Overview (overall score 10/10)
Static analysis (score 3/10)

Behavioral task scores (out of 10), windows7-x64 / windows10-2004-x64:
  2272954a2c...5a.exe   10 / 10
  72716d15ea...21.exe    7 / 7
  Bit Paymer.exe        10 / 10
  KeepCalm.exe           1 / 1
  LockedIn.exe           9 / 9
  NotPetya.dll          10 / 10
  Purge.exe              1 / 1
  Scarab.exe            10 / 10
  a631ad1b1a...4b.exe    6 / 6
  a9053a3a52...bc.exe    7 / 7
  b764629e1f...1c.exe   10 / 10
  cf89f70633...5c.exe    1 / 3
  e951e82867...50.exe    1 / 1
  fa0c321e1a...d2.exe    9 / 8
  fc184274ad...27.exe   10 / 10

General
Target: RANSOMWARE11224.rar
Size: 6.5MB
Sample: 240717-zqkhmaydmq
MD5: 6f34e6d90096072ff1a7fc295f2c8a17
SHA1: da305a3b884ea3acafcf1209ad24fc04f28bc7d3
SHA256: 84bebbe2cc14519a656dd6ee54e892191872f7122ebf53ef6b2349a5218c11e1
SHA512: 0ffa38a106c5ccdaa82b6a5a64b061bcf069125744d5c86cc800367c0d249885f725b89ebd27184bc66286590e2a6b9129d6614221c5cc7e6fe3cf1f2e7994f4
SSDEEP: 196608:Wze5gvd12z//fon5Cvg/Hvq6t0Qp9DnaJJ3:uKgvdMs5PC6tZU1
Static task: static1

Behavioral tasks (task id: sample, resource image):
  behavioral1: 2272954a2c9f631b4f9c5f6d230287b0989ab3b512bb5f4a282214eadf42085a.exe, win7-20240705-en
  behavioral2: 2272954a2c9f631b4f9c5f6d230287b0989ab3b512bb5f4a282214eadf42085a.exe, win10v2004-20240709-en
  behavioral3: 72716d15ea7d118b8c99dbcb15114188abe468718c876ac52b0779161ef7e821.exe, win7-20240705-en
  behavioral4: 72716d15ea7d118b8c99dbcb15114188abe468718c876ac52b0779161ef7e821.exe, win10v2004-20240709-en
  behavioral5: Bit Paymer.exe, win7-20240704-en
  behavioral6: Bit Paymer.exe, win10v2004-20240709-en
  behavioral7: KeepCalm.exe, win7-20240704-en
  behavioral8: KeepCalm.exe, win10v2004-20240709-en
  behavioral9: LockedIn.exe, win7-20240704-en
  behavioral10: LockedIn.exe, win10v2004-20240709-en
  behavioral11: NotPetya.dll, win7-20240708-en
  behavioral12: NotPetya.dll, win10v2004-20240709-en
  behavioral13: Purge.exe, win7-20240708-en
  behavioral14: Purge.exe, win10v2004-20240709-en
  behavioral15: Scarab.exe, win7-20240705-en
  behavioral16: Scarab.exe, win10v2004-20240709-en
  behavioral17: a631ad1b1a59001a5f594880c6ae3337bda98f8ce3bb46cd7a9de0b35cd2bc4b.exe, win7-20240704-en
  behavioral18: a631ad1b1a59001a5f594880c6ae3337bda98f8ce3bb46cd7a9de0b35cd2bc4b.exe, win10v2004-20240709-en
  behavioral19: a9053a3a52113698143a2b9801509c68d0d8b4b8208da453f0974547df0931bc.exe, win7-20240704-en
  behavioral20: a9053a3a52113698143a2b9801509c68d0d8b4b8208da453f0974547df0931bc.exe, win10v2004-20240709-en
  behavioral21: b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe, win7-20240705-en
  behavioral22: b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe, win10v2004-20240704-en
  behavioral23: cf89f70633865aa06123062a7dc51f8158905afb4b00f6f3597de3edfba97c5c.exe, win7-20240704-en
  behavioral24: cf89f70633865aa06123062a7dc51f8158905afb4b00f6f3597de3edfba97c5c.exe, win10v2004-20240709-en
  behavioral25: e951e82867a4f3af5a34b714571e9acf99cca794c4ed1895c9025a642d5d4350.exe, win7-20240705-en
  behavioral26: e951e82867a4f3af5a34b714571e9acf99cca794c4ed1895c9025a642d5d4350.exe, win10v2004-20240709-en
  behavioral27: fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe, win7-20240704-en
  behavioral28: fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe, win10v2004-20240709-en
  behavioral29: fc184274ad3908021e4c8ef28f35dc77447ed6457375d2a4e7b411955e042527.exe, win7-20240704-en
  behavioral30: fc184274ad3908021e4c8ef28f35dc77447ed6457375d2a4e7b411955e042527.exe, win10v2004-20240709-en
Malware Config

