cerber

Target

bc41543926dda3762ae39e35aba7a813_JaffaCakes118
Size

13.8MB
Sample

240620-b5v1xawemk
MD5

bc41543926dda3762ae39e35aba7a813
SHA1

81bf36d2c8c97901eb88133566838eba26d74138
SHA256

f255227fd45316c4681085f39e6da2f509af851f8cc2d2a84ea99c06b935ffe6
SHA512

29404267b0a85340a4b9e821aca8a37ee716532adb9626acc39941148c2e91f67022125a4db3d65468b6b564134bf9fa496252bd4d2aacda0be0fd54684c0291
SSDEEP

393216:LDZBIw5QnNtQs9HQYsiZfmu/GyBSye+tfLXSDOaC0zjLCrj:vlQnNSA1skfmkzdtfOi0jLA

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___FILP_.hta

Family

cerber

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>CERBER RANSOMWARE: Instructions</title> <HTA:APPLICATION APPLICATIONNAME="4zv" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style type="text/css"> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .h { display: none; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a> <h1>CERBER RANSOMWARE</h1> Instructions </div> <div id="languages"> ☑ Select your language <ul> <li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li> <li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> Can't yoKfGAkMu find the necessary files? Is the cknZontent of your files not readable? It is normal beBcause the files' names and the data in your files have been encrypQV4MAy37HAted by "Cex8rSFVTwrber Ransomware". It meXRyyweOans your files are NOT damage6d! Your files are modified only. This modification is reversible. Fofrom now it is not poss3ewTRHible to use your files until they will be decrypted. The only way to decuaBz2Xlhrypt your files safely is to buy the special decryption software "Cf7CuioIerber Decryptor". Any attempts to restqore your files with the thirJVXfA6xcnd-party software will be fatal for your files! <hr> You can proc5aecV8y6eed with purchasing of the decryption softwqBUare at your personal page: Ple97ase wait...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/D232-7CE1-6CCB-0446-9BA2" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/D232-7CE1-6CCB-0446-9BA2</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/D232-7CE1-6CCB-0446-9BA2" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/D232-7CE1-6CCB-0446-9BA2</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/D232-7CE1-6CCB-0446-9BA2" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/D232-7CE1-6CCB-0446-9BA2</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/D232-7CE1-6CCB-0446-9BA2" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/D232-7CE1-6CCB-0446-9BA2</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/D232-7CE1-6CCB-0446-9BA2" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/D232-7CE1-6CCB-0446-9BA2</a> If tcuiohis page cannot be opened  cliZeck here  to get a new addrfECeBjRess of your personal page. If the addreD9bC6Uss of your personal page is the same as befoxt2Xare after you tried to get a new one, you cUuan try to get a new address in one hour. At thrBEis page you will receive the complete instr9Mq8cuctions how to buy the decryptiLron software for restoring all your files. Also at this page you will be able to resevFDttore any one file for free to be sure "Cerbe23lIRfBr Decryptor" will help you. <hr> If your per5UHP4sonal page is not availa1xjuUfkNLDble for a long period there is another way to open your personal page - instahZpwNllation and use of Tor Browser: <ol> <li>run your InteXzn9HtUC1Hrnet browser (if you do not know what it is run the Internet Explorer);</li> <li>entGer or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loadIzUdX6ing;</li> <li>on the site you will be offered to dobcRfpwnload Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>rucvOHKJZn Tor Browser;</li> <li>connect with the butt0NW9Bnecon "Connect" (if you use the English version);</li> <li>a normal Internet broJwser window will be opened after the initialization;</li> <li>type or copy the adduoEress http://p27dokhpz2n7nvgr.onion/D232-7CE1-6CCB-0446-9BA2 in this browser address bar;</li> <li>preqss ENTER;</li> <li>the site shoLqWuld be loaded; if for some reason the site is not loXhEsYsOTnmading wait for a moment and try again.</li> </ol> If you have any prSAoblems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searcmLfh bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use. <hr> AdditCEpMzional information: You will fil0Hnd the instruvYcKtctions ("*_READ_THIS_FILE_*.hta") for rezSEKezINu1storing your files in any fNsolder with your encMMrypted files. The instraHCNFTjuctions "*_READ_THIS_FILE_*.hta" in the fsmcUmNolderps with your encryw6kdNppted files are not virvuses! The instrucryYtions "*_READ_THIS_FILE_*.hta" will heAvmlp you to decyNHLp9WFbrypt your files. Remembe7JB9dhsPr! The worst siytuation already happj4JfCened and now the future of your files deEpends on your determ2R20bgT4ination and speed of your actions. </div> <div id="ar" style="direction: rtl;"> لا يمكنك العثور على الملفات الضرورية؟ هل محتوى الملفات غير قابل للقراءة؟ هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware". وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا. ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها. الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor". إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك! <hr> يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية: أرجو الإنتظار...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/D232-7CE1-6CCB-0446-9BA2" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/D232-7CE1-6CCB-0446-9BA2</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/D232-7CE1-6CCB-0446-9BA2" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/D232-7CE1-6CCB-0446-9BA2</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/D232-7CE1-6CCB-0446-9BA2" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/D232-7CE1-6CCB-0446-9BA2</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/D232-7CE1-6CCB-0446-9BA2" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/D232-7CE1-6CCB-0446-9BA2</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/D232-7CE1-6CCB-0446-9BA2" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/D232-7CE1-6CCB-0446-9BA2</a> في حالة تعذر فتح هذه الصفحة  انقر هنا  لإنشاء عنوان جديد لصفحتك الشخصية. في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك. في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك. <hr> إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor: <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان http://p27dokhpz2n7nvgr.onion/D232-7CE1-6CCB-0446-9BA2 في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه. <hr> معلومات إضyuXافية: سm2KhpqpHوف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة. الإرشnWادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك. تذكر أن أسوأ موfJقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك. </div> <div id="zh"> 您找不到所需的文件？ 您文件的内容无法阅读？ 这是正常的，因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。 这意味着您的文件并没有损坏！您的文件只是被修改了，这个修改是可逆的，解密之前您无法使用�

