General
-
Target
dsghdrdrdfhdfh.rar
-
Size
18.6MB
-
Sample
240326-veqhaaeg53
-
MD5
5cf63fe35f1e994c6b3f0a25c4b9f6ef
-
SHA1
482c6fbb6b70213376c40e1b2179484344915c02
-
SHA256
ee48174864ae0ef8c1e2da6b91b17c2f1df32195f69173adcc3013bf97c76ad5
-
SHA512
e178e5ea5609bd4636a8c464a36cffdb361d1d9c04f05477b153b2640142d914da8c7282fc610b3279dd1acfe521aec9cfb8d5dae8e4a70add244f61766a063d
-
SSDEEP
393216:sWeta0N6Fh4gSuTVGUYQW+GfB8a8lENPHeG7wW0rDEj/5TKPOB8:oNAz42/9GfBntHeG7wW0rDEj/FeOB8
Malware Config
Extracted
sodinokibi
23
1306
richardkershawwines.co.za
itheroes.dk
medicalsupportco.com
bakingismyyoga.com
goodherbalhealth.com
computer-place.de
cp-bap.de
ahgarage.com
tramadolhealth.com
liepertgrafikweb.at
cascinarosa33.it
opt4cdi.com
spartamovers.com
iactechnologies.net
projektparkiet.pl
carolynfriedlander.com
galaniuklaw.com
lovetzuchia.com
enactusnhlstenden.com
watchsale.biz
-
net
true
-
pid
23
-
prc
wordpa
synctime
onenote
excel
mydesktopqos
ocomm
msaccess
thebat
firefox
visio
steam
sql
isqlplussvc
dbeng50
winword
agntsvc
thunderbird
dbsnmp
ocssd
powerpnt
infopath
tbirdconfig
mspub
xfssvccon
oracle
encsvc
outlook
ocautoupds
mydesktopservice
sqbcoreservice
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
1306
-
svc
svc$
mepocs
vss
sophos
veeam
memtas
sql
backup
Extracted
C:\Users\Admin\Documents\READ_THIS_TO_DECRYPT.html
Extracted
C:\Users\Public\Desktop\README_LOCKED.txt
DharmaParrack@protonmail.com
wyattpettigrew8922555@mail.com
Extracted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
3442516480@qq.com
1169309366@qq.com
Targets
-
-
Target
0383282038e4b6b1daa69a9b71bfff42b8091a4004bbe780c98239ada99f77bd.exe
-
Size
87KB
-
MD5
2f258b0a18c8ab5245ffbf8ba6e0087e
-
SHA1
aea8b95cd95d0b45721fe4f6bd4daff1feab8a57
-
SHA256
0383282038e4b6b1daa69a9b71bfff42b8091a4004bbe780c98239ada99f77bd
-
SHA512
ad25997e1acbc991c7cd95b99f2f854035f1f15aaa1eca84345ae78239deb6d02459318fdc7dd70049c6aae36bb762adfaa2d2c4d99ed29ae5eb5fdae9e06d6e
-
SSDEEP
1536:c9AvDKZdIoSYMYGvlpyORVjbiWPSt0odh6VgU75uzNrFVbKBbJaGxu2ksjrY:c9AvGZyo3MYmfxqOSjQVx4ZRoTaLaY
Score7/10-
Deletes itself
-
Adds Run key to start application
-
-
-
Target
082060e3320870d1d576083e0ee65c06a1104913ae866137f8ca45891c059a76.exe
-
Size
799KB
-
MD5
f6a8d7a4291c55020101d046371a8bda
-
SHA1
09b08e04ee85b26ba5297cf3156653909671da90
-
SHA256
082060e3320870d1d576083e0ee65c06a1104913ae866137f8ca45891c059a76
-
SHA512
547ad8ac404e494cce474209ebfbe33a40b69feb59f564215622f479e98dd93699794f4950b05d21225af271c55987da24c68d7c4c172f1d99ba7050b7063888
-
SSDEEP
24576:Fpfzmg0hsVxPJHnhxqj/jELyOpQR2dnCy:FpfCHKrPFnh4jEWOpQEdnCy
