Overview

overview

10

Static

static

10

084c57449c...0e.exe

windows7-x64

10

14b94844b9...c3.exe

windows7-x64

10

2daa514408...2e.exe

windows7-x64

10

2e6f094748...ec.exe

windows7-x64

2e96b55980...ea.exe

windows7-x64

1

34c392448f...ea.exe

windows7-x64

10

37d8add251...4c.exe

windows7-x64

10

3a72653053...59.exe

windows7-x64

10

49aca08f5b...24.exe

windows7-x64

10

4a2ad49c93...9f.exe

windows7-x64

3

5199b64b50...3c.exe

windows7-x64

55c30024ae...15.exe

windows7-x64

10

56f7b48f38...59.exe

windows7-x64

10

5a96b92938...a4.exe

windows7-x64

10

606b88fce1...c4.exe

windows7-x64

1

6bda9faf71...4b.exe

windows7-x64

10

71b46e95fb...a8.exe

windows7-x64

10

7d98972d5c...9c.exe

windows7-x64

9

87b9b910d5...cb.exe

windows7-x64

10

8958d7b8c5...e2.exe

windows7-x64

10

ab5be9e691...09.exe

windows7-x64

10

b228a698ee...c0.exe

windows7-x64

c864a70f78...1d.exe

windows7-x64

cfd5d9a4e6...f0.exe

windows7-x64

da6f543313...2e.exe

windows7-x64

6

e05323d9ca...62.exe

windows7-x64

1

e48bd2f16b...14.exe

windows7-x64

10

ecfb5c95d0...9d.exe

windows7-x64

10

f08c1c26d3...3f.exe

windows7-x64

6

f354148b5f...0f.exe

windows7-x64

6

f7caf7d69c...6a.exe

windows7-x64

10

fcb6844506...93.exe

windows7-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    533.7z

  • Size

    2.7MB

  • Sample

    240716-kt64gavakp

  • MD5

    7aded2388d27c5dc782dca435f160857

  • SHA1

    744f53fe1f4c7a43a82e1a942eb71f4175da8935

  • SHA256

    3730e9cba4a93bc985ef7cd2368ccbf5eccd4724f514b38b20e320e5553dd08d

  • SHA512

    518957e9248e65c5231e10c3977d01f7d3b4aa43f08b00c668be8501a88e06d1eaa2a5aaf976ab9caa1d2eacbc7a2029731d5a7054df230aaf93a79294d9083b

  • SSDEEP

    49152:BdRLSYLgm9h2iT/1Xd6STMtS07Cqjgfzj8flramouva2dd1ALRNyndSBSJQIQV:BdNtJPDJXd62MY50R+a5X1my8BSJQzV

Score
10/10
blackmatterchaosdharmagandcrablockbitmakopmimicmodiloadernefilimphobos512478c08dada2af19e49808fbda5b0bdefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealerupx

Malware Config

Extracted

Family

blackmatter

Version

1.2

Botnet

512478c08dada2af19e49808fbda5b0b

Credentials
C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com
Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Path

C:\Users\Admin\Desktop\+README-WARNING+.txt

Ransom Note
::: Hey ::: Small FAQ: .1. Q: What's going on? A: Your files have been encrypted. The file structure was not affected, we did our best to prevent this from happening. .2. Q: How to recover files? A: If you want to decrypt your files, you will need to pay us. .3. Q: What about guarantees? A: It's just business. We are absolutely not interested in you and your transactions, except for profit. If we do not fulfill our work and obligations, no one will cooperate with us. It's not in our interest. To check the possibility of returning files, you can send us any 2 files with SIMPLE extensions (jpg, xls, doc, etc... not databases!) and small sizes (max 1 mb), we will decrypt them and send them back to you. This is our guarantee. .4. Q: How to contact you? A: You can write to us at our mailboxes: [email protected] .5. Q: How will the decryption process take place after payment? A: After payment, we will send you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don't want to pay bad people like you? A: If you do not cooperate with our service - it does not matter to us. But you will lose your time and data because only we have the private key. In practice, time is much more valuable than money. :::BEWARE::: DO NOT try to modify encrypted files yourself! If you try to use third party software to recover your data or antivirus solutions - back up all encrypted files! Any changes to the encrypted files may result in damage to the private key and, as a result, the loss of all data. Note: ::::::IF WE HAVE NOT RESPONSE YOU BY MAIL WITHIN 24 HOURS:::::: Spare contact for communication: If we have not answered your email within 24 hours, you can contact us via the free messenger qTox Download from the link https://tox.chat/download.html Next go qTox 64-bit after downloading the program, install it and go through a short registration. Our Tox ID 37CDA60B5B593473E120366CCF68A8C08F503880D2AE7F0F4161C2C9C0502C6304DDA2B19D8E
URLs

https://tox.chat/download.html

Extracted

Path

C:\Users\Public\Desktop\info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>F365D794-2803</span></div> <div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>[email protected]</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>
Emails

class='mark'>[email protected]</span></div>

class='mark'>[email protected]</span></div>
URLs

http://www.w3.org/TR/html4/strict.dtd'>

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\+README-WARNING+.txt

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay us. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Extracted

