General
-
Target
001.7z
-
Size
8.1MB
-
Sample
240713-lf62zsvgrm
-
MD5
e2281da459ccdedea13c7b9d1a1d6c65
-
SHA1
3260aecbc39e921d931c7650bc1e107bb3820c76
-
SHA256
8ff8af7b31fe7ed58b2afc1b556c635c2ccdf20bce7ca371897dea490a8b5027
-
SHA512
1cb4303730daee0114b14c5df0dab37bba4d3472ab8ef937faacb0f482579a5745606a35b91101068ccb8a1efa99938e2dd390b16dc51d04287b3930cae06cdd
-
SSDEEP
196608:sYpuCLugda7Vv3QctuLolkvSLLx5yU5+jC:jpuSugQd7Zlm0LzyU5r
Behavioral task
behavioral1
Sample
001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
001e9cb57f9e922d7b0d92ec43b8b5e376c5ab6e4ea827b84c76e13c994fbbea.exe
Resource
win7-20240708-en
Behavioral task
behavioral3
Sample
00ace607a44cbcd3e0bcdfb0a6b5f27c834fce66b95ee987c28eb651da9c2464.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
0a20f03af50d14404b349279b3dc20886b1bf91419ede3f1b0c7fbdda579ae77.exe
Resource
win7-20240704-en
Behavioral task
behavioral5
Sample
0a6c62c139aa9baf898add2a10fada3d49f78b3089507b84e613868242e169b8.exe
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
0a747a5f771168c0c32e944da6d6d996f24284e4fb44eaea562b21266a9e3ac2.exe
Resource
win7-20240705-en
Behavioral task
behavioral7
Sample
0b02c55fbb40d7757b5808efe3fd1343f943bcefb92e0009689f4995e3eb26c0.exe
Resource
win7-20240705-en
Behavioral task
behavioral8
Sample
0b716abe15b17a114c2f12fab954c861f82165bb0868f863cfb8dc634f76be7f.exe
Resource
win7-20240708-en
Behavioral task
behavioral9
Sample
0b997e8b0d0ff6cc4e6f1919c6c0f3080eaa0d08c8fccdf50f7648bf05cca446.exe
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
0bb2957b2b8ed0a1c458da6edeaf5a48b2c1ecdd7d7ed33d00749ef1f5653b1e.exe
Resource
win7-20240708-en
Behavioral task
behavioral11
Sample
0bd9556e36c620bbedfafd2e76bb6703f069aa654e34008f2aef3b4a0ce6f874.exe
Resource
win7-20240708-en
Behavioral task
behavioral12
Sample
0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
Resource
win7-20240705-en
Behavioral task
behavioral13
Sample
0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
Resource
win7-20240705-en
Behavioral task
behavioral14
Sample
0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
Resource
win7-20240704-en
Behavioral task
behavioral15
Sample
0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
Resource
win7-20240704-en
Behavioral task
behavioral16
Sample
0cbb472b555d4cab454948ba900675db48b120afaedf246a14d87d970b233a43.exe
Resource
win7-20240708-en
Behavioral task
behavioral17
Sample
0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
Resource
win7-20240708-en
Behavioral task
behavioral18
Sample
0d9ea4a12d29d79b00bd3d0788f531642832b799bdc3baaebd0ee213cee4720e.exe
Resource
win7-20240705-en
Behavioral task
behavioral19
Sample
0dbfd3479cfaf0856eb8a75f0ad4fccb5fd6bd17164bcfa6a5a386ed7378958d.exe
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
0ddcce08b727ccbbae208459032f010956794a84b7f35e225b5bae927b0f6835.exe
Resource