Score10/10-
Drops startup file
-
-
-
Target
1035f1b289e6d88148431da56ed5fb3c3d251b51f38bfd498690537e57a3c8b8.exe
-
Size
504KB
-
MD5
175c2b3762da73b760ad22c807abb30e
-
SHA1
0496a10195a6902b0edd6702151e9d8168560dc9
-
SHA256
1035f1b289e6d88148431da56ed5fb3c3d251b51f38bfd498690537e57a3c8b8
-
SHA512
bec68fc1fffc7d0cf23e334cbbcdc8d50f7b7dc02e7642cdca7c43098c3f04053b5f9ef83f64c47873495f9bbe3d31a551bd93d9dddb510815e71d7f0f263bf8
-
SSDEEP
12288:lRhw8HEWVcLeRKJHNwTltsvPBApafDcWi5JOFRC:JrHVcLkKNNAtsnJfDclJOvC
Score6/10-
Adds Run key to start application
-
-
-
Target
24592b881440b004bfcc51692deef734babdfc0cd5719826bd05ae678584bfb9.exe
-
Size
91KB
-
MD5
4585ab21cda2fe423663d798a52baf9b
-
SHA1
b5a9b0c35d25b6a7d1b5478da55f571aece5f2d8
-
SHA256
24592b881440b004bfcc51692deef734babdfc0cd5719826bd05ae678584bfb9
-
SHA512
b46abc2df4abbd015bf8f11d3969aba34b94a7c3ed237abc0d99be2009fea6446c6a63e0a788d8e7dbfb0445b332ec956b35941c5bb1aaa0e2aa5ffc155bc6e4
-
SSDEEP
1536:rX3F7wWqPyIMNt6+4aQQg3dTXVyaH8g6C2zzl:rXxwOlLQLGahl6
Score3/10 -
-
-
Target
31459fd8f4ca241e9f2eedcaddf848d8be9eaa76f05102b30872eedbe6c250d2.exe
-
Size
2.2MB
-
MD5
03d64ab4dcf9d9d0f3f24472d237aee9
-
SHA1
a2894cf1bd5ef7fa1380e9ee3c2bedfb5081f737
-
SHA256
31459fd8f4ca241e9f2eedcaddf848d8be9eaa76f05102b30872eedbe6c250d2
-
SHA512
0451f87f2a91d693b3c2ccb69621f66c62b876185965071ea0998c3f76865fc32471d47fa042fd6aaf1adfbff84119ca4a8bed05389258875d40a3f0cfcf4c23
-
SSDEEP
49152:pySU2VbRPrGNWnTvtchcL6yUw4gZ2oe7yUF30kWc0vNa9:pyW3rE2FHL759caE
Score10/10-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
3216f3b1bf985c045c18f16e00abcec112149ce8ecad190c620500f5cefb59ae.exe
-
Size
59KB
-
MD5
a57a80c2652a1ac5552d22d92f568262
-
SHA1
f6b18c7dce9cbf8756a6b560efcdcaa724caccb8
-
SHA256
3216f3b1bf985c045c18f16e00abcec112149ce8ecad190c620500f5cefb59ae
-
SHA512
64576c1e390e217e6f17adb16ca1c9928e5bf415ed25ab8c5443cc15bfedcb2fa982273833255470724a5d6cb34f90e71bbbf0ce32b27fef480149dc997e77d1
-
SSDEEP
768:xMSbq5QPwmHyHlAYg2Nyg9F0bAVn0JX029+M1oXTjwcckibWU4btMRIJRS1TZpaD:Vbq5QSWYHiAB0JX3l9kcSSqfqZNxO
Score1/10 -
-
-
Target
43026556eaa76df4544dd37cc1f708eb3df18b7e33969042b343c2b8be4ff697.exe
-
Size
2KB
-
MD5
08e4257a3296bee5e99cda5dc55ec795
-
SHA1
74692d67a107153987756736a228ed85eb04dc5c
-
SHA256
43026556eaa76df4544dd37cc1f708eb3df18b7e33969042b343c2b8be4ff697
-
SHA512
6c7aa698d1b57f695a05074d0a93c0e68bd2ae4920662254fc1c44f0bf9a900a6f7d24accbe6a5a3abe9a41dfcb53d67c2eb27445e7907f24102c749a5519fed
Score1/10 -
-
-
Target
4499426b05f7f17b48d3aa805681c53aed09b5b48e25c9070c08dbfae464698b.exe
-
Size
73KB
-
MD5