Path

C:\info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>66C147AB-3321</span></div> <div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>[email protected]</span></div> <div class='bold'>If there is no response from our mail, you can install the Jabber client and write to us in support of <span class='mark'>[email protected]</span> </div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='title'>Jabber client installation instructions:</div> <div class='note info'> <ul> <li>Download the jabber (Pidgin) client from https://pidgin.im/download/windows/</li> <li>After installation, the Pidgin client will prompt you to create a new account.</li> <li>Click "Add"</li><li>In the "Protocol" field, select XMPP</li> <li>In "Username" - come up with any name</li> <li>In the field "domain" - enter any jabber-server, there are a lot of them, for example - exploit.im</li> <li>Create a password</li><li>At the bottom, put a tick "Create account"</li> <li>Click add</li> <li>If you selected "domain" - exploit.im, then a new window should appear in which you will need to re-enter your data:</li> <ul> <li>User</li> <li>password</li> <li>You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)</li> </ul> <li>If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - <a href = "https://www.youtube.com/results?search_query=pidgin+jabber+install">https://www.youtube.com/results?search_query=pidgin+jabber+install</a></li> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>
Emails

class='mark'>[email protected]</span></div>

class='mark'>[email protected]</span></div>

class='mark'>[email protected]</span>
URLs

http://www.w3.org/TR/html4/strict.dtd'>

https://pidgin.im/download/windows/</li>

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Restore_Files.html

Ransom Note
<p style='text-align: center;'><img src='https://odkrywcyplanet.pl/wp-content/uploads/2020/05/galaktyka-Cosmos-Redshift-7.jpg' alt='' width='235' height='167' /></p> <p style='text-align: center;'>A S T R A L O C K E R 2.0</p> <p style='text-align: center;'>&nbsp;</p> <p style='text-align: center;'><span class='Y2IQFc' lang='en'>What happened?</span><br />----------------------------------------------<br />All Your files has been succesfully<span style='background-color: #ffffff; color: #000000;'> <strong>encrypted</strong></span> due to security problem with Your PC.</p> <p style='text-align: center;'>All Your backups are deleted, or encrypted.</p> <p style='text-align: center;'>Can I recover my files?<br />----------------------------------------------<br />Sure! But You need special decryptor for that.<br />If You want to recover Your files, you need to cooperate.</p> <p style='text-align: center;'>What can I do to get my files back?<br />----------------------------------------------<br />You can buy my decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.<br />The price for the software is about 50$ (USD). Payment can be made in Monero, or Bitcoin (Cryptocurrency) only.</p> <p style='text-align: center;'>What guarantees?<br />----------------------------------------------<br />I value my reputation. If i do not do my work and liabilities, nobody will pay me. This is not in my interests.<br />All my decryption software is perfectly tested and will decrypt your data.</p> <p style='text-align: center;'>How do I pay, where do I get Monero or Bitcoin?<br />----------------------------------------------<br />Purchasing Monero or Bitcoin varies by country, it's best to do a quick google search yourself to learn how to buy Monero or Bitcoin. You need to pay 50$ in Bitcoin or Monero.</p> <p style='text-align: center;'>You can buy Bitcoin here:<br />https://localbitcoins.com/</p> <p style='text-align: center;'>Where i can pay?<br />----------------------------------------------<br />Monero Address:<br />48CEU93NRDqCmH3qfksLRLeQJ9mjbFCUXEyZkStiRDWtDodmAtd7voHF1sHa17MgmoYmMoErrJstV6nC1DqYoKxT38r6TUh<br />Bitcoin Addres:<br />bc1qpawwquwas0gd88u66hgxp222p52madqp5lk5xw</p> <p style='text-align: center;'>Contact<br />----------------------------------------------<br />After payment contact:<br />[email protected]<br />and send Your <strong>personal ID</strong> with transaction ID (if you are paying with Bitcoin)</p> <p style='text-align: center;'>Warning! If you report these emails, they may be suspended and NOBODY gets help.<br />It is in Your INTEREST to get the decryptor.</p> <p style='text-align: center;'>Your personal ID is:<br /><strong>ID12_Yashma</strong></p> <p style='text-align: center;'>1)Don't change the extension of the files. You will harm the files.<br />2)Don't move encrypted files.<br />3)<strong>Don't try to recover files by Yourself.</strong> This is impossible. Your files are encrypted with Curve25519 encryption algorithm, You can't decrypt files without private key.<br />4)Don't report to authoritaries. If You do it, key will be deleted, and Your files will be encrypted forever.</p> <p style='text-align: center;'>5)The price will be lower if you email me within 24 hours after encrypting your files.</p>
Emails

Extracted

Path

C:\info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All of your files have been encrypted. If you want to restore them, write to us by e-mail: <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>8513BF88-3387</span></div> <div class='bold'>To increase the likelihood of receiving a response to your request, also duplicate your letters to the following e-mails:<span class='mark'>[email protected]</span> or [email protected]</div> <div class='bold'>For quick and convenient feedback, write to the online operator in the Wire messenger: <span class='mark'><a href='https://t.me/@zexor'>zexor</a></span>&ensp;(The username of the Wire account must be exactly the same as above,beware of fake accounts.)</div> <div class='bold'>You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.</span></div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>To get guaranteed assistance in decrypting your files, please contact only the contacts indicated in this note, otherwise we are not responsible for the decryption!</li> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third-party software, as this may result in irreversible data loss.</li> <li>Decrypting your files with the help of third parties may increase the price (they add their fee to ours) or you risk losing money without receiving files decryption in return.</li> <li>!!! When contacting third parties, we do not give a guarantee for decryption of your files !!!</li> </ul> </div> </body> </html>
Emails

