Resubmissions

13-07-2024 09:54

240713-lxcvgawdmn 10

13-07-2024 09:52

240713-lv46yawdkj 10

13-07-2024 09:46

240713-lrz3tayajc 10

General

  • Target

    New fol76der (2).7z

  • Size

    13.9MB

  • Sample

    240713-lxcvgawdmn

  • MD5

    98ceaf94ea13b449faa32b08b1b7ae12

  • SHA1

    746943a01e944ec3d80e469d3f17307194e972ee

  • SHA256

    0d9fcb8894240750cb5e4222ea78572aba6618eb5297c2069588ceb979d52d8b

  • SHA512

    d463c4ed99b7b687ad7fabeb8d4da68042cc1d495cc558fb5c8548efd19b1cae5b733192899de9dcb67417ca5bef3349945cef6e6fa9748d3f739a5f973bf05f

  • SSDEEP

    393216:nUwf43Cv30IES/FQeIrZ8ozAxcY04KZ7ZwMFniW:NbcQTILscY/KZ7biW

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Extracted

Path

C:\ProgramData\Microsoft\ClickToRun\ProductReleases\C68DE18F-1307-4A05-B9C1-59F89A4D8AE4\SkynetData.txt

Ransom Note
------------------------ ALL YOUR FILES ARE ENCRYPTED ------------------------ Don't worry, you can return all your files! All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees do we give to you? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information Don't try to use third-party decrypt tools because it will destroy your files. Discount 50% available if you contact us first 24 hours. T0 get this software you need write on our e-mail: [email protected]

Extracted

Path

C:\RESTORE_FILES_INFO.txt

Ransom Note
What Happen to my computer? DONT USE GMAIL.COM FOR CONTACT US Your important files are encrypted. Many of your documents, photos, passwords, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for way to recover your files , but do not waste your time. Nobody can recover your files without our decryption KEY (if somebody will tell that they can do it, they will also contact me and I will make the price so much expensive than if you contact directly). !!!THE DATARECOVERY COMPANIES JUST WANT YOUR MONEY!!! !!DATA RECOVERY COMPANIES WILL ONLY INCREASE THE DECRYPTION TIME!! Can i Recover My Files? Sure. We guarantee that you can recover all your files safely and easily But You have not so enough time . So If you want to decrypt all your data, you need to pay .As fast you pay as fast all of your data will be back as before encryption. Send e-mail to this address: [email protected] You have to pay for decryption in Bitcoins. ATTENTION Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. If you want to try datarecovery company just ask for testfile.They have to give it for you if they can do something. They will not. 
Key Identifier: dRvYcbNjYeNlBJSdlbUwD4wdas2qQui4amSsV6T0PUCmC/+uTR2uXk/5gNkx5NE5gDZBk6gpx6SSbTHzDbdIvVI2k4RowMueR6xsUcsxzC9dcnku6Z1djsOC7OE8VgeqyGlIqCKLXdavE+tpxkwuQQhlzdOIte1VqeJ7Y7X5jE6c8ekHy+pgjt2/gdCaqF0K+VLwjxxjJ4Lv9xRsX8dW0ud1jPIq9SANSjbPyP2MziDNid4+Xml5ObEQuRRUYpJRdFFDZdrTMSfLE7Ca3SPktrx/tIFHOdzpwzpnv+7LAPa5LAxiw6cTJq/KnIklv36rq4oL6Kir2C1S7bLqM5AKEaUJD5QQ6f2f92MeIybwHX/KfgnrHFwG7zbvoajq3WUSHbuy7UT7B4omfi/+cea2TeeNi87d/BKI3t36hOeXBvxz1TbqRUX2jwSDmTCcS899ROGKUSyK/YusmvGYuWHxY8G5ygYLmuZU0p0dXr1hY5/UdbBeQe2ZxlbBaeq2afFXnJ/wHnKq1LtH6OopWqk2vRBGeR1+VNvxRd+18qGxE/RrP7H2kmDgL0c8DqEwVrl/z3KGVhgl7yKY7hWxHLpjF3/+CDp3UBs7vmZKF+tu7HylRJPop9SbkquCB7DN9jwesxsNmoAv/qH6T7bfo0ESdZ7wKxI4zJQEGX5vB2+Jv5U=

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Ransom Note
What Happen to my computer? DONT USE GMAIL.COM FOR CONTACT US Your important files are encrypted. Many of your documents, photos, passwords, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for way to recover your files , but do not waste your time. Nobody can recover your files without our decryption KEY (if somebody will tell that they can do it, they will also contact me and I will make the price so much expensive than if you contact directly). !!!THE DATARECOVERY COMPANIES JUST WANT YOUR MONEY!!! !!DATA RECOVERY COMPANIES WILL ONLY INCREASE THE DECRYPTION TIME!! Can i Recover My Files? Sure. We guarantee that you can recover all your files safely and easily But You have not so enough time . So If you want to decrypt all your data, you need to pay .As fast you pay as fast all of your data will be back as before encryption. Send e-mail to this address: [email protected] You have to pay for decryption in Bitcoins. ATTENTION Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. If you want to try datarecovery company just ask for testfile.They have to give it for you if they can do something. They will not.