2d5743583c728fbd8fb7ba4757bfa242
-
SHA1
1dcd28cae8261b32c8e395acd9979eb0286fefe0
-
SHA256
4499426b05f7f17b48d3aa805681c53aed09b5b48e25c9070c08dbfae464698b
-
SHA512
08ee4b4773de1e2c7fcd8f145358a4139c317b6d2cb36bdfdb6796c97aadc8390059a06213b47a37f8b8afe9817a9b4330ece66b9ee0267664e4a961b4f88c18
-
SSDEEP
1536:DuNDrexNkdfP7yaAxFDPyVqwzpzzzVOpN8sCDiP825lNA934:DYWk17yaAPbOqKVOMs+iP8SNM34
Score7/10-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
79271d57c531c79536bc0be0d71e3a372bed9c10689257a7727475ab41e3e161.exe
-
Size
3.1MB
-
MD5
91e55c043a89444b7cdfb335d4e4a5ba
-
SHA1
d72203d462053c1636e20cf648669b040357d5db
-
SHA256
79271d57c531c79536bc0be0d71e3a372bed9c10689257a7727475ab41e3e161
-
SHA512
3f3efbb9928a8ffa683d2c528bc442545fb330fbf981ff639a581effc91569743258cbad88e9a2c8b6e66448e56af023213fc408ab66a6b53565a4e030a37777
-
SSDEEP
98304:DFkV34ua2ltBgzXU4Us1DgAtayHKlqo7/Whsg:Db0ltwzDtZHg7/Yx
Score7/10-
Executes dropped EXE
-
Loads dropped DLL
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
843cd39e4f5024ef36fdc142bf2eb9d9dcc05f0b8f7f812d49ddac8a2bf83f29.exe
-
Size
396KB
-
MD5
17fcffdacf61a1ca1ad653e8dde6f158
-
SHA1
e2ae48fdaa5e93d48d3d2e6423b590f980878ecf
-
SHA256
843cd39e4f5024ef36fdc142bf2eb9d9dcc05f0b8f7f812d49ddac8a2bf83f29
-
SHA512
fc9387e4b89709fabcae6c8ee1de20c76400b8f650f081c72a76357fc1f083d03c36676e3c6aaa7798940be29db9321c8db2ea1ff68a08b320c2e982f98e0a8f
-
SSDEEP
6144:f2r8QKg8T+jIkoQNOymUjbdlG2VNr4GAtVAVjOgBwJ+Cqs9cLYhOC4oNzquAFA:fNr76jd3V8GAtUKg7Xs9ckaoAuA+
Score10/10-
Windows security bypass
-
Disables taskbar notifications via registry modification
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
847001fe67b260c91fdc360297f6758598c41eb78fc4aae6adc4a4e2dd813b7e.exe
-
Size
108KB
-
MD5
eacdd9f959418d3f3e9be95de284d02a
-
SHA1
354fe59d35aef1dd07c3c1ef771b93a413f91e6b
-
SHA256
847001fe67b260c91fdc360297f6758598c41eb78fc4aae6adc4a4e2dd813b7e
-
SHA512
8e3770e6e0dd33e2ae54c9af0c5c01c5e0bd5d85e37ea5e4c9afadf297f9027e1b6b0b32d872ffa3b928478d7c0601b465fa5ea414dee10ddc51c8c83323d17a
-
SSDEEP
3072:ouvZ0rga0R246JaNR0r3PhVuCx9JNI22N:ouRIcVX2hEXFN
Score1/10 -
-
-
Target
902f0cb92e46d9d3028a9e5b52975f66142648ac90007032aafa9b1e2b5263ad.exe
-
Size
1.1MB
-
MD5
f5573049a6c06fdd4a36c605e57fc5f3
-
SHA1
92f53f1e87779527e630c597b372b77ca31d2bc7
-
SHA256
902f0cb92e46d9d3028a9e5b52975f66142648ac90007032aafa9b1e2b5263ad
-
SHA512
f910b65546e299ca632cddad23edd0996353e7ea75353ed4d4dd08fa63eede08acf482bdac82f236527d5deb379ae12666d3d9f8452862ae7969f3dac83fb13a
-
SSDEEP
24576:r96pOf9VtVLmZ3CJAt7xZdAUs2A8mtEv3mdBNSlhxg/SZbMehi9B4fJjAO3b/QEs:BSqvS1eZakbTytZid