class='mark'>[email protected]</span></div>

class='mark'>[email protected]</span>

[email protected]</div>
URLs

http://www.w3.org/TR/html4/strict.dtd'>

Extracted

Path

C:\Users\Admin\Contacts\How To Restore Your Files.txt

Ransom Note
----------- [ Hello! ] -------------> ******BY ANUBIZ LOCKER****** What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network. Follow our instructions below and you will recover all your data. If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. How to contact us? ---------------------------------------------- Using EMAIL: 1) Open your mail 2) Write this ID in the title of your message: kFdfAV0C4B 3) Write us: [email protected] !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Family

chaos

Ransom Note
----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Extracted

Family

blackmatter

Version

1.2

Targets

    • Target

      084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe

    • Size

      49KB

    • MD5

      50248697e19117027d4823c6a3be6db5

    • SHA1

      fb81c35ffe11180c1d6269006db2fc775eec4741

    • SHA256

      084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e

    • SHA512

      abc04de0ee5dfc9ca1afccc6b46f9bb4b56d3d9e9ec11165dfc9d3630a597e865941c2c33f4284807f155f69d8255ac3279c418f3bdb2a7f6b4e8678ba7fd6ed

    • SSDEEP

      768:acaQRffDB31aCytHLykiKPT3JATD2qBwV2ckjbnsb0Ah99De0YAD8hMWsddOC86t:acai318HxZATvnsblYO8hMWsdoC86+r

    Score
    10/10
    defense_evasionexecutionimpactransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Legitimate hosting services abused for malware hosting/C2

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1

    • Target

      14b94844b99ac43c014ea73c3400097e3239a7307d1618e84159a741ab0e8ac3.exe

    • Size

      87KB

    • MD5

      d77f7e460e5036f65677b24ed24c2dff

    • SHA1

      053afa00864c3c0c896e48be382436c417cabb34

    • SHA256

      14b94844b99ac43c014ea73c3400097e3239a7307d1618e84159a741ab0e8ac3

    • SHA512

      f447b9b9a60f7a6fddd137a228efc7c056b989c698c85c30e6eda7c3b3990fb7a82fe2387b8fb8ee38d21704f9924a989a2a87f1d34badf20a3c89a2b9dfe3b9

    • SSDEEP

      1536:1o2ECd3kfHr9PZAKodFF2QRa/oDc10QxsSmCDo/PjsXMbyxFmwYSDfgCso:1oWd3kfr9P5QRaADc17xAKRjFr4Lo

    Score
    10/10
    chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral2

    • Target

      2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e.exe

    • Size

      70KB

    • MD5

      193e702195e8ed5c50cc482569559462

    • SHA1

      47a5307b78fa2c60c20ce63c553aef4a6d5a3e1c

    • SHA256

      2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e

    • SHA512

      d5ae5a8bccfc08bc07834caaebaed7a6cde1911170eb8de99322bf15be3ad111b5042d6401dcb06e64a6a429eee19d964878089af205474b377b77627bb63a35

    • SSDEEP

      768:lXStkFWTBhyugDC60CPJkEBx9w7mSDh3vkkjvshT3ED18nv04ZPqpb348Uq1krHO:liMWV3gDCk6EBwT/kJbvkbuq1krj0z

    Score
    10/10
    nefilimransomware

    • Nefilim

      Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.

      ransomwarenefilim

    • Renames multiple (183) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes itself

    behavioral3

    • Target

      2e6f094748124800d8cf6bdb28bb8aa4caa066923cf3e9778dae8bcb2b6e85ec.exe

    • Size

      42KB

    • MD5

      790cd1ca1e1e862544d527a807a1e6b1

    • SHA1

      2ee282a9f6158b0e60bf338c1e354e4667bc36b4

    • SHA256

      2e6f094748124800d8cf6bdb28bb8aa4caa066923cf3e9778dae8bcb2b6e85ec

    • SHA512

      b1c3e537e30f7e8fb53a0303b446bd1c4171b967d2365509f9ecdefcc924ba2e58ff7b67c346f727ab0ec240e953b2a374eacf7cd38944e66aed529b5b00b20d

    • SSDEEP

      768:zqj7UWPjjkzEr9npTQi/zRUNWv39Hf6F0BkfLSV3F8Ftqel59CHAOLw0:ej7ZjjkzEr9npj/WN4/6F0BkDSGtqeLm

    Score
    1/10
    behavioral4

    • Target

      2e96b55980a827011a7e0784ab95dcee53958a1bb19f5397080a434041bbeeea.exe

    • Size

      2.0MB

    • MD5

      d42d34d87e404aa93862a40e997f8f6d

    • SHA1

      8ea71ea5177d46c9feea0e1cd19069a3441e1758

    • SHA256

      2e96b55980a827011a7e0784ab95dcee53958a1bb19f5397080a434041bbeeea

    • SHA512

      3d17176d804b555ff1ad180ec789c73012512bfa87732d39c9927a0b9a87051fb2e41923326cf12af3cfdaacee95ede6b63f704f565accebe4d5b08fd08ccb3f

    • SSDEEP

      24576:w/iIzkQF+KpPnF1Fx+CszLyQ9lkxIQVki//47JhUhio7Z6OI93lGFtPtnNON+IjE:whBPrElwNkto7VINlGFtPtnwjjOaHo

