Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe

  • Size

    49KB

  • MD5

    50248697e19117027d4823c6a3be6db5

  • SHA1

    fb81c35ffe11180c1d6269006db2fc775eec4741

  • SHA256

    084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e

  • SHA512

    abc04de0ee5dfc9ca1afccc6b46f9bb4b56d3d9e9ec11165dfc9d3630a597e865941c2c33f4284807f155f69d8255ac3279c418f3bdb2a7f6b4e8678ba7fd6ed

  • SSDEEP

    768:acaQRffDB31aCytHLykiKPT3JATD2qBwV2ckjbnsb0Ah99De0YAD8hMWsddOC86t:acai318HxZATvnsblYO8hMWsdoC86+r

  Score

  10^/10

  defense_evasionexecutionimpactransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Legitimate hosting services abused for malware hosting/C2

  • Sets desktop wallpaper using registry

    ransomware
  behavioral1

• • Target

    14b94844b99ac43c014ea73c3400097e3239a7307d1618e84159a741ab0e8ac3.exe

  • Size

    87KB

  • MD5

    d77f7e460e5036f65677b24ed24c2dff

  • SHA1

    053afa00864c3c0c896e48be382436c417cabb34

  • SHA256

    14b94844b99ac43c014ea73c3400097e3239a7307d1618e84159a741ab0e8ac3

  • SHA512

    f447b9b9a60f7a6fddd137a228efc7c056b989c698c85c30e6eda7c3b3990fb7a82fe2387b8fb8ee38d21704f9924a989a2a87f1d34badf20a3c89a2b9dfe3b9

  • SSDEEP

    1536:1o2ECd3kfHr9PZAKodFF2QRa/oDc10QxsSmCDo/PjsXMbyxFmwYSDfgCso:1oWd3kfr9P5QRaADc17xAKRjFr4Lo

  Score

  10^/10

  chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos

  • Chaos Ransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops desktop.ini file(s)

  • Sets desktop wallpaper using registry

    ransomware
  behavioral2

• • Target

    2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e.exe

  • Size

    70KB

  • MD5

    193e702195e8ed5c50cc482569559462

  • SHA1

    47a5307b78fa2c60c20ce63c553aef4a6d5a3e1c

  • SHA256

    2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e

  • SHA512

    d5ae5a8bccfc08bc07834caaebaed7a6cde1911170eb8de99322bf15be3ad111b5042d6401dcb06e64a6a429eee19d964878089af205474b377b77627bb63a35

  • SSDEEP

    768:lXStkFWTBhyugDC60CPJkEBx9w7mSDh3vkkjvshT3ED18nv04ZPqpb348Uq1krHO:liMWV3gDCk6EBwT/kJbvkbuq1krj0z

  Score

  10^/10

  nefilimransomware

  • Nefilim

    Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.

    ransomwarenefilim

  • Renames multiple (183) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Deletes itself

  behavioral3

• • Target

    2e6f094748124800d8cf6bdb28bb8aa4caa066923cf3e9778dae8bcb2b6e85ec.exe

  • Size

    42KB

  • MD5

    790cd1ca1e1e862544d527a807a1e6b1

  • SHA1

    2ee282a9f6158b0e60bf338c1e354e4667bc36b4

  • SHA256

    2e6f094748124800d8cf6bdb28bb8aa4caa066923cf3e9778dae8bcb2b6e85ec

  • SHA512

    b1c3e537e30f7e8fb53a0303b446bd1c4171b967d2365509f9ecdefcc924ba2e58ff7b67c346f727ab0ec240e953b2a374eacf7cd38944e66aed529b5b00b20d

  • SSDEEP

    768:zqj7UWPjjkzEr9npTQi/zRUNWv39Hf6F0BkfLSV3F8Ftqel59CHAOLw0:ej7ZjjkzEr9npj/WN4/6F0BkDSGtqeLm

  Score

  1^/10
  behavioral4

• • Target

    2e96b55980a827011a7e0784ab95dcee53958a1bb19f5397080a434041bbeeea.exe

  • Size

    2.0MB

  • MD5

    d42d34d87e404aa93862a40e997f8f6d

  • SHA1

    8ea71ea5177d46c9feea0e1cd19069a3441e1758

  • SHA256

    2e96b55980a827011a7e0784ab95dcee53958a1bb19f5397080a434041bbeeea

  • SHA512

    3d17176d804b555ff1ad180ec789c73012512bfa87732d39c9927a0b9a87051fb2e41923326cf12af3cfdaacee95ede6b63f704f565accebe4d5b08fd08ccb3f