Score1/10 -
-
-
Target
994d02364001319f2a3fd9318a2f760c79d7dcfddb177940e22cb60765992094.exe
-
Size
480KB
-
MD5
f82cff1f8a3de8a8f891d5ac74bf2ff7
-
SHA1
25cf77395ad767f7a960871b45ced08c3815bc00
-
SHA256
994d02364001319f2a3fd9318a2f760c79d7dcfddb177940e22cb60765992094
-
SHA512
3b40046214798f839331a823df55642112cd9a359fbd9ac3ba954175ec7bc4bb577448741ad6f119375dc336128901de1c60927e27aa0710c751896217bed4c3
-
SSDEEP
12288:vVJNnVy735dQvVxWMvzNlvbbr0oJC3gwN:N7ydQvV8OvvbbLC3g
Score1/10 -
-
-
Target
a006d20ea64758a5219d6a8833a593d99b47c2301e17be2e07593c1565de086b.exe
-
Size
604KB
-
MD5
f593184675ecb76af217a216138609e2
-
SHA1
999c45d495231ae4fb4b9768028759273e0e28b5
-
SHA256
a006d20ea64758a5219d6a8833a593d99b47c2301e17be2e07593c1565de086b
-
SHA512
3f4ea7ad5379f46a1517db38673159c02614ecff990c424f7e39156b908da3cd291a29971990349025416f6266792fb217376be37a90bdd79a78caf7a5249cfe
-
SSDEEP
12288:m8n+q7BpMZ5ztVYnLZj2Cr8Yo+JLya0fcn+Xh3pRz3aMNtziG9wX:JjiQLgCrXo+JL6C+RZVt5M
Score3/10 -
-
-
Target
aaf476e09142ae0b67a0696e3c5d202cda7081c9365f352cfb82068a80e265d5.exe
-
Size
460KB
-
MD5
e9b4b4f0f35d3757aff629ef0b55ea94
-
SHA1
c1bd6213615ddc18dbf62b78d3b408116e677bef
-
SHA256
aaf476e09142ae0b67a0696e3c5d202cda7081c9365f352cfb82068a80e265d5
-
SHA512
993e3177d9f5c82ce2d70e6bb71b92597eadfa28e0c81cb354427788d18fd15b82080b454da2ef5c2c539af796bf0be533c2d82f5666ecf6209963c34484fe07
-
SSDEEP
6144:AZHeftvB2cAVK0SWVfW5/fOflYvlBU1y0+ogBequWaj8vlLpy5NfW5fFckuzqwky:EHeftJmVKeKURgDuWG5NKNKk/q
Score8/10-
Disables Task Manager via registry modification
-
-
-
Target
abb979296b15798893029044f06c97a2e98f4ec044c0c34ac27a0dd6bb0b0ff1.exe
-
Size
59KB
-
MD5
dc19a7e07efe444f97cb045e72492eaa
-
SHA1
3ed8226d1ec92c861d470477556f016a4f9d59e6
-
SHA256
abb979296b15798893029044f06c97a2e98f4ec044c0c34ac27a0dd6bb0b0ff1
-
SHA512
943c597fb766a3ad840975ed9197569cb8fcb27e8f7964f5e9f6b66ddf3653c316c9dd28ff5723e789aa8910f14185a0868da92e93bef4ebc36b098687518bf3
-
SSDEEP
1536:I0WP1ktawb9iV21ecrAYB3YuDBn1sYfI:IPcj+puDB1sYw
Score7/10-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
b630f84b4573831a769170ce7efe73a107b7cd457f499d29fbb622db5c717086.exe
-
Size
152KB
-
MD5
1ac1e1a7ab3f8e707afe7144429cb601
-
SHA1
b97fed5590be56cf247c9ca17a0fcd9100b54cdc
-
SHA256
b630f84b4573831a769170ce7efe73a107b7cd457f499d29fbb622db5c717086
-
SHA512
f927474e1b25692a603c4c8c8ed354a6a3cd41f99af5bdb26454accd14260e3fa42c37d83ef54451af8e2bb01bdc4c5f70a29378faf0912a35ee31f5bc04eb8f
-
SSDEEP
3072:92DA1C344e9/4O1qRmcCBF8X3w0gH/4CMc8TBoIzmoAzSCzpLToYi:92YC3Re9/lymcCHLTH/Kc4BoJzhLD
Score1/10 -
-
-
Target