    Score
    1/10
    behavioral5

    • Target

      34c392448fc0818278cd19bb0841adf573e967be8a0f73bb42bb367a5835b6ea.exe

    • Size

      92KB

    • MD5

      21c2b2d0bfc15b3d4bc72263f9db5547

    • SHA1

      9f65f98ae2b418425a1d98b8d86bef88edab4d7c

    • SHA256

      34c392448fc0818278cd19bb0841adf573e967be8a0f73bb42bb367a5835b6ea

    • SHA512

      aeeb64dc1130f6e5ccf6ab9abedf01e2a59e149f4897a44b02c32f816ddd1d1698a59447f7ce03dab966972f7714977b49f4b7e0fd258b0bedd936ac1926060a

    • SSDEEP

      1536:lBwl+KXpsqN5vlwWYyhY9S4AE4SLlaSXrgKcQ48bcWHpOZ2yr+e72eIGZZyb1j:vw+asqN5aW/hL6dhamQoBU4yTi17j

    Score
    10/10
    dharmadefense_evasionexecutionimpactpersistenceransomwarespywarestealer

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

      ransomwaredharma

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (316) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    behavioral6

    • Target

      37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe

    • Size

      1.3MB

    • MD5

      af24c3030002d1487c6455fdb1a09eec

    • SHA1

      72732ddefce71c13297df596267260a5d8e892f3

    • SHA256

      37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c

    • SHA512

      470a0cf695add143555eaa45f3fe5c462edb1cea2cd1589b19f55029b488fae58da2bd588bf79cdb16eeb4518bc7b7189eba764d611d008b1b27145ca0e8a2e3

    • SSDEEP

      24576:Auh7HYGSWwFda6lBbXUqcTGKcr5YrcRBlBnNmkE9pneHiAvuQnL1mp/DVmu6KUi0:Dhkkw7LNNmTDqnRmJDx61i0

    Score
    10/10
    mimicevasionpersistenceprivilege_escalationransomwarespywarestealer

    • Detects Mimic ransomware

    • Mimic

      Ransomware family was first exploited in the wild in 2022.

      ransomwaremimic

    • Renames multiple (654) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    behavioral7

    • Target

      3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe

    • Size

      80KB

    • MD5

      e3269531cf93d040b08074bfb31b72a0

    • SHA1

      45b6d89dcea02cc90ae054d72ec80a2eb1036a7e

    • SHA256

      3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859

    • SHA512

      e4de5613557ff15f23e2c28763fee6443c81351401974389e1c01cb979efc81c0ff397b85ba3fc6f0204f7c5e0c7617617130d38b441748446e72a0fbb7a12b0

    • SSDEEP

      1536:NE+VYVYMC2F7Aoter2j1lYgpM2HT02F4mHI5PsOqy:2+G3eaj0g+2HT025Hs

    Score
    10/10
    blackmatterransomwareupx

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

      ransomwareblackmatter

    • Renames multiple (175) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral8

    • Target

      49aca08f5b259860364fc224601a944aa17161bb1da688e24621038457472d24.exe

    • Size

      44KB

    • MD5

      7977bc8781a00875b4d465bc2a90d5d4

    • SHA1

      9f4b2858edcff694fee76636bf8cf33a366fc237

    • SHA256

      49aca08f5b259860364fc224601a944aa17161bb1da688e24621038457472d24

    • SHA512

      245d65b9301b759097cded2a2f078e4e41c7b68e303a71fccd465a6fa230b48e13e571c4e57e03710934a5e6b9536ed634e0edc502ba35433b02147760e5f05b

    • SSDEEP

      768:0AxEin+Z8W9KCZLhaY4m9lUOmMayPpfHlynRUhMgAA9dEmCJ:7xESW9KC1hxJ9lJPQLH

    Score
    10/10
    chaosdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Disables Task Manager via registry modification

      evasion

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral9

    • Target

      4a2ad49c934f9ae6ca6b5d0c7cc34f5e12d349640012fa8cf8eb7e2d3acd6c9f.exe

    • Size

      1.9MB

    • MD5

      4f85eec9e23dc664c814cea272dcd5b8

    • SHA1

      4eda594a01aee9622604924ffecfa9dbd6135bc0

    • SHA256

      4a2ad49c934f9ae6ca6b5d0c7cc34f5e12d349640012fa8cf8eb7e2d3acd6c9f

    • SHA512

      97fdf815bb43f7fbfff03b6ca9e7a94d72a17faa0667091951b0be2a1ea3757f6f051e16c9a583f808b5df3fcbea525c570729b120499d1a47c530c7f179db18

    • SSDEEP

      12288:6s2cBCtdB3+j+3EEQ5NX2l0Y/iaJDdI+VrzrzzczNzzE:6s2Jtn3aOEN5NX2l0Y/iaJDn

    Score
    3/10
    behavioral10

    • Target

      5199b64b50f678d75f85cb0c3ac97d7df67f23471815e21236b1a790d008fe3c.exe

    • Size

      54KB

    • MD5

      1f6297e052951ae79aaec997dbb202d4

    • SHA1

      ab27665f5b886bf553b2c9a91c65e2abca5c1d01

    • SHA256

      5199b64b50f678d75f85cb0c3ac97d7df67f23471815e21236b1a790d008fe3c

    • SHA512

      4cf533b824503cd1783f583c9f100e67f84578afac31b7b2b1c23192f4504d457ae7f522d53c40b62b59daafd5ad92580a9b67baad612f20f74d6712c8e94e00

