dharma

Sharing

General

Target

Downloads.rar
Size

5.1MB
Sample

240720-rqnahs1bkm
MD5

15850e52e9c87dc6ede614c3e255165b
SHA1

e0c10e296fa4b59a52fb84777808f42e94468118
SHA256

5b731e23be406f4b0e0908bccfba25798fa5fff5695191de760fe385a538688b
SHA512

29600f8b4a293a4258ddb0770ad5454aedad030297c43793cc28e78b547fe2e9f491dffd0c4794cf9f6d44f5b4d57d427db098588ad0fcc51a9d2b60712b640c
SSDEEP

98304:DCH8UrY74ZQuvUNNFRkQDXR16JBF6S900Kiw3k6Qijbf5VVIMUxai:DCH8RpuvUD5DXmhJm06LfhIz

Score

10^/10

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-2958949473-3205530200-1453100116-1000\GRTNMJFJ-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .GRTNMJFJ The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/e6da197513c00a4 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAMafOUG05DIOkMSEMcr5bJI53GEmQUpH0d/J1OLwKMjjRHnwCCiVCrXvyO1fWj41FEEkR37EiB4tyIYsQITi0BjS8Doz1VunVz7E+pNSMN1ZXf6Y8vYicIa36vQVqKQc33q9Ph35b593GH0X+XhIDB3M/mcEmoqpB9D8mHu6Uy+1hoZ3UeDYV3sJYqUl10sPWiI54XjLq96kCuk/8iI3XF0qpqVN3s81IdA2aENZ0oO4841j1oTfQ+g29EhrddaeUYtVnEM+uCqxFUSyOJVYeXYylgqSsFW5fW4+490UZdz080WQKPVU5sHNIEX6blQJZwMUVylRg5ypcdHyScHAG2whb0As5RiBpwhSE0Z9+Nkm3n6KKNKO/z1CnCV1Vilvui02Iq4p5te7juEyneBGDY1SM4Slba/GqEsrGahXNYUShJa0ONMAGf4g5b1o9Q46hvcsJ6wM0BAUWg/EiwFqTaxHR7ejXu0iZwOFBbBb+jomMkxLee3/Qqt9C5XN32FywzIcyh2v4NpaJxrDDjENHjRtFb3scxMiAIiV0XC8R84+6JdvRDSZatChAf3uhiJn1IfY0xVe062sopp+tZsffdzT64HnCR1QS2yOf/moXz5/o5uZ6WBUCxBVOWiASUu5/ua1PnjelQukf3cZtRuXk0/sZsxYyZvOJMgxOfR3bz9XRzQjzLfKuioxBa0iwFvMelAsvA4/1O3MYB7VBASQk8K4jcF1caZYQWA4OOEzw/GWwAesrLhr3n0gi7I4muosZHlAI8tMMLJSN95fACyLWWVkI8Q3GGGTJojQGEXTgFCJGtlqmGO0GjEBUFBzBShE5P1Mdsil+HvxmPY6hiGVGyzXScqpUc3fR757TCgokf9DvffTzipF0ogGhm/StgVhfmD1J7HUczFzKeTyF6KNcNyVQJlmyKoW4uPq14IzA8idx5YLSQ6VwI8/xg4DzoU+EBhl9rQbiErYoEtlnP/J7iVWkOcT4NTA8JMVnoj05u7FHr3hs/2ykfGPCdERP9bZSxnouW7QCRNATvx5474uW+j15kBPdYudyMTg7hku20WWaiTwDwy5zSqMUwaYEuXxsIe3Y0vpShujP04Mef7XOW/DQUNN69xyXILvd5TVQkmHQWsuMWNMgAnB8/C7hY1BkFfxTuwqKfOJBmDsBFVBMUgBEUA/klqhxmNN/Pp+Teux0TRKMZhHdpjLbrDhbQe1Omfu64jdME9J7fANkNH4RZMXJMV7Pcmnm8fpp24mXlBwy+F84N+Odh5emcMPawd03V6hxXMD3bGyFnagPVdzr3IVx+exnAikB+Dr3lnVRutr2Qd1sbvU9nFZSCl2VbyOtg1SJmxG05sVOt6HU7XupLsJL7DffCnP/SmKTMCIW9gZgsB+eX3p1MRbpk9POAyegpma6A3lNjY/pk+RYx3Vku3lzkFJ0J63V96HodTkFbIgllt86aO/iTnMojZzwWowfGwgdMPrpXzMxv70qH1fES6t0V2N02oiI1J0CJBOJiO0Vfq/yVXY0qLh7grP86Q1TbpaBxXVEycUEKwcjdC/xeMFIASJLmW0GWpWv148sgw49O6J8aeH2FKCR0g6ViVZtZoDic2xTJoTT7MjYCuvuOG3xO3OxiKfOqfv/0s/bh5+Qvf8TlE2FJuk5xu/cSxSNdE3nbAtCvXlnoSwr+BmKPSAtUhGSG4Ho5GgIqsr0rP1IN4ni/QYGN7nTcLvniinkUnQ1AlU2MI5QIeVrxITHZhPrvqNTOYvUTQ1AAF+FwYYvW+ad9bmUypjfvQF2p2LLAAmeag2p1McYhCYYQ1pYech5Wvxq1PWZE84+5dzlz70/1YIRLHD9Av2im0LdwdCttIZcDuhN6CrjuBm/Gj3duuPs9LwXpJI84/99Mt08/GN8F5P7KITy9veux87Qngxe3xkpiLqEL9nusqRUBh3VQKLS7BmVaCyeTVty2gxvAnk2Jpac8sMFrnfZfRg/ovyBMJlfUThW+c+m5sQ8lw+sW6nd44xr8WVMKo/kOjKkbrb3Gt5BKvNZso5ktC23jCAUKQ41p5L6XnCnfUTFDtYq1jRBAP6UbzkExwJX7SdhjScJahETXKgTj6Z0qHTFVCy8m9Ln+XL81roQnVVyXfjpyL22q1XKPJXbbNxSGcqYKD5u8qGAxU5pzfsRFKo9pbDwEcPNKgiXOjYe8vQ4LWCStfrwBNaywhZvXQMkVn7THgBhwb/Vg8v+S2z0Sd/f8h3yygeGcs= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDp9NTJMZDcAvSVv+DLRWrIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2mU0R7+dxfWLoypoW25ypHEnKnMMuBl1Cmehqo5VrrnNSZu19KSVzOtTAymPz79ICyGBkpCKj0RQwVePfN00RSUyDDtO6JLNAMBi1qqcY7R+G3MrGfmdSRjEfRP93y6vM9LODjDaPvr3tWv+YKTznJt/bAL0J01/eNSzezgKAqoTvFqJ2HPDmx5ShGudnoMloV6iCVyemoqB5vY7wFrtkyqy8E1f2lXjmT7rN4cOwygU+wTkywb+cfzdw/LWqjqbjWwFvi9DPXKP+ghY2cWKz+6gkLvCeiiYFcEv1EtSM9ANLhxdQDIBf1BEGWyeuMbp0J1h0/u+RWez0Et3TBCrbrZtdJPEOVKsosLrgbsAnNcG2VuLCZEZKsSbTenISaf0Ihb4k0t1Gacy3SiKIADBDFnYH2qA1whEaNxA== ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/e6da197513c00a4

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 3F60CAD0 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Targets

- Target
  
  BitchTits Ransomware [VIP].exe
- Size
  
  564KB
- MD5
  
  b0ab2ac4595df2a276f5485d549783a7
- SHA1
  
  383eca2859577e658d484084922dadf4191dd7c7
- SHA256
  
  d2a74e0837a55dbfeffd504b3fd0b2decc332d7c7724ed23b85266c95e0fac58
- SHA512
  
  3e134c8707e94b423dd7fc48056aaf9975fad406bfa12e061e749312b8507afd312cfe5e36500eb6239c9acf2842e552216162dff204c3b08a20a7b9b5528031
- SSDEEP
  