  • SSDEEP

    24576:w/iIzkQF+KpPnF1Fx+CszLyQ9lkxIQVki//47JhUhio7Z6OI93lGFtPtnNON+IjE:whBPrElwNkto7VINlGFtPtnwjjOaHo

  Score

  1^/10
  behavioral5

• • Target

    34c392448fc0818278cd19bb0841adf573e967be8a0f73bb42bb367a5835b6ea.exe

  • Size

    92KB

  • MD5

    21c2b2d0bfc15b3d4bc72263f9db5547

  • SHA1

    9f65f98ae2b418425a1d98b8d86bef88edab4d7c

  • SHA256

    34c392448fc0818278cd19bb0841adf573e967be8a0f73bb42bb367a5835b6ea

  • SHA512

    aeeb64dc1130f6e5ccf6ab9abedf01e2a59e149f4897a44b02c32f816ddd1d1698a59447f7ce03dab966972f7714977b49f4b7e0fd258b0bedd936ac1926060a

  • SSDEEP

    1536:lBwl+KXpsqN5vlwWYyhY9S4AE4SLlaSXrgKcQ48bcWHpOZ2yr+e72eIGZZyb1j:vw+asqN5aW/hL6dhamQoBU4yTi17j

  Score

  10^/10

  dharmadefense_evasionexecutionimpactpersistenceransomwarespywarestealer

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Renames multiple (316) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Drops file in System32 directory

  behavioral6

• • Target

    37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe

  • Size

    1.3MB

  • MD5

    af24c3030002d1487c6455fdb1a09eec

  • SHA1

    72732ddefce71c13297df596267260a5d8e892f3

  • SHA256

    37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c

  • SHA512

    470a0cf695add143555eaa45f3fe5c462edb1cea2cd1589b19f55029b488fae58da2bd588bf79cdb16eeb4518bc7b7189eba764d611d008b1b27145ca0e8a2e3

  • SSDEEP

    24576:Auh7HYGSWwFda6lBbXUqcTGKcr5YrcRBlBnNmkE9pneHiAvuQnL1mp/DVmu6KUi0:Dhkkw7LNNmTDqnRmJDx61i0

  Score

  10^/10

  mimicevasionpersistenceprivilege_escalationransomwarespywarestealer

  • Detects Mimic ransomware

  • Mimic

    Ransomware family was first exploited in the wild in 2022.

    ransomwaremimic

  • Renames multiple (654) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Drops file in Drivers directory

  • Manipulates Digital Signatures

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Modifies Windows Firewall

    evasion

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops desktop.ini file(s)

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory

  behavioral7

• • Target

    3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe

  • Size

    80KB

  • MD5

    e3269531cf93d040b08074bfb31b72a0

  • SHA1

    45b6d89dcea02cc90ae054d72ec80a2eb1036a7e

  • SHA256

    3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859

  • SHA512

    e4de5613557ff15f23e2c28763fee6443c81351401974389e1c01cb979efc81c0ff397b85ba3fc6f0204f7c5e0c7617617130d38b441748446e72a0fbb7a12b0

  • SSDEEP

    1536:NE+VYVYMC2F7Aoter2j1lYgpM2HT02F4mHI5PsOqy:2+G3eaj0g+2HT025Hs

  Score

  10^/10

  blackmatterransomwareupx

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter

  • Renames multiple (175) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral8

• • Target

    49aca08f5b259860364fc224601a944aa17161bb1da688e24621038457472d24.exe

  • Size

    44KB

  • MD5

    7977bc8781a00875b4d465bc2a90d5d4

  • SHA1

    9f4b2858edcff694fee76636bf8cf33a366fc237

  • SHA256

    49aca08f5b259860364fc224601a944aa17161bb1da688e24621038457472d24

  • SHA512

    245d65b9301b759097cded2a2f078e4e41c7b68e303a71fccd465a6fa230b48e13e571c4e57e03710934a5e6b9536ed634e0edc502ba35433b02147760e5f05b