    • SSDEEP

      768:/z7z/zxACAm8YHxxSoxS1RKRQGdGGdnQN4L6hhho9h9qfP821824x:/zp8dGdGGde4L67q9h9qfETXx

    Score
    1/10
    behavioral11

    • Target

      55c30024aed833336eb4720a1a4a40c78496efb27b3c4d5c3f1d1b5935c12715.exe

    • Size

      56KB

    • MD5

      4ab785bba778bd582b33baeac2cc9c22

    • SHA1

      23db0ae4d5b7b4fe8698583e25e50e1b89cf9411

    • SHA256

      55c30024aed833336eb4720a1a4a40c78496efb27b3c4d5c3f1d1b5935c12715

    • SHA512

      916cc0d2e0e623a897d4d515e2148c0b08dd3c308b27b53032def045eafbd625ac2031fd5713e055f4f323a840ed534aaaa5da06586928cc2dbafb46cb276955

    • SSDEEP

      1536:bNeRBl5PT/rx1mzwRMSTdLpJyCfPAIotcQ:bQRrmzwR5JyNO

    Score
    10/10
    phobosdefense_evasionevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (312) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral12

    • Target

      56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe

    • Size

      42KB

    • MD5

      abb04a0418be9cc4618f393d7fc9d76b

    • SHA1

      dbe3b07ab1383e4d693bb6cab17ad8a7c1c5cd7b

    • SHA256

      56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659

    • SHA512

      f7bce71f01ffae675a8b8a23a8f2e4d162ccefc349beadb84ffcca890dc68ed636acf4f7d694145c779125078f6634f30aed5f5651ee6c12dc4768f7c0a0f47b

    • SSDEEP

      768:QO1oR/8VS1RzK4wbs+D/SIJX+ZZ1SQQwZuIOPzDsHw67ZY23IWSjNV:QgS1FKnDtkuImsHw6V73ejNV

    Score
    10/10
    defense_evasionexecutionimpactransomwarespywarestealer

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (8307) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Sets desktop wallpaper using registry

      ransomware
    behavioral13

    • Target

      5a96b929383817aa298eec8cca019bcd984fcd71dd8ee353541392c1082756a4.exe

    • Size

      57KB

    • MD5

      a6092621b7db8dc1f2c1f93a9a7ced9f

    • SHA1

      d4fd035605baa14375c9a59a93849b959df36bc4

    • SHA256

      5a96b929383817aa298eec8cca019bcd984fcd71dd8ee353541392c1082756a4

    • SHA512

      380318805a8fbed4b6e4a1270c697116de2b5a562bace4ab857e653dae5b319a5ace3a90c02f3235d6a95eec996a6632335c01df55136f051c13a01b82a5f4a4

    • SSDEEP

      1536:RNeRBl5PT/rx1mzwRMSTdLpJOycgw04NxJ:RQRrmzwR5Jhcg74L

    Score
    10/10
    phobosdefense_evasionevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (313) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral14

    • Target

      606b88fce1441e6d83e1fb2ba1b511e4a9e68f7fc01c55b7c53e08fd28f9a0c4.exe

    • Size

      362KB

    • MD5

      7c3f60037ac11106ab2994058cc553c9

    • SHA1

      1a7c827670c46bdc90691605f974e7d7a0941fb1

    • SHA256

      606b88fce1441e6d83e1fb2ba1b511e4a9e68f7fc01c55b7c53e08fd28f9a0c4

    • SHA512

      c1e2e4bde4b1a4a739ba9408b90b4e088cd7a55f1b7595f99154a6aa0ce98ac0543f8f629aece802f21856301bac6e1b0c497eb8ea46fc0f5ba5c0afec04ae45

    • SSDEEP

      6144:aNkgpZOuI7Am6xeTH2kxEiG68N/xc2iPpz1TumNf/qP+7WzQ9qsNlN:rgXOvIUTVmxUP7lqP+6zL2

    Score
    1/10
    behavioral15

    • Target

      6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe

    • Size

      71KB

    • MD5

      8f033c07f57f8ce2e62e3a327f423d55

    • SHA1

      57ac411652d7b1d9accaa8a1af5f4b6a45ef7448

    • SHA256

      6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b

    • SHA512

      f3712e7d5d55b27a4c20de07cce136e6d58ce62fa146d29b34dece6248e4456139703c50df10cb318346311cfeee0a8449d49163e821744efcde3ecfe8b880df

    • SSDEEP

      768:zncoLkaCbCq2l52DbnoPV0Yglwlu1y7e7th3BuItxn:QoLkaCb12l0DbCV6Wqyixn

    Score
    10/10
    chaosdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Disables Task Manager via registry modification

      evasion

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral16

    • Target

      71b46e95fba31267475537a338f49ce1cd0bc56c0f15346b05b673051cbe90a8.exe

    • Size

      57KB

    • MD5

      8f7bc58c754d6fb7bb0b31fe8a5821e3

    • SHA1

      f2dccd378d7be5e6bddbf133a78369fdc800432b

    • SHA256

      71b46e95fba31267475537a338f49ce1cd0bc56c0f15346b05b673051cbe90a8

    • SHA512

      765be9549ed493432dc4945f1987982254b25308cc3b757ef1eca23b75517adc7ea4fe10f0aaafc35dd021bcba668d9f3a8e5a9e70ffc5e50ddfae3c014f28e3