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

67.213.221.18:7812

Mutex

KFoYp486ql6lO6U0qI

Attributes
  • encryption_key

    OtItMK9boIZNOQTejUzg

  • install_name

    Windows Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update

  • subdirectory

    Windows Services

Extracted

Path

C:\Users\Admin\Documents\PLEASEREAD.txt

Ransom Note
WELCOME, DODO has returned AGAIN. Your files have been encrypted and you won't be able to decrypt them. You can buy decryption software from us, this software will allow you to recover all of your data and remove the ransomware from your computer. The price of the software is $15. Payment can be made in Bitcoin or XMR. How do I pay, where do I get Bitcoin or XMR? Purchasing cryptocurrency varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin or XMR. Payment information: send $15, to one of our addresses, then send us email with payment confirmation and you'll get the decryption software in email. Email Address : [email protected] BTC address: bc1qsht77cpgw7kv420r4secmu88g34wvn96dsyc5s XMR address: 44GUTQ7WqysSjLDCXfTnsYLCVJNGp67AECA9kTrAvjYCNz3ScZkYXZKP2EbR3DfbXPUYw6bMkaBuYCd6PdJCYngr4WtCeFt

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note
TuRKey_RanSOmWarE All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0,022 BTC Bitcoin Address: bc1qxwnqayk77nha5509swmclfzgkas6gc9t8xjj64

Extracted

Path

C:\Users\Admin\Desktop\read_it.txt

Family

chaos

Ransom Note
----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Extracted

Path

C:\Users\Admin\Desktop\read_me.txt

Family

chaos

Ransom Note
----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Targets

    • Target

      0778d2ae6074545731b471360877b58c89ba0aaca6a0ffdb25694340c910cc93.exe

    • Size

      328KB

    • MD5

      b00f66d6e5f0c0daa86a03f1106920f8

    • SHA1

      f7444b3934ce61c65c658a06c3a98aa9f08729e6

    • SHA256

      0778d2ae6074545731b471360877b58c89ba0aaca6a0ffdb25694340c910cc93

    • SHA512

      da18b638ec68a706a92d06551eed74afaa9da3a3d1f7e11361b50413c06b26fd5df862fb36a8e4290c3a8dead12fcfb8692d2a0e667bcf3355a614efdc9a0899

    • SSDEEP

      6144:eGEjbL0hiIO18+LDCvzCnQHw67feMv8KiPuTL94:eZJIOG+vCvnJ8tPuF4

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Target

      2005110ee806a4fb40e00fe6c76af3527e3d66cd828723ee39529942812b8924.exe

    • Size

      1.9MB

    • MD5

      f0fd67c94f25de71c2fcdff4af0d2889

    • SHA1

      2f4884f4e241d0bda353dc074ea1752e0b79af8c

    • SHA256

      2005110ee806a4fb40e00fe6c76af3527e3d66cd828723ee39529942812b8924

    • SHA512

      13986923eaef12dcbe1a0ce71ca47829ab1209df761c077c83981685fa61d01320372fb9a68d5b6622b597f443dccb125a2033aaf82857c873b1ec2b3e5ebdb0

    • SSDEEP

      24576:6SndG2iSNjN2w9Os9cRfO/d8mT6c6aVqwPhUMelv1:/fJqsgXmgyJP

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Target

      290072a9e1cf3872487cf586a592be534abc894d20ffd1121fe8338f1b52b451.exe

    • Size

      3.8MB

    • MD5

      3566f930e73eacee6933e672c1085d98

    • SHA1

      d6c5408fabbf943721946073c80049c3c65f8c8d

    • SHA256

      290072a9e1cf3872487cf586a592be534abc894d20ffd1121fe8338f1b52b451

    • SHA512

      09e5edcc5fe7a8e6dac63690eb1c8674541993c5a10130db7ed3cee90d802705dc07a0b13612c6326b9462145dcac35e136b12555096e0ee8577e00c3aab69af