bd37f1c8f1a0b1333df616db123305e9c138eb3331c1fd66907d4e9df93a4a8e.exe
-
Size
356KB
-
MD5
4c6e0d9f6bf86311b01656b13b383e1c
-
SHA1
f69f1a80dbce8d1cfed654d22af8435240c23dd6
-
SHA256
bd37f1c8f1a0b1333df616db123305e9c138eb3331c1fd66907d4e9df93a4a8e
-
SHA512
7ccb67cd228fae172016c8e56a2f5193f7c4efbfe76b045dbafc3cc0fbc1892c2991c6f7acbe2201728b5a007058bfe32c5bb3761589fc5b96804e82bcb0e5ff
-
SSDEEP
6144:L1+5xWbgYAsrXqqULirNP1BX79FuOxij5GpuSkh9MmwNWfGy6AiDHN:L1/gYvprNPjLnxqs0twN7SEN
Score1/10 -
-
-
Target
c086172b03dbcdc6a782dfbbbf1b6b7f71551bc0d10e1044fcd3c7e880e83a77.exe
-
Size
392KB
-
MD5
5aa283477dee06012b7cf3272b3617d4
-
SHA1
a56749e2b405ba5f9539d785340fba1cee2dbbe9
-
SHA256
c086172b03dbcdc6a782dfbbbf1b6b7f71551bc0d10e1044fcd3c7e880e83a77
-
SHA512
a9233017351fe0757232cb7594d08300672ce3fa927cbdcf0ec5b1cef9425aa7b2e1fbf22239d1fc311d70994cf7cb3d3d13eef4d6a836af88e226f512e77222
-
SSDEEP
6144:O6ittMEfv0StbaV3jjb8TyD3cX5d+sF+TDa4ZUb5dR3vwxKO9jqs:OXsSMlXbQX5dT0DRE5T4x
Score10/10-
Windows security bypass
-
Disables taskbar notifications via registry modification
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
c2a620243b8c161336d68aaccbb7972f083b3e8e30e0fcfaaf9413e46bcbf1bb.exe
-
Size
2KB
-
MD5
043a425c7a4343ecdd5f2afa920186cd
-
SHA1
540aa408c1444b014a105a2afaea49999d92d5f6
-
SHA256
c2a620243b8c161336d68aaccbb7972f083b3e8e30e0fcfaaf9413e46bcbf1bb
-
SHA512
da6258e96e56b8af935a7098b52e357e2a50837ef53ac06619030eacef5a86fbe6f9e6747b7c4441690b42114ab0602df7fede33b5f2362f2b0e204694cc7197
Score1/10 -
-
-
Target
c3705bab837f5e68ab54a026bf6d23b454f9e6273c919f4d9c43db7c9c37a43b.exe
-
Size
695KB
-
MD5
400ba7e90298222949036c3e0fd12dd3
-
SHA1
6b9ee72e913a789737b9ef65e8d42b6b58828e79
-
SHA256
c3705bab837f5e68ab54a026bf6d23b454f9e6273c919f4d9c43db7c9c37a43b
-
SHA512
67d02601e7fe5f2c526eb6b25adddd2a4d8f4761d41bc467b441a3a50431960a59ed20226d319476f1488a4a80cc82a04036655f226c2a46363793011beab0ed
-
SSDEEP
12288:m8n+q7BpMZ5ztVYnLZj2Cr8Yo+JLya0fcn+Xh3pRz3aMNtziG9wnYMs:JjiQLgCrXo+JL6C+RZVt56YM
Score1/10 -
-
-
Target
c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15.exe
-
Size
1.2MB
-
MD5
e11502659f6b5c5bd9f78f534bc38fea
-
SHA1
b5fd5c913de8cbb8565d3c7c67c0fbaa4090122b
-
SHA256
c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15
-
SHA512
86c8d4556c9e0b7d60ccbfee430eb322388449506ab515549cb8d2785582671f2dc2d2a3bd9daded9853caa8bf94d9f92603a3bc527172a85dc7a83d701f7fd0
-
SSDEEP
24576:645Rt4El7fc/TFJzjJUgrrCq5sNIwQsUGy1q7a9DlIACTp+kqGslRG:Rjt4El7fc/TFJWstwQsPdSDuACTpqhG
Score10/10-
LockerGoga
LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.