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___CZ8VU6_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/D232-7CE1-6CCB-0446-9BA2 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/D232-7CE1-6CCB-0446-9BA2 2. http://p27dokhpz2n7nvgr.14ewqv.top/D232-7CE1-6CCB-0446-9BA2 3. http://p27dokhpz2n7nvgr.14vvrc.top/D232-7CE1-6CCB-0446-9BA2 4. http://p27dokhpz2n7nvgr.129p1t.top/D232-7CE1-6CCB-0446-9BA2 5. http://p27dokhpz2n7nvgr.1apgrn.top/D232-7CE1-6CCB-0446-9BA2 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://p27dokhpz2n7nvgr.onion/D232-7CE1-6CCB-0446-9BA2

http://p27dokhpz2n7nvgr.12hygy.top/D232-7CE1-6CCB-0446-9BA2

http://p27dokhpz2n7nvgr.14ewqv.top/D232-7CE1-6CCB-0446-9BA2

http://p27dokhpz2n7nvgr.14vvrc.top/D232-7CE1-6CCB-0446-9BA2

http://p27dokhpz2n7nvgr.129p1t.top/D232-7CE1-6CCB-0446-9BA2

http://p27dokhpz2n7nvgr.1apgrn.top/D232-7CE1-6CCB-0446-9BA2

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://french-cooking.com/myguy.exe

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note

You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: 0520F875B250E63BDE30224DA2DD0CDB and pay on a Bitcoin Wallet: XtmxHRo8xkvaJ9FdNumLUARqsWvETHGCG5 total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: 0520F875B250E63BDE30224DA2DD0CDB this is code; you must send BTC: XtmxHRo8xkvaJ9FdNumLUARqsWvETHGCG5 here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Targets

- Target
  
  Documents/Ransomware.Cerber/cerber.exe
- Size
  
  604KB
- MD5
  
  8b6bc16fd137c09a08b02bbe1bb7d670
- SHA1
  
  c69a0f6c6f809c01db92ca658fcf1b643391a2b7
- SHA256
  
  e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678
- SHA512
  
  b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24
- SSDEEP
  
  6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01
Score

10^/10

cerber discovery evasion persistence privilege_escalation ransomware
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Contacts a large (1107) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1
- Target
  
  Documents/Ransomware.Cryptowall/cryptowall.exe
- Size
  
  240KB
- MD5
  
  47363b94cee907e2b8926c1be61150c7
- SHA1
  
  ca963033b9a285b8cd0044df38146a932c838071
- SHA256
  
  45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d
- SHA512
  
  93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068
- SSDEEP
  
  3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V
Score

3^/10
behavioral2
- Target
  
  Documents/Ransomware.Jigsaw/jigsaw
- Size
  
  283KB
- MD5
  
  2773e3dc59472296cb0024ba7715a64e
- SHA1
  
  27d99fbca067f478bb91cdbcb92f13a828b00859
- SHA256
  
  3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
- SHA512
  
  6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262
- SSDEEP
  
  6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX
Score

10^/10

jigsaw persistence ransomware spyware stealer
- Jigsaw Ransomware
  Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
  ransomware jigsaw
- Renames multiple (3817) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral3
- Target
  