    • SSDEEP

      1536:vNeRBl5PT/rx1mzwRMSTdLpJ//OGCDmR+53H:vQRrmzwR5JLCKyX

    Score
    10/10
    phobosdefense_evasionevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (307) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral17

    • Target

      7d98972d5c78e1d4969da76856d6818942b606c267efa67fd31d39ae77497e9c.exe

    • Size

      894KB

    • MD5

      ec8fef72a73ff94440235fc1b3f3f690

    • SHA1

      e651cd12a2493b9c2d7ebd8287a2fd29b8f4cd9c

    • SHA256

      7d98972d5c78e1d4969da76856d6818942b606c267efa67fd31d39ae77497e9c

    • SHA512

      b62f2f518f4ed3d74d96551a8c7431d50bd3349221b4b01dded18a270cbdbd1441f13f3eef7a6cc0db4aad200f1cf2babeb8e937edf8827faa7a03e4b59a35f2

    • SSDEEP

      12288:d31hZus7pQqiiyuuFuawu2zhjWBv4+1FMUUfW75CXQKXTZ1VG:1r1S+NjWx4+1SWV6Q4n

    Score
    9/10
    defense_evasionexecutionimpactpersistenceransomwarespywarestealer

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (9652) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral18

    • Target

      87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe

    • Size

      79KB

    • MD5

      c8579ccb6690e1f2102f9ba887c12f9e

    • SHA1

      e8e46e3f88011aa43c90cde3c9945e3508986a25

    • SHA256

      87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb

    • SHA512

      f579e9b39400a0b3879dc8a1c41bd829d8f6b399d9d0a97302f7157a76f036ede5e4391eeb12bd2285a7f523969d572a92f482cf415ed2fb023d96d745f82244

    • SSDEEP

      1536:hxpkWBeG/vEbKsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2Xsf8:/BeQsKsrQLOJgY8Zp8LHD4XWaNH71dLH

    Score
    10/10
    defense_evasionexecutionimpactransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (219) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral19

    • Target

      8958d7b8c51215d6a27444b2760f1ce843a414d380052e6e71c2af6e9ab69ce2.exe

    • Size

      959KB

    • MD5

      734f101d7a5822e1bf2c66e398ab8c45

    • SHA1

      cafb5d0e3db6804693e8461b32abf678e8c70f3d

    • SHA256

      8958d7b8c51215d6a27444b2760f1ce843a414d380052e6e71c2af6e9ab69ce2

    • SHA512

      63cf6ae43a26ce38c062ec69bbc084ba3e8777d3f6f574e6a0a09242cacb46989d01c1dcb32943692c47361f8d6fb8e5009a4cc917a80ffa567cb2a853f1a2fb

    • SSDEEP

      24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpd2F:Ujrc2So1Ff+B3k796Q

    Score
    10/10
    lockbitdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomware

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

      ransomwarelockbit

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral20

    • Target

      ab5be9e6911b43f0974e01dabec772b968274d9b5ea39ba2ad7cd294056e5d09.exe

    • Size

      88KB

    • MD5

      56299609780e2286ccc2cf5857d531e8

    • SHA1

      ef7baf17905784df491641906645f00f73eff1d1

    • SHA256

      ab5be9e6911b43f0974e01dabec772b968274d9b5ea39ba2ad7cd294056e5d09

    • SHA512

      a44053d0c810448adddcd17e51682e43d51710de948644c82a141a1a8104cacedd44a274f13ea79de89f5cdfbb0e436791565baad1552d9853a5a94b446398cb

    • SSDEEP

      1536:7vie0XQsxILOW3Sm9S4AndhgXCpC1VYEzcM5BD11e0z:OeBsxInSNnhgX4CzwM

    Score
    10/10
    dharmadefense_evasionexecutionimpactpersistenceransomwarespywarestealer

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

      ransomwaredharma

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (322) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    behavioral21

    • Target

      b228a698ee826b42e19307f2d34c2620819a67a0e98fd2af08aae570b8178cc0.exe

    • Size

      65KB

    • MD5

      1f31e5377d64f9f26c12f3b7a5545c16

    • SHA1

      b54fdfadaa8c9eec27f2f48e462bde898383f0ba

    • SHA256

      b228a698ee826b42e19307f2d34c2620819a67a0e98fd2af08aae570b8178cc0

    • SHA512

      ff6d85ed6be933d5c90dc8a2554cdc69eeb00f1dbc20a6016ec4813feb9310eab25e93071f93f1d65f1f7453f65d5a830e8e7ff9b1d0846fe969b55a2a340129

    • SSDEEP

      768:5PuzmZ5OzkfCQxmGgV5YlpJ6RIDWeRdppvO/9rjca9zsUKh51zb2Z:5PEz5Qxd6m3WIw9oh5B2Z

    Score
    1/10
    behavioral22

    • Target

      c864a70f78fb972f505ae5b13c0ad984e64c547194beb258926bb4c323fac31d.exe

    • Size

      67KB

    • MD5

      5854152baa338613d80ee24af054cfbe

    • SHA1

      2f779048a40cb601af32fe70188c9d3e53e71efe

    • SHA256

      c864a70f78fb972f505ae5b13c0ad984e64c547194beb258926bb4c323fac31d

    • SHA512

      55572a3e99a5ee08dd1319ad565584a4d6680a0aaf50819228c6ec7ab0b6a509dba25de539213e9f3b5bb6e3720344db4d26e52f0fe08c028511f9830f552b18