-
Renames multiple (6678) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
-
-
Target
cad20feffc7b67e394cb667c56211449ccc9c474583e4feacb5c2461dd002c5d.exe
-
Size
267KB
-
MD5
54b101c34309faa7dd58dd249b1c8103
-
SHA1
c46268590157f04fbecf35db3c7b5a854fbc1536
-
SHA256
cad20feffc7b67e394cb667c56211449ccc9c474583e4feacb5c2461dd002c5d
-
SHA512
44d9291407177c429da7e0d5c8ffd7eb1040c1b666d951329edb1ad3c98d68bee62fa73c0374c296374362793c2f9334ff16ee0e040b7b99b11bdc283b2885e1
-
SSDEEP
3072:4vDNI+KjNTjuO8zYkS6P+pmjVItNz/jO71r06JvJiPn29D+55HSk99XJcTphigTe:023jNWspjNHSk7uXCRzl5R/ca
Score5/10-
Suspicious use of SetThreadContext
-
-
-
Target
d01b92a1d7e00f34549ee537989890699c7ac34c929ea381a4289e49e2d0e4c4.exe
-
Size
164KB
-
MD5
0801f10ec6451719bde73ad22de88d5a
-
SHA1
9bf9b111da0fdba83ce65a883248a0ea9e26a455
-
SHA256
d01b92a1d7e00f34549ee537989890699c7ac34c929ea381a4289e49e2d0e4c4
-
SHA512
10311c679c46dfe31815c63df41e6a06f04b03ce2050b3065675fd973e7af27d52dcbea7df74c2baa92344a8b2533c5799508926825a3ea3671097544efedee0
-
SSDEEP
1536:WvbSZWtDvM7wIjCEZQ5yyw1oDpP+pfICS4A++GbvF0qcX8opz25maL3SUtNDWyPB:1WhoCE3yw1oVj5DJtOicNDWEzZ9dckwK
Score6/10-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
d2a120aa4a8aeb87408828d4e7e0da615cb83e32ca5fccc79eee70bca3ea4d78.exe
-
Size
190KB
-
MD5
0333e4014e84e0cd41a4be7fab09926b
-
SHA1
2e84153ec64edadca3ac7a9b847eb6c651396525
-
SHA256
d2a120aa4a8aeb87408828d4e7e0da615cb83e32ca5fccc79eee70bca3ea4d78
-
SHA512
d9838b90083625939c644a3b80ad820cbbc5991669ac499612f82e301c553f235743cfd35a2a87cd63e7b6bedf3f57b0bd42e88ef9d9450e9d868b95ec8e6c33
-
SSDEEP
3072:3bXCLlcSmk8NNFLehmqbayd4yCVY16YAaMDJvKqJHTwqlQNNJE5AkqA:3byLlcq8tYZbay6Y0YgDdKUHThKNI
Score10/10-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (317) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Drops file in System32 directory
-
-
-
Target
d9f7e34bf8a82e137d47849c6397b51a5c127af99c4a843f8f8223687a05daf1.exe
-
Size
347KB
-
MD5
42696d4882efdf06a79068d7c22eaa5b
-
SHA1
e66fde04247efae9e4c94b2eacfb504fba02c573
-
SHA256
d9f7e34bf8a82e137d47849c6397b51a5c127af99c4a843f8f8223687a05daf1
-
SHA512
226831e511a589a2a79a108aac7ef80696b831534c0b556f627b6be6ce7c1b445167b4b081e226967a13db97bee287edc02d623be9c6373027cba4cbc3f651d2
-
SSDEEP
3072:kLQBOJeFK/MtgYcjuwiBrqg0Q+KUYN3PSe57vsR1pEzm43vHeQXTHl:kskQK/JdRios/UOPSe570Szp3mQXx
Score1/10 -
-
-
Target
da45ff208be5e193a3da424f6025a3b257dff0c67fab84bd6a9028862fd5cb95.exe
-
Size
47KB
-
MD5
bd149d3a77edd144e2ce2a716bbe3a53
-
SHA1
fc80e031574033cd57127bec9089dfecfe56bf99
-
SHA256
da45ff208be5e193a3da424f6025a3b257dff0c67fab84bd6a9028862fd5cb95
-
SHA512
26d0a9684066746fc8e2232a460a1259659ad2cf7d9c491232c6609857a20e160143167155cab2acc74285a162daabd2fa35d9e6008d75083605f941ea98b249
-
SSDEEP
768:AMFk4Ow7hmjQsDSw/Xzqn7JmfCRQqK3KQe8AbE+KElIS4hEYgOcWSRsx8Db:AzB8sQ7w/qdbQ1aQE2OqELOcWssx
Score7/10-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
-
-
Target
dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8.exe