win7-20240705-en
Behavioral task
behavioral21
Sample
0df9bd640ad5bb636095c524e54f9152bb84092889e720dcaa549e65dc3c1472.exe
Resource
win7-20240708-en
Behavioral task
behavioral22
Sample
0e524346835f7c208667a18699df3faf34fcf8a3cceab8a7418d3f88e87211e4.exe
Resource
win7-20240705-en
Behavioral task
behavioral23
Sample
0e767dfa6d7887e832225433ed8866195df94607ccb474868b9abbbf20843ae4.exe
Resource
win7-20240705-en
Behavioral task
behavioral24
Sample
0e82ed8dabc9bb697d3e2f7ba1ee8d5235d3501796fbc1cd79ccffe7df11d9a4.exe
Resource
win7-20240704-en
Behavioral task
behavioral25
Sample
0e98661ea680708e9bb55f32131f743811108e826b91cae99d69a8fc1856d429.exe
Resource
win7-20240704-en
Behavioral task
behavioral26
Sample
0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Resource
win7-20240704-en
Behavioral task
behavioral27
Sample
0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
Resource
win7-20240705-en
Behavioral task
behavioral28
Sample
0f18f6547a1c8e86963a9e9f9dd9e6e42bd506de21c034ec884c3b55a789ac57.exe
Resource
win7-20240704-en
Behavioral task
behavioral29
Sample
0f3d700c95b21e5437c0aedb3cacd787ce6701c49180d8d564e4574dffc42190.exe
Resource
win7-20240705-en
Behavioral task
behavioral30
Sample
0f54e0f3c3408647bf9844f9d97b64dbc62278091280b3d7bf1db5bdde3fc436.exe
Resource
win7-20240705-en
Behavioral task
behavioral31
Sample
0f5ace8adbaf1f05d0f5765166537ff4b77ea9f038cffbc08c16afd4cc869972.exe
Resource
win7-20240704-en
Behavioral task
behavioral32
Sample
0fc4a985aed460862a8f70dd982fadbd65ea0ad88fb58ced2d909f4264ab98f8.exe
Resource
win7-20240708-en
Malware Config
Extracted
C:\info.hta
http://www.w3.org/TR/html4/strict.dtd'>
https://pidgin.im/download/windows/</li>
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Extracted
C:\ProgramData\RyukReadMe.txt
Extracted
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\How to Recovery.bat
33j4JbAEzZwWGgA2MxBARD7zprJuNDP2hP
Extracted
C:\Jjf2IQlAQ.README.txt
Targets
-
-
Target
001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
-
Size
3.7MB
-
MD5
fcd18971f21cfd63598d5b3dec2b7a53
-
SHA1
8ad7f39746f236c606ebeaf1e085cadcaa7b35e5
-
SHA256
001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead
-
SHA512
d344fb8164907c772e40721ae9d7485a68deb34366c3161fe7f08bf552286a1b3f5cdb46092e7d8646d7eff3556f3196bcacc0f0716c3a6d062fd212a9351cf4
-
SSDEEP
24576:eEtl9mRda12sX7B9NRdpkhtIShJVVTyJNPtz:9Es1R3DCjVyB
Score 10/10
Modifies WinLogon for persistence
-
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
-
-
Target
001e9cb57f9e922d7b0d92ec43b8b5e376c5ab6e4ea827b84c76e13c994fbbea.exe
-
Size
155KB
-
MD5
b549a40b7426410c3cc3145e56ac24ed
-
SHA1
a5a2722ff785eb08c543f316fb3ec93272f55674
-
SHA256
001e9cb57f9e922d7b0d92ec43b8b5e376c5ab6e4ea827b84c76e13c994fbbea
-
SHA512
0cb1449f646ba2339b53e8ea9ec7074766ccd288b2facb59377452365aa57a7867bd22b2f66e3a6591e704bd376bfe5b771bd9b903f1cb8ac48f00836adc85e9