  • SSDEEP

    768:0AxEin+Z8W9KCZLhaY4m9lUOmMayPpfHlynRUhMgAA9dEmCJ:7xESW9KC1hxJ9lJPQLH

  Score

  10^/10

  chaosdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos

  • Chaos Ransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Disables Task Manager via registry modification

    evasion

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Sets desktop wallpaper using registry

    ransomware
  behavioral9

• • Target

    4a2ad49c934f9ae6ca6b5d0c7cc34f5e12d349640012fa8cf8eb7e2d3acd6c9f.exe

  • Size

    1.9MB

  • MD5

    4f85eec9e23dc664c814cea272dcd5b8

  • SHA1

    4eda594a01aee9622604924ffecfa9dbd6135bc0

  • SHA256

    4a2ad49c934f9ae6ca6b5d0c7cc34f5e12d349640012fa8cf8eb7e2d3acd6c9f

  • SHA512

    97fdf815bb43f7fbfff03b6ca9e7a94d72a17faa0667091951b0be2a1ea3757f6f051e16c9a583f808b5df3fcbea525c570729b120499d1a47c530c7f179db18

  • SSDEEP

    12288:6s2cBCtdB3+j+3EEQ5NX2l0Y/iaJDdI+VrzrzzczNzzE:6s2Jtn3aOEN5NX2l0Y/iaJDn

  Score

  3^/10
  behavioral10

• • Target

    5199b64b50f678d75f85cb0c3ac97d7df67f23471815e21236b1a790d008fe3c.exe

  • Size

    54KB

  • MD5

    1f6297e052951ae79aaec997dbb202d4

  • SHA1

    ab27665f5b886bf553b2c9a91c65e2abca5c1d01

  • SHA256

    5199b64b50f678d75f85cb0c3ac97d7df67f23471815e21236b1a790d008fe3c

  • SHA512

    4cf533b824503cd1783f583c9f100e67f84578afac31b7b2b1c23192f4504d457ae7f522d53c40b62b59daafd5ad92580a9b67baad612f20f74d6712c8e94e00

  • SSDEEP

    768:/z7z/zxACAm8YHxxSoxS1RKRQGdGGdnQN4L6hhho9h9qfP821824x:/zp8dGdGGde4L67q9h9qfETXx

  Score

  1^/10
  behavioral11

• • Target

    55c30024aed833336eb4720a1a4a40c78496efb27b3c4d5c3f1d1b5935c12715.exe

  • Size

    56KB

  • MD5

    4ab785bba778bd582b33baeac2cc9c22

  • SHA1

    23db0ae4d5b7b4fe8698583e25e50e1b89cf9411

  • SHA256

    55c30024aed833336eb4720a1a4a40c78496efb27b3c4d5c3f1d1b5935c12715

  • SHA512

    916cc0d2e0e623a897d4d515e2148c0b08dd3c308b27b53032def045eafbd625ac2031fd5713e055f4f323a840ed534aaaa5da06586928cc2dbafb46cb276955

  • SSDEEP

    1536:bNeRBl5PT/rx1mzwRMSTdLpJyCfPAIotcQ:bQRrmzwR5JyNO

  Score

  10^/10

  phobosdefense_evasionevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Renames multiple (312) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Modifies Windows Firewall

    evasion

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  behavioral12

• • Target

    56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe

  • Size

    42KB

  • MD5

    abb04a0418be9cc4618f393d7fc9d76b

  • SHA1

    dbe3b07ab1383e4d693bb6cab17ad8a7c1c5cd7b

  • SHA256

    56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659

  • SHA512

    f7bce71f01ffae675a8b8a23a8f2e4d162ccefc349beadb84ffcca890dc68ed636acf4f7d694145c779125078f6634f30aed5f5651ee6c12dc4768f7c0a0f47b

  • SSDEEP

    768:QO1oR/8VS1RzK4wbs+D/SIJX+ZZ1SQQwZuIOPzDsHw67ZY23IWSjNV:QgS1FKnDtkuImsHw6V73ejNV

  Score

  10^/10

  defense_evasionexecutionimpactransomwarespywarestealer

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Renames multiple (8307) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Deletes itself

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Legitimate hosting services abused for malware hosting/C2