-
Size
1.7MB
-
MD5
d4b12487470460653459a54769e974e2
-
SHA1
f879a01a2a5d337b97d14c31294e0384bc0ff649
-
SHA256
dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8
-
SHA512
cdf8f5810a3f8c379030bd4a1686afd9bd6adefefce642ff088c7f0330ee6434120fa1ee90070341c2b1b6990b56005134fd2a71bf0fc29559547bc08c38dbc5
-
SSDEEP
49152:nyZOP+5jUgyNvtchcL6yUw4gZ2oe7yUFqm:nyZO0CFHL7Y
Score10/10-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
e8ae1656c225e8de8e57983db87738630d70036aae6cf1c2b486084edb4aa4dc.exe
-
Size
180KB
-
MD5
fb30134f51e0558818038737ede9a1b0
-
SHA1
d364682050a1635182dc5abdfb1cc4174b8e333f
-
SHA256
e8ae1656c225e8de8e57983db87738630d70036aae6cf1c2b486084edb4aa4dc
-
SHA512
60db80ab100ed48f9764a560333bf19feb54232e4b4ebc2244f5eb32eb2092e97d61d912f7cc5b96c54ffbe40d1fd7b116b2724178f0f4e847ce2772e84e550f
-
SSDEEP
3072:qe3VbrfXktqKtl9CuglSCPTU15Y2Gh3hNyCd6U/5Nzc527JsM:qe3tGwuu6GVN/rQE7JsM
Score5/10-
Suspicious use of SetThreadContext
-
-
-
Target
ed09a020459f1b059bba72c76cd00520c119903b0f8b9fe316a83ced5d66ad0d.exe
-
Size
566KB
-
MD5
b1b840a11642b166ac97fe2aea762504
-
SHA1
8e52bd5c7455af60d04f123e05291cf7c73fe0fd
-
SHA256
ed09a020459f1b059bba72c76cd00520c119903b0f8b9fe316a83ced5d66ad0d
-
SHA512
4d64b1e8b5c7ed6ae818921384e79cc114e0413e8bb36d9f07c30fd85c92b6d1ffca3c31bd4ea2e9a07ef70e96af02ebfa30e4ba57541dd9de16eeafc534c14e
-
SSDEEP
12288:e8X3nehEBFf/Fv5gld3IUhghyUbaW41hD:eg32EPVgIGghyman1
Score7/10-
Loads dropped DLL
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
-
-
Target
f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
-
Size
7.0MB
-
MD5
3beee8d7f55cd8298fcb009aa6ef6aae
-
SHA1
672a992ea934a0cba07ca07b80b62493e95c584d
-
SHA256
f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6
-
SHA512
12bd64d10620c1952127c125e7beb21b3727d8afb6440d48058785267b227a534ee6112d84372749496481cb6edb5c90eeb159689b443fe0f10f4a9202a83a5f
-
SSDEEP
196608:gUWfTu5s5E6s6eLL1mkJ2Z9Jq5dOYo+SJVTXOD0ch:gUWfTuK5E6s6sBmKk9JMo5/eN
Score9/10-
Renames multiple (60) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe
-
Size
127KB
-
MD5
8ad03e12a10e43d3876f369e9020a8ec
-
SHA1
f267d02e5ee3d5b164afeb38a98feed14e662272
-
SHA256
f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150
-
SHA512
670cfd2d600a1d2f7ea09893d8d89b46ec4acf80438c456bb18a097c335310ea2629493aeda2de7f832d37a19349cd3d4b785c28306bdab85bd9e281d6039d16
-
SSDEEP
3072:j3B9oal6OPHo2tQJz37JrwkFfzA2pg/w:j3oGLPvQhJckZzA/w
Score8/10-
Drops file in Drivers directory
-
Deletes itself
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
10Registry Run Keys / Startup Folder
8Winlogon Helper DLL
2Pre-OS Boot
1Bootkit
1Browser Extensions
1Privilege Escalation
Boot or Logon Autostart Execution
10Registry Run Keys / Startup Folder
8Winlogon Helper DLL
2Defense Evasion
Modify Registry
20Subvert Trust Controls
1Install Root Certificate
1Pre-OS Boot
1Bootkit
1Impair Defenses
4Disable or Modify Tools
4Indicator Removal
2File Deletion
2