  Documents/Ransomware.Locky/Locky
- Size
  
  180KB
- MD5
  
  b06d9dd17c69ed2ae75d9e40b2631b42
- SHA1
  
  b606aaa402bfe4a15ef80165e964d384f25564e4
- SHA256
  
  bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3
- SHA512
  
  8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c
- SSDEEP
  
  3072:gzWgfLlUc7CIJ1tkZaQyjhOosc8MKi6KDXnLCtyAR0u1cZ86:gdLl4wkZa/UDiD7ukst1H6
Score

10^/10

locky ransomware
- Locky
  Ransomware strain released in 2016, with advanced features like anti-analysis.
  ransomware locky
behavioral4
- Target
  
  Documents/Ransomware.Mamba/131.exe
- Size
  
  2.3MB
- MD5
  
  409d80bb94645fbc4a1fa61c07806883
- SHA1
  
  4080bb3a28c2946fd9b72f6b51fe15de74cbb1e1
- SHA256
  
  2ecc525177ed52c74ddaaacd47ad513450e85c01f2616bf179be5b576164bf63
- SHA512
  
  a99a2f17d9fbb1da9fb993b976df63afa74317666eca46d1f04e7e6e24149547d1ac7210f673caeae9b23a900528ad6ad0a7b98780eff458d3d505029a06e9ba
- SSDEEP
  
  49152:XM16E7qUoM5NWX7DP+1egOhcraQzK6j97V:c16/rM5oW1ZrRz
Score

1^/10
behavioral5
- Target
  
  Documents/Ransomware.Matsnu/Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_
- Size
  
  102KB
- MD5
  
  1b2d2a4b97c7c2727d571bbf9376f54f
- SHA1
  
  1fc29938ec5c209ba900247d2919069b320d33b0
- SHA256
  
  7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e
- SHA512
  
  506fc96423e5e2e38078806591e09a6eb3cf924eb748af528f7315aa0b929890823798a3ef2a5809c14023c3ff8a3db36277bc90c7b099218422aafa4e0c2ee0
- SSDEEP
  
  1536:jj+Rj1lGIXKSmE17v97yiqHGMRPtbsLW8/V2k12v1/BDxVyCfCrCAc:jjw6Sf0iqmMnb2W02v3mCf4Nc
Score

3^/10
behavioral6
- Target
  
  Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/027cc450ef5f8c5f653329641ec1fed9.exe
- Size
  
  353KB
- MD5
  
  71b6a493388e7d0b40c83ce903bc6b04
- SHA1
  
  34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
- SHA256
  
  027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
- SHA512
  
  072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
- SSDEEP
  
  6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG
Score

10^/10

mimikatz bootkit persistence spyware stealer
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- mimikatz is an open source tool to dump credentials on Windows
- Deletes itself
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral7
- Target
  
  027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.bin
- Size
  
  353KB
- MD5
  
  71b6a493388e7d0b40c83ce903bc6b04
- SHA1
  
  34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
- SHA256
  
  027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
- SHA512
  
  072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
- SSDEEP
  
  6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG
Score

10^/10

mimikatz bootkit persistence spyware stealer
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- mimikatz is an open source tool to dump credentials on Windows
- Deletes itself
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral8
- Target
  
  ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6.bin
- Size
  
  13KB
- MD5
  
  0487382a4daf8eb9660f1c67e30f8b25
- SHA1
  
  736752744122a0b5ee4b95ddad634dd225dc0f73
- SHA256
  
  ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6
- SHA512
  
  e1e7d81d54efd526139ea8ac792ed2035c8e70f040319c0b65f723431d31077c7a6927553890c99151f2354f51c4020ed94e0e2e5d56386c2fc4828e95869106
- SSDEEP
  
  192:ScIsmNvaHz65bP/U/njs3NH0Z0UvDVE6Az6XVHBycT6iLMUpJ2seCYHlfeb:SPXTmnjs3BU9A27BNLMUTb
Score