    • SSDEEP

      24576:TbnWYoXXBzGmL53TaX+vnyuNMOCig82RfVL0K1RWLghaPZUwB74amJl4aOLW6u3r:/W3XXBzhaWBq8Yy8kZmzJ/m

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Target

      3998d0e987accc2837c6bf87fdb2796d0170ae2a79383b78fd778531410e337f.exe

    • Size

      153KB

    • MD5

      4c19104c6df0817095be0846b1607de6

    • SHA1

      ae3bf7a043cb10e8b206261af6af1558fc3d518b

    • SHA256

      3998d0e987accc2837c6bf87fdb2796d0170ae2a79383b78fd778531410e337f

    • SHA512

      d1ac86c12068192fe1dafd16a6c73e1dbabf0be5ca8c59ba3eeb6290c6061a207c0f91b77f42b190d4f8ebdee4a33a7dc596c7883c451cb039c3c2a0f37e8e4c

    • SSDEEP

      3072:o3kkKmAr9iVE3E04sMsXVpBWwLJwvkywY2ZDja9eIBdvhGkJJ9QuxIMb68J5K:y8r9it04XYVBIkNYcaeUvkkD9QRMb6

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Target

      435844f4e1a57fbfa40edf039ac0b29fab6c4115adbaba2ff2907c921a6aac2b.exe

    • Size

      1.1MB

    • MD5

      75ad544ceac0f47859e0f5417b950889

    • SHA1

      5e4976f34abe798ec40087d4a4831e60040cd7dc

    • SHA256

      435844f4e1a57fbfa40edf039ac0b29fab6c4115adbaba2ff2907c921a6aac2b

    • SHA512

      cd9b17097d4f3d878966ef3f6f8269db3cf96ae517d593b3521761de4ee0fc3b8c8a2e1f603b90ffe73f6426bd5648f9d2f0dbecf6904f96568909745cb9db95

    • SSDEEP

      24576:BiIxSqmMEiPPHxXaUHtauiIxLmKPPH3paUS:NSqmKPvxqUHIOLmKPvgUS

    Score
    3/10
    • Target

      495fbfecbcadb103389cc33828db139fa6d66bece479c7f70279834051412d72.exe

    • Size

      2.6MB

    • MD5

      9756b1c7d0001100fdde3efefb7e086f

    • SHA1

      55de88118fe8abefb29dec765df7f78785908621

    • SHA256

      495fbfecbcadb103389cc33828db139fa6d66bece479c7f70279834051412d72

    • SHA512

      d9497cd0af40cc3149db52aee1ba333e8261232ff00e6e7208eaac639fba533d6931828823c3c3211bddf083260904d77d595d877070eb218075b1f631e13f07

    • SSDEEP

      49152:kNJLuf3HJrb/TfvO90d7HjmAFd4A64nsfJjogr1n3wSmZD1UCu5ErgXpS/IXF+9c:Tf3SvEoDY95e

    Score
    1/10
    • Target

      542c157186bae766dd3e2df424e9c25251d71086b99cc9df121bc9bf50462688.exe

    • Size

      341KB

    • MD5

      ffdefa247d3bb4429558e8b334f4f2ae

    • SHA1

      af9f3af31889b55552a5721244184d0a115be74c

    • SHA256

      542c157186bae766dd3e2df424e9c25251d71086b99cc9df121bc9bf50462688

    • SHA512

      0f4b5534179a690bbaa5333fbf4b11e881d2b60c37f3ade95ebf6b481bbf58b76a17bf4945883babadd8b5b9681c4710ddb2ab4380cd27cf73430e8609d0b9d7

    • SSDEEP

      6144:Drbwc9N+fwvDIK9LpXXXXXXXXXXXXXXXXQGuFFM5:dWwbLpXXXXXXXXXXXXXXXX5uw5

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (195) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Target

      561d7f05055800d3eb9d9e150969e2c84a71dc82a362fb3e1a224af420e53b35.exe

    • Size

      240KB

    • MD5

      66e01e1ac0e274c1b4d909e70668a6ad

    • SHA1

      fe5a8fa628bbf960010c28625aa58e87d2800978

    • SHA256

      561d7f05055800d3eb9d9e150969e2c84a71dc82a362fb3e1a224af420e53b35

    • SHA512

      39ebdc7542e255ca9f47d9730fa2fc36e29719a84894522c71a5dcfc9da757563b1b47e3d72ab58db94cfe11d3efc37046f833ce5c03b3f0f3ac309eadc39474