  • Sets desktop wallpaper using registry

    ransomware
  behavioral13

• • Target

    5a96b929383817aa298eec8cca019bcd984fcd71dd8ee353541392c1082756a4.exe

  • Size

    57KB

  • MD5

    a6092621b7db8dc1f2c1f93a9a7ced9f

  • SHA1

    d4fd035605baa14375c9a59a93849b959df36bc4

  • SHA256

    5a96b929383817aa298eec8cca019bcd984fcd71dd8ee353541392c1082756a4

  • SHA512

    380318805a8fbed4b6e4a1270c697116de2b5a562bace4ab857e653dae5b319a5ace3a90c02f3235d6a95eec996a6632335c01df55136f051c13a01b82a5f4a4

  • SSDEEP

    1536:RNeRBl5PT/rx1mzwRMSTdLpJOycgw04NxJ:RQRrmzwR5Jhcg74L

  Score

  10^/10

  phobosdefense_evasionevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Renames multiple (313) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Modifies Windows Firewall

    evasion

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  behavioral14

• • Target

    606b88fce1441e6d83e1fb2ba1b511e4a9e68f7fc01c55b7c53e08fd28f9a0c4.exe

  • Size

    362KB

  • MD5

    7c3f60037ac11106ab2994058cc553c9

  • SHA1

    1a7c827670c46bdc90691605f974e7d7a0941fb1

  • SHA256

    606b88fce1441e6d83e1fb2ba1b511e4a9e68f7fc01c55b7c53e08fd28f9a0c4

  • SHA512

    c1e2e4bde4b1a4a739ba9408b90b4e088cd7a55f1b7595f99154a6aa0ce98ac0543f8f629aece802f21856301bac6e1b0c497eb8ea46fc0f5ba5c0afec04ae45

  • SSDEEP

    6144:aNkgpZOuI7Am6xeTH2kxEiG68N/xc2iPpz1TumNf/qP+7WzQ9qsNlN:rgXOvIUTVmxUP7lqP+6zL2

  Score

  1^/10
  behavioral15

• • Target

    6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe

  • Size

    71KB

  • MD5

    8f033c07f57f8ce2e62e3a327f423d55

  • SHA1

    57ac411652d7b1d9accaa8a1af5f4b6a45ef7448

  • SHA256

    6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b

  • SHA512

    f3712e7d5d55b27a4c20de07cce136e6d58ce62fa146d29b34dece6248e4456139703c50df10cb318346311cfeee0a8449d49163e821744efcde3ecfe8b880df

  • SSDEEP

    768:zncoLkaCbCq2l52DbnoPV0Yglwlu1y7e7th3BuItxn:QoLkaCb12l0DbCV6Wqyixn

  Score

  10^/10

  chaosdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos

  • Chaos Ransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Disables Task Manager via registry modification

    evasion

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  behavioral16

• • Target

    71b46e95fba31267475537a338f49ce1cd0bc56c0f15346b05b673051cbe90a8.exe

  • Size

    57KB

  • MD5

    8f7bc58c754d6fb7bb0b31fe8a5821e3

  • SHA1

    f2dccd378d7be5e6bddbf133a78369fdc800432b

  • SHA256

    71b46e95fba31267475537a338f49ce1cd0bc56c0f15346b05b673051cbe90a8

  • SHA512

    765be9549ed493432dc4945f1987982254b25308cc3b757ef1eca23b75517adc7ea4fe10f0aaafc35dd021bcba668d9f3a8e5a9e70ffc5e50ddfae3c014f28e3

  • SSDEEP

    1536:vNeRBl5PT/rx1mzwRMSTdLpJ//OGCDmR+53H:vQRrmzwR5JLCKyX

  Score

  10^/10

  phobosdefense_evasionevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Renames multiple (307) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Modifies Windows Firewall

    evasion

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  behavioral17

• • Target

    7d98972d5c78e1d4969da76856d6818942b606c267efa67fd31d39ae77497e9c.exe

  • Size

    894KB

  • MD5

    ec8fef72a73ff94440235fc1b3f3f690

  • SHA1

    e651cd12a2493b9c2d7ebd8287a2fd29b8f4cd9c

  • SHA256

    7d98972d5c78e1d4969da76856d6818942b606c267efa67fd31d39ae77497e9c

  • SHA512

    b62f2f518f4ed3d74d96551a8c7431d50bd3349221b4b01dded18a270cbdbd1441f13f3eef7a6cc0db4aad200f1cf2babeb8e937edf8827faa7a03e4b59a35f2