3^/10

execution
behavioral9
- Target
  
  fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.bin
- Size
  
  6KB
- MD5
  
  415fe69bf32634ca98fa07633f4118e1
- SHA1
  
  101cc1cb56c407d5b9149f2c3b8523350d23ba84
- SHA256
  
  fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206
- SHA512
  
  e40ad6adcbdfc47ebf0745aed10a5c6c64d5759a0164dbd7ffb64439deffe710c26a8fd91e8d205f3b2f0c417d70d4e82d5f91874bc6f8bbc9ff123b72c2e692
- SSDEEP
  
  48:3aT4qf+8xWmXLEEPjH3UNTaOOHG0WomFS/bOhkWTl:3w/xWjFazGMrzQ
Score

1^/10
behavioral10
- Target
  
  Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/myguy.hta
- Size
  
  13KB
- MD5
  
  0487382a4daf8eb9660f1c67e30f8b25
- SHA1
  
  736752744122a0b5ee4b95ddad634dd225dc0f73
- SHA256
  
  ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6
- SHA512
  
  e1e7d81d54efd526139ea8ac792ed2035c8e70f040319c0b65f723431d31077c7a6927553890c99151f2354f51c4020ed94e0e2e5d56386c2fc4828e95869106
- SSDEEP
  
  192:ScIsmNvaHz65bP/U/njs3NH0Z0UvDVE6Az6XVHBycT6iLMUpJ2seCYHlfeb:SPXTmnjs3BU9A27BNLMUTb
Score

10^/10

execution
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral11
- Target
  
  Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/svchost.exe
- Size
  
  704KB
- MD5
  
  d2ec63b63e88ece47fbaab1ca22da1ef
- SHA1
  
  dd52fcc042a44a2af9e43c15a8e520b54128cdc8
- SHA256
  
  e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5
- SHA512
  
  89d9e63d5f3b34be3d25317933031815a42c039fbee30ce8c86f8b1b7c6ca9ccfc8731da99b9246381a2c05a95ada423f4944ff72111eb0451a44e9dcb3e053e
- SSDEEP
  
  12288:rue4X2Uz0DsetgxLdsCHvX8XYJWs6XS1bFLDw1P86jZpMV7uikFg:v+2UzSgxLdsCHmQb6XSbFLDs06jZulus
Score

7^/10
- Drops startup file
- Drops desktop.ini file(s)
behavioral12
- Target
  
  Documents/Ransomware.Petya/Ransomware.Petya/26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe
- Size
  
  225KB
- MD5
  
  af2379cc4d607a45ac44d62135fb7015
- SHA1
  
  39b6d40906c7f7f080e6befa93324dddadcbd9fa
- SHA256
  
  26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
- SHA512
  
  69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99
- SSDEEP
  
  6144:DCyjXhd1mialK+qoNr8PxtZE6x5v+k6f:rjXhd8ZlKOrMZE6x5b6f
Score

6^/10

bootkit persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral13
- Target
  
  Documents/Ransomware.Petya/Ransomware.Petya/4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.bin
- Size
  
  788KB
- MD5
  
  a92f13f3a1b3b39833d3cc336301b713
- SHA1
  
  d1c62ac62e68875085b62fa651fb17d4d7313887
- SHA256
  
  4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c
- SHA512
  
  361a5199b5a6321d88f6e7b66eaad3756b4ea7a706fa9dbbe3ffe29217f673d12dd1200e05f96c2175feffc6fecc7f09fda4dd6bfa0ce7bef3d9372f6a534920
- SSDEEP
  
  24576:z0wz1d5bAbWhrc56zQ9T4Ole+5PIuklOjB:Hd5Vhr4IMTbeGPJHjB
Score

6^/10

bootkit persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral14
- Target
  
  Documents/Ransomware.Radamant/Ransomware.Radamant/DUMP_00A10000-00A1D000.exe.ViR
- Size
  
  52KB
- MD5
  
  6152709e741c4d5a5d793d35817b4c3d
- SHA1
  
  05ae9c76f8f85ad2247c06d26a88bbbcfff4d62e
- SHA256
  
  2c4c8066a1a7dfdf42c57ff4f9016f1ba05bcb004ff8b0ffc0989165d2ad30e2
- SHA512
  
  1e5ebd53ac942b0f06f759f936efebeeb9a74062647cd978d5112720f772f607b12ee20c02ab838104a7a947fef2fde79b0db944286d8daf2e6e6d16e10b9390
- SSDEEP
  
  768:UR/FcohAQFBY4JzKNkN3QZ0gGINlVOWcm:U1PhAQztJWNeCVOWc
Score

7^/10

persistence upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral15
- Target
  