    • SSDEEP

      3072:Rmrhm1eibcR+uiUg6p4FLlG4tlL/+mmCSHFZxoHEo3m:REgoZiZhLlG4immCm

    • Target

      617364875d331ab132bac1e63fb9b5a00ac5a33a22b93749dd6ee384ed435dbb.exe

    • Size

      304KB

    • MD5

      b634be3c5eb62c87ebbf90f655581e96

    • SHA1

      089c2c51a4768925cf5dd0e88726d8a88e861795

    • SHA256

      617364875d331ab132bac1e63fb9b5a00ac5a33a22b93749dd6ee384ed435dbb

    • SHA512

      090e9dbd685b31818a0a157b042d042e519a43008e4b94ddacf479b34c3c24de7b938a8baf51a8bc0bb3a11a6852ca6ad95988b75c77fa82aef30f7fd8e062fe

    • SSDEEP

      3072:6SuVNqRgZRUA0S9tRtd6V+h8Rtt05NkkbjyGez1c:6SaNFZRdnxS++rt07kkbmt+

    Score
    3/10
    • Target

      6312ac91761037de7a7afc7323671a004db71b31a69499178437bdf939fa9dd8.exe

    • Size

      400KB

    • MD5

      47e14a46326791625b67704d4329bed6

    • SHA1

      01e0e607678a36d8e7e23d1fb11f8d7aa2c20581

    • SHA256

      6312ac91761037de7a7afc7323671a004db71b31a69499178437bdf939fa9dd8

    • SHA512

      e979fb4537a7fadbc6583a5cd537ce533111ea4a596bd8486b9fbf551ed7b390271a6218ccf71cd052d4270c1fe1957ec0aae4527c9613a0cdbc0e24641a19a2

    • SSDEEP

      6144:cMr9/U806q0jnjCyc1rIGruapfd7ggZqLuID/pFZwVZ3j:a806qwjCycpIGRpfd8cqCITpFZwD3

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Target

      63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a.exe

    • Size

      390KB

    • MD5

      5b7e6e352bacc93f7b80bc968b6ea493

    • SHA1

      e686139d5ed8528117ba6ca68fe415e4fb02f2be

    • SHA256

      63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a

    • SHA512

      9d24af0cb00fb8a5e61e9d19cd603b5541a22ae6229c2acf498447e0e7d4145fee25c8ab9d5d5f18f554e6cbf8ca56b7ca3144e726d7dfd64076a42a25b3dfb6

    • SSDEEP

      12288:ef/X4NTS/x9jNG+w+9OqFoK323qdQYKU3:EXATS/x9jNg+95vdQa

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • mimikatz is an open source tool to dump credentials on Windows

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      6555038a04997404d48cf866ebb81f134082ef1613408779cf2a589068312a42.exe

    • Size

      97KB

    • MD5

      b5de1cca5ec8047847717b01c268509a

    • SHA1

      c463d7aa1e69a591ef75db3f0e4b08dcc2901c1e

    • SHA256

      6555038a04997404d48cf866ebb81f134082ef1613408779cf2a589068312a42

    • SHA512

      a28cc345e4cbff344ec0aef7cdfe231ae9b1ac3f99a5dae6d9aa3f807fe3da9cf64b826bf1b72f3a697a13089d8370d42dbd60ea79e1a0469508647185dd80c9

    • SSDEEP

      3072:YrnY2lU8KdD5/Ut6VToG9o+8DtRzpytcpRf9EI4Ixe:/fNdO7f9T4Ix

    • Disables service(s)

    • Renames multiple (193) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Modifies file permissions

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      677393ff5efc9f6f050b4b5ed62579f2f050eeec53e7a17cb51c31c148546f59.exe

    • Size

      426KB

    • MD5

      b532d352685523141305fa9135192256

    • SHA1

      fa0e364afa99bca61d747e23a04eddc5b10ffdb2

    • SHA256

      677393ff5efc9f6f050b4b5ed62579f2f050eeec53e7a17cb51c31c148546f59

    • SHA512

      16fd0ff50df7aefed9ebb4e221b86bd72e6e73c9b761216f37f7c26d328ca577e58d70e68b249cfe873e6073a5d258bcb4a88d4214bade8817de9b7376e09eda

    • SSDEEP

      6144:LL0IMdpqDpE9TWvZqtMNXzhTqm8jjyhNYIa/19zTD8WGLA+m4dZvR5SE+v8BW5:LfrDp6TgZqtklvNiHPD8WS8yBb8