-
SSDEEP
3072:S5K/B0toLbQSNJhlxwsx89TSdBgjMqqDL2/TOKOPG:ScytwbtcTTSdBgQqqDL6SKT
Score 3/10
-
-
Target
00ace607a44cbcd3e0bcdfb0a6b5f27c834fce66b95ee987c28eb651da9c2464.exe
-
Size
4.2MB
-
MD5
98d4a021d297fc479a7badbb378907a0
-
SHA1
ff8fa169a1727ad4529f0e9ab957bb3a3a119b40
-
SHA256
00ace607a44cbcd3e0bcdfb0a6b5f27c834fce66b95ee987c28eb651da9c2464
-
SHA512
df158667cdc3f78cebf48397dd0a48aa66d928b8e74e10d28e96be88cbceaad3604fd9e1ca9d7091407b267548d02d268a4c75af6315b53470a761808aad826b
-
SSDEEP
98304:oXB4uluJRmMg6QWlIpgi0rHqsih/mCqJ4B4uluP:ovsJR0TW6yiIKRhzqOsP
Score 7/10
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
0a20f03af50d14404b349279b3dc20886b1bf91419ede3f1b0c7fbdda579ae77.exe
-
Size
16.0MB
-
MD5
f89692198bfc2d2c0f96ae539f1f20ff
-
SHA1
5000a45154ae471680f586b51cc2996e3ab8e65a
-
SHA256
0a20f03af50d14404b349279b3dc20886b1bf91419ede3f1b0c7fbdda579ae77
-
SHA512
270bdd5b60b68ff612aacd8f1c8edc7383c431307a7a41372b787dc5d0d8e9befe953b784476ac3bcfdf63b2c90d1371b77f46ac8008076240aef5e00e1185c4
-
SSDEEP
3072:S5K/B0toLOSNJmlxwsx89TSdBgjMqqDL2/TOK21Gl:ScytwbFTTSdBgQqqDL6SKZ
Score 1/10
-
-
Target
0a6c62c139aa9baf898add2a10fada3d49f78b3089507b84e613868242e169b8.exe
-
Size
70KB
-
MD5
b9bb0a0cff8d16143c50af7c71b22f5d
-
SHA1
89dc77a9ef0294b99ce849c2145f9d5139025480
-
SHA256
0a6c62c139aa9baf898add2a10fada3d49f78b3089507b84e613868242e169b8
-
SHA512
d1da8fa0267b5efbfb0c1d94ac1fc1813f41e0cea062b9c10ee9b6a123afc5d496729d63a7b5a27d931f638ddc8b9ad89b2c3049e0603a9b23405a07cd81c1be
-
SSDEEP
1536:zZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:id5BJHMqqDL2/Ovvdr
Score 6/10
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
0a747a5f771168c0c32e944da6d6d996f24284e4fb44eaea562b21266a9e3ac2.exe
-
Size
92KB
-
MD5
07a14116ac737b484efd8184ee716109
-
SHA1
18a51e12e7f37dd04429482e219883bb044e2e42
-
SHA256
0a747a5f771168c0c32e944da6d6d996f24284e4fb44eaea562b21266a9e3ac2
-
SHA512
4a7f8ff122a06d9159f89a3b570de49b84e31cca11dd2324784e37d4926a021e365981d2300bfb767ca49edae22820c94ebb911b3b21615fc009318c752602d2
-
SSDEEP
1536:tBwl+KXpsqN5vlwWYyhY9S4Acc+zVDSmrJA0OGfzbrB5e:Hw+asqN5aW/hLpwpHTe
Score 1/10
-
-
Target
0b02c55fbb40d7757b5808efe3fd1343f943bcefb92e0009689f4995e3eb26c0.exe
-
Size
10.0MB
-
MD5
ae3a625b9d6bf29b465d56502b22b7b1
-
SHA1
232d769ae3b52efe6c2cf831cc2880bca34d44f2
-
SHA256
0b02c55fbb40d7757b5808efe3fd1343f943bcefb92e0009689f4995e3eb26c0
-
SHA512
bc607a19544ab5d85956605917dd82baf3ebb620c036a7716cc970719b328892964aa1a3312c3864845756b38664d3e7b1a51bb54c7cae7d31d22cd4087a1390
-
SSDEEP
49152:FwaYoE4htZYBl+OHJ1V4dYFgZPsv97H4numCM1+7:SaYoE4htZ2p8dfZPs54numh1+
Score 7/10
-
-
Target
0b716abe15b17a114c2f12fab954c861f82165bb0868f863cfb8dc634f76be7f.exe
-
Size
22KB
-
MD5
bffd46a9c588683c66b6f4c0dba865c7
-
SHA1
ac4eb4cdc14f374935a8cd72976da47bd941dbb1
-
SHA256
0b716abe15b17a114c2f12fab954c861f82165bb0868f863cfb8dc634f76be7f
-
