3c

    • SHA256

      36bfd9f40ce0043c878b28ca80dda5315cf681215baf4e1d539456d89b907807

    • SHA512

      95d9996d65f4bd0ac2ad7d6c2ab3089e1101c9d0a22b304e2380512428b21767bd6c53bbaa3b3c3afc778c98be1d32ceac5331d2c85db64e7f80a78777a4f8a9

    • SSDEEP

      1536:8tu/uJ0cjtqTgpdJEHlwKg2cxhDfiJ8Xm3oBJIKs3Z3P4lGLc:0uAjtwaPBKg2ihjiJ8W3oBJIFZ3Uyc

    Score
    1/10
    • Target

      39a6618795b858d4f9a976c203bb9bee199db3555b9583b308954ccc09cffc45.exe

    • Size

      81KB

    • MD5

      4823da39673471b5d911fc04d3cfae23

    • SHA1

      c2dc50705c66a3aa34b854d0a2ad621ceb2d61ca

    • SHA256

      39a6618795b858d4f9a976c203bb9bee199db3555b9583b308954ccc09cffc45

    • SHA512

      4f45d679b6eff80aa20780c3ecec76bc5eac6d13d446e33214a76f534cdfc36a232d20cf0a32283faef6f5483f97e731aa0ee53c78596b7565e6bf05204ec620

    • SSDEEP

      1536:lmqEEmpTRPx6/gnTGpx8NWa5gtYJ9z4LNks5:Ix64TWKP5nJ9yv

    Score
    1/10
    • Target

      3c8ac670d8c920170dd431a5a08cbefd62a98e369eb552acbc04a0eeb2f2a198.exe

    • Size

      6.1MB

    • MD5

      a7fd9237c2c3f2047ba9a1614fefc049

    • SHA1

      b560fe4756954b602a93b83b5d675153d1e9fd30

    • SHA256

      3c8ac670d8c920170dd431a5a08cbefd62a98e369eb552acbc04a0eeb2f2a198

    • SHA512

      90818b6cfcb238def0b05d95e42d93c26352c9dbbd5235f0c29e989da3d4e561b021e3ab14a832cf38793be11827b3030d82e3f15bf665ce07b4705250951377

    • SSDEEP

      98304:PKArHESq9v29PYHOwMbX9hVXm9iQXohcP3FNv25UiwAY0eMP+Ibt2CTUCqV:PJHELv2RxJWYQscPHv2KXqZbPTwV

    Score
    1/10
    • Target

      401beec1e5e07bfe7d0ebf18d9219f4f0a504284b6f9aab664e8af6e8bef31c3.exe

    • Size

      275KB

    • MD5

      98b582a9ea877a60a74bd8801e47984c

    • SHA1

      c9295fa9d5d9996b6426e6d01e98fd77de4f4aac

    • SHA256

      401beec1e5e07bfe7d0ebf18d9219f4f0a504284b6f9aab664e8af6e8bef31c3

    • SHA512

      4e34c7bfac089b11683763c064a33ca582091afab79fa82612c482fb46945b155bc16783282b472e2efa6d42bcabbf1bce4059e1a97cb678f96e607b9c325008

    • SSDEEP

      6144:nJ0A05mRGeqkY3BKMkDz9sxH16UWJbyBycqYY:nb05mR2kMKxBsxHvETcqYY

    Score
    3/10
    • Target

      46c17836fd2d65343ca0d1adae5fa3209a1f2a128736c81f5d7d40fe7ee608b2.exe

    • Size

      2KB

    • MD5

      07d1e5468b822c78ebae8005d28b6e09

    • SHA1

      26db60f2cea54232ad9b1a4ec73d6bdf4798696c

    • SHA256

      46c17836fd2d65343ca0d1adae5fa3209a1f2a128736c81f5d7d40fe7ee608b2

    • SHA512

      30886be9e0f8680f24eb8f0832c070208c4b2e26a2736135add17d6297c82cbe0259fc3bd154ea0a4f6eaaf9e60d1303764834ab197dfd71a7d7997a679cbd57

    Score
    1/10
    • Target

      54edb6518a4ba6561d14cfc2875b281f3a9a87aca7d839c5bc814ef5e6a0229a.exe

    • Size

      440KB

    • MD5

      1102ea7e0dec7b0517794d52cfb4399e

    • SHA1

      a491e5d98994c0846572b94757b434e20b661270

    • SHA256

      54edb6518a4ba6561d14cfc2875b281f3a9a87aca7d839c5bc814ef5e6a0229a

    • SHA512

      40b1e1e8db8ccd116000d6295144fd36adfdb99c9d2586309ccb2e5c4707b32b308d9cce14962af97d70489de4e29a8e64ed0104a3cac6e30523f8a18d5e7fef

    • SSDEEP

      12288:4Ah8QauYUJe5SQvfP9zv6lTA1DknB1gSpxsQcXYCUtt:4AKQnYf5pXPd61AyL4HYCOt

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      56ec95785f91418751ad5788f9076af108ae19e03d2e0c0551ae8f8d8f5acba4.exe

    • Size

      526KB

    • MD5

      00d374f3142e46c53e621504e020dd86

    • SHA1

      49c55f442702c3d96bf507f369676a54315851d0

    • SHA256

      56ec95785f91418751ad5788f9076af108ae19e03d2e0c0551ae8f8d8f5acba4

    • SHA512

      169149b510a6c502f90b18d518f10c7f0f1c7e426d62b2e90b8adfa87d76a0d1d8b819305fdb75231ac80d5fcac1dcf7982ed9e493f22dcf12ae203a0960edb9

    • SSDEEP

      12288:oOfgiGHObrYmluIhccUnj9//k/rTcPcYYYgYYYYYYYgYYYYYYgYYYYYYYgYYYYYV:oOwGrv4j9//k//IcV4h

    Score
    1/10
    • Target

      5c959580adf1fbdfea872ece4d29ee6a8319a88273a9923988ef8be4197833bd.exe

    • Size

      161KB

    • MD5

      3a54e0c4d396020138af9ca801dbe28c

    • SHA1

      5b1d56afb3080979918881f39068bcabc4ed7c42

    • SHA256

      5c959580adf1fbdfea872ece4d29ee6a8319a88273a9923988ef8be4197833bd

    • SHA512

      a5969ae88fddf490701c887a42b2101d253838e2e144ac944af278d370e392f58cd68e6db47c43ab2a04740d2e44a1d1e5bc444a953339112fcc32ee6722668d

    • SSDEEP

      1536:7mseS0rh3UharM4WHMnEA0tepkq8e7Pbi4eTMluxtXDCntTnICS4ADEqIvdb3G6V:tsM4oA0tCHLbi4eTMlwDCnuSqeF3Gj

    Score
    1/10
    • Target

      675e7e38d969e9c0af164337a180b2941d4a676b7e0c345da1de1b2d42ed31a8.exe

    • Size

      1.3MB

    • MD5

      d30cc3d50062b47585d8e9216f5974c4

    • SHA1

      86ab16232bdff82807eb09e9dae5ae7dec26685f

    • SHA256

      675e7e38d969e9c0af164337a180b2941d4a676b7e0c345da1de1b2d42ed31a8

    • SHA512

      8fa7e529f58deb6c2b89c3bf3ceb04ca036e00ac694767b64625258fe39d3911d42ae9d5baf0d0089e06c936458fcacd0e6e56b8a7cba4a91084d66a5717bce6

    • SSDEEP

      24576:bk70TrcblhbE+twWvKItnEi9RlyjACUxar1BjjxhXQdT6lRDmkTyi:bkQTAMGwAFv9yjJZrYURDdH

    • Renames multiple (292) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Target

      6b4f6a820d415a88ee156607b13450cbe0bedad4eb05961c55f5926f86262296.exe

    • Size

      27KB

    • MD5

      4b95790314f5e5e7ab6027f3afed48ae

    • SHA1

      1bbbc30e0fdc7190d8948716ca8d373788c90ce4

    • SHA256

      6b4f6a820d415a88ee156607b13450cbe0bedad4eb05961c55f5926f86262296

    • SHA512

      380a9bfd525ad558964f444220cf5ac4a9d3add159abd5c0451ca2b1d8bf57d2acf6d0eb8a1ec4b1451b28db10574b2fb66bda0e2f8ed066d4d5aac0dd9c8a2c

    • SSDEEP

      768:ZtVdJkn3Iwk9qg47OxpySkH/U3ITmcemeZFFtbwN4ykQo:ZtBk3I7LhB3PcedFtMOykQo

    Score
    1/10
    • Target

      721ccbb780b308c6c40817749b6764ad06cd2e56389bba1618a0dadc362d6429.exe

    • Size

      556KB

    • MD5

      4a8228f5109bc509936eb5286d86322a

    • SHA1

      36f1b50c1df1249e816944d0288604336d2b7a1e

    • SHA256

      721ccbb780b308c6c40817749b6764ad06cd2e56389bba1618a0dadc362d6429

    • SHA512

      6013d5daaef69c99d61afb30aa273413eebe9b5b8fe0055d879ee236817d3cb4a9d3bdb82553c8cd3f6e725bd99a076389a94a8ec8d6b0da66fc17b0fb7a1164

    • SSDEEP

      6144:f5bnFDjbS20Bbdh1bBbp20Btedh16IqDAYQ+:fTDwicAYp

    Score
    3/10
    • Target

      75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe

    • Size

      306KB

    • MD5

      1eac69691e05297182ea6642746d53f6

    • SHA1

      749f19b262849158df6d29f26043e1a845da102e

    • SHA256

      75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d

    • SHA512

      8ac6625fa10b3d2126a6498af2790a52bb626fef74b4abf05ce869f0e3b2d41fa78915b469529c67531937093e6385634985e792f4c04edac5f0b69a489d5c39

    • SSDEEP

      3072:J86Kas04uVswV5Him+xfleiJfz/4B7zspXGwtI57T+YG4tGSGbwySvB5KpzeLrqK:ChatLSeoQ7Rwu57C0bNyKgpGR

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (54) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Target

      7a2aa7c097a2e48184694d2d70027f7ac4081db7c6d555324aa5f060a37800bd.exe

    • Size

      4KB

    • MD5

      cb9673affdd82b6cdc52a86ea35fb981

    • SHA1

      81b07ad0550e3694954cccfad9f69b0d8e92c1bf

    • SHA256

      7a2aa7c097a2e48184694d2d70027f7ac4081db7c6d555324aa5f060a37800bd

    • SHA512

      f534b110e1916dc94048fee3452e627d90c2deba08e967731efa4a66b8d2d5370461c08d4ecb001149881990d2a0c9d76c6829c04ffcd42f127ad77f5afe56fc

    • SSDEEP

      48:6vvFoDOy13Ihf9hy7yR2EUEM8bVB4JWkzHUBUuq:VWf9hymR2EUcBWHz0uf

    Score
    1/10
    • Target

      87bcc495ec10c56b860450897f03869b74c66c2a2bd336d4fff67d2d777ad865.exe

    • Size

      460KB

    • MD5

      bf2930daa322a99e99951225f6da2d5c

    • SHA1

      8ae776a5120e0faa683dbb04e4a18c8fc5d3c916

    • SHA256

      87bcc495ec10c56b860450897f03869b74c66c2a2bd336d4fff67d2d777ad865

    • SHA512

      c35dfff04680bda112beda135ec5ec655709da5f29b16a213d98bfacf75a3b6ca1f23e0fcd3392dccc4eb60e0293e48e5bc8742222ea8bb576ce7fa9176bb10b

    • SSDEEP

      6144:b9t+Pt/xpwV60yGNLnvWJ/fOPVYvFRE1iU+YQBO6uWaD8vlLZyBbd/2Zf1s0uDG7:b+PtJWV6GvKExQDuWmJdq9GksM

    Score
    8/10
    • Disables Task Manager via registry modification

    • Target

      8d11fa106742bd9038bf92ed3b3912b51f9b768ebd85b380081f61940fd92754.exe

    • Size

      124KB

    • MD5

      602fa1f399796b7de5a1c8a6fb8b6b66

    • SHA1

      4aece2d7564579f5927d5bb728d2367d5e4288c3

    • SHA256

      8d11fa106742bd9038bf92ed3b3912b51f9b768ebd85b380081f61940fd92754

    • SHA512

      af3930df70e56024cd304b76c9f2a27d1c24d3033504fbfe812476fa0585e84912919c3b9ad9540f13ea2cdeaed150ea4dff205587ec79ed85e902d8d0f4128c

    • SSDEEP

      3072:1y5+cyL8M/crrTRCbXdPI7YqZivjlR4Zby:1NgM/MrGdgO

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      97d846563e9c5da173d27fd11a6f182709c665dba0cb3f85a882c7b3e9cd9a3b.exe

    • Size

      36KB

    • MD5

      01856e8de8d99253aabe0c1ccf925b08

    • SHA1

      217d1d9c07dd817bb39a000943f27991cbe5aab9

    • SHA256

      97d846563e9c5da173d27fd11a6f182709c665dba0cb3f85a882c7b3e9cd9a3b

    • SHA512

      03ff6abdb978d749467a24a63b21dd1e6e77cffcdd7bccf86516a66d7e053d13f76ab19179e9a331f85d32d9405f14ab8a19b756aff4c642a4ca0c7d4402d21d

    • SSDEEP

      768:0gi4r/1iRHq5pTV6xo/SIx+637kc/+ZKWb57zlARngZy:0vZQ/6xo/SIxL7T+Z5KgZy

    Score
    1/10
    • Target

      9e4e60ee2a8a8ce65072e3aa9b648d4e8ff45474a41d374126f3c045901550c6.exe

    • Size

      202KB

    • MD5

      b3cc04eac72aca2c23989d65ba0e1547

    • SHA1

      c79584523f978085fe5eec0730118212cab4fcb5

    • SHA256

      9e4e60ee2a8a8ce65072e3aa9b648d4e8ff45474a41d374126f3c045901550c6

    • SHA512

      ebea0d6af15fcca8646b1e1692f52d9aa3ecd1ca33bb1f7eeb0453f1311536bb0d0b7c3c8e6e199aadfc1ae2954b0aad15abb2d2d3b3f7bf5ea8ee01414aac0f

    • SSDEEP

      6144:qv7rhkKYs1pKlCqLi4JH7GEG0C8i/KZWyV:w7rhk8WWulC8ia1V

    Score
    3/10

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                              ID          Count
Persistence           Boot or Logon Autostart Execution      T1547       8
Persistence           Registry Run Keys / Startup Folder     T1547.001   8
Privilege Escalation  Boot or Logon Autostart Execution      T1547       8
Privilege Escalation  Registry Run Keys / Startup Folder     T1547.001   8
Defense Evasion       Modify Registry                        T1112       12
Defense Evasion       Indicator Removal                      T1070       4
Defense Evasion       File Deletion                          T1070.004   4
Credential Access     Unsecured Credentials                  T1552       3
Credential Access     Credentials In Files                   T1552.001   3
Discovery             System Information Discovery           T1082       7
Discovery             Query Registry                         T1012       2
Collection            Data from Local System                 T1005       3
Impact                Inhibit System Recovery                T1490       4
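Both Dharma targets in this archive carry the "Deletes shadow copies" signature, and the matrix rolls four tasks up under T1490 Inhibit System Recovery, but the report does not show the command lines behind that signature. The following added example (not code from the report or the sandbox) matches the well-known Windows shadow-copy and boot-recovery commands against constructed process-creation records and aggregates hits per parent process, since a single parent chaining several of these commands is the pattern to alert on. The pattern list, the dropper path and the sample records are assumptions to be tuned for your environment.

```python
"""Recovery-inhibition command matching (ATT&CK T1490).

Added example, not code from the sandbox report. The pattern list covers
commonly abused Windows commands and is an assumption to tune locally; the
process-creation records below are constructed.
"""
import re

# (label, pattern); each pattern targets one recovery-inhibiting command form.
T1490_PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("powershell Win32_ShadowCopy delete",
     re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b", re.I)),
]


def classify_command(command_line):
    """Return the labels of every T1490 pattern the command line matches."""
    return [label for label, rx in T1490_PATTERNS if rx.search(command_line)]


def scan_process_events(events):
    """events: iterable of (parent_image, image, command_line) triples.

    Returns (findings, per_parent): one finding per matching event, plus the
    sorted label set per parent image, so a single parent that chains several
    recovery-inhibiting commands stands out even when each command runs in a
    different child (cmd.exe, bcdedit.exe, powershell.exe)."""
    findings, per_parent = [], {}
    for parent, image, cmd in events:
        labels = classify_command(cmd)
        if labels:
            findings.append({"parent": parent, "image": image,
                             "labels": labels, "command": cmd})
            per_parent.setdefault(parent, set()).update(labels)
    return findings, {p: sorted(labels) for p, labels in per_parent.items()}


# Constructed process-creation records; not taken from the sandbox run.
PAYLOAD = r"C:\Users\victim\AppData\Roaming\payload.exe"  # hypothetical dropper path
SAMPLE_EVENTS = [
    (PAYLOAD, r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"),
    (PAYLOAD, r"C:\Windows\System32\bcdedit.exe",
     "bcdedit /set {default} recoveryenabled no"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin list shadows"),  # benign: enumerates, does not delete
    (r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\system32\svchost.exe -k netsvcs -p"),  # benign service host
]

if __name__ == "__main__":
    findings, per_parent = scan_process_events(SAMPLE_EVENTS)
    for f in findings:
        print(f"T1490 {f['labels']} <- {f['parent']}: {f['command']}")
    for parent, labels in per_parent.items():
        print(f"{parent}: {len(labels)} distinct recovery-inhibition techniques")
```

Match on the full command line rather than on the image name alone: vssadmin and wbadmin are legitimately run by administrators and backup software for listing and status, and only the delete/resize forms are worth a high-severity alert. Aggregating by parent is what separates a ransomware run (one parent, several techniques in seconds) from an administrator issuing one such command by hand.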

Tasks

static1

upx aspackv2 33 429 sodinokibi
Score
10/10

behavioral1

persistence
Score
7/10

behavioral2

Score
5/10

behavioral3

upx
Score
7/10

behavioral4

upx
Score
7/10

behavioral5

upx
Score
7/10

behavioral6

Score
1/10

behavioral7

evasion persistence
Score
8/10

behavioral8

persistence spyware stealer
Score
8/10

behavioral9

persistence
Score
8/10

behavioral10

dharma persistence ransomware spyware stealer
Score
10/10

behavioral11

persistence
Score
6/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
3/10

behavioral20

Score
1/10

behavioral21

upx
Score
7/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

persistence ransomware spyware stealer
Score
9/10

behavioral25

Score
1/10

behavioral26

Score
3/10

behavioral27

dharma persistence ransomware
Score
10/10

behavioral28

Score
1/10

behavioral29

evasion
Score
8/10

behavioral30

upx
Score
7/10

behavioral31

Score
1/10

behavioral32

Score
3/10