    Score
    1/10
    • Target

      680caf0e30b204544971d053b635ed0e3f1dee3332d9eab8a08b3f04cd7ecd75.exe

    • Size

      439KB

    • MD5

      8f808bb54b422500304dfc68b87198fc

    • SHA1

      24ebeb615f0bdcaa3980722100d6fc42111b62ec

    • SHA256

      680caf0e30b204544971d053b635ed0e3f1dee3332d9eab8a08b3f04cd7ecd75

    • SHA512

      46ce4cde81607819e360b0efc424c4b5602c7515661a88e6a0d66cd9e88dcc68219f0a85200e6c40cc34bcac0e5ab652e6db4b4b1c1b913ad351061dae880e99

    • SSDEEP

      6144:vwLRSjIXAnZQel5w7T4P5Kq+SMv0VGb7bDcllbkuVB8:v/4AZrg7g9zVGkllbko

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      70192d461c98da3d6d9734663dfee8d121b2739e9868f28b1fa67794ba3c9a8b.exe

    • Size

      155KB

    • MD5

      179b38c276e09d3b8a79854ba7232094

    • SHA1

      bc218f468367b4cf127b10a02d2a62f28f35216a

    • SHA256

      70192d461c98da3d6d9734663dfee8d121b2739e9868f28b1fa67794ba3c9a8b

    • SHA512

      367c52c5f8ed2166f3d1e6edf564feefa50f46b8bbdbe1b3ab7007eec02db9d4a806e2f32757ea349a86fded9d4586ff0ae5c8e2403f2ace84083dc05253fad7

    • SSDEEP

      3072:S5K/B0toLQSNJwlxwsx89TSdBgjMqqDL2/TOKyRG:ScytwtLTTSdBgQqqDL6SKN

    Score
    3/10
    • Target

      76199c26622c58fa0a22355d710ef06d86e3cce56def3d9a3c38ea395e48066d.exe

    • Size

      362KB

    • MD5

      e52021298206c71590c27392abb94691

    • SHA1

      9f9dbed14bee77d30afe99fc7a395259a9cded27

    • SHA256

      76199c26622c58fa0a22355d710ef06d86e3cce56def3d9a3c38ea395e48066d

    • SHA512

      50408bf9c4276a4683a1e8bcbea142347dd82b20c21398c16391203dbb68094cb9198e9a9dc68bac7f81c54c27b71b1f0aa2478db1af339e4e1cc3dc7c7a7667

    • SSDEEP

      6144:xii9gD+iITRy1fGN/ekNymaSszzRm663xjxc6BN/47Ar68SdQtqcK7:Hgi/GfGpJCR+3547Ar6tdb/

    Score
    3/10
    • Target

      8727091cbb89e5e31eeb2503ffaa242601c8840eee0973fd62fedf1b4b58ab44.exe

    • Size

      953KB

    • MD5

      adb3dde4a25e596c16ced4cdfc6ff8dd

    • SHA1

      7934e6bc9489933c0af8dfe7bdff482fc6759bdc

    • SHA256

      8727091cbb89e5e31eeb2503ffaa242601c8840eee0973fd62fedf1b4b58ab44

    • SHA512

      f14c27892ed4d11bdd46a130abc7fa40ae8c4577bcd45c3af7c5928b82f27c3646b906fda880e5c9df623071edaab8de82fd46af8f3194f33d7d46c2c3d1d587

    • SSDEEP

      12288:vEPMLC814R2hig4tHkg2W+AU+R2TjsPvEpv8LpgUO4EP3SL98l0zmWHQuTwYzzjc:/ztQE1ov2AZ9HjkftWy3P

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (178) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Target

      91450f9e8aeb0361867cdefc0bb7e5bad8941b5081db549d34a91072df4db5dc.exe

    • Size

      53KB

    • MD5

      c5b0f786fe68a4312307535890ba01e4

    • SHA1

      ca15010a195cdfdf0af95f2c2543930311142994

    • SHA256

      91450f9e8aeb0361867cdefc0bb7e5bad8941b5081db549d34a91072df4db5dc

    • SHA512

      b510164ff1c47c198945ab51d8fa2b9d77ebf44b817286c031514554273f7b7d82a85f8932c2b33bd564e7a86277f056689cd33603b5b1d52a37c39dad6b8b55

    • SSDEEP

      1536:zNPTkHhFRy2/NSTEj1FVl1Ft9N1FVl1FVFS0TztlY27VqmSVzyqYvd0bRPp24dfv:hIHhFR//NSTXYztlY27VqmSVzyqYvd0j

    Score
    9/10
    • Renames multiple (87) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Target