SHA512
bf2bdd9dc55d548e4b0c0e381095a405e4639a3d94028e4a9212aaffd4f17f43313c1056dcc0f1da9a56edd90f8e93d03aad2497063e80701af5759e97fccfd6
-
SSDEEP
384:m3Mg/bqo2CGVdKXqpVOjuwzUbJlr91CQJc3zDeN:Uqo2RnKXqpIjKtlr9AXeN
Score 10/10
Chaos Ransomware
-
Renames multiple (206) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
-
-
Target
0b997e8b0d0ff6cc4e6f1919c6c0f3080eaa0d08c8fccdf50f7648bf05cca446.exe
-
Size
58KB
-
MD5
d458a2f85bc1330f13acccd63d88d015
-
SHA1
2604402597e41faa97db737fe0fb4166864752ad
-
SHA256
0b997e8b0d0ff6cc4e6f1919c6c0f3080eaa0d08c8fccdf50f7648bf05cca446
-
SHA512
5e89c3541022d31df8d7d2b15522734649796428ba6842182ab59988d3ea5679e1f8b2903b4e7646785c46c8d41b5e99031a4875a340e9be84362b63797e1c99
-
SSDEEP
1536:hNeRBl5PT/rx1mzwRMSTdLpJ5mwnf+viID/:hQRrmzwR5JUD/
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (317) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies Windows Firewall
-
Drops startup file
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
-
-
Target
0bb2957b2b8ed0a1c458da6edeaf5a48b2c1ecdd7d7ed33d00749ef1f5653b1e.exe
-
Size
88KB
-
MD5
bcf73d0b807d66634d7d25f399fa8ffe
-
SHA1
3db3790b46e2d430374f6c40e7ce25e633696b75
-
SHA256
0bb2957b2b8ed0a1c458da6edeaf5a48b2c1ecdd7d7ed33d00749ef1f5653b1e
-
SHA512
0750fe4212f1bc7a16a426f6c363797e926656f7f27cc2bc5d5f624a436b3a075263ca29fa609696d7ef2d18b79ef7da4998c75a36c9bda2bd2beb456ae08f31
-
SSDEEP
768:Hqo2MgNp4wBAQr9uNev2SU2Ip4jBqltCF0AxEjenoB69+Fx:Ko2g0AQr9usv2SFHBWAxEjc+
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (208) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
-
-
Target
0bd9556e36c620bbedfafd2e76bb6703f069aa654e34008f2aef3b4a0ce6f874.exe
-
Size
155KB
-
MD5
6827dfd481743d41ed35fb36740c0db7
-
SHA1
a3739fad76445b8e95970a7ae1638b8e7377c99d
-
SHA256
0bd9556e36c620bbedfafd2e76bb6703f069aa654e34008f2aef3b4a0ce6f874
-
SHA512
9a149ba007eb8f7b6160f5637d578dcc8b28d3bc36e8cb78d354a96b726431202a8d6230599bf28528cefb9cb2567b0eaf2ded3cfb4cda3a8996166f7a6cd5a4
-
SSDEEP
3072:l5K/B0toLQSNJ7lZHQsozTS+SMqqDL2/TrK/uG:lcytwtJ1yTS+xqqDL6HKX
Score 3/10
-
-
Target
0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
-
Size
97KB
-
MD5
8881f3e50b9f1bcb315769e24b76a3cc
-
SHA1
f6f21445663a197b8f88a7a2fdbc4cbe2bf3be51
-
SHA256
0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1
-
SHA512
dde4d848499dd0eb92982358ad2990a82c22e2c1738a0387ca03dfadfd602b9fe429570815acf648aebc11e5337b1bc44b77e58f4aabd2f9ca5be88f6a34111b
-
SSDEEP
1536:JxqjQ+P04wsmJCf5HqwoOFcqZNeRBl5PT/rx1mzwRMSTdLpJ1M:sr85CfxbtcSQRrmzwR5JS
-
Detect Neshta payload
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (329) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies Windows Firewall
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
-
-
Target
0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
-
Size
3.1MB
-
MD5
76b466c9387684239681d8774bb5956b
-
SHA1
