Overview
Overall score: 10/10
Static analysis: 7/10
Behavioral analysis: 17 tasks, all run on windows7-x64 (samples, VM images and per-task scores are listed under Behavioral tasks and Targets below)
General
Target: Downloads.rar
Size: 5.1MB
Sample: 240720-rqnahs1bkm
MD5: 15850e52e9c87dc6ede614c3e255165b
SHA1: e0c10e296fa4b59a52fb84777808f42e94468118
SHA256: 5b731e23be406f4b0e0908bccfba25798fa5fff5695191de760fe385a538688b
SHA512: 29600f8b4a293a4258ddb0770ad5454aedad030297c43793cc28e78b547fe2e9f491dffd0c4794cf9f6d44f5b4d57d427db098588ad0fcc51a9d2b60712b640c
SSDEEP: 98304:DCH8UrY74ZQuvUNNFRkQDXR16JBF6S900Kiw3k6Qijbf5VVIMUxai:DCH8RpuvUD5DXmhJm06LfhIz

Behavioral tasks
behavioral1: BitchTits Ransomware [VIP].exe (resource win7-20240708-en)
behavioral2: WannaFartCry.exe (resource win7-20240704-en)
behavioral3: Wannashiturself.exe (resource win7-20240704-en)
behavioral4: big FAT tits RANSOMWARE.exe (resource win7-20240704-en)
behavioral5: big fat sexy dildo poop ransomware.exe (resource win7-20240708-en)
behavioral6: bitch man ransomware.exe (resource win7-20240708-en)
behavioral7: bro what the fuckkk ur seriously beliving that.dll (resource win7-20240704-en)
behavioral8: cocksucker ransomware [COOL].exe (resource win7-20240704-en)
behavioral9: fart poopy ransowmare.exe (resource win7-20240705-en)
behavioral10: fart weewee ransomware.exe (resource win7-20240708-en)
behavioral11: farting poop sex ransomware.exe (resource win7-20240708-en)
behavioral12: farty poo poo ransomware.exe (resource win7-20240705-en)
behavioral13: fuck you.exe (resource win7-20240705-en)
behavioral14: large penis ransomware 2024.exe (resource win7-20240704-en)
behavioral15: niggaware ransomware in 2029.exe (resource win7-20240704-en)
behavioral16: pee poo piss piss ransomware rare.exe (resource win7-20240705-en)
behavioral17: retard ransomware.exe (resource win7-20240705-en)

Malware Config
Extracted from: F:\$RECYCLE.BIN\S-1-5-21-2958949473-3205530200-1453100116-1000\GRTNMJFJ-MANUAL.txt
Family: gandcrab
URL: http://gandcrabmfe6mnef.onion/e6da197513c00a4
(This is a GandCrab ransom note: the prefix of the note's name is the extension GandCrab appended to the encrypted files, and the .onion URL with its per-victim path is the payment page the note points to. Treat the URL as an indicator only; it is a Tor hidden service and should not be visited from an analysis host that is not isolated.)
Extracted from: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
(Info.hta placed in the Startup folder is the ransom note that the Dharma/Crysis family drops so it is redisplayed at every logon; the report lists no family or URL for this file.)

Targets

Target: BitchTits Ransomware [VIP].exe
Size: 564KB
MD5: b0ab2ac4595df2a276f5485d549783a7
SHA1: 383eca2859577e658d484084922dadf4191dd7c7
SHA256: d2a74e0837a55dbfeffd504b3fd0b2decc332d7c7724ed23b85266c95e0fac58
SHA512: 3e134c8707e94b423dd7fc48056aaf9975fad406bfa12e061e749312b8507afd312cfe5e36500eb6239c9acf2842e552216162dff204c3b08a20a7b9b5528031
SSDEEP: 6144:/slLxiHV+n32Z6kus2jmjvHBYJLxskckBUIrb271uvERPh5qe7/JFB7XYdjSYGiB:ue4GZ6Kjvmdnb2hpRP2e7/JFTD1Ut3
Score: 7/10
Signatures:
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext (rewriting another thread's context is the usual final step of process hollowing or thread hijacking)

Target: WannaFartCry.exe
Size: 393KB
MD5: 49e98ce0148d7cd9a847066fa683ac6e
SHA1: 8a1c2fb6384005d4949c2315187db81f6a990328
SHA256: 852fc68a02012fe8d0973ea9be8baa401d1be37c403697ee769c68bfad73c563
SHA512: 4f967c5e59ac18c5db6fcef62f8d88dfcbd327c795c99fae7b05743d07d02f8dd18f48113bc42b0382e174b322626353c3b240f9e350e4736766abdcb27f055f
SSDEEP: 12288:28n+q7BpMZ5ztVYnLZj2Cr8Yo+JLya0fcn+u:ZjiQLgCrXo+JL6C+u
Score: 3/10
Signatures: none listed

Target: Wannashiturself.exe
Size: 396KB
MD5: c419d3769a7b6c21e039a2f8bf3b8a7e
SHA1: 710aae63e6b98e54f7269305e0d8d45defb9292f
SHA256: a64b4ec712a97ddc55f187cdd899ce00b3283992cbfa91d9e88647e61f62f693
SHA512: e7ded4bd334922752e3dc244c150ce05afc8c7ea3a90624d98ed89d003a8a47ab156c1f58ff58a4268b2fef8952f2651a4b6cd2b1952e7dd8a01126c1f065de8
SSDEEP: 6144:A4nR2vxBCQjXJeKA7Eqe+D5IXo5IbFKVGW2QamiglBsvJR7M3imZIQ90:b2bCwXke+DuXrpGdPI7M/o
Score: 10/10
Signatures:
- Disables taskbar notifications via registry modification
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system (enumerates the Uninstall key entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and the per-user equivalent)

Target: big FAT tits RANSOMWARE.exe
Size: 1.6MB
MD5: 6750c55843b503be8d3c8fafa9229a15
SHA1: 6c1e35a314b760103465c6b8b295697de12f2654
SHA256: 43d4ddb608614be57f034aaa0fce1fb801a284057b6141a0713f6e698a064bdc
SHA512: 4a11450e628f3a3f3f8c205100c1a21fe9df5848f7eee0d317fd406d83ac53b8ff0c4a9f4dd8113cac6adae55b131b1e9bb2eace9fef0ff9e15e267fc4f4ce3a
SSDEEP: 24576:atgZUgpG9t9x4iK7Dkv5lskkcv/8IIh8Tg6qpX103LNkVIgAoeLZfmSXm:aCZHitwiKUwtm8IKkgA7olAoedfTm
Score: 10/10
Signatures:
- Adds Run key to start application
- Checks installed software on the system (enumerates the Uninstall key entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and the per-user equivalent)
- Suspicious use of SetThreadContext

Target: big fat sexy dildo poop ransomware.exe
Size: 1.1MB
MD5: 365c420055e65efc397235b48a937354
SHA1: 1fa4f99856a1f4b34e916c5c38d7919b993787a1
SHA256: 1ba17c343abc3076637a5b744c02920058116a7ea88e7476912aa69162963243
SHA512: bde2ae9b1f7dcfc0d51d0e423ec6c156217b5fd7756fb690761b7aaa8f2e4131a1ce5a2ae5b751b29e63ecb55c950683c4cb58287796b3fbb9c29c8bab02d840
SSDEEP: 24576:yxAQJ89kVyjJRGqHT3+nLmuqennVUHY2Xa3411TokYv+:y1Sk+GqHT+nLmknyK3SkkW+
Score: 1/10
Signatures: none listed

Target: bitch man ransomware.exe
Size: 54KB
MD5: 5d55ed9e61bbd72c30793c5db6c4e2c0
SHA1: cad90549d832bf16e8bd15e9613800cdee495bbd
SHA256: b74b57fc010ceb1457978ca8d089c880fe854d112a1fb20f931718f4d77f1513
SHA512: 0d72487a19773bb674b22a22b67d30d5e7349108a9bff46ff521ad99547ff590e933300ca38bc8c3517d8a1fbc65cff64dbf949492efb0c69012bd86791607ba
SSDEEP: 1536:u3kgIekvc/f/tugCsxPSEAyZhuKuJmUJoKg1Wai:YbIekQHZBhuKjU+KgM
Score: 8/10
Signatures:
- Boot or Logon Autostart Execution: Active Setup (persistence by adding a key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ whose StubPath value Windows executes at each user's next logon)
- Drops file in Drivers directory (C:\Windows\System32\drivers)
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot (configures the system so the sample still runs under Safe Mode, via SafeBoot registry entries or a forced Safe Mode boot, where most security tools are not started)
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives (reads the root path of drives other than the default C: drive, a typical first step before encrypting every attached volume)
- Drops file in System32 directory

Target: bro what the fuckkk ur seriously beliving that.exe (listed as .dll under behavioral7)
Size: 123KB
MD5: 21147329bec4cbc1c6fce80297974696
SHA1: c8c0065c7fc7336cef5bb2f4368724b36d7e4fa7
SHA256: e5209b13acdaff500e51c049a436710dd794ea027286b0a6c7c41426471194c2
SHA512: f025948a3d8086e2ef8834d8d29fd3d717f2500d071e4a0f47db5cba1f01214e8b15e392e2e0a0925767b21e630edfea92bee5653297e2beacabfc1a0e23bc50
SSDEEP: 3072:K7dDRBM7qvXAv/8low26slwGNktA8o1QI3:M7uqfs8lo9quktA8VU
Score: 7/10
Signatures: none listed

Target: cocksucker ransomware [COOL].exe
Size: 378KB
MD5: 232fa9e369270ad2400f147358106f84
SHA1: 652c7b72f2de9ac2b6a38f61bbab56c31cd4f56b
SHA256: eb08cd98561489036e4f156b1cf30312358a455a076396a1244a940cf91172ca
SHA512: 088f6945749499224678e34624e8d91a8853bf574d3bfeb4b745b62a4c0198457272458491ff28b33dfa2bf88e0981db3314633d0dac1a242add86137b82b334
SSDEEP: 6144:Dp7/yjcX8JtYa0exxWT+9g7jyOhM+9bHUm4pZdjBto+VXaWLtBLNKdeoS:djlX5asT6g7fhMjm43dzo+QOB1oS
Score: 7/10
Signatures:
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: fart poopy ransowmare.exe
Size: 59KB
MD5: f522150465f8568398eee5d89f4edc1c
SHA1: 17ba3eb1274df0036f26835b21f26035c22aaf26
SHA256: e80ec6b586096c75c5811ab5049f356330d1b63a8acf18a1be413f1405415ec8
SHA512: 99c57559f4f1332253ce0417cae2e142565adda08ffc446d82bf38e28f3d599f8863970598352b40d65f62d355cae5572e48e24b4ba777347f05a90941569eaf
SSDEEP: 768:2FoWTi7VKJKT0OWs5TtWERYImI7YSNyPtGJiIf6hYyIGfMrSnshKubehypRl4TM0:ybT0QRs5TQxUGwf6bsr5Sh2Rl4h5z
Score: 7/10
Signatures: none listed

Target: fart weewee ransomware.exe
Size: 135KB
MD5: 9086042b51122885883c927e612a5191
SHA1: 98dbe208dc906f5dcc17b66aa8fde46a711c6715
SHA256: e0b0694554714b0f33f4e5fa6014d5419ff92831812390f840b0f75efd3b0ef0
SHA512: d3a9d532ca2e578cd277ee452f05800e748cec5864a0d67b9c2ce876be45c9929d2c14bca2c0da9c1df10737b9d9cab4b4002c22930e62004f2ee15d8e375253
SSDEEP: 3072:HH6/kaUyjMV8VTBXz7q/DcNymNtqJ75rjQQwpFtlfhj9A5Sb:nm1jMer2VmNz/FLJj96
Score: 10/10
Signatures:
- Modifies WinLogon for persistence (changes the Shell or Userinit value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon so the sample is launched at every logon)
- Impair Defenses: Safe Mode Boot
- Modifies WinLogon

Target: farting poop sex ransomware.exe
Size: 190KB
MD5: 2bebc43247cc29bc75e91f0f6f5eb05e
SHA1: b11e21dc35751a26fbc8304187b663ee3ae15676
SHA256: a1c01cc7189609f84e71d6758c5837fc118ce3d0ed05b009fc29d90e59cc6fd3
SHA512: ffc07134cb26836c245b2d3d2dfb4bad35d2893d72cf41f179fbc6aba31475fb727d0462ea2f77f7d31da5ce94930017ffa30d92ccbfdaf4f8144fc87f28440f
SSDEEP: 3072:8hZQj6bmfjN9StAd1YO8sKI+Lj+dW4LBIxB+NK6AK89:56eNYI1YO89fnhgK6BY
Score: 10/10
Signatures:
- Deletes shadow copies (removes Volume Shadow Copies so encrypted files cannot be restored from previous versions; ransomware does this to inhibit system recovery)
- Renames multiple (277) files with added filename extension (hundreds of files renamed with an appended extension is the footprint of an encryption pass over the file system)
- Drops startup file
- Enumerates connected drives (reads the root path of drives other than the default C: drive)
- Sets desktop wallpaper using registry (writes the Wallpaper value under HKCU\Control Panel\Desktop, typically to display the ransom demand)

Target: farty poo poo ransomware.exe
Size: 218KB
MD5: 9b20e48b731d1a78ffce07e1b4dfb7c0
SHA1: 031e4932fc6da1cabde7735280b09b897719ba29
SHA256: f4b60e17e83f037c811ee111e21964cd772a817186324987fe5033420233ec43
SHA512: e59ecaf97a277aa46af7f027a5f9806b2c42a8b9555eb2db1475c25bccc50fb46621727ee2ba98590da3c2cff424557e0dd0803551a6dc8a399470cae5b56b8c
SSDEEP: 3072:knUdM17tCgrmcEwBnJWJ9IHfYCeNpD/cgjj9w7BT0cfWjE39mbo:kl9tCMmFGJWgHfYpDkgjeJWjuIb
Score: 10/10
Signatures:
- Dharma (family match; Dharma, also tracked as Crysis, is a ransomware family that has been distributed bundled with legitimate security-software installers to mask its activity)
- Deletes shadow copies (removes Volume Shadow Copies so encrypted files cannot be restored from previous versions)
- Renames multiple (319) files with added filename extension (the footprint of an encryption pass over the file system)
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory

Target: fuck you.exe
Size: 370KB
MD5: b8d68920aeadab481011b4f4519a8d39
SHA1: 6284d4a622115d6721678e1204e7f4477575e2ae
SHA256: 0159d20f5ea1df6d03d6cff8729b7e90e064ceb7caf05b6c0ce220d8bbdf38b2
SHA512: a03a3e6a6426aa472c71b605a57868a40119fa6dd5bbcee8100133b07995fcd7d364c5fc671f6b4e6cac77ebda4f8a1078b91d174946424404370f8358d1db9f
SSDEEP: 6144:v0hwqmfHn/RN16uuToftAMs62LCkDnQ0eDQjizMVCiEzlc7R/0AnwWOwbITaxoSa:vwmP/xETSm1DhQeiiEzW/tvVwCoSa
Score: 7/10
Signatures:
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: large penis ransomware 2024.exe
Size: 63KB
MD5: 26c694b48cd31b6d72b80600a628a9bb
SHA1: 7f49fae234ece4eaa6e24bb036e22f5bf9695af5
SHA256: 58a7fb4318058b3408693e6d1358b2f95dd00d8774f897464fbde3094c00de41
SHA512: bbd57471cdc48110380a275c765f4f730daf294b2e78d18f3bdda7337ae6e156b164fd6f495a374eaf5bceb8b21c7f5070e6549fd1a34be2a0511d7fef5f0394
SSDEEP: 1536:X2raMo+pQDwUmjBl96LG9psn/yJo3XWHVmcuuIYWtJULLLES:GrRo+pEwU096KJvmTJULLLES
Score: 7/10
Signatures:
- Deletes itself
- Adds Run key to start application

Target: niggaware ransomware in 2029.exe
Size: 396KB
MD5: 6bea20141f31c1f027e325d631dd7416
SHA1: 306060f6d99d2d39dccbca0877725cc88a098651
SHA256: 54924abbcd3589b5758a4efb30be4e910488365230f24a97b2d642e699ff4fdc
SHA512: 00fb5f0fd5c746edf5441f7e6eddb7dff3fd04b4886c4e0a1349af8be76fced72658a48d96962a3de22612b87fb9b126b5429f0d527a12db7709428a8cdb9bc3
SSDEEP: 12288:TfTkNEWWcfMjzcR8eN565iIfhEl08V6pCo:jTkuQMDecG0cZo
Score: 10/10
Signatures:
- Disables taskbar notifications via registry modification
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system (enumerates the Uninstall key entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and the per-user equivalent)

Target: pee poo piss piss ransomware rare.exe
Size: 418KB
MD5: afe081816b33e7d8bdff7f7291fa3718
SHA1: b05d2d80f846e95d70463b3096e7412575c5ce54
SHA256: acee7b1fe33cae78353a100855e4da887599a504833f47c185373ed079529374
SHA512: 91604a604d3acccddbbec61854bba80756aea78341c098a66982a4c4c6c0ac3bdf09132b527caaaedceedb4f70539c6df7cc2dd7f029bb1ccb0695c535397c72
SSDEEP: 12288:I8y5iDtzoYgveS30QRuWlG9GDnH+9XUmwP:IDcCvegHEymw
Score: 10/10
Signatures:
- Modifies WinLogon for persistence
- Drops file in System32 directory

Target: retard ransomware.exe
Size: 4KB
MD5: 7db10af5b15842d4201c86c566143849
SHA1: 126731d10e41f887dd3c22a96f780ff52f9982d8
SHA256: 0c1a54cf85222b5228ed637d46bdc611fc3f5ca834f5561c6dc8b5ed50ddb8f0
SHA512: fe5ffdfe2abdc279d4dcb12ebe270c6bd438f0d63aaea4a655444f6c767ee75ec2bd4a08e561b3475ecebabeb8e9a45aa43126b4922a9bb5b76e58e2e25a47f7
SSDEEP: 48:6vKjorOy13Ihf9hy7yR2ETEM8wjklCBUuq:MWf9hymR2ETcwAEuf
Score: 1/10
Signatures: none listed

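The persistence and defense-evasion signatures in the Targets list (Run key, Winlogon, Active Setup, Safe Mode boot, files dropped in the Startup folder, taskbar notifications) all come down to writes at a handful of registry and file-system locations. The Python below is an added example, not part of the sandbox report or of any of the samples: it classifies Sysmon-style registry value-set (Event ID 13) and file-create (Event ID 11) records against those locations and tags each hit with the ATT&CK technique the report's matrix uses. The event records, the sample path and the Active Setup GUID are constructed; the SID is the one from the report's ransom-note path; that the taskbar-notification signature keys on the EnableBalloonTips value is an assumption.

```python
"""Added example: map Sysmon-style registry (Event ID 13) and file-create
(Event ID 11) records onto the persistence/defense-evasion locations behind
the sandbox report's signatures. All records below are constructed."""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional


class Finding(NamedTuple):
    technique: str   # ATT&CK technique the location maps to
    rule: str
    image: str       # process that wrote the value or created the file
    target: str
    details: str


# (technique, label, regex on the registry path, regex matching the value that
# is normal at that location and so is not reported, or None)
REGISTRY_RULES = [
    ("T1547.001", "Run/RunOnce key",
     re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I), None),
    ("T1547.004", "Winlogon Shell/Userinit changed",
     re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I),
     re.compile(r"^(explorer\.exe|C:\\Windows\\system32\\userinit\.exe,?)$", re.I)),
    ("T1547.014", "Active Setup StubPath",
     re.compile(r"\\Active Setup\\Installed Components\\\{[0-9A-F-]+\}\\StubPath$", re.I),
     None),
    ("T1562.009", "SafeBoot Minimal/Network entry",
     re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\", re.I), None),
    # Assumption: the report's "disables taskbar notifications" signature keys
    # on this value; a non-zero DWORD is the Windows default and is ignored.
    ("T1112", "Balloon tips disabled",
     re.compile(r"\\Explorer\\Advanced\\EnableBalloonTips$", re.I),
     re.compile(r"^DWORD \(0x0000000[1-9]\)$", re.I)),
]
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)


def classify(event: Dict[str, object]) -> Optional[Finding]:
    """Return a Finding for one event, or None if it touches nothing of interest."""
    image = str(event.get("image", ""))
    if event.get("event_id") == 11:
        target = str(event.get("target_filename", ""))
        if STARTUP_DIR.search(target):
            return Finding("T1547.001", "File dropped in Startup folder", image, target, "")
        return None
    if event.get("event_id") != 13:
        return None
    target = str(event.get("target_object", ""))
    details = str(event.get("details", ""))
    for technique, rule, path_re, benign_re in REGISTRY_RULES:
        if path_re.search(target):
            if benign_re is not None and benign_re.match(details):
                return None  # the default value was written back; not a hijack
            return Finding(technique, rule, image, target, details)
    return None


def audit(events: Iterable[Dict[str, object]]) -> List[Finding]:
    """Run classify() over a stream of events and keep the hits, in order."""
    return [f for f in (classify(e) for e in events) if f is not None]


SID = "S-1-5-21-2958949473-3205530200-1453100116-1000"  # SID seen in the report
SAMPLE = "C:\\Users\\Admin\\Desktop\\sample.exe"          # constructed path
HKU = "HKU\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion"
HKLM_NT = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
SAMPLE_EVENTS = [  # constructed Sysmon-like records
    {"event_id": 13, "image": SAMPLE, "target_object": HKU + "\\Run\\sample",
     "details": SAMPLE},
    {"event_id": 13, "image": SAMPLE, "target_object": HKLM_NT + "\\Shell",
     "details": "explorer.exe, " + SAMPLE},
    {"event_id": 13, "image": "C:\\Windows\\system32\\msiexec.exe",  # benign write-back
     "target_object": HKLM_NT + "\\Userinit",
     "details": "C:\\Windows\\system32\\userinit.exe,"},
    {"event_id": 13, "image": SAMPLE, "target_object":
     "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"
     "{01234567-89AB-CDEF-0123-456789ABCDEF}\\StubPath", "details": SAMPLE},
    {"event_id": 13, "image": SAMPLE, "target_object":
     "HKLM\\System\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\sample.sys\\(Default)",
     "details": "Driver"},
    {"event_id": 13, "image": SAMPLE,
     "target_object": HKU + "\\Explorer\\Advanced\\EnableBalloonTips",
     "details": "DWORD (0x00000000)"},
    {"event_id": 11, "image": SAMPLE, "target_filename":
     "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Info.hta"},
    {"event_id": 12, "image": SAMPLE, "target_object": HKU + "\\Run"},  # key creation only
]

if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print(f"{f.technique:<10} {f.rule:<32} {f.image} -> {f.target}")
```

The benign-value regexes are what keep this from firing on every installer that rewrites Userinit with its default; in a real pipeline the same idea extends to an allow-list of signer or image paths for the writing process, which the sandbox signatures do not need because the detonation runs a single untrusted sample.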
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547): 4
    Active Setup (T1547.014): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 2
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 4
    Active Setup (T1547.014): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 2
Defense Evasion
  Direct Volume Access (T1006): 1
  Impair Defenses (T1562): 3
    Disable or Modify Tools (T1562.001): 2
    Safe Mode Boot (T1562.009): 1
  Indicator Removal (T1070): 2
    File Deletion (T1070.004): 2
  Modify Registry (T1112): 8
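The impact signatures on farting poop sex ransomware.exe and farty poo poo ransomware.exe (shadow copies deleted, hundreds of files renamed with an added extension) are the two behaviours in this report most worth alerting on outside a sandbox. The Python below is an added example, not part of the report or of any of the samples: one function matches process command lines against the recovery-inhibiting commands ransomware commonly runs (the report does not show which command, if any, these samples used, so the pattern list is a general one and not taken from the page), and the other reconstructs the "renames multiple files with added extension" heuristic from file-rename events. All events, paths and the .locked extension are constructed.

```python
"""Added example: the two heuristics behind the report's "Deletes shadow
copies" and "Renames multiple files with added filename extension" signatures,
run over constructed process-creation and file-rename records."""
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional

# Recovery-inhibiting command lines commonly run by ransomware (general list;
# the report does not show which of these, if any, the samples used).
RECOVERY_INHIBIT_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b.*\bmaxsize=", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
]


def shadow_copy_deletions(process_events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the command lines that match a recovery-inhibition pattern."""
    return [ev["command_line"] for ev in process_events
            if any(p.search(ev["command_line"]) for p in RECOVERY_INHIBIT_PATTERNS)]


def added_extension(old: str, new: str) -> Optional[str]:
    """If `new` is `old` plus one appended extension, return that extension.
    A rename that changes the directory or the base name is not an encryption
    footprint and yields None."""
    if new.startswith(old + ".") and "\\" not in new[len(old) + 1:]:
        return new[len(old) + 1:]
    return None


class RenameGroup(NamedTuple):
    extension: str
    count: int
    example: str


def bulk_renames(rename_events: Iterable[Dict[str, str]],
                 threshold: int = 10) -> List[RenameGroup]:
    """Group renames by appended extension and report groups at or above
    `threshold`. The sandbox counted 277 and 319 renames over full detonations;
    the lower default here suits the small constructed sample."""
    counts: Counter = Counter()
    examples: Dict[str, str] = {}
    for ev in rename_events:
        ext = added_extension(ev["old"], ev["new"])
        if ext is not None:
            counts[ext] += 1
            examples.setdefault(ext, ev["new"])
    return [RenameGroup(ext, n, examples[ext])
            for ext, n in counts.most_common() if n >= threshold]


DOCS = "C:\\Users\\Admin\\Documents\\"  # constructed victim directory
PROCESS_EVENTS = [  # constructed process-creation records
    {"image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin delete shadows /all /quiet"},
    {"image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin list shadows"},              # benign enumeration
    {"image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "command_line": "wmic shadowcopy delete"},
    {"image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd /c dir " + DOCS},
]
RENAME_EVENTS = (  # constructed rename records: 12 encrypted, 2 unrelated
    [{"old": DOCS + f"report{i}.docx", "new": DOCS + f"report{i}.docx.locked"}
     for i in range(12)]
    + [{"old": DOCS + "notes.txt", "new": DOCS + "notes.txt.bak"},
       {"old": "C:\\Users\\Admin\\Downloads\\setup.exe",
        "new": "C:\\Users\\Admin\\Desktop\\setup.exe"}]
)

if __name__ == "__main__":
    for cmd in shadow_copy_deletions(PROCESS_EVENTS):
        print("recovery inhibited:", cmd)
    for g in bulk_renames(RENAME_EVENTS):
        print(f"{g.count} files renamed with .{g.extension}, e.g. {g.example}")
```

Grouping by the full appended suffix rather than the last dot-separated component matters for families such as Dharma, whose suffix contains a victim id and a contact address before the final extension; since that id is constant per machine, the grouping still collapses to one line per infection.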