Extracted: family gozi

Extracted: C:\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT

Extracted: C:\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT

Extracted: C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___AS7OX5_.txt
  Family: cerber
  URLs:
    http://xpcx6erilkjced3j.onion/EC0A-868E-EA4E-005C-9493
    http://xpcx6erilkjced3j.1t2jhk.top/EC0A-868E-EA4E-005C-9493
    http://xpcx6erilkjced3j.1e6ly3.top/EC0A-868E-EA4E-005C-9493
    http://xpcx6erilkjced3j.1ewuh5.top/EC0A-868E-EA4E-005C-9493
    http://xpcx6erilkjced3j.15ezkm.top/EC0A-868E-EA4E-005C-9493
    http://xpcx6erilkjced3j.16umxg.top/EC0A-868E-EA4E-005C-9493

Extracted: C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___HMHY_.txt
  Family: cerber
  URLs:
    http://xpcx6erilkjced3j.onion/4777-B407-78CB-005C-9E78
    http://xpcx6erilkjced3j.1t2jhk.top/4777-B407-78CB-005C-9E78
    http://xpcx6erilkjced3j.1e6ly3.top/4777-B407-78CB-005C-9E78
    http://xpcx6erilkjced3j.1ewuh5.top/4777-B407-78CB-005C-9E78
    http://xpcx6erilkjced3j.15ezkm.top/4777-B407-78CB-005C-9E78
    http://xpcx6erilkjced3j.16umxg.top/4777-B407-78CB-005C-9E78

Extracted: C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.readme_txt
  URLs:
    https://qmnmrba4s4a3py6z.onion.to/order/43e4593a-5dc7-11e7-8803-00163e417ea3
    http://qmnmrba4s4a3py6z.onion/order/43e4593a-5dc7-11e7-8803-00163e417ea3
Targets

Target: 2272954a2c9f631b4f9c5f6d230287b0989ab3b512bb5f4a282214eadf42085a.exe
Size: 299KB
MD5: 2ad96b646ad5f323f0bef0bfb6b23ebb
SHA1: a8ac661b22bd557fe3dbff8f706cb5741d43ac67
SHA256: 2272954a2c9f631b4f9c5f6d230287b0989ab3b512bb5f4a282214eadf42085a
SHA512: 8959aebd064c488e7247604b7b30e8487ecc498695206173d1251eff565bd5bb3e8ee90ac22bb1250f78412bcabe9a57d930972d6d4fdd886eef0901d89b38a9
SSDEEP: 6144:0gggrNE0oCD4IKXgWi2AL/Pe5f6LiJbfPcEfm0fg:G6DhfTR8C2JbMEfm0fg

Target: 72716d15ea7d118b8c99dbcb15114188abe468718c876ac52b0779161ef7e821.exe
Size: 703KB
MD5: d7c62a22cc1a832ba2ce0bfd1c4f9e9c
SHA1: a484b5a49a5b94f045100dd5e659b9504ed99211
SHA256: 72716d15ea7d118b8c99dbcb15114188abe468718c876ac52b0779161ef7e821
SHA512: 7c036f46c6c5a34d991d277c3ecf3c8abdf3a70042c40aaa3c20ce2f3e02a5a63200530587c2980ba5e000a7f1394a33390e63ec53782892b27874e293dff1c6
SSDEEP: 12288:Qu/mk3LQLwumO7mL945Hj1wcBsXcDBif+w+nstV7uikFg:5+WLQLP7mL9eDb+Msfsnstlubg
Score: 7/10
Signatures:
  Drops startup file
  Drops desktop.ini file(s)