  Supplementary Agreement 26_01_2016.scr
- Size
  
  91KB
- MD5
  
  b0625408735468e40f4af9472afcb35a
- SHA1
  
  ae8afddc982abc163147fc47bfd30f2340c56086
- SHA256
  
  9842ac7705c39546d9e153b5e014c16df061f306fd2b1904368cf8f503f4204c
- SHA512
  
  49e96828e92f142fb55fd301f9855a3965c2dc9e933e50eed0d7d9634771f3201a34704ceba419b5b941dd089306fa91aec36a841665ccc7abe649b95dd1e6ec
- SSDEEP
  
  1536:Rr346DHQyoOhwRY35OSmoKM+bBcql/UxyQKs1OiYI/3lHEKIp0+cNFyV:R86LaGccOSLK9qqli1aKKHcNe
Score

3^/10
behavioral16
- Target
  
  Documents/Ransomware.Rex/WTEpZSFwgb
- Size
  
  7.3MB
- MD5
  
  5bd44a35094fe6f7794d895122ddfa62
- SHA1
  
  98172e49c3d5d70ffdcefd071f9762c58430a393
- SHA256
  
  762a4f2bf5ea4ff72fce674da1adf29f0b9357be18de4cd992d79198c56bb514
- SHA512
  
  4033c7335a44a7536a3980aad8cf18ff6336186d71dd7b7f02c3d5c93001ed974285fe9fbbf783bc0abac3e3b3581993ad6d2ac285249aa24b0aafa261f74de8
- SSDEEP
  
  49152:mNLLdMtTbVDtCsN5laK2BfCDvI7ZR9kAs5dkPjU2NhYCWpdLJaDSfUGZnh7X3cM9:mNlMt1tCsN5LGfCL7ATfscS8QhXP
Score

1^/10
behavioral17
- Target
  
  Documents/Ransomware.Satana/Ransomware.Satana/683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.bin
- Size
  
  49KB
- MD5
  
  46bfd4f1d581d7c0121d2b19a005d3df
- SHA1
  
  5b063298bbd1670b4d39e1baef67f854b8dcba9d
- SHA256
  
  683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96
- SHA512
  
  b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5
- SSDEEP
  
  768:AbFw10RFnAwJM7MiqwecUaX5h4IuCdYa+XLXTGY1idL2WYiwtDj:Apw10vnAOIUaJh4IXdWXLXTWLfuFj
Score

5^/10
- Suspicious use of SetThreadContext
behavioral18
- Target
  
  Documents/Ransomware.Satana/Ransomware.Satana/unpacked.mem
- Size
  
  72KB
- MD5
  
  108756f41d114eb93e136ba2feb838d0
- SHA1
  
  8c6b51923ee7da2f4642c7717db95fbb77d96164
- SHA256
  
  b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c
- SHA512
  
  d13183e8ba4689475b0cb3f5cc7acbfba34a1ba661eb5988984647c2bd3e561cfa03f6267f60ae9fb2ca0783f26c105cdbcfc89def598c48968febef23c21aaa
- SSDEEP
  
  768:F9NJK3qZRhxXHIQBsLL16BKc+bBQZ/UMc2:rXzXol6cc+lQZMMc2
Score

10^/10

satana bootkit persistence ransomware
- Satana
  Ransomware family which also encrypts the system's Master Boot Record (MBR).
  ransomware satana
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral19
- Target
  
  Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370
- Size
  
  284KB
- MD5
  
  209a288c68207d57e0ce6e60ebf60729
- SHA1
  
  e654d39cd13414b5151e8cf0d8f5b166dddd45cb
- SHA256
  
  3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370
- SHA512
  
  ce4a7e42738154183fc53702f0841dfd4ad1eb0567b13cc1ff0909f1d330e9cd2fb994375efc6f02e7eddaaae1f465ff93458412143266afdaff1c6bf6477fc3
- SSDEEP
  
  3072:rYXT8PUsMNL8V4tD2My/JAAbQoM29wlV58lbNnolY7VgsYiVTPtiTu/q:rowUsML8g2j0o9wb0bNoaKsYImui
Score

9^/10

persistence ransomware spyware stealer
- Renames multiple (3999) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral20
- Target
  
  Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/51B4EF5DC9D26B7A26E214CEE90598631E2EAA67
- Size
  