ed773e756932dc3af27e235b4bf7993781665a92
-
SHA256
0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286
-
SHA512
d6b83126b27532e56c39b7253668a4540baf29916105955937132c01fc11096b297f7abe545094823cac2c0e65fcf2282997e1bdb594d6fe99a342812d9bf42c
-
SSDEEP
12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCe:eEtl9mRda12sX7hKB8NIyXbacAfF
Score 10/10
Modifies WinLogon for persistence
-
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
-
-
Target
0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
-
Size
3.2MB
-
MD5
debf24ccdc00420e4a88454338f1c726
-
SHA1
1674f180860cbe61b1cfc30c48582461ead73347
-
SHA256
0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a
-
SHA512
7cc073387610f5a993ec53857563946b7779111a62c80aad338b0ebce8fe437bcaaf71767815aa439ad0f848b288b6d2f36b4543c42e25f048a9a3cd4689ac48
-
SSDEEP
12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCw:eEtl9mRda12sX7hKB8NIyXbacAfR
Score 10/10
Modifies WinLogon for persistence
-
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
-
-
Target
0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
-
Size
2.4MB
-
MD5
a949330481ec49db59a0406c4deebee4
-
SHA1
f2c8921b8acf3779f05679f51c279c120fb48919
-
SHA256
0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2
-
SHA512
13763fa20ad8fb76fc86168fe5c2fed13b76eb4831a251cb1c43431d03e43f6f14b89372d24137883717e15f3d14b8e7e7c651ae99364a35d6966a01a50bfb14
-
SSDEEP
12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCL:eEtl9mRda12sX7hKB8NIyXbacAfU
Score 10/10
Modifies WinLogon for persistence
-
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
-
-
Target
0cbb472b555d4cab454948ba900675db48b120afaedf246a14d87d970b233a43.exe
-
Size
92KB
-
MD5
a0dd1dfbac4b2aaed94b2065a9c9f30c
-
SHA1
b797000407eb333dc80777dd088204179b62fb5c
-
SHA256
0cbb472b555d4cab454948ba900675db48b120afaedf246a14d87d970b233a43
-
SHA512
13949bcbd0a6d7efee4e466f9f8818bd4b0643f8bc1116cd302b9b72808dbe018e30aa36d1edd4474ebf590d5d29438247f391988b6b2b5a5188d79a47ae1229
-
SSDEEP
1536:mBwl+KXpsqN5vlwWYyhY9S4AQp27xRgjGri0wEeKirLWP6d7cH:Qw+asqN5aW/hL+pwl2RsivPd
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (324) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
-
-
Target
0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
-
Size
885KB
-
MD5
6a5bf25ff4f72ebca91280ffda057260
-
SHA1
722063331acdbfc93ccbfacbec045800a835dd9e
-
SHA256
0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09
-
SHA512
64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42
-
SSDEEP
12288:Qm+PiUwyM02Jl5YqWYgeWYg955/155/0QebUlAAsrsKCQoZRn6X:Q5iUtklagQKUKRrsKCQON6
-
Clears Windows event logs
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (8366) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables Task Manager via registry modification
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points
-
Drops startup file
-
Modifies file permissions