    • SSDEEP

      768:RVel5lzkfCQxmGgV5YlpJ6RIDWeRdppvO/9rjca9fsUKhnLZbp:Rcz5Qxd6m3WIw9EhX

    Score
    1/10
    behavioral23

    • Target

      cfd5d9a4e67799f2428c6071dcc13fcf726f49ec3e706f0302b4592a3a0a08f0.exe

    • Size

      68KB

    • MD5

      5de719d56f38039bb9c915d689a5a4da

    • SHA1

      f46d4ed9851b0980d5a9139defd456a58c6aaaaa

    • SHA256

      cfd5d9a4e67799f2428c6071dcc13fcf726f49ec3e706f0302b4592a3a0a08f0

    • SHA512

      48756ac79f23cb26620ff135fe93a87768cf9a02b941ade68e3e27981adc8431f76d58aa057525de88742c7ec900b4ea02c52abb3889cd176a3ae14e956dc678

    • SSDEEP

      768:oY53/zkfCQxmGgV5YlpJ6RIDWeRdppvO/9rjca9nsUKhK:B/z5Qxd6m3WIw9MhK

    Score
    1/10
    behavioral24

    • Target

      da6f543313480695aab95a5e685741a8d185fba0600363f74063eb1cda0f672e.exe

    • Size

      117KB

    • MD5

      bca754bd6e7b4c7b23e17d0244e425d0

    • SHA1

      257cef8651509e1e33d95b07d5a7b07fcf1f6f4f

    • SHA256

      da6f543313480695aab95a5e685741a8d185fba0600363f74063eb1cda0f672e

    • SHA512

      02cab68478ad9b3c14336d2178a642d27b7ca3af6beb9ecfbddd8f6c5641164d0728df9821e5c59385831cb63178e7837670f779b81a66e079ada5cb66eac7d4

    • SSDEEP

      3072:xd5BJOoMqqDL2/OvvdHv3uqz3++OAYWgO:xdJODqqDL6gvdHveqi+GWgO

    Score
    6/10
    persistence

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral25

    • Target

      e05323d9ca6df47d9add5b2f757ea2490ebd11dfe1b56b82a9e93ba9d814e162.exe

    • Size

      195KB

    • MD5

      ed9150c61fd66757f5dc1357c1384617

    • SHA1

      220466f711e96f202c107d4ed05ffe837c1099a3

    • SHA256

      e05323d9ca6df47d9add5b2f757ea2490ebd11dfe1b56b82a9e93ba9d814e162

    • SHA512

      4690335470be0512010db4b4ffde42043602fdff9587ecc930fbbcec694bf934e7c140ccdec4e8c7aa3d1aff97940ee4c75ba27a71ee29a3c3fc5cf873154fd4

    • SSDEEP

      3072:Jquj3THroBGHnTKslI0rjxHTgLcbE/6i6e1eXC/T9CJg29LV4q9/:B3THkBGHTKLMtHTd4/UbXUT9X2rP9

    Score
    1/10
    behavioral26

    • Target

      e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe

    • Size

      137KB

    • MD5

      9b02b542834573f9502ca83719a73a01

    • SHA1

      f3bc7cf16eec977772455f3fce87fed505fb18e3

    • SHA256

      e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14

    • SHA512

      290c7a5bfc921817d1803ddbe8dd07210301082498945bcabdb597368f92c6fc1050cefec514e6d250571cb4afd6427d8e4ab7cd15d7a46a44cb088cd4d1b031

    • SSDEEP

      3072:Eoy7AHYqr9ACDYVbu4sijUtSWnFA22WnVaxs2gzx+IjBz2:0mr9AHVycjUgWnFAGms2gzoch

    Score
    10/10
    chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (239) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral27

    • Target

      ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

    • Size

      52KB

    • MD5

      ba9210de03de945901f02792f7994871

    • SHA1

      20c4569cbb6f2650b02f6a5257faa8a8dfb298bd

    • SHA256

      ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d

    • SHA512

      277d26eea627b3da26664aaa4f72a7b79cd50311e45c59333563b4f58b76e6562cbaa1d55127c69d0830864721efa890fa824e1be381cca5e84bddc98f2b44d0

    • SSDEEP

      1536:EJJRZQJes5b0k5bbyu6hXOKJrkH6sNNW:oJRa4kLmNVOKJIasNE

    Score
    10/10
    defense_evasionevasionexecutionimpactpersistenceransomware
    behavioral28

    • Target

      f08c1c26d375f6881990756e39208017b02af75fca0ebddb72f5e5c14e20363f.exe

    • Size

      70KB

    • MD5

      4784fae86332064057d0ab8b73a1b67e

    • SHA1

      f38b61a64119b8b1c2562ca8a6416a2b0c7528b8

    • SHA256

      f08c1c26d375f6881990756e39208017b02af75fca0ebddb72f5e5c14e20363f

    • SHA512

      62312d637d0feda0f565841274ecff5f07cfada08d7a899d68deb314f52d9d5e64733ba6a8fae7b979625b0302e9f270419cf1801239cf597c5af19b47aaf686

    • SSDEEP

      1536:1ZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:kd5BJHMqqDL2/Ovvdr

    Score
    6/10
    persistence

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral29

    • Target

      f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe

    • Size

      217KB

    • MD5

      406cf11bdb84c3eae3e61f66ea596a46

    • SHA1

      b6acd4fd42b3dca2c2cb75faf48025c2f4880184

    • SHA256

      f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f

    • SHA512

      c34a97b5d2854d862ca165136269302cda613833d83b8c9ec1d72774dd8717b5174a3077b69654435459a94d2d3f1111b9b3973bb3ab35c8826075fca0e126af