      93386ea79c58a95c033e66da99d155264f0028a43973a9a4496f3fc8c89db0b9.exe

    • Size

      361KB

    • MD5

      7be37dff77a6257da2b430ab7c483612

    • SHA1

      028356262caa0076adb3c0a0ad87e4418d386ec8

    • SHA256

      93386ea79c58a95c033e66da99d155264f0028a43973a9a4496f3fc8c89db0b9

    • SHA512

      09dae1c1cb5b07dd4099d21db53f3d08a5ac354777086e666bd872532a37539a67455c35768e78cfc4e181f03bd67ba546aace35d2b50c7aa68a2433c317634a

    • SSDEEP

      3072:6pbgo3vg+rJrkQVOUPrxLExK08A+MQ20AFHxH32Hdxkq51:Ubf3vg+rOgOyrNEI3AxQUHK

    Score
    6/10
    • Legitimate hosting services abused for malware hosting/C2

    • Target

      942bc9e43e40e01694365aced2331634257727783353c7d49d940abcc215a17c.exe

    • Size

      286KB

    • MD5

      ca1c3c08b1291ee31fb47f039ad08129

    • SHA1

      629446ad19eb04f6edb8c576bf007facf4ff249c

    • SHA256

      942bc9e43e40e01694365aced2331634257727783353c7d49d940abcc215a17c

    • SHA512

      e1b49a9738d44666dd93f248844e6bfb331db16c171f05af8333852a99e9c335c527effab61e8de796bed9d9199dfccc9c8f0199fc0eb5998eec9e758bb272fa

    • SSDEEP

      384:123MLWHn3kIt/F6Y0p9dpTWJpr91CznHZN0eNQ6Jki2xC5:En3kIX6rp9j+pr9inHD0eNh5

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Target

      ac7a29cb82b7b3e50d8aaa0da5e431f0b466de07dad241e5b6090cf71963e3b8.exe

    • Size

      325KB

    • MD5

      9a4827a78e363d84ea0e334e842ab039

    • SHA1

      a0d222d2fd9cf90a47a134ef571232ee482a45f7

    • SHA256

      ac7a29cb82b7b3e50d8aaa0da5e431f0b466de07dad241e5b6090cf71963e3b8

    • SHA512

      0f20fbf72e254155f0b2403488f5d8262c98138335380f3267afed6b79b91f2c9198924853dccb5b60bc9075876a700e12fc7b8509075bdb3b13776d3514ad0c

    • SSDEEP

      6144:9dCr9fPhxhdsVFGEeRJk8nrKfQhCd/hAxno0yu:TEhxbsVFGEeRJk8mQE7Axqu

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (217) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Target

      baa851154b7492b20ea71c068f77e7e2b91d347fb97e5e05999af153e3fd0f1f.exe

    • Size

      35KB

    • MD5

      d7a77d7d1657b93fc7270895e86dff74

    • SHA1

      700448723acc915ad6ec8d7f9009f9305f642818

    • SHA256

      baa851154b7492b20ea71c068f77e7e2b91d347fb97e5e05999af153e3fd0f1f

    • SHA512

      7d90dff4e81e8ad2dcb75c5ac58f875a332e62db9654d89261013007c5211f5a4dcf208fda5e13f1d5220e179cd557cf8212314578ec03691a3b0dfb6843137b

    • SSDEEP

      768:sn3kIE69pYIlfr9ixbceEz0pmc+33t7gG:a3kIr3fr9ivEzog39

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Target

      bb5ca9d8de51734dbd14dc081c7c892d819cd14fafd7ccd62849d70f9e679369.exe

    • Size

      205KB

    • MD5

      62e53bc5aa5f2a70a54e328bff51505f

    • SHA1

      e7deceee97a09d539d81eb91f988ece5e2a2ff51

    • SHA256

      bb5ca9d8de51734dbd14dc081c7c892d819cd14fafd7ccd62849d70f9e679369

    • SHA512

      a676dd284188271be1760ed1edd3320341713662aba1c615481f256007e614e58756a7b6a565beed777230c2ae829c561e3bf3510921ad6495d3776cfdfaa793

    • SSDEEP

      6144:+B4mr9NzqHW7V5V9w/UIRZizI1aqebq/lsyp:+B40qHW7nU/pZmiXqy

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (217) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Target

      c15e2ffa84d30fa17e9c61c19cde98b22ac6e259ec16b68a9927bed13a0aec07.exe

    • Size

      89KB

    • MD5

      77bd76f4e4b9481432022ab3b10c89c0

    • SHA1

      8213a974f617ee9b191e605856e776ab96ff4382

    • SHA256

      c15e2ffa84d30fa17e9c61c19cde98b22ac6e259ec16b68a9927bed13a0aec07

    • SHA512

      ad30bb25260f959f2d3db823b2ca65b06cdfa6dc5d27527b053e4b5526ed6363519e6fd137c33f53371d8d4df2bcd6ac49aeab2631b106c891db41d0478e70ce