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Hide Artifacts: Hidden Files and Directories
-
-
-
Target
0d9ea4a12d29d79b00bd3d0788f531642832b799bdc3baaebd0ee213cee4720e.exe
-
Size
362KB
-
MD5
ef1bff9e70e5cb2362ed58479484eab0
-
SHA1
f5625e3928bde215cc03b2c9ad1c9b131627a1ca
-
SHA256
0d9ea4a12d29d79b00bd3d0788f531642832b799bdc3baaebd0ee213cee4720e
-
SHA512
cc25dadb8de2bd7c1b8e97459ced2701adea2cc4daab54a7d1695bf86aa448e6f5b9c3914e7bd8c8facc5c2bc260da4f1efdaac5d7efc720db1139bedad05b3d
-
SSDEEP
6144:NqRfEPqxpc7xSPyRft/C0kbxuci4CdlzRepmnlhT5gtU/zPFVUuQtqWg2:ZqxpCxSa1t8alz6mnrzPFiuHK
Score 1/10
-
-
Target
0dbfd3479cfaf0856eb8a75f0ad4fccb5fd6bd17164bcfa6a5a386ed7378958d.exe
-
Size
217KB
-
MD5
e307123c3012248c4f7eac48b5c803c0
-
SHA1
13cad899944c5267b1de0aecd6a6964c3e2696c2
-
SHA256
0dbfd3479cfaf0856eb8a75f0ad4fccb5fd6bd17164bcfa6a5a386ed7378958d
-
SHA512
c8e6b07a9dda7e71417f185a723b9874e7564379184c744f547f32a6108f18d18e0e81c9cd5520e1bbb0c98453484dfec92b041323c7e67eb64da9edbcb08e63
-
SSDEEP
3072:phXD6M9my8NbPYOBLujYx5I8XDZW0956w/J+UdSZWD/rcV9YHcqM3:phT6+mntYOJ9FR60hd/D/rcV9c
Score 6/10
Adds Run key to start application
-
Sets desktop wallpaper using registry
-
-
-
Target
0ddcce08b727ccbbae208459032f010956794a84b7f35e225b5bae927b0f6835.exe
-
Size
70KB
-
MD5
7bd74c234b2b0a783340f7bc8f273c84
-
SHA1
5b55082a53e2f2cf5c4badf8e93da0717bd90f67
-
SHA256
0ddcce08b727ccbbae208459032f010956794a84b7f35e225b5bae927b0f6835
-
SHA512
82d49384f879c42ed41a208e6ebcef990abda1ca3de1a83e683c1ee718c6c0c72f833027d4c57ef2f6dc4e5b9cf7f481dc0051ce093a4b347e40e02d1a712817
-
SSDEEP
1536:hZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:Id5BJHMqqDL2/Ovvdr
Score 6/10
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
0df9bd640ad5bb636095c524e54f9152bb84092889e720dcaa549e65dc3c1472.exe
-
Size
1.9MB
-
MD5
bca775f0297bc8138b54f182d1e6aed2
-
SHA1
31351fe925ce97d44fb1a779b391a76e6859da6b
-
SHA256
0df9bd640ad5bb636095c524e54f9152bb84092889e720dcaa549e65dc3c1472
-
SHA512
1f817242b47e645826c43c296a849d80dc29a2ac33beaff7a96604b5a96fe64cf34eef7b300ba110b1c265332b6150ed8dafa66b60dd602c176d023d63e65136
-
SSDEEP
24576:CSndG2iSNjN2w9Os9cRfO/d8mT6c6aVqwPhUMel842:HfJqsgXmgyJPu2
Score 1/10
-
-
Target
0e524346835f7c208667a18699df3faf34fcf8a3cceab8a7418d3f88e87211e4.exe
-
Size
2.8MB
-
MD5
efe70e514cf869d4b46cee676c74ba2e
-
SHA1
2d00e444cc2f1bd39952f830bc471be100e2b0d5
-
SHA256
0e524346835f7c208667a18699df3faf34fcf8a3cceab8a7418d3f88e87211e4
-
SHA512
868a5c96d3b692779502ad2e28260a17a4af247b2e8140753032285971455d8a178cc48b3ffc9f92a48671bd42c3b696cdf2f343239b78a4b77a09696f9bf7cb
-
SSDEEP
24576:BS4lQMNWi3VesNY8106qPN4K3P0QcejoMZLyiTtiFfkOfE/S:BSy6PX3PpM+P5IdIS
-
Chaos Ransomware
-
Detect Neshta payload
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Disables Task Manager via registry modification
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
-
-
Target