  6144:/slLxiHV+n32Z6kus2jmjvHBYJLxskckBUIrb271uvERPh5qe7/JFB7XYdjSYGiB:ue4GZ6Kjvmdnb2hpRP2e7/JFTD1Ut3
Score

7^/10

persistence upx
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  WannaFartCry.exe
- Size
  
  393KB
- MD5
  
  49e98ce0148d7cd9a847066fa683ac6e
- SHA1
  
  8a1c2fb6384005d4949c2315187db81f6a990328
- SHA256
  
  852fc68a02012fe8d0973ea9be8baa401d1be37c403697ee769c68bfad73c563
- SHA512
  
  4f967c5e59ac18c5db6fcef62f8d88dfcbd327c795c99fae7b05743d07d02f8dd18f48113bc42b0382e174b322626353c3b240f9e350e4736766abdcb27f055f
- SSDEEP
  
  12288:28n+q7BpMZ5ztVYnLZj2Cr8Yo+JLya0fcn+u:ZjiQLgCrXo+JL6C+u
Score

3^/10
behavioral2
- Target
  
  Wannashiturself.exe
- Size
  
  396KB
- MD5
  
  c419d3769a7b6c21e039a2f8bf3b8a7e
- SHA1
  
  710aae63e6b98e54f7269305e0d8d45defb9292f
- SHA256
  
  a64b4ec712a97ddc55f187cdd899ce00b3283992cbfa91d9e88647e61f62f693
- SHA512
  
  e7ded4bd334922752e3dc244c150ce05afc8c7ea3a90624d98ed89d003a8a47ab156c1f58ff58a4268b2fef8952f2651a4b6cd2b1952e7dd8a01126c1f065de8
- SSDEEP
  
  6144:A4nR2vxBCQjXJeKA7Eqe+D5IXo5IbFKVGW2QamiglBsvJR7M3imZIQ90:b2bCwXke+DuXrpGdPI7M/o
Score

10^/10

discovery evasion persistence trojan
- Windows security bypass
  evasion trojan
- Disables taskbar notifications via registry modification
  evasion
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral3
- Target
  
  big FAT tits RANSOMWARE.exe
- Size
  
  1.6MB
- MD5
  
  6750c55843b503be8d3c8fafa9229a15
- SHA1
  
  6c1e35a314b760103465c6b8b295697de12f2654
- SHA256
  
  43d4ddb608614be57f034aaa0fce1fb801a284057b6141a0713f6e698a064bdc
- SHA512
  
  4a11450e628f3a3f3f8c205100c1a21fe9df5848f7eee0d317fd406d83ac53b8ff0c4a9f4dd8113cac6adae55b131b1e9bb2eace9fef0ff9e15e267fc4f4ce3a
- SSDEEP
  
  24576:atgZUgpG9t9x4iK7Dkv5lskkcv/8IIh8Tg6qpX103LNkVIgAoeLZfmSXm:aCZHitwiKUwtm8IKkgA7olAoedfTm
Score

10^/10

troldesh discovery persistence ransomware spyware stealer trojan upx
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
  ransomware trojan troldesh
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral4
- Target
  
  big fat sexy dildo poop ransomware.exe
- Size
  
  1.1MB
- MD5
  
  365c420055e65efc397235b48a937354
- SHA1
  
  1fa4f99856a1f4b34e916c5c38d7919b993787a1
- SHA256
  
  1ba17c343abc3076637a5b744c02920058116a7ea88e7476912aa69162963243
- SHA512
  
  bde2ae9b1f7dcfc0d51d0e423ec6c156217b5fd7756fb690761b7aaa8f2e4131a1ce5a2ae5b751b29e63ecb55c950683c4cb58287796b3fbb9c29c8bab02d840
- SSDEEP
  