  • SSDEEP

    12288:d31hZus7pQqiiyuuFuawu2zhjWBv4+1FMUUfW75CXQKXTZ1VG:1r1S+NjWx4+1SWV6Q4n

  Score

  9^/10

  defense_evasionexecutionimpactpersistenceransomwarespywarestealer

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Renames multiple (9652) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral18

• • Target

    87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe

  • Size

    79KB

  • MD5

    c8579ccb6690e1f2102f9ba887c12f9e

  • SHA1

    e8e46e3f88011aa43c90cde3c9945e3508986a25

  • SHA256

    87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb

  • SHA512

    f579e9b39400a0b3879dc8a1c41bd829d8f6b399d9d0a97302f7157a76f036ede5e4391eeb12bd2285a7f523969d572a92f482cf415ed2fb023d96d745f82244

  • SSDEEP

    1536:hxpkWBeG/vEbKsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2Xsf8:/BeQsKsrQLOJgY8Zp8LHD4XWaNH71dLH

  Score

  10^/10

  defense_evasionexecutionimpactransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Renames multiple (219) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral19

• • Target

    8958d7b8c51215d6a27444b2760f1ce843a414d380052e6e71c2af6e9ab69ce2.exe

  • Size

    959KB

  • MD5

    734f101d7a5822e1bf2c66e398ab8c45

  • SHA1

    cafb5d0e3db6804693e8461b32abf678e8c70f3d

  • SHA256

    8958d7b8c51215d6a27444b2760f1ce843a414d380052e6e71c2af6e9ab69ce2

  • SHA512

    63cf6ae43a26ce38c062ec69bbc084ba3e8777d3f6f574e6a0a09242cacb46989d01c1dcb32943692c47361f8d6fb8e5009a4cc917a80ffa567cb2a853f1a2fb

  • SSDEEP

    24576:uLjr3s2nScu1i1tz3f++5kRzFxk7rMxNeR1R9qpd2F:Ujrc2So1Ff+B3k796Q

  Score

  10^/10

  lockbitdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomware

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral20

• • Target

    ab5be9e6911b43f0974e01dabec772b968274d9b5ea39ba2ad7cd294056e5d09.exe

  • Size

    88KB

  • MD5

    56299609780e2286ccc2cf5857d531e8

  • SHA1

    ef7baf17905784df491641906645f00f73eff1d1

  • SHA256

    ab5be9e6911b43f0974e01dabec772b968274d9b5ea39ba2ad7cd294056e5d09

  • SHA512

    a44053d0c810448adddcd17e51682e43d51710de948644c82a141a1a8104cacedd44a274f13ea79de89f5cdfbb0e436791565baad1552d9853a5a94b446398cb

  • SSDEEP

    1536:7vie0XQsxILOW3Sm9S4AndhgXCpC1VYEzcM5BD11e0z:OeBsxInSNnhgX4CzwM

  Score

  10^/10

  dharmadefense_evasionexecutionimpactpersistenceransomwarespywarestealer

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Renames multiple (322) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Drops startup file

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory

  behavioral21

• • Target

    b228a698ee826b42e19307f2d34c2620819a67a0e98fd2af08aae570b8178cc0.exe

  • Size

    65KB

  • MD5

    1f31e5377d64f9f26c12f3b7a5545c16

  • SHA1

    b54fdfadaa8c9eec27f2f48e462bde898383f0ba

  • SHA256

    b228a698ee826b42e19307f2d34c2620819a67a0e98fd2af08aae570b8178cc0

  • SHA512

    ff6d85ed6be933d5c90dc8a2554cdc69eeb00f1dbc20a6016ec4813feb9310eab25e93071f93f1d65f1f7453f65d5a830e8e7ff9b1d0846fe969b55a2a340129

  • SSDEEP

    768:5PuzmZ5OzkfCQxmGgV5YlpJ6RIDWeRdppvO/9rjca9zsUKh51zb2Z:5PEz5Qxd6m3WIw9oh5B2Z

  Score

  1^/10
  behavioral22

• • Target

    c864a70f78fb972f505ae5b13c0ad984e64c547194beb258926bb4c323fac31d.exe

  • Size

    67KB

  • MD5

    5854152baa338613d80ee24af054cfbe

  • SHA1

    2f779048a40cb601af32fe70188c9d3e53e71efe

  • SHA256

    c864a70f78fb972f505ae5b13c0ad984e64c547194beb258926bb4c323fac31d

  • SHA512

    55572a3e99a5ee08dd1319ad565584a4d6680a0aaf50819228c6ec7ab0b6a509dba25de539213e9f3b5bb6e3720344db4d26e52f0fe08c028511f9830f552b18