0e767dfa6d7887e832225433ed8866195df94607ccb474868b9abbbf20843ae4.exe
-
Size
6.4MB
-
MD5
2f15750b2abd86157c676cd18987c3c9
-
SHA1
709ac17f0844f0eccd1d2ec5e75ffbd84b29cc74
-
SHA256
0e767dfa6d7887e832225433ed8866195df94607ccb474868b9abbbf20843ae4
-
SHA512
757919fd463a1e3fcb49af9dd3cf1b1d33d144ee34814cb9d0d18cac3ed9a873fcc0825dc4c75748f0f89ebe87c59b03445477e0415c09622e38632d7c5d8c58
-
SSDEEP
6144:YE9l9yzqIYVTH5DgSg8ajldktM0XXrs2QhMV9qb:YibLgPluxQhMb
Score 10/10
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
-
Drops file in System32 directory
-
-
-
Target
0e82ed8dabc9bb697d3e2f7ba1ee8d5235d3501796fbc1cd79ccffe7df11d9a4.exe
-
Size
362KB
-
MD5
3c13842d28a4e2577c6c0e5bd65228b6
-
SHA1
32c9462b0805f0622dd81ec1a890553db96607ab
-
SHA256
0e82ed8dabc9bb697d3e2f7ba1ee8d5235d3501796fbc1cd79ccffe7df11d9a4
-
SHA512
5f91303cdf4c7f276ad1b5e2888a4be07ed9ae3958e8ffe0412ab0f49d528dbccb6f4cf7270df75ba22cc4de65208aec08c6379d34b45f33650dc4e8bf656e34
-
SSDEEP
6144:gAwjJA2gls1IVOkZiWaiUzz9m/nSenhb9oSJwIB/QXwPihQpqAuk:XwVALu2zm90n3nBQXwKhv8
Score 1/10
-
-
Target
0e98661ea680708e9bb55f32131f743811108e826b91cae99d69a8fc1856d429.exe
-
Size
31.5MB
-
MD5
6569fd60f73e5705f4c28ab59d86fb39
-
SHA1
7159be53512f91b2aeabe5c15a54d95955eb4d6a
-
SHA256
0e98661ea680708e9bb55f32131f743811108e826b91cae99d69a8fc1856d429
-
SHA512
9fc0dcd04779bb99569449dab031513d4404e3ef15d7d0db988bf9537bf1945f72bd83a5768ccc494d013f16c47e0c0a95a12c2258b33ea1bcc4cfe1e93ead4f
-
SSDEEP
6144:ScytwbnTTSdBgQqqDL6SK+iZz+FF4X4sYN+Qaf3AVwbLW:vyinTqn6r+iZz+v4+9M
Score 1/10
-
-
Target
0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
-
Size
146KB
-
MD5
c4944d000475c9c6b515e030b59652c9
-
SHA1
eaf2695c872913f35a450b11a7b5f58d848d0735
-
SHA256
0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5
-
SHA512
e41e21ef56cb097c78b7b8a48d54e9d611e863da5a15d14d8fb11c7975348c71708ccb9d491f00a682874dd6667fa2252ba3568b3d06fa2c2600648838d080fd
-
SSDEEP
1536:KzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDmi3rNHUmVNypY2hamdb2SxsUyz:5qJogYkcSNm9V7DmCymVoRwmd/qT
Score 10/10
Renames multiple (189) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
-
Size
2.8MB
-
MD5
dc2906e5bcdea645e2339b9f74027a20
-
SHA1
26f846b2ea394b0005f2254fb6d56d5534f467d8
-
SHA256
0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268
-
SHA512
6e28b4e954eaa3f246ef334cd4adfd9e9af49e7fc782cf254b5934c93423b93b113195d8f98bad46587a5dca0e876f5888559bcd486c9599ae7e4fc13c47d100
-
SSDEEP
12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCo:eEtl9mRda12sX7hKB8NIyXbacAfT
Score 10/10
Modifies WinLogon for persistence
-
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
-
-
Target
0f18f6547a1c8e86963a9e9f9dd9e6e42bd506de21c034ec884c3b55a789ac57.exe
-
Size
23KB
-
MD5
4cc6ec4d961a14c4fc4b45dfe939ca00
-
SHA1
7a115dcc3ca91877b70de091b122259503d7109f
-
SHA256
0f18f6547a1c8e86963a9e9f9dd9e6e42bd506de21c034ec884c3b55a789ac57