  257KB
- MD5
  
  6e080aa085293bb9fbdcc9015337d309
- SHA1
  
  51b4ef5dc9d26b7a26e214cee90598631e2eaa67
- SHA256
  
  9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122
- SHA512
  
  4e173fb5287c7ea8ff116099ec1a0599b37f743f8b798368319b5960af38e742124223dfd209457665b701e9efc6e76071fa2513322b232ac50ddad21fcebe77
- SSDEEP
  
  6144:xy+als+0nIycigV5cbEo6dZbBODPIsjQ/UFsYW:xy+aCFnIycigVSbObBODTMUd
Score

1^/10
behavioral21
- Target
  
  Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/E906FA3D51E86A61741B3499145A114E9BFB7C56
- Size
  
  261KB
- MD5
  
  6d3d62a4cff19b4f2cc7ce9027c33be8
- SHA1
  
  e906fa3d51e86a61741b3499145a114e9bfb7c56
- SHA256
  
  afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18
- SHA512
  
  973643639cb02491b86d5b264ee8118a67d8a83453307aea95de2f4c6aa55819d37730c41dc3338116ebe86f9a4f2bba7d9537ea744ae08b9755f05c15153fad
- SSDEEP
  
  6144:93g0BQG+aZiycigV5bbEo6dZbBODPIsjQ/UFsYWo:93g0OGjZiycigVRbObBODTMUdj
Score

1^/10
behavioral22
- Target
  
  Documents/Ransomware.Vipasana/Ransomware.Vipasana/0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab
- Size
  
  370KB
- MD5
  
  2aea3b217e6a3d08ef684594192cafc8
- SHA1
  
  3a0b855dd052b2cdc6453f6cbdb858c7b55762b0
- SHA256
  
  0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab
- SHA512
  
  ea83fcb7465e48445f2213028713c4048ac575b9c2f7458a014c495bddb280be553a22b1056284efad7dd55c2a7837096755206581c67bb0183e4ac42160011a
- SSDEEP
  
  6144:oRzMgpY8bXFHW1FbwwEHidUoagoW2C9cuqBGI4Zq6mYlG8+rNfNQFoQGt485VY:uDRbXFHW1+K2UWBGIymY/+rheFOv
Score

8^/10

persistence ransomware spyware stealer
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral23
- Target
  
  Documents/Ransomware.Vipasana/Ransomware.Vipasana/c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a
- Size
  
  370KB
- MD5
  
  a890e2f924dea3cb3e46a95431ffae39
- SHA1
  
  35719ee58a5771156bc956bcf1b5c54ac3391593
- SHA256
  
  c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a
- SHA512
  
  664fb8075712912be30185d17d912dae148e778627e852affe1b1080bb9c8d5917e7b3c1d194e62ac6919c16235754f776523ba7ce95af38be86b61cc3e3d162
- SSDEEP
  
  6144:KRzMgpY8bXFHW1FbwwEHidUoagoW2C9cuqBGI4Zq6mYN8+G5l9PAzJdVeO2Ui:sDRbXFHW1+K2UWBGIymYG+i9A+ONi
Score

8^/10

persistence ransomware spyware stealer
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral24
- Target
  
  Documents/Ransomware.Vipasana/Ransomware.Vipasana/e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573
- Size
  
  329KB
- MD5
  
  adb5c262ca4f95fee36ae4b9b5d41d45
- SHA1
  
  cdbe420609fec04ddf3d74297fc2320b6a8a898e
- SHA256
  
  e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573
- SHA512
  
  dad3541217a7f1fde669441a3f987794ee58ae44e7899d7ed5ebdf59e8174e2924441ea8474701908071df74479a4f928b673c2d9086c67078a2a861b61ba754
- SSDEEP
  
  6144:TRzMgpY8bXFHW1FbwwEHidUoagoW2C9cuqBGI4Zq6mYN8+N6MSiF0Q5XNN:pDRbXFHW1+K2UWBGIymYG+zn
Score

8^/10

persistence ransomware spyware stealer
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral25
- Target
  
  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
- Size
  
  3.4MB
- MD5
  
  84c82835a5d21bbcf75a61706d8ab549
- SHA1
  
  5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
- SHA256
  
  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
- SHA512
  
  90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
- SSDEEP
  
  98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Sets desktop wallpaper using registry
  ransomware
behavioral26
- Target
  
  Documents/Ransomware.WannaCry/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
- Size
  
  3.4MB
- MD5
  
  84c82835a5d21bbcf75a61706d8ab549
- SHA1
  
  5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
- SHA256
  
  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
- SHA512
  
  90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
- SSDEEP
  
  98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Sets desktop wallpaper using registry
  ransomware
behavioral27