  • SSDEEP

    768:RVel5lzkfCQxmGgV5YlpJ6RIDWeRdppvO/9rjca9fsUKhnLZbp:Rcz5Qxd6m3WIw9EhX

  Score

  1^/10
  behavioral23

• • Target

    cfd5d9a4e67799f2428c6071dcc13fcf726f49ec3e706f0302b4592a3a0a08f0.exe

  • Size

    68KB

  • MD5

    5de719d56f38039bb9c915d689a5a4da

  • SHA1

    f46d4ed9851b0980d5a9139defd456a58c6aaaaa

  • SHA256

    cfd5d9a4e67799f2428c6071dcc13fcf726f49ec3e706f0302b4592a3a0a08f0

  • SHA512

    48756ac79f23cb26620ff135fe93a87768cf9a02b941ade68e3e27981adc8431f76d58aa057525de88742c7ec900b4ea02c52abb3889cd176a3ae14e956dc678

  • SSDEEP

    768:oY53/zkfCQxmGgV5YlpJ6RIDWeRdppvO/9rjca9nsUKhK:B/z5Qxd6m3WIw9MhK

  Score

  1^/10
  behavioral24

• • Target

    da6f543313480695aab95a5e685741a8d185fba0600363f74063eb1cda0f672e.exe

  • Size

    117KB

  • MD5

    bca754bd6e7b4c7b23e17d0244e425d0

  • SHA1

    257cef8651509e1e33d95b07d5a7b07fcf1f6f4f

  • SHA256

    da6f543313480695aab95a5e685741a8d185fba0600363f74063eb1cda0f672e

  • SHA512

    02cab68478ad9b3c14336d2178a642d27b7ca3af6beb9ecfbddd8f6c5641164d0728df9821e5c59385831cb63178e7837670f779b81a66e079ada5cb66eac7d4

  • SSDEEP

    3072:xd5BJOoMqqDL2/OvvdHv3uqz3++OAYWgO:xdJODqqDL6gvdHveqi+GWgO

  Score

  6^/10

  persistence

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral25

• • Target

    e05323d9ca6df47d9add5b2f757ea2490ebd11dfe1b56b82a9e93ba9d814e162.exe

  • Size

    195KB

  • MD5

    ed9150c61fd66757f5dc1357c1384617

  • SHA1

    220466f711e96f202c107d4ed05ffe837c1099a3

  • SHA256

    e05323d9ca6df47d9add5b2f757ea2490ebd11dfe1b56b82a9e93ba9d814e162

  • SHA512

    4690335470be0512010db4b4ffde42043602fdff9587ecc930fbbcec694bf934e7c140ccdec4e8c7aa3d1aff97940ee4c75ba27a71ee29a3c3fc5cf873154fd4

  • SSDEEP

    3072:Jquj3THroBGHnTKslI0rjxHTgLcbE/6i6e1eXC/T9CJg29LV4q9/:B3THkBGHTKLMtHTd4/UbXUT9X2rP9

  Score

  1^/10
  behavioral26

• • Target

    e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe

  • Size

    137KB

  • MD5

    9b02b542834573f9502ca83719a73a01

  • SHA1

    f3bc7cf16eec977772455f3fce87fed505fb18e3

  • SHA256

    e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14

  • SHA512

    290c7a5bfc921817d1803ddbe8dd07210301082498945bcabdb597368f92c6fc1050cefec514e6d250571cb4afd6427d8e4ab7cd15d7a46a44cb088cd4d1b031

  • SSDEEP

    3072:Eoy7AHYqr9ACDYVbu4sijUtSWnFA22WnVaxs2gzx+IjBz2:0mr9AHVycjUgWnFAGms2gzoch

  Score

  10^/10

  chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos

  • Chaos Ransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Renames multiple (239) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops desktop.ini file(s)