  24576:yxAQJ89kVyjJRGqHT3+nLmuqennVUHY2Xa3411TokYv+:y1Sk+GqHT+nLmknyK3SkkW+
Score

1^/10
behavioral5
- Target
  
  bitch man ransomware.exe
- Size
  
  54KB
- MD5
  
  5d55ed9e61bbd72c30793c5db6c4e2c0
- SHA1
  
  cad90549d832bf16e8bd15e9613800cdee495bbd
- SHA256
  
  b74b57fc010ceb1457978ca8d089c880fe854d112a1fb20f931718f4d77f1513
- SHA512
  
  0d72487a19773bb674b22a22b67d30d5e7349108a9bff46ff521ad99547ff590e933300ca38bc8c3517d8a1fbc65cff64dbf949492efb0c69012bd86791607ba
- SSDEEP
  
  1536:u3kgIekvc/f/tugCsxPSEAyZhuKuJmUJoKg1Wai:YbIekQHZBhuKjU+KgM
Score

8^/10

defense_evasion persistence spyware stealer
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Drops file in Drivers directory
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral6
- Target
  
  bro what the fuckkk ur seriously beliving that.exe
- Size
  
  123KB
- MD5
  
  21147329bec4cbc1c6fce80297974696
- SHA1
  
  c8c0065c7fc7336cef5bb2f4368724b36d7e4fa7
- SHA256
  
  e5209b13acdaff500e51c049a436710dd794ea027286b0a6c7c41426471194c2
- SHA512
  
  f025948a3d8086e2ef8834d8d29fd3d717f2500d071e4a0f47db5cba1f01214e8b15e392e2e0a0925767b21e630edfea92bee5653297e2beacabfc1a0e23bc50
- SSDEEP
  
  3072:K7dDRBM7qvXAv/8low26slwGNktA8o1QI3:M7uqfs8lo9quktA8VU
Score

7^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral7
- Target
  
  cocksucker ransomware [COOL].exe
- Size
  
  378KB
- MD5
  
  232fa9e369270ad2400f147358106f84
- SHA1
  
  652c7b72f2de9ac2b6a38f61bbab56c31cd4f56b
- SHA256
  
  eb08cd98561489036e4f156b1cf30312358a455a076396a1244a940cf91172ca
- SHA512
  
  088f6945749499224678e34624e8d91a8853bf574d3bfeb4b745b62a4c0198457272458491ff28b33dfa2bf88e0981db3314633d0dac1a242add86137b82b334
- SSDEEP
  
  6144:Dp7/yjcX8JtYa0exxWT+9g7jyOhM+9bHUm4pZdjBto+VXaWLtBLNKdeoS:djlX5asT6g7fhMjm43dzo+QOB1oS
Score

7^/10

persistence upx
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral8
- Target
  
  fart poopy ransowmare.exe
- Size
  
  59KB
- MD5
  
  f522150465f8568398eee5d89f4edc1c
- SHA1
  
  17ba3eb1274df0036f26835b21f26035c22aaf26
- SHA256
  
  e80ec6b586096c75c5811ab5049f356330d1b63a8acf18a1be413f1405415ec8
- SHA512
  
  99c57559f4f1332253ce0417cae2e142565adda08ffc446d82bf38e28f3d599f8863970598352b40d65f62d355cae5572e48e24b4ba777347f05a90941569eaf
- SSDEEP
  
  768:2FoWTi7VKJKT0OWs5TtWERYImI7YSNyPtGJiIf6hYyIGfMrSnshKubehypRl4TM0:ybT0QRs5TQxUGwf6bsr5Sh2Rl4h5z
Score

7^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral9
- Target
  
  fart weewee ransomware.exe
- Size
  
  135KB
- MD5
  
  9086042b51122885883c927e612a5191
- SHA1
  
  98dbe208dc906f5dcc17b66aa8fde46a711c6715
- SHA256
  
  e0b0694554714b0f33f4e5fa6014d5419ff92831812390f840b0f75efd3b0ef0
- SHA512
  
  d3a9d532ca2e578cd277ee452f05800e748cec5864a0d67b9c2ce876be45c9929d2c14bca2c0da9c1df10737b9d9cab4b4002c22930e62004f2ee15d8e375253
- SSDEEP
  