    • SSDEEP

      3072:PhXD6M9my8NbPYOBLujYx5I8XDZW0956w/J+UdSZWa/rnV9Yxcqz3:PhT6+mntYOJ9FR60hd/a/rnV9q

    Score
    6/10
    persistenceransomware
    behavioral30

    • Target

      f7caf7d69cef15d5c3b9983513e4e40edc3a31c5ead4139bc41d1500442a966a.exe

    • Size

      152KB

    • MD5

      b7d9639f1f70059d9249516c0d03abc0

    • SHA1

      0e5e147a78296405fd52008d8dbe30997bb6aa88

    • SHA256

      f7caf7d69cef15d5c3b9983513e4e40edc3a31c5ead4139bc41d1500442a966a

    • SHA512

      ff373e11c67de45cb606b67a9ac107b0e12fcb7b40be609ac38bed2f917b8951479a2f63eb75dceb2c44711e9b1aa75444c2d51ace1b9421d906e69f51c0b6da

    • SSDEEP

      3072:n6glyuxE4GsUPnliByocWepzSL6OuWnuxWWKoa2d:n6gDBGpvEByocWe0GZ

    Score
    10/10
    lockbitransomwarespywarestealer

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

      ransomwarelockbit

    • Renames multiple (328) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral31

    • Target

      fcb68445068ebf4cd526d316622f9aa3e8065f9a9f42e5330f66f5cb160be393.exe

    • Size

      426KB

    • MD5

      1a5f7a43dd60834fe1395bce342d62dd

    • SHA1

      89a3709f3ffdbe31d9a01f17cba207cbc2cb5e46

    • SHA256

      fcb68445068ebf4cd526d316622f9aa3e8065f9a9f42e5330f66f5cb160be393

    • SHA512

      5b75aff679513a9c692143c30023c5075e052d7782174532f28791d90a156338b9c377f9a92af926f5acef57147cb01da10acbb5fdbd94effbb17b4e04ba6caa

    • SSDEEP

      12288:jRTGcFnqBvJ0vekmSg4Tjh7bA8v7jQVr65uxjjNQUeCij8:jRTG4AvJ0WkmSg4Tjh7bA8v7jQVr60x/

    Score
    1/10
    behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1
T1091

Execution

Windows Management Instrumentation

15
T1047

Command and Scripting Interpreter

9
T1059

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

13
T1547

Registry Run Keys / Startup Folder

13
T1547.001

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Event Triggered Execution

4
T1546

Netsh Helper DLL

4
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

13
T1547

Registry Run Keys / Startup Folder

13
T1547.001

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Event Triggered Execution

4
T1546

Netsh Helper DLL

4
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Indicator Removal

39
T1070

File Deletion

39
T1070.004

Modify Registry

28
T1112

Direct Volume Access

15
T1006

Impair Defenses

4
T1562

Disable or Modify System Firewall

4
T1562.004

Credential Access

Unsecured Credentials

13
T1552

Credentials In Files

13
T1552.001

Discovery

System Information Discovery

25
T1082

Query Registry

17
T1012

Remote System Discovery

2
T1018

Peripheral Device Discovery

6
T1120

Network Service Discovery

1
T1046

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

13
T1005

Exfiltration

Command and Control

Web Service

2
T1102

Impact

Inhibit System Recovery

48
T1490

Defacement

8
T1491

Resource Development

Reconnaissance

Tasks

static1

upx512478c08dada2af19e49808fbda5b0bmakopchaosnefilimmimicblackmattermodiloadergandcrablockbit
Score
10/10

behavioral1

defense_evasionexecutionimpactransomware
Score
10/10

behavioral2

chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer
Score
10/10

behavioral3

nefilimransomware
Score
10/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

dharmadefense_evasionexecutionimpactpersistenceransomwarespywarestealer
Score
10/10

behavioral7

mimicevasionpersistenceprivilege_escalationransomwarespywarestealer
Score
10/10

behavioral8

blackmatterransomwareupx
Score
10/10

behavioral9

chaosdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer
Score
10/10

behavioral10

Score
3/10

behavioral11

Score
1/10

behavioral12

phobosdefense_evasionevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer
Score
10/10

behavioral13

defense_evasionexecutionimpactransomwarespywarestealer
Score
10/10

behavioral14

phobosdefense_evasionevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer
Score
10/10

behavioral15

Score
1/10

behavioral16

chaosdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer
Score
10/10

behavioral17

phobosdefense_evasionevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer
Score
10/10

behavioral18

defense_evasionexecutionimpactpersistenceransomwarespywarestealer
Score
9/10

behavioral19

defense_evasionexecutionimpactransomware
Score
10/10

behavioral20

lockbitdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomware
Score
10/10

behavioral21

dharmadefense_evasionexecutionimpactpersistenceransomwarespywarestealer
Score
10/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

persistence
Score
6/10

behavioral26

Score
1/10

behavioral27

chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer
Score
10/10

behavioral28

defense_evasionevasionexecutionimpactpersistenceransomware
Score
10/10

behavioral29

persistence
Score
6/10

behavioral30

persistenceransomware
Score
6/10

behavioral31

lockbitransomwarespywarestealer
Score
10/10

behavioral32

Score
1/10