Target: Bit Paymer.exe
Size: 92KB
MD5: 998246bd0e51f9582b998ca514317c33
SHA1: 5a2d799ac4cca8954fc117c7fb3e868f93c6f009
SHA256: d693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2
SHA512: 773d9838be9c09bd43a22aa1eada8f623f95739b21828712236a4a209c6d9266647ef43592d072d68399224965253c37f9ce9ef36e46e8191169c03ac7789130
SSDEEP: 1536:tacFdjxs2TlWlpnXv91nhixG8/lA5jG8387SpK6jXOMVHoi5e+vRb:taqJC6lWlpnXv7nhixhlAU83VwMCifvR
Score: 10/10
Signatures:
  Renames multiple (9958) files with added filename extension
    This suggests ransomware activity of encrypting all the files on the system.
  Checks computer location settings
    Looks up country code configured in the registry, likely geofence.
  Executes dropped EXE
  Loads dropped DLL
  Adds Run key to start application
  Drops desktop.ini file(s)

Target: KeepCalm.exe
Size: 218KB
MD5: f994759181fb964af17fab2f7994b9ca
SHA1: 9ae72a3dc37955af7526fd8566698b7a97ed7cb0
SHA256: 043969e70014662e6a8b90eaaec10f4b4064dc42c0aeba39639af82f11cbab7e
SHA512: c36ff4026879e6cbab1e95e8a8a9cc6dc8538de9fa5719625ddf5a9d578dda310325cbf1e44a2dddbc85f27521e7e736637bb102e1d230f861ecb8f2e0219188
SSDEEP: 3072:Y9mM+lmsolAIrRuw+mqv9j1MWLQFidJM+lmsolAIrRuw+mqv9j1MWLQd:EF+lDAAJdi+lDAA
Score: 1/10

Target: LockedIn.exe
Size: 650KB
MD5: e9e34a4dbf0c9fe5fb595b0282b0b4f0
SHA1: 4f3f6bc4aff97eecb9ab52d47520e248c618da45
SHA256: 613af1bf17a11dbf12849568ce08186cc4109a5cdb32d0bcce7c1bd81306f5c6
SHA512: b234f7a6fef8eb3153da20b1c9f668a8177e489817b1e7e36a572fbfc7dc3604f5cd509f5ff7087f4d3a2e3c1a5a0c7e93ae571be11c70732b1078ba8050a119
SSDEEP: 12288:dl6aKEZf4r/s6IzjtyHQDWcFXXGmmBJ0d35O3CEkk4zglJaKfZf4m:dlNCr/sFFmmmHIpKCEx4sljCm
Score: 9/10
Signatures:
  Renames multiple (68) files with added filename extension
    This suggests ransomware activity of encrypting all the files on the system.

Target: NotPetya.dll
Size: 353KB
MD5: 71b6a493388e7d0b40c83ce903bc6b04
SHA1: 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
SHA256: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
SHA512: 072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
SSDEEP: 6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG
Score: 10/10
Signatures:
  mimikatz is an open source tool to dump credentials on Windows
  Deletes itself
  Executes dropped EXE
  Loads dropped DLL
  Writes to the Master Boot Record (MBR)
    Bootkits write to the MBR to gain persistence at a level below the operating system.

Target: Purge.exe
Size: 24KB
MD5: b02916e5c5215ef3ce25269c8d8afbe2
SHA1: 7ea2e4eebea27ade84075a5bd47e048297377259
SHA256: b4e9d14e4ea8a1c459805ec46870f12a3e6ea3308864511a3d9c7af9fb841403
SHA512: c84cd98801dbc515f8e800c5fae57158d4167347c2267f1decbf37e98819b2bc1e9439eacec71eaad1c6ece62bf468b21db9cc53e6568cc73499595b1935296e
SSDEEP: 384:lMX3iNFRHDy0nxaP/JqiKV+aQlSp591U7qO7o4FQcc4KVOJ5ogxlwAx9sLtsNtt7:qHitm/JqiO+aB5s7qOUvOJ5ogDrCO8tm
Score: 1/10