  3072:HH6/kaUyjMV8VTBXz7q/DcNymNtqJ75rjQQwpFtlfhj9A5Sb:nm1jMer2VmNz/FLJj96
Score

10^/10

defense_evasion persistence
- Modifies WinLogon for persistence
  persistence
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Modifies WinLogon
  persistence
behavioral10
- Target
  
  farting poop sex ransomware.exe
- Size
  
  190KB
- MD5
  
  2bebc43247cc29bc75e91f0f6f5eb05e
- SHA1
  
  b11e21dc35751a26fbc8304187b663ee3ae15676
- SHA256
  
  a1c01cc7189609f84e71d6758c5837fc118ce3d0ed05b009fc29d90e59cc6fd3
- SHA512
  
  ffc07134cb26836c245b2d3d2dfb4bad35d2893d72cf41f179fbc6aba31475fb727d0462ea2f77f7d31da5ce94930017ffa30d92ccbfdaf4f8144fc87f28440f
- SSDEEP
  
  3072:8hZQj6bmfjN9StAd1YO8sKI+Lj+dW4LBIxB+NK6AK89:56eNYI1YO89fnhgK6BY
Score

10^/10

gandcrab backdoor defense_evasion execution impact ransomware spyware stealer
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (277) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral11
- Target
  
  farty poo poo ransomware.exe
- Size
  
  218KB
- MD5
  
  9b20e48b731d1a78ffce07e1b4dfb7c0
- SHA1
  
  031e4932fc6da1cabde7735280b09b897719ba29
- SHA256
  
  f4b60e17e83f037c811ee111e21964cd772a817186324987fe5033420233ec43
- SHA512
  
  e59ecaf97a277aa46af7f027a5f9806b2c42a8b9555eb2db1475c25bccc50fb46621727ee2ba98590da3c2cff424557e0dd0803551a6dc8a399470cae5b56b8c
- SSDEEP
  
  3072:knUdM17tCgrmcEwBnJWJ9IHfYCeNpD/cgjj9w7BT0cfWjE39mbo:kl9tCMmFGJWgHfYpDkgjeJWjuIb
Score

10^/10

dharma defense_evasion execution impact persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (319) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral12
- Target
  
  fuck you.exe
- Size
  
  370KB
- MD5
  
  b8d68920aeadab481011b4f4519a8d39
- SHA1
  
  6284d4a622115d6721678e1204e7f4477575e2ae
- SHA256
  
  0159d20f5ea1df6d03d6cff8729b7e90e064ceb7caf05b6c0ce220d8bbdf38b2
- SHA512
  
  a03a3e6a6426aa472c71b605a57868a40119fa6dd5bbcee8100133b07995fcd7d364c5fc671f6b4e6cac77ebda4f8a1078b91d174946424404370f8358d1db9f
- SSDEEP
  
  6144:v0hwqmfHn/RN16uuToftAMs62LCkDnQ0eDQjizMVCiEzlc7R/0AnwWOwbITaxoSa:vwmP/xETSm1DhQeiiEzW/tvVwCoSa
Score

7^/10

persistence upx
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral13
- Target
  
  large penis ransomware 2024.exe
- Size
  
  63KB
- MD5
  
  26c694b48cd31b6d72b80600a628a9bb
- SHA1
  
  7f49fae234ece4eaa6e24bb036e22f5bf9695af5
- SHA256
  
  58a7fb4318058b3408693e6d1358b2f95dd00d8774f897464fbde3094c00de41
- SHA512
  
  bbd57471cdc48110380a275c765f4f730daf294b2e78d18f3bdda7337ae6e156b164fd6f495a374eaf5bceb8b21c7f5070e6549fd1a34be2a0511d7fef5f0394
- SSDEEP
  
  1536:X2raMo+pQDwUmjBl96LG9psn/yJo3XWHVmcuuIYWtJULLLES:GrRo+pEwU096KJvmTJULLLES
Score