    • SSDEEP

      768:yuqo2ptMp1g4+kR7Er9jJxbXeqxSIHTe9dLTdp:yto2ug417Er9jJsqjHs1

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Target

      c743ba08610d442531bb897a35748ba6fe897e730cea6e29377ba21141901326.exe

    • Size

      164KB

    • MD5

      a881838937a145cab27e5c9b439a1ff5

    • SHA1

      4cac0241e3d0e1636a174134a623a879adb2a86b

    • SHA256

      c743ba08610d442531bb897a35748ba6fe897e730cea6e29377ba21141901326

    • SHA512

      888a3f2f45cdc81bc766c66079e250100a3d0641883ecbcf2bcf6deec1ad7c7b2d0e96e466a2b64ae5867afb3c75071763b408250f190a60f69f79a502b5c604

    • SSDEEP

      1536:muW0xpn7JWWkH7Jx1Q3j1OefTixyvYZKmWuz82HnJq0Wm03O8gOo:s0TIVAJOHxyCKmW12q0WmG4

    Score
    1/10
    • Target

      cfda742c2de7706171af64a89806656a107069e1677aa4ce0583e696f954fde5.exe

    • Size

      125KB

    • MD5

      a0f62032cb73a15dd8f3d3165e29cbe5

    • SHA1

      099e4d118e111e8fdf0d2ad1fba8e62b7edf80f1

    • SHA256

      cfda742c2de7706171af64a89806656a107069e1677aa4ce0583e696f954fde5

    • SHA512

      96e6ecd312cc6f44091a177865c87ba03ad7009f373195c8a0c73c9fd39030a785c34e80d203d5382082d496e6ccfc9356bea6c30da46ca296ac82a6c071c70e

    • SSDEEP

      768:qn3kIQok/p54NwJfKXRu+r9iPe+FdbJVqB+QPE2IikqKs:Q3kInkH42IU+r9i2+F1Jok

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Target

      d1d74ec1039ff5aab99faf99bf70fb07f6b4c763a0c2fbc08b702ec9dcb03834.exe

    • Size

      10.9MB

    • MD5

      a82df55a03a3dc038985a30f797cef24

    • SHA1

      fd30147c88f65ee9c83da7fc98c75c02a2fa7b8f

    • SHA256

      d1d74ec1039ff5aab99faf99bf70fb07f6b4c763a0c2fbc08b702ec9dcb03834

    • SHA512

      d587cb272e28d8142a1e62fb926637c9b3be348984f17afa390b29fe04c726286de95a2f881b22b187881d2e1a440306306cb91ce16f1cdfb1f6fc5c368194b9

    • SSDEEP

      98304:xnwgVIXh9xYacrRyyVyGHAeBSut+aFNnLlPLeqNZ8hY/LKbxabdDkEduupRlQgWm:u/YaolX+aFFLlPKQ8hY/RkQWslX4ge+

    Score
    1/10
    • Target

      d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe

    • Size

      338KB

    • MD5

      04fb36199787f2e3e2135611a38321eb

    • SHA1

      65559245709fe98052eb284577f1fd61c01ad20d

    • SHA256

      d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

    • SHA512

      533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

    • SSDEEP

      6144:sWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvC:sWkEuCaNT85I2vCMX5l+ZRv

    • Target

      daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde.exe

    • Size

      1.9MB

    • MD5

      93d4eb996675019ed856d0b8c5c46515

    • SHA1

      a9f67e260a098a55252f0eba7b9333c1cf5b8374

    • SHA256

      daa41f52309815eff99483c87788bfb56b8576f15eaad42cd5b06bb3cf0cccde

    • SHA512

      518d24574201e262fc31c1ec6ea07af1285ba4f93805e34f9e8cee472376a7cc5f597020dc702ea165c159c5abc6ae91209dce8250f90766ffc3410615cc1e91

    • SSDEEP

      24576:tnxLSUXY7WSIGgjlvYaxKMiZA+yH6uw1ECvGX6H7O3YpPNaG:txOUpSIZZv1xim+y6HLOO3

    • Renames multiple (8720) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Possible privilege escalation attempt

    • Deletes itself

    • Executes dropped EXE

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      ed12ea76d03b8255f361975cebd5c579491dacc60c52e03373e7bf509523820a.exe