Target: Scarab.exe
Size: 342KB
MD5: 6899003aaa63ab4397f9e32e0a1daf43
SHA1: c22272ff0944d127992b393562871473b23ef8ea
SHA256: 53f73dc2e8af9c059136029b3b535e885d4452d3375586eb9a0336d7a389aad5
SHA512: d8895f96e12d1b0b5907f7b1e7b976a37ff0cbe6db929cfbea5c931d905fb8269dc91bf44db83743920b63affc64ba88a0933d3111bc68f71ee266971b91b6bc
SSDEEP: 6144:zmTLRf45/wAfqj6pjohSws+wZQtmk6LnAlnZ:eq5/tyjMLd+Rtmkc0
Signatures:
  Deletes shadow copies
    Ransomware often targets backup files to inhibit system recovery.
  Renames multiple (234) files with added filename extension
    This suggests ransomware activity of encrypting all the files on the system.
  Checks computer location settings
    Looks up country code configured in the registry, likely geofence.
  Deletes itself
  Executes dropped EXE
  Loads dropped DLL
  Adds Run key to start application
  Suspicious use of SetThreadContext

Target: a631ad1b1a59001a5f594880c6ae3337bda98f8ce3bb46cd7a9de0b35cd2bc4b.exe
Size: 272KB
MD5: cb4ef16070b2dec59effcdb4a2134a83
SHA1: c9fcc72c08eece9ca0beb2a3d3801bbfffcb6196
SHA256: a631ad1b1a59001a5f594880c6ae3337bda98f8ce3bb46cd7a9de0b35cd2bc4b
SHA512: be87293a1b9537d54780639006b6e7a6048755064ca4e78cc295ae1b6263ab4d511e4f720f2687a55372da10e8fd67a47bb091bd5357c50045690936b2411091
SSDEEP: 6144:1xIPLPHOoW/EHVDJSBD94vqW6Q65Ln1ZEVNl999999999999999999999POU:+DHOVcHVDJMgX6Qu0V
Score: 6/10
Signatures:
  Enumerates connected drives
    Attempts to read the root path of hard drives other than the default C: drive.

Target: a9053a3a52113698143a2b9801509c68d0d8b4b8208da453f0974547df0931bc.exe
Size: 703KB
MD5: 43478841baa4b8754f75516220e33ac3
SHA1: 2585a613129d7e3dbff3eb16b10ce3fe940c99a3
SHA256: a9053a3a52113698143a2b9801509c68d0d8b4b8208da453f0974547df0931bc
SHA512: 9441209433e2d3d49012431011048cd33a7ce980482658a0b1e2ccd3baa70524d2585901b6130d4644d7ca0139d881a9f11a933949ed39ad805a147694b37f87
SSDEEP: 12288:C6JZ+UD5+1fpL2ikTgmPb2EdVu/BdmSHqDd6bhW2RJV7uikFg:JEUD52fpL2bgmSEds/BnKQPlubg
Score: 7/10
Signatures:
  Drops startup file
  Drops desktop.ini file(s)

Target: b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Size: 3.6MB
MD5: ef29f0f2a7b98ea19767b8ae66d1ffb8
SHA1: 093b3916ee1bea0442278d0aa87be5703207e627
SHA256: b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c
SHA512: 9ab431d19633ed54dc1cc8bc4e511cabcfcba56ee0ff30197f5bd7aca07b33f2b605ab17f07fba066f5c910903f27bb04f4eb04cbed539af783564bbeba2c80e
SSDEEP: 98304:yDqPoBhhRxcSUDk36SAEdhvxWa9P59Uc/Jf:yDqPSxcxk3ZAEUadv1
Score: 10/10
Signatures:
  Contacts a large (3251) amount of remote hosts
    This may indicate a network scan to discover remotely running services.
  Executes dropped EXE
  Creates a large amount of network flows
    This may indicate a network scan to discover remotely running services.
  Drops file in System32 directory