  • Sets desktop wallpaper using registry

    ransomware
  behavioral27

• • Target

    ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

  • Size

    52KB

  • MD5

    ba9210de03de945901f02792f7994871

  • SHA1

    20c4569cbb6f2650b02f6a5257faa8a8dfb298bd

  • SHA256

    ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d

  • SHA512

    277d26eea627b3da26664aaa4f72a7b79cd50311e45c59333563b4f58b76e6562cbaa1d55127c69d0830864721efa890fa824e1be381cca5e84bddc98f2b44d0

  • SSDEEP

    1536:EJJRZQJes5b0k5bbyu6hXOKJrkH6sNNW:oJRa4kLmNVOKJIasNE

  Score

  10^/10

  defense_evasionevasionexecutionimpactpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Disables Task Manager via registry modification

    evasion

  • Deletes itself

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  behavioral28

• • Target

    f08c1c26d375f6881990756e39208017b02af75fca0ebddb72f5e5c14e20363f.exe

  • Size

    70KB

  • MD5

    4784fae86332064057d0ab8b73a1b67e

  • SHA1

    f38b61a64119b8b1c2562ca8a6416a2b0c7528b8

  • SHA256

    f08c1c26d375f6881990756e39208017b02af75fca0ebddb72f5e5c14e20363f

  • SHA512

    62312d637d0feda0f565841274ecff5f07cfada08d7a899d68deb314f52d9d5e64733ba6a8fae7b979625b0302e9f270419cf1801239cf597c5af19b47aaf686

  • SSDEEP

    1536:1ZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:kd5BJHMqqDL2/Ovvdr

  Score

  6^/10

  persistence

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral29

• • Target

    f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe

  • Size

    217KB

  • MD5

    406cf11bdb84c3eae3e61f66ea596a46

  • SHA1

    b6acd4fd42b3dca2c2cb75faf48025c2f4880184

  • SHA256

    f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f

  • SHA512

    c34a97b5d2854d862ca165136269302cda613833d83b8c9ec1d72774dd8717b5174a3077b69654435459a94d2d3f1111b9b3973bb3ab35c8826075fca0e126af

  • SSDEEP

    3072:PhXD6M9my8NbPYOBLujYx5I8XDZW0956w/J+UdSZWa/rnV9Yxcqz3:PhT6+mntYOJ9FR60hd/a/rnV9q

  Score

  6^/10

  persistenceransomware

  • Adds Run key to start application

    persistence

  • Sets desktop wallpaper using registry

    ransomware
  behavioral30

• • Target

    f7caf7d69cef15d5c3b9983513e4e40edc3a31c5ead4139bc41d1500442a966a.exe

  • Size

    152KB

  • MD5

    b7d9639f1f70059d9249516c0d03abc0

  • SHA1

    0e5e147a78296405fd52008d8dbe30997bb6aa88

  • SHA256

    f7caf7d69cef15d5c3b9983513e4e40edc3a31c5ead4139bc41d1500442a966a

  • SHA512

    ff373e11c67de45cb606b67a9ac107b0e12fcb7b40be609ac38bed2f917b8951479a2f63eb75dceb2c44711e9b1aa75444c2d51ace1b9421d906e69f51c0b6da

  • SSDEEP

    3072:n6glyuxE4GsUPnliByocWepzSL6OuWnuxWWKoa2d:n6gDBGpvEByocWe0GZ

  Score

  10^/10

  lockbitransomwarespywarestealer

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit

  • Renames multiple (328) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops desktop.ini file(s)

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral31

• • Target

    fcb68445068ebf4cd526d316622f9aa3e8065f9a9f42e5330f66f5cb160be393.exe

  • Size

    426KB

  • MD5

    1a5f7a43dd60834fe1395bce342d62dd

  • SHA1

    89a3709f3ffdbe31d9a01f17cba207cbc2cb5e46

  • SHA256

    fcb68445068ebf4cd526d316622f9aa3e8065f9a9f42e5330f66f5cb160be393

  • SHA512

    5b75aff679513a9c692143c30023c5075e052d7782174532f28791d90a156338b9c377f9a92af926f5acef57147cb01da10acbb5fdbd94effbb17b4e04ba6caa

  • SSDEEP

    12288:jRTGcFnqBvJ0vekmSg4Tjh7bA8v7jQVr65uxjjNQUeCij8:jRTG4AvJ0WkmSg4Tjh7bA8v7jQVr60x/

  Score

  1^/10
  behavioral32