-
SHA512
9bcdb453be961b88ae3a85a9d68e8f2e8ea6394e27641a46f4a28c9b56133cf97f5cf74699feab475563f5e9617120dffa944c8d3554d06749071e104cd237fd
-
SSDEEP
384:m3Mg/bqo2uda2duoiXslkpaDKB+98SJer91CCob5LeU:Uqo2ka2kAkpaDuNGer9pobJeU
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
-
-
Target
0f3d700c95b21e5437c0aedb3cacd787ce6701c49180d8d564e4574dffc42190.exe
-
Size
1.9MB
-
MD5
2c6f8e680a400cb2b5426090ccbdea93
-
SHA1
47a691c438547b27fac9896f3783026d8be4dbe9
-
SHA256
0f3d700c95b21e5437c0aedb3cacd787ce6701c49180d8d564e4574dffc42190
-
SHA512
48a70440e4009c4ab2a913ee3b9dc24b73ab4413cc82f5e8194f1cca87ead356de1de90c461c9109afa5f690cb0c9365f49a5ea83f54b4ad97c4287346237f03
-
SSDEEP
24576:CSndG2iSNjN2w9Os9cRfO/d8mT6c6aVqwPhUMel84Mn:HfJqsgXmgyJPu
-
Chaos Ransomware
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
-
-
Target
0f54e0f3c3408647bf9844f9d97b64dbc62278091280b3d7bf1db5bdde3fc436.exe
-
Size
362KB
-
MD5
21ba47cee02f4b2fa523f4acc81539d0
-
SHA1
fa0a9c6a10aa5cb581cd9422afeb9dcf739c414c
-
SHA256
0f54e0f3c3408647bf9844f9d97b64dbc62278091280b3d7bf1db5bdde3fc436
-
SHA512
b0e27054b3d37b6e558bee48690af6f1f694e806789d530d66ea84b64e085606c08ae1674b94991c895e187ff44915f3c369f4392684eb908267d21ee7bd3bf0
-
SSDEEP
6144:QlgEenwKdnC0rrdGSkFFMMy0qzpBMYlDB/PA1K/Nk6F3wYQRq83a:xEsbE0rRQep5lxN3FAYHd
Score 1/10
-
-
Target
0f5ace8adbaf1f05d0f5765166537ff4b77ea9f038cffbc08c16afd4cc869972.exe
-
Size
70KB
-
MD5
6933fffefd94b7e16bcb04a498c82da6
-
SHA1
6f4f45bdba6379f7df52326f8754995c28a9b335
-
SHA256
0f5ace8adbaf1f05d0f5765166537ff4b77ea9f038cffbc08c16afd4cc869972
-
SHA512
71588385c4f48942ad88f6dffdedbe5e3c76b6b79adadb7621bcc60406b3d4930e109efa56ea6b9fbe44a4ef9ecdaff93a51ab9de4ccdd6c15d52ec8dc85a1c9
-
SSDEEP
1536:RZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:4d5BJHMqqDL2/Ovvdr
Score 6/10
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
0fc4a985aed460862a8f70dd982fadbd65ea0ad88fb58ced2d909f4264ab98f8.exe
-
Size
155KB
-
MD5
6dc42bf3bdd770e5506c5f5a51472e4a
-
SHA1
643765b078c8fb6ea6b6cb664c78d49244dd1921
-
SHA256
0fc4a985aed460862a8f70dd982fadbd65ea0ad88fb58ced2d909f4264ab98f8
-
SHA512
a80d6fbeaedf1b77db531c87c19e795c9cfe69081e48120f2540d29d36ef683c1d023d6662dd99be3a5f24a1bab770f690dcf0d59a6378cbd4a6b72cf040e9ee
-
SSDEEP
3072:l5K/B0toLVSNJrlZHQsozTS+SMqqDL2/TrKnFG:lcytwIJ1yTS+xqqDL6HKI
Score 3/10
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- System Services (1)
  - Service Execution (1)
- Windows Management Instrumentation (1)

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Netsh Helper DLL (1)
- Power Settings (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- Direct Volume Access (1)
- File and Directory Permissions Modification (2)
  - Windows File and Directory Permissions Modification (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Indicator Removal (4)
  - File Deletion (3)
- Modify Registry (5)