Target: cf89f70633865aa06123062a7dc51f8158905afb4b00f6f3597de3edfba97c5c.exe
Size: 322KB
MD5: 3f4e0582663260629e1046d300bfd47c
SHA1: 05d4b2e99a8ad0436cb5d9066987eb0df0321250
SHA256: cf89f70633865aa06123062a7dc51f8158905afb4b00f6f3597de3edfba97c5c
SHA512: b12505249227706b22e054d47d99d4b770a958875fb5eddb9a254ec06353415f00379383a091932ed70a1bcac14a9f8113f0221abed3c6211e6b7fe1f6fe1e81
SSDEEP: 6144:2FexvJFSPxQksREdUZo64wHijE77BoLUbeKMazza722uutBq3:2FyJWQkX/njG7BSEeKMazzaqRut4
Score: 3/10

Target: e951e82867a4f3af5a34b714571e9acf99cca794c4ed1895c9025a642d5d4350.exe
Size: 2.2MB
MD5: 52cae327d2b2fef71f1af28e15a2811c
SHA1: 62b516f72b03515078cb89cbecaa4522726e79d4
SHA256: e951e82867a4f3af5a34b714571e9acf99cca794c4ed1895c9025a642d5d4350
SHA512: 6daabedfc0accba661c84155ea449b0cdd8819378de9c102da07631390a7a9c1fc7ee1fb71505bfb4dfb974f71696ff57bf376184934bfa230d572400bfb422a
SSDEEP: 24576:d/2jBNbRL7T3QeFlUp1BcKZbn30QYKr5kw4AMMtG3oirCM/e52bZDHwSuQWTsFNz:d/yb9dw5dirCM/cIHnksFsK971
Score: 1/10

Target: fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe
Size: 121KB
MD5: eac0a08470ee67c63b14ae2ce7f6aa61
SHA1: 285c0163376d5d9a5806364411652fe73424d571
SHA256: fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7
SHA512: f3fd7eeae18843d049443f0d5e818302eb3b3f73ad85e26c01e1ddc0a102a0a22b065afe01879aafc95ff3a2d15b5c302394bd03d91e6c4401648cd4222bddc5
SSDEEP: 1536:3THoX8wNjiMsyPcjgbKx534oU6Llg/iLBkZhifkdol9LYuVF5yZbn:DjksYKx5o3Slg/itMg8+LYu9ubn
Signatures:
  Deletes shadow copies
    Ransomware often targets backup files to inhibit system recovery.
  Checks computer location settings
    Looks up country code configured in the registry, likely geofence.
  Executes dropped EXE
  Loads dropped DLL
  Adds Run key to start application
  Drops desktop.ini file(s)
  Suspicious use of SetThreadContext

Target: fc184274ad3908021e4c8ef28f35dc77447ed6457375d2a4e7b411955e042527.exe
Size: 268KB
MD5: d3fdd9807a32f5c27c14879336762119
SHA1: 73132972d130adb7106e6b9319b21856434eff65
SHA256: fc184274ad3908021e4c8ef28f35dc77447ed6457375d2a4e7b411955e042527
SHA512: 87468ab4136f449cab6e3689b4460de6dc59421ad20ce8208e251b3e4ef63f4ac281288ec51a35469e2473328de8b45b487cd72f40ba72d304a44b89a99a7a80
SSDEEP: 6144:IXJ6Mv/PMB5lZOx4ccuiA8HYVVo7bBPxwdNaLvo:KJf/kBrZOxfwAsYVVoZZwdNaE
Signatures:
  Blocklisted process makes network request
  Contacts a large (1095) amount of remote hosts
    This may indicate a network scan to discover remotely running services.
  Modifies Windows Firewall
  Checks computer location settings
    Looks up country code configured in the registry, likely geofence.
  Deletes itself
  Drops startup file
  Enumerates connected drives
    Attempts to read the root path of hard drives other than the default C: drive.
  Drops file in System32 directory
  Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v15 (hit counts shown in the report are given in parentheses)

Execution
  Scheduled Task/Job (1)
    Scheduled Task (1)
  System Services (1)
    Service Execution (1)
  Windows Management Instrumentation (1)

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Pre-OS Boot (1)
    Bootkit (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Access Token Manipulation (1)
    Create Process with Token (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Defense Evasion
  Access Token Manipulation (1)
    Create Process with Token (1)
  Direct Volume Access (1)
  Impair Defenses (2)
    Disable or Modify System Firewall (1)
  Indicator Removal (2)
    File Deletion (2)
  Modify Registry (3)
  Pre-OS Boot (1)
    Bootkit (1)