7^/10

persistence
- Deletes itself
- Adds Run key to start application
  persistence
behavioral14
- Target
  
  niggaware ransomware in 2029.exe
- Size
  
  396KB
- MD5
  
  6bea20141f31c1f027e325d631dd7416
- SHA1
  
  306060f6d99d2d39dccbca0877725cc88a098651
- SHA256
  
  54924abbcd3589b5758a4efb30be4e910488365230f24a97b2d642e699ff4fdc
- SHA512
  
  00fb5f0fd5c746edf5441f7e6eddb7dff3fd04b4886c4e0a1349af8be76fced72658a48d96962a3de22612b87fb9b126b5429f0d527a12db7709428a8cdb9bc3
- SSDEEP
  
  12288:TfTkNEWWcfMjzcR8eN565iIfhEl08V6pCo:jTkuQMDecG0cZo
Score

10^/10

discovery evasion persistence trojan
- Windows security bypass
  evasion trojan
- Disables taskbar notifications via registry modification
  evasion
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral15
- Target
  
  pee poo piss piss ransomware rare.exe
- Size
  
  418KB
- MD5
  
  afe081816b33e7d8bdff7f7291fa3718
- SHA1
  
  b05d2d80f846e95d70463b3096e7412575c5ce54
- SHA256
  
  acee7b1fe33cae78353a100855e4da887599a504833f47c185373ed079529374
- SHA512
  
  91604a604d3acccddbbec61854bba80756aea78341c098a66982a4c4c6c0ac3bdf09132b527caaaedceedb4f70539c6df7cc2dd7f029bb1ccb0695c535397c72
- SSDEEP
  
  12288:I8y5iDtzoYgveS30QRuWlG9GDnH+9XUmwP:IDcCvegHEymw
Score

10^/10

persistence
- Modifies WinLogon for persistence
  persistence
- Drops file in System32 directory
behavioral16
- Target
  
  retard ransomware.exe
- Size
  
  4KB
- MD5
  
  7db10af5b15842d4201c86c566143849
- SHA1
  
  126731d10e41f887dd3c22a96f780ff52f9982d8
- SHA256
  
  0c1a54cf85222b5228ed637d46bdc611fc3f5ca834f5561c6dc8b5ed50ddb8f0
- SHA512
  
  fe5ffdfe2abdc279d4dcb12ebe270c6bd438f0d63aaea4a655444f6c767ee75ec2bd4a08e561b3475ecebabeb8e9a45aa43126b4922a9bb5b76e58e2e25a47f7
- SSDEEP
  
  48:6vKjorOy13Ihf9hy7yR2ETEM8wjklCBUuq:MWf9hymR2ETcwAEuf
Score

1^/10
behavioral17

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

Sharing

General

Malware Config

Extracted

Extracted

Targets

Executes dropped EXE

Loads dropped DLL

UPX packed file

Adds Run key to start application

Suspicious use of SetThreadContext

Windows security bypass

Disables taskbar notifications via registry modification

Deletes itself

Executes dropped EXE

Loads dropped DLL

Windows security modification

Adds Run key to start application

Checks installed software on the system

Troldesh, Shade, Encoder.858

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Boot or Logon Autostart Execution: Active Setup

Drops file in Drivers directory

Deletes itself

Drops startup file

Executes dropped EXE

Impair Defenses: Safe Mode Boot

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in System32 directory

UPX packed file

Deletes itself

Executes dropped EXE

Loads dropped DLL

UPX packed file

Adds Run key to start application

UPX packed file

Modifies WinLogon for persistence

Impair Defenses: Safe Mode Boot

Modifies WinLogon

Gandcrab

Deletes shadow copies

Renames multiple (277) files with added filename extension

Drops startup file

Reads user/profile data of web browsers

Enumerates connected drives

Sets desktop wallpaper using registry

Deletes shadow copies

Renames multiple (319) files with added filename extension

Drops startup file

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in System32 directory

Deletes itself

Executes dropped EXE

Loads dropped DLL

UPX packed file

Adds Run key to start application

Deletes itself

Adds Run key to start application

Windows security bypass

Disables taskbar notifications via registry modification

Deletes itself

Executes dropped EXE

Loads dropped DLL

Windows security modification

Adds Run key to start application

Checks installed software on the system

Modifies WinLogon for persistence

Drops file in System32 directory

MITRE ATT&CK Enterprise v15