    • Size

      458KB

    • MD5

      72ea584eebe5705ea1fd5a02dbfe86a1

    • SHA1

      f6d6cdef7eb41e9c201ee52832036bd8a68d0e44

    • SHA256

      ed12ea76d03b8255f361975cebd5c579491dacc60c52e03373e7bf509523820a

    • SHA512

      e928592dd7061388957c3f1acc82dfd8e105de486e8cbd4835029f7d302f71dcdcb8d9dfd0b2a5b53fbd2679dcc6f8559487e1e5767d26431fc67348d1f4ab08

    • SSDEEP

      12288:GJaHnpS22Yh6Nesa6rZvvihw61SLQkY5Pa1uLkB3gE88uY2:DpSosXaYhVZVMVm2

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Target

      f062577b6879fb42fbf7fef1c2a21f96d4d372f1424c1c77f255d13fb60bfae0.exe

    • Size

      205KB

    • MD5

      2430019335d88321467e82ab8f51546b

    • SHA1

      7d233a893492e0efd4d7e919941325b5d44abeb7

    • SHA256

      f062577b6879fb42fbf7fef1c2a21f96d4d372f1424c1c77f255d13fb60bfae0

    • SHA512

      6ee56eabe77caf05bde12e9e8fbe97703cccee33cfbe09c38e0a0a397a3f93221751bbcd2ad2261f6a11839ef2741689478578ed3cd9ae2d781c3fffee3c2e7b

    • SSDEEP

      6144:+B4Ir9NzqHW7V5V9w/UIRZizI1aqebq/lsyp:+B4uqHW7nU/pZmiXqy

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (237) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Target

      f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35.exe

    • Size

      3.8MB

    • MD5

      15995b0b1fc5dd82f1c3ba1b7b40c5d4

    • SHA1

      3b6a4a5b8b1107854e35b01cd28b4cce7a003413

    • SHA256

      f244a04265405ae8295551a1324c6dc3162d611b4a152658096d675a31a57d35

    • SHA512

      4ebe82a5d5d499eab10c9049647283976d95f102b24b2113bd59309ea107fb6cf8671640651e7d7cf13435e516c6d2dcbfe3a2fc8a8ed917398b3d86f6a77781

    • SSDEEP

      49152:aApBOr1sU6uEgjhlOCDw8mEFAuYg2OWpTMqBx+fdTmG2Y4MT9ffD+CzKcbmoivTN:

    • UAC bypass

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks

static1

pyinstaller chaos modiloader quasar gandcrab
Score
10/10

behavioral1

chaos defense_evasion evasion execution impact persistence ransomware spyware stealer
Score
10/10

behavioral2

chaos defense_evasion evasion execution impact ransomware spyware stealer
Score
10/10

behavioral3

chaos defense_evasion evasion execution impact ransomware spyware stealer
Score
10/10

behavioral4

chaos defense_evasion evasion execution impact ransomware spyware stealer
Score
10/10

behavioral5

Score
3/10

behavioral6

Score
1/10

behavioral7

chaos defense_evasion evasion execution impact ransomware spyware stealer
Score
10/10

behavioral8

wannacry ransomware worm
Score
10/10

behavioral9

Score
3/10

behavioral10

chaos defense_evasion evasion execution impact ransomware spyware stealer
Score
10/10

behavioral11

mimikatz bootkit persistence spyware stealer
Score
10/10

behavioral12

discovery evasion execution persistence privilege_escalation ransomware
Score
10/10

behavioral13

Score
1/10

behavioral14

quasar office04 spyware trojan
Score
10/10

behavioral15

Score
3/10

behavioral16

Score
3/10

behavioral17

chaos defense_evasion evasion execution impact ransomware spyware stealer
Score
10/10

behavioral18

ransomware
Score
9/10

behavioral19

Score
6/10

behavioral20

chaos ransomware spyware stealer
Score
10/10

behavioral21

chaos defense_evasion evasion execution impact ransomware spyware stealer
Score
10/10

behavioral22

chaos ransomware spyware stealer
Score
10/10

behavioral23

chaos defense_evasion evasion execution impact ransomware spyware stealer
Score
10/10

behavioral24

chaos defense_evasion evasion execution impact ransomware spyware stealer
Score
10/10

behavioral25

Score
1/10

behavioral26

chaos ransomware spyware stealer
Score
10/10

behavioral27

Score
1/10

behavioral28

cryptolocker persistence ransomware
Score
10/10

behavioral29

discovery exploit persistence ransomware spyware stealer
Score
9/10

behavioral30

chaos defense_evasion evasion execution impact ransomware spyware stealer
Score
10/10

behavioral31

chaos defense_evasion evasion execution impact ransomware spyware stealer
Score
10/10

behavioral32

evasion execution persistence privilege_escalation trojan
Score
10/10