General

  • Target

    Downloads.rar

  • Size

    5.1MB

  • Sample

    240720-rqnahs1bkm

  • MD5

    15850e52e9c87dc6ede614c3e255165b

  • SHA1

    e0c10e296fa4b59a52fb84777808f42e94468118

  • SHA256

    5b731e23be406f4b0e0908bccfba25798fa5fff5695191de760fe385a538688b

  • SHA512

    29600f8b4a293a4258ddb0770ad5454aedad030297c43793cc28e78b547fe2e9f491dffd0c4794cf9f6d44f5b4d57d427db098588ad0fcc51a9d2b60712b640c

  • SSDEEP

    98304:DCH8UrY74ZQuvUNNFRkQDXR16JBF6S900Kiw3k6Qijbf5VVIMUxai:DCH8RpuvUD5DXmhJm06LfhIz

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-2958949473-3205530200-1453100116-1000\GRTNMJFJ-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =---

***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************

*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension: .GRTNMJFJ

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:

----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/e6da197513c00a4
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAMafOUG05DIOkMSEMcr5bJI53GEmQUpH0d/J1OLwKMjjRHnwCCiVCrXvyO1fWj41FEEkR37EiB4tyIYsQITi0BjS8Doz1VunVz7E+pNSMN1ZXf6Y8vYicIa36vQVqKQc33q9Ph35b593GH0X+XhIDB3M/mcEmoqpB9D8mHu6Uy+1hoZ3UeDYV3sJYqUl10sPWiI54XjLq96kCuk/8iI3XF0qpqVN3s81IdA2aENZ0oO4841j1oTfQ+g29EhrddaeUYtVnEM+uCqxFUSyOJVYeXYylgqSsFW5fW4+490UZdz080WQKPVU5sHNIEX6blQJZwMUVylRg5ypcdHyScHAG2whb0As5RiBpwhSE0Z9+Nkm3n6KKNKO/z1CnCV1Vilvui02Iq4p5te7juEyneBGDY1SM4Slba/GqEsrGahXNYUShJa0ONMAGf4g5b1o9Q46hvcsJ6wM0BAUWg/EiwFqTaxHR7ejXu0iZwOFBbBb+jomMkxLee3/Qqt9C5XN32FywzIcyh2v4NpaJxrDDjENHjRtFb3scxMiAIiV0XC8R84+6JdvRDSZatChAf3uhiJn1IfY0xVe062sopp+tZsffdzT64HnCR1QS2yOf/moXz5/o5uZ6WBUCxBVOWiASUu5/ua1PnjelQukf3cZtRuXk0/sZsxYyZvOJMgxOfR3bz9XRzQjzLfKuioxBa0iwFvMelAsvA4/1O3MYB7VBASQk8K4jcF1caZYQWA4OOEzw/GWwAesrLhr3n0gi7I4muosZHlAI8tMMLJSN95fACyLWWVkI8Q3GGGTJojQGEXTgFCJGtlqmGO0GjEBUFBzBShE5P1Mdsil+HvxmPY6hiGVGyzXScqpUc3fR757TCgokf9DvffTzipF0ogGhm/StgVhfmD1J7HUczFzKeTyF6KNcNyVQJlmyKoW4uPq14IzA8idx5YLSQ6VwI8/xg4DzoU+EBhl9rQbiErYoEtlnP/J7iVWkOcT4NTA8JMVnoj05u7FHr3hs/2ykfGPCdERP9bZSxnouW7QCRNATvx5474uW+j15kBPdYudyMTg7hku20WWaiTwDwy5zSqMUwaYEuXxsIe3Y0vpShujP04Mef7XOW/DQUNN69xyXILvd5TVQkmHQWsuMWNMgAnB8/C7hY1BkFfxTuwqKfOJBmDsBFVBMUgBEUA/klqhxmNN/Pp+Teux0TRKMZhHdpjLbrDhbQe1Omfu64jdME9J7fANkNH4RZMXJMV7Pcmnm8fpp24mXlBwy+F84N+Odh5emcMPawd03V6hxXMD3bGyFnagPVdzr3IVx+exnAikB+Dr3lnVRutr2Qd1sbvU9nFZSCl2VbyOtg1SJmxG05sVOt6HU7XupLsJL7DffCnP/SmKTMCIW9gZgsB+eX3p1MRbpk9POAyegpma6A3lNjY/pk+RYx3Vku3lzkFJ0J63V96HodTkFbIgllt86aO/iTnMojZzwWowfGwgdMPrpXzMxv70qH1fES6t0V2N02oiI1J0CJBOJiO0Vfq/yVXY0qLh7grP86Q1TbpaBxXVEycUEKwcjdC/xeMFIASJLmW0GWpWv148sgw49O6J8aeH2FKCR0g6ViVZtZoDic2xTJoTT7MjYCuvuOG3xO3OxiKfOqfv/0s/bh5+Qvf8TlE2FJuk5xu/cSxSNdE3nbAtCvXlnoSwr+BmKPSAtUhGSG4Ho5GgIqsr0rP1IN4ni/QYGN7nTcLvniinkUnQ1AlU2MI5QIeVrxITHZhPrvqNTOYvUTQ1AAF+FwYYvW+ad9bmUypjfvQF2p2LLAAmeag2p1McYhCYYQ1pYech5Wvxq1PWZE84+5dzlz70/1YIRLHD9Av2im0LdwdCttIZcDuhN6CrjuBm/Gj3duu
Ps9LwXpJI84/99Mt08/GN8F5P7KITy9veux87Qngxe3xkpiLqEL9nusqRUBh3VQKLS7BmVaCyeTVty2gxvAnk2Jpac8sMFrnfZfRg/ovyBMJlfUThW+c+m5sQ8lw+sW6nd44xr8WVMKo/kOjKkbrb3Gt5BKvNZso5ktC23jCAUKQ41p5L6XnCnfUTFDtYq1jRBAP6UbzkExwJX7SdhjScJahETXKgTj6Z0qHTFVCy8m9Ln+XL81roQnVVyXfjpyL22q1XKPJXbbNxSGcqYKD5u8qGAxU5pzfsRFKo9pbDwEcPNKgiXOjYe8vQ4LWCStfrwBNaywhZvXQMkVn7THgBhwb/Vg8v+S2z0Sd/f8h3yygeGcs=
---END GANDCRAB KEY---
---BEGIN PC DATA---
[...]
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/e6da197513c00a4

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected]
Write this ID in the title of your message 3F60CAD0
In case of no answer in 24 hours write us to theese e-mails: [email protected]
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
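The two notes above are where the case indicators live: the appended extension, the Tor payment URL and the embedded key blob in the GandCrab note, and the victim ID and contact mailboxes in the Info.hta note. The script below is an added example, not the sandbox's own extractor, that lifts those fields out of note text. The regexes, the family guess keyed on template wording, the short constructed placeholder that stands in for the real key blob, and the handling of the literal "[email protected]" string that this copy of the report prints in place of the contact addresses are all this example's assumptions.

```python
"""Lift case indicators out of ransom-note text.

Added example; not the sandbox's extractor. The regexes and the family
guess are this example's own heuristics.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# This copy of the report prints the Dharma contact addresses as this literal.
REDACTED_MAILBOX = "[email protected]"

EXT_RE = re.compile(r"have the extension:\s*(\.[A-Za-z0-9_]+)")
# v2 (16-char) or v3 (56-char) onion host, optional path
ONION_RE = re.compile(r"https?://[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion(?:/[\w./-]*)?")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
VICTIM_ID_RE = re.compile(r"Write this ID in the title of your message\s+([0-9A-Fa-f]{6,16})")
KEY_RE = re.compile(r"---BEGIN GANDCRAB KEY---\s*(.*?)\s*---END GANDCRAB KEY---", re.S)
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]+$")


@dataclass
class NoteIndicators:
    family: str
    extension: Optional[str] = None
    onion_urls: List[str] = field(default_factory=list)
    emails: List[str] = field(default_factory=list)
    redacted_contacts: int = 0
    victim_id: Optional[str] = None
    key_blob: Optional[str] = None


def classify(note: str) -> str:
    """Family guess from template wording (heuristic, this example's own)."""
    if "GANDCRAB" in note.upper():
        return "gandcrab"
    if "encrypted due to a security problem with your PC" in note:
        return "dharma"  # the Dharma/CrySIS note template
    return "unknown"


def extract(note: str) -> NoteIndicators:
    ind = NoteIndicators(family=classify(note))
    m = EXT_RE.search(note)
    if m:
        ind.extension = m.group(1)
    ind.onion_urls = sorted(set(ONION_RE.findall(note)))
    ind.emails = sorted(set(EMAIL_RE.findall(note)))
    ind.redacted_contacts = note.count(REDACTED_MAILBOX)
    m = VICTIM_ID_RE.search(note)
    if m:
        ind.victim_id = m.group(1).upper()
    m = KEY_RE.search(note)
    if m and B64_RE.match(m.group(1)):
        ind.key_blob = "".join(m.group(1).split())  # re-join wrapped lines
    return ind


# Excerpts of the two notes from this report. The key blob is a short
# constructed placeholder, not the real (multi-kilobyte) key.
GANDCRAB_NOTE = """---= GANDCRAB V5.2 =---
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .GRTNMJFJ
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/e6da197513c00a4
---BEGIN GANDCRAB KEY---
QUJDREVGR0hJSktMTU5P
UFFSU1RVVldYWVo=
---END GANDCRAB KEY---
"""

DHARMA_NOTE = ("All your files have been encrypted! All your files have been encrypted due to a "
               "security problem with your PC. If you want to restore them, write us to the e-mail "
               "[email protected] Write this ID in the title of your message 3F60CAD0 In case of no "
               "answer in 24 hours write us to theese e-mails: [email protected]")

if __name__ == "__main__":
    for note in (GANDCRAB_NOTE, DHARMA_NOTE):
        print(extract(note))
```

Keep the key blob and the victim ID verbatim in the case record; both identify this particular infection, and a note pasted with line wraps will not match a panel lookup unless the blob is rejoined as above. A note whose contact addresses survive unredacted will land in `emails`; this copy only yields `redacted_contacts == 2`.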

Targets

    • Target

      BitchTits Ransomware [VIP].exe

    • Size

      564KB

    • MD5

      b0ab2ac4595df2a276f5485d549783a7

    • SHA1

      383eca2859577e658d484084922dadf4191dd7c7

    • SHA256

      d2a74e0837a55dbfeffd504b3fd0b2decc332d7c7724ed23b85266c95e0fac58

    • SHA512

      3e134c8707e94b423dd7fc48056aaf9975fad406bfa12e061e749312b8507afd312cfe5e36500eb6239c9acf2842e552216162dff204c3b08a20a7b9b5528031

    • SSDEEP

      6144:/slLxiHV+n32Z6kus2jmjvHBYJLxskckBUIrb271uvERPh5qe7/JFB7XYdjSYGiB:ue4GZ6Kjvmdnb2hpRP2e7/JFTD1Ut3

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      WannaFartCry.exe

    • Size

      393KB

    • MD5

      49e98ce0148d7cd9a847066fa683ac6e

    • SHA1

      8a1c2fb6384005d4949c2315187db81f6a990328

    • SHA256

      852fc68a02012fe8d0973ea9be8baa401d1be37c403697ee769c68bfad73c563

    • SHA512

      4f967c5e59ac18c5db6fcef62f8d88dfcbd327c795c99fae7b05743d07d02f8dd18f48113bc42b0382e174b322626353c3b240f9e350e4736766abdcb27f055f

    • SSDEEP

      12288:28n+q7BpMZ5ztVYnLZj2Cr8Yo+JLya0fcn+u:ZjiQLgCrXo+JL6C+u

    Score
    3/10
    • Target

      Wannashiturself.exe

    • Size

      396KB

    • MD5

      c419d3769a7b6c21e039a2f8bf3b8a7e

    • SHA1

      710aae63e6b98e54f7269305e0d8d45defb9292f

    • SHA256

      a64b4ec712a97ddc55f187cdd899ce00b3283992cbfa91d9e88647e61f62f693

    • SHA512

      e7ded4bd334922752e3dc244c150ce05afc8c7ea3a90624d98ed89d003a8a47ab156c1f58ff58a4268b2fef8952f2651a4b6cd2b1952e7dd8a01126c1f065de8

    • SSDEEP

      6144:A4nR2vxBCQjXJeKA7Eqe+D5IXo5IbFKVGW2QamiglBsvJR7M3imZIQ90:b2bCwXke+DuXrpGdPI7M/o

    • Windows security bypass

    • Disables taskbar notifications via registry modification

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      big FAT tits RANSOMWARE.exe

    • Size

      1.6MB

    • MD5

      6750c55843b503be8d3c8fafa9229a15

    • SHA1

      6c1e35a314b760103465c6b8b295697de12f2654

    • SHA256

      43d4ddb608614be57f034aaa0fce1fb801a284057b6141a0713f6e698a064bdc

    • SHA512

      4a11450e628f3a3f3f8c205100c1a21fe9df5848f7eee0d317fd406d83ac53b8ff0c4a9f4dd8113cac6adae55b131b1e9bb2eace9fef0ff9e15e267fc4f4ce3a

    • SSDEEP

      24576:atgZUgpG9t9x4iK7Dkv5lskkcv/8IIh8Tg6qpX103LNkVIgAoeLZfmSXm:aCZHitwiKUwtm8IKkgA7olAoedfTm

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      big fat sexy dildo poop ransomware.exe

    • Size

      1.1MB

    • MD5

      365c420055e65efc397235b48a937354

    • SHA1

      1fa4f99856a1f4b34e916c5c38d7919b993787a1

    • SHA256

      1ba17c343abc3076637a5b744c02920058116a7ea88e7476912aa69162963243

    • SHA512

      bde2ae9b1f7dcfc0d51d0e423ec6c156217b5fd7756fb690761b7aaa8f2e4131a1ce5a2ae5b751b29e63ecb55c950683c4cb58287796b3fbb9c29c8bab02d840

    • SSDEEP

      24576:yxAQJ89kVyjJRGqHT3+nLmuqennVUHY2Xa3411TokYv+:y1Sk+GqHT+nLmknyK3SkkW+

    Score
    1/10
    • Target

      bitch man ransomware.exe

    • Size

      54KB

    • MD5

      5d55ed9e61bbd72c30793c5db6c4e2c0

    • SHA1

      cad90549d832bf16e8bd15e9613800cdee495bbd

    • SHA256

      b74b57fc010ceb1457978ca8d089c880fe854d112a1fb20f931718f4d77f1513

    • SHA512

      0d72487a19773bb674b22a22b67d30d5e7349108a9bff46ff521ad99547ff590e933300ca38bc8c3517d8a1fbc65cff64dbf949492efb0c69012bd86791607ba

    • SSDEEP

      1536:u3kgIekvc/f/tugCsxPSEAyZhuKuJmUJoKg1Wai:YbIekQHZBhuKjU+KgM

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops file in Drivers directory

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Target

      bro what the fuckkk ur seriously beliving that.exe

    • Size

      123KB

    • MD5

      21147329bec4cbc1c6fce80297974696

    • SHA1

      c8c0065c7fc7336cef5bb2f4368724b36d7e4fa7

    • SHA256

      e5209b13acdaff500e51c049a436710dd794ea027286b0a6c7c41426471194c2

    • SHA512

      f025948a3d8086e2ef8834d8d29fd3d717f2500d071e4a0f47db5cba1f01214e8b15e392e2e0a0925767b21e630edfea92bee5653297e2beacabfc1a0e23bc50

    • SSDEEP

      3072:K7dDRBM7qvXAv/8low26slwGNktA8o1QI3:M7uqfs8lo9quktA8VU

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      cocksucker ransomware [COOL].exe

    • Size

      378KB

    • MD5

      232fa9e369270ad2400f147358106f84

    • SHA1

      652c7b72f2de9ac2b6a38f61bbab56c31cd4f56b

    • SHA256

      eb08cd98561489036e4f156b1cf30312358a455a076396a1244a940cf91172ca

    • SHA512

      088f6945749499224678e34624e8d91a8853bf574d3bfeb4b745b62a4c0198457272458491ff28b33dfa2bf88e0981db3314633d0dac1a242add86137b82b334

    • SSDEEP

      6144:Dp7/yjcX8JtYa0exxWT+9g7jyOhM+9bHUm4pZdjBto+VXaWLtBLNKdeoS:djlX5asT6g7fhMjm43dzo+QOB1oS

    Score
    7/10
    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      fart poopy ransowmare.exe

    • Size

      59KB

    • MD5

      f522150465f8568398eee5d89f4edc1c

    • SHA1

      17ba3eb1274df0036f26835b21f26035c22aaf26

    • SHA256

      e80ec6b586096c75c5811ab5049f356330d1b63a8acf18a1be413f1405415ec8

    • SHA512

      99c57559f4f1332253ce0417cae2e142565adda08ffc446d82bf38e28f3d599f8863970598352b40d65f62d355cae5572e48e24b4ba777347f05a90941569eaf

    • SSDEEP

      768:2FoWTi7VKJKT0OWs5TtWERYImI7YSNyPtGJiIf6hYyIGfMrSnshKubehypRl4TM0:ybT0QRs5TQxUGwf6bsr5Sh2Rl4h5z

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      fart weewee ransomware.exe

    • Size

      135KB

    • MD5

      9086042b51122885883c927e612a5191

    • SHA1

      98dbe208dc906f5dcc17b66aa8fde46a711c6715

    • SHA256

      e0b0694554714b0f33f4e5fa6014d5419ff92831812390f840b0f75efd3b0ef0

    • SHA512

      d3a9d532ca2e578cd277ee452f05800e748cec5864a0d67b9c2ce876be45c9929d2c14bca2c0da9c1df10737b9d9cab4b4002c22930e62004f2ee15d8e375253

    • SSDEEP

      3072:HH6/kaUyjMV8VTBXz7q/DcNymNtqJ75rjQQwpFtlfhj9A5Sb:nm1jMer2VmNz/FLJj96

    • Target

      farting poop sex ransomware.exe

    • Size

      190KB

    • MD5

      2bebc43247cc29bc75e91f0f6f5eb05e

    • SHA1

      b11e21dc35751a26fbc8304187b663ee3ae15676

    • SHA256

      a1c01cc7189609f84e71d6758c5837fc118ce3d0ed05b009fc29d90e59cc6fd3

    • SHA512

      ffc07134cb26836c245b2d3d2dfb4bad35d2893d72cf41f179fbc6aba31475fb727d0462ea2f77f7d31da5ce94930017ffa30d92ccbfdaf4f8144fc87f28440f

    • SSDEEP

      3072:8hZQj6bmfjN9StAd1YO8sKI+Lj+dW4LBIxB+NK6AK89:56eNYI1YO89fnhgK6BY

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (277) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Target

      farty poo poo ransomware.exe

    • Size

      218KB

    • MD5

      9b20e48b731d1a78ffce07e1b4dfb7c0

    • SHA1

      031e4932fc6da1cabde7735280b09b897719ba29

    • SHA256

      f4b60e17e83f037c811ee111e21964cd772a817186324987fe5033420233ec43

    • SHA512

      e59ecaf97a277aa46af7f027a5f9806b2c42a8b9555eb2db1475c25bccc50fb46621727ee2ba98590da3c2cff424557e0dd0803551a6dc8a399470cae5b56b8c

    • SSDEEP

      3072:knUdM17tCgrmcEwBnJWJ9IHfYCeNpD/cgjj9w7BT0cfWjE39mbo:kl9tCMmFGJWgHfYpDkgjeJWjuIb

    • Dharma

Dharma is a ransomware family (also known as CrySIS) that has been distributed bundled with a legitimate security-software installer so that the encryption runs while the victim's attention is on the install.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (319) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Target

      fuck you.exe

    • Size

      370KB

    • MD5

      b8d68920aeadab481011b4f4519a8d39

    • SHA1

      6284d4a622115d6721678e1204e7f4477575e2ae

    • SHA256

      0159d20f5ea1df6d03d6cff8729b7e90e064ceb7caf05b6c0ce220d8bbdf38b2

    • SHA512

      a03a3e6a6426aa472c71b605a57868a40119fa6dd5bbcee8100133b07995fcd7d364c5fc671f6b4e6cac77ebda4f8a1078b91d174946424404370f8358d1db9f

    • SSDEEP

      6144:v0hwqmfHn/RN16uuToftAMs62LCkDnQ0eDQjizMVCiEzlc7R/0AnwWOwbITaxoSa:vwmP/xETSm1DhQeiiEzW/tvVwCoSa

    Score
    7/10
    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      large penis ransomware 2024.exe

    • Size

      63KB

    • MD5

      26c694b48cd31b6d72b80600a628a9bb

    • SHA1

      7f49fae234ece4eaa6e24bb036e22f5bf9695af5

    • SHA256

      58a7fb4318058b3408693e6d1358b2f95dd00d8774f897464fbde3094c00de41

    • SHA512

      bbd57471cdc48110380a275c765f4f730daf294b2e78d18f3bdda7337ae6e156b164fd6f495a374eaf5bceb8b21c7f5070e6549fd1a34be2a0511d7fef5f0394

    • SSDEEP

      1536:X2raMo+pQDwUmjBl96LG9psn/yJo3XWHVmcuuIYWtJULLLES:GrRo+pEwU096KJvmTJULLLES

    Score
    7/10
    • Deletes itself

    • Adds Run key to start application

    • Target

      niggaware ransomware in 2029.exe

    • Size

      396KB

    • MD5

      6bea20141f31c1f027e325d631dd7416

    • SHA1

      306060f6d99d2d39dccbca0877725cc88a098651

    • SHA256

      54924abbcd3589b5758a4efb30be4e910488365230f24a97b2d642e699ff4fdc

    • SHA512

      00fb5f0fd5c746edf5441f7e6eddb7dff3fd04b4886c4e0a1349af8be76fced72658a48d96962a3de22612b87fb9b126b5429f0d527a12db7709428a8cdb9bc3

    • SSDEEP

      12288:TfTkNEWWcfMjzcR8eN565iIfhEl08V6pCo:jTkuQMDecG0cZo

    • Windows security bypass

    • Disables taskbar notifications via registry modification

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      pee poo piss piss ransomware rare.exe

    • Size

      418KB

    • MD5

      afe081816b33e7d8bdff7f7291fa3718

    • SHA1

      b05d2d80f846e95d70463b3096e7412575c5ce54

    • SHA256

      acee7b1fe33cae78353a100855e4da887599a504833f47c185373ed079529374

    • SHA512

      91604a604d3acccddbbec61854bba80756aea78341c098a66982a4c4c6c0ac3bdf09132b527caaaedceedb4f70539c6df7cc2dd7f029bb1ccb0695c535397c72

    • SSDEEP

      12288:I8y5iDtzoYgveS30QRuWlG9GDnH+9XUmwP:IDcCvegHEymw

    Score
    10/10
    • Modifies WinLogon for persistence

    • Drops file in System32 directory

    • Target

      retard ransomware.exe

    • Size

      4KB

    • MD5

      7db10af5b15842d4201c86c566143849

    • SHA1

      126731d10e41f887dd3c22a96f780ff52f9982d8

    • SHA256

      0c1a54cf85222b5228ed637d46bdc611fc3f5ca834f5561c6dc8b5ed50ddb8f0

    • SHA512

      fe5ffdfe2abdc279d4dcb12ebe270c6bd438f0d63aaea4a655444f6c767ee75ec2bd4a08e561b3475ecebabeb8e9a45aa43126b4922a9bb5b76e58e2e25a47f7

    • SSDEEP

      48:6vKjorOy13Ihf9hy7yR2ETEM8wjklCBUuq:MWf9hymR2ETcwAEuf

    Score
    1/10
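Several targets above carry the "UPX packed file" signature. As an added example, not the sandbox's rule, the script below checks what such a rule typically rests on: UPX0/UPX1 section names, the "UPX!" marker, and, for the "modified UPX" case where both have been scrubbed, per-section entropy. The minimal PE builder, the section payloads and the 7.2 bits/byte cutoff are constructed for this example.

```python
"""Minimal PE section walk plus the checks a "UPX packed file" rule rests on.

Added example, not the sandbox's rule. The three checks (UPX* section
names, the "UPX!" marker, high section entropy for renamed builds) and the
entropy cutoff are this example's assumptions. build_pe() fabricates just
enough PE structure to exercise the parser offline.
"""
import math
import struct
from typing import Any, Dict, List, Tuple

UPX_MARKER = b"UPX!"
ENTROPY_THRESHOLD = 7.2  # assumed cutoff; tune on a corpus of known-good binaries


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Dict[str, Any]]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def packer_verdict(pe: bytes) -> Dict[str, Any]:
    """Every reason is reported, so a lone entropy hit can be weighed separately."""
    sections = parse_sections(pe)
    reasons = []
    if any(s["name"].upper().startswith("UPX") for s in sections):
        reasons.append("upx-section-names")
    if UPX_MARKER in pe:
        reasons.append("upx-marker")
    hot = [s["name"] for s in sections if s["raw_size"] and s["entropy"] >= ENTROPY_THRESHOLD]
    if hot:
        reasons.append("high-entropy:" + ",".join(hot))
    return {"packed": bool(reasons), "reasons": reasons, "sections": sections}


def build_pe(sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Fabricate a PE32 with the given (name, raw bytes) sections; other header fields stay zero."""
    opt_size, file_align = 0xE0, 0x200
    hdr_len = -(-(0x40 + 4 + 20 + opt_size + 40 * len(sections)) // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    table, body, ptr, va = bytearray(), bytearray(), hdr_len, 0x1000
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), max(len(raw), 0x1000), va,
                             len(raw), ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        ptr += len(raw)
        va += -(-max(len(raw), 1) // 0x1000) * 0x1000
    return bytes((dos + b"PE\0\0" + coff + opt + table).ljust(hdr_len, b"\0") + body)


# Constructed payloads: every byte value equally often (entropy 8.0) vs. repetitive text.
HIGH = bytes(range(256)) * 16
LOW = b"MOV EAX, EBX ; RET\r\n" * 200

STOCK_UPX = build_pe([(b"UPX0", b""), (b"UPX1", HIGH + UPX_MARKER), (b".rsrc", LOW)])
RENAMED_UPX = build_pe([(b".text", b""), (b".data", HIGH), (b".rsrc", LOW)])  # names and marker scrubbed
PLAIN = build_pe([(b".text", LOW), (b".rsrc", LOW)])

if __name__ == "__main__":
    for label, img in (("stock", STOCK_UPX), ("renamed", RENAMED_UPX), ("plain", PLAIN)):
        v = packer_verdict(img)
        print(label, v["packed"], v["reasons"])
```

Entropy on its own is a weak signal (installers with compressed payloads and resource-heavy binaries also score high), which is why the verdict keeps every reason instead of collapsing to a boolean. A lone high-entropy hit is a prompt to run `upx -t` on the file and, failing that, to unpack by hand, not a classification.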

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                               Count   ID
Execution             Windows Management Instrumentation      2       T1047
Persistence           Boot or Logon Autostart Execution       13      T1547
                        Registry Run Keys / Startup Folder    9       T1547.001
                        Winlogon Helper DLL                   3       T1547.004
                        Active Setup                          1       T1547.014
Privilege Escalation  Boot or Logon Autostart Execution       13      T1547
                        Registry Run Keys / Startup Folder    9       T1547.001
                        Winlogon Helper DLL                   3       T1547.004
                        Active Setup                          1       T1547.014
Defense Evasion       Modify Registry                         22      T1112
                      Impair Defenses                         6       T1562
                        Disable or Modify Tools               4       T1562.001
                        Safe Mode Boot                        2       T1562.009
                      Indicator Removal                       4       T1070
                        File Deletion                         4       T1070.004
                      Direct Volume Access                    2       T1006
Credential Access     Unsecured Credentials                   4       T1552
                        Credentials In Files                  4       T1552.001
Discovery             System Information Discovery            11      T1082
                      Query Registry                          6       T1012
                      Peripheral Device Discovery             2       T1120
Collection            Data from Local System                  4       T1005
Impact                Inhibit System Recovery                 4       T1490
                      Defacement                              1       T1491
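The matrix maps the per-target signatures onto ATT&CK IDs but not onto the events that trigger them. The script below is an added example, not Triage's detection code: it replays those signatures over a constructed Sysmon-style event stream and tags each hit with the technique ID the matrix lists. The event dict shape, the regexes and the 50-rename threshold are this example's assumptions; real Sysmon output needs a small adapter into this form.

```python
"""Replay this report's behavioural signatures over Sysmon-style events.

Added example, not Triage's detection code. Event shape, regexes and the
rename threshold are assumptions made for this example.
"""
import re
from collections import Counter, defaultdict
from typing import Any, Dict, List, Tuple

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
WINLOGON_RE = re.compile(r"\\Winlogon\\(?:Shell|Userinit)$", re.I)
ACTIVE_SETUP_RE = re.compile(r"\\Active Setup\\Installed Components\\", re.I)
WALLPAPER_RE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SHADOW_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)
SELF_DELETE_RE = re.compile(r"cmd(?:\.exe)?\s+/c\b.*\bdel\b", re.I)
RENAME_THRESHOLD = 50  # assumed; the report counted 277 and 319 renames for its two ransomware tasks

Finding = Tuple[str, str]  # (signature, ATT&CK ID; "" where the report's matrix maps none)


def triage(events: List[Dict[str, Any]]) -> Dict[int, List[Finding]]:
    """Per-PID findings in first-seen order, deduplicated. Child-process hits
    (vssadmin, the self-delete cmd.exe) are credited to the spawning parent."""
    findings: Dict[int, List[Finding]] = defaultdict(list)
    appended: Dict[int, Counter] = defaultdict(Counter)

    def hit(pid: int, sig: str, technique: str) -> None:
        if (sig, technique) not in findings[pid]:
            findings[pid].append((sig, technique))

    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "registry":
            key = ev["key"]
            if RUN_KEY_RE.search(key):
                hit(pid, "Adds Run key to start application", "T1547.001")
            elif WINLOGON_RE.search(key):
                hit(pid, "Modifies WinLogon for persistence", "T1547.004")
            elif ACTIVE_SETUP_RE.search(key):
                hit(pid, "Boot or Logon Autostart Execution: Active Setup", "T1547.014")
            elif WALLPAPER_RE.search(key):
                hit(pid, "Sets desktop wallpaper using registry", "T1491")
        elif kind == "process":
            cmd, owner = ev["cmdline"], ev.get("parent_pid", pid)
            if SHADOW_RE.search(cmd):
                hit(owner, "Deletes shadow copies", "T1490")
            parent_image = ev.get("parent_image", "")
            if parent_image and SELF_DELETE_RE.search(cmd) and parent_image.lower() in cmd.lower():
                hit(owner, "Deletes itself", "T1070.004")
        elif kind == "file_create" and STARTUP_DIR_RE.search(ev["path"]):
            hit(pid, "Drops startup file", "T1547.001")
        elif kind == "file_rename":
            old, new = ev["old"], ev["new"]
            if len(new) > len(old) and new.lower().startswith(old.lower()):
                appended[pid][new[len(old):]] += 1  # same name plus an appended suffix

    for pid, counter in appended.items():
        ext, n = counter.most_common(1)[0]
        if n >= RENAME_THRESHOLD:
            hit(pid, f"Renames multiple ({n}) files with added filename extension {ext}", "")
    return dict(findings)


# Constructed event stream: PID 4242 plays the ransomware, PID 7 a benign editor.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
EVENTS: List[Dict[str, Any]] = [
    {"pid": 4242, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost"},
    {"pid": 4242, "type": "registry", "key": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"},
    {"pid": 4242, "type": "registry", "key": r"HKCU\Control Panel\Desktop\Wallpaper"},
    {"pid": 4242, "type": "file_create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"},
    {"pid": 4300, "type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent_pid": 4242, "parent_image": SAMPLE},
    {"pid": 4301, "type": "process", "cmdline": f'cmd.exe /c ping 127.0.0.1 -n 3 & del "{SAMPLE}"',
     "parent_pid": 4242, "parent_image": SAMPLE},
    {"pid": 7, "type": "file_rename", "old": r"C:\Users\Admin\notes.txt", "new": r"C:\Users\Admin\notes.txt.bak"},
] + [
    {"pid": 4242, "type": "file_rename", "old": rf"C:\Users\Admin\Documents\doc{i}.docx",
     "new": rf"C:\Users\Admin\Documents\doc{i}.docx.GRTNMJFJ"} for i in range(60)
]

if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        for sig, tid in hits:
            print(pid, tid or "-", sig)
```

The rename rule is the one worth tuning: it counts renames per process where the new name is the old name plus a suffix, and only the dominant suffix is scored, so a backup tool that appends `.bak` to a handful of files stays below the bar while a process that appends the same extension to hundreds of documents crosses it. Attributing the vssadmin and cmd.exe hits to the parent is what makes the per-process view match the per-task view in the report.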

Tasks

Task           Tags                                                                                  Score
static1        aspackv2, upx                                                                         7/10
behavioral1    persistence, upx                                                                      7/10
behavioral2    -                                                                                     3/10
behavioral3    discovery, evasion, persistence, trojan                                               10/10
behavioral4    troldesh, discovery, persistence, ransomware, spyware, stealer, trojan, upx           10/10
behavioral5    -                                                                                     1/10
behavioral6    defense_evasion, persistence, spyware, stealer                                        8/10
behavioral7    upx                                                                                   7/10
behavioral8    persistence, upx                                                                      7/10
behavioral9    upx                                                                                   7/10
behavioral10   defense_evasion, persistence                                                          10/10
behavioral11   gandcrab, backdoor, defense_evasion, execution, impact, ransomware, spyware, stealer  10/10
behavioral12   dharma, defense_evasion, execution, impact, persistence, ransomware, spyware, stealer 10/10
behavioral13   persistence, upx                                                                      7/10
behavioral14   persistence                                                                           7/10
behavioral15   discovery, evasion, persistence, trojan                                               10/10
behavioral16   persistence                                                                           10/10
behavioral17   -                                                                                     1/10