gandcrab

Sharing

General

Target

whine.rar
Size

20.9MB
Sample

240720-swq42a1hqq
MD5

02bf389608661daa17b76dc2d38af0b2
SHA1

65f4edb17b2aa9c91bbd9ffef8b22176e922679b
SHA256

142482b54e8df90d91524768c5df2009899da7d011d6eff3082c9d4b26368a97
SHA512

ff39d389e42b88527417b0a284ab3b82235e2c56fa4b8c613ebb2ea05014de49ec06ca279d830927e6a61d406b9807f24d148e488c427127c0045be2ea568192
SSDEEP

393216:SV4PINQim2NZOe8fYjGlFFPVBz0fcn1KiU75MZ6IeY5X5faioFtnupF8lDI:SV4YnNse8fYUv11Kb7ukIb5XJaiobnuN

Score

10^/10

Malware Config

Extracted

Ransom Note

Tutorials & Guides Buy Bitcoins with Credit Card Send Bitcoins YOUR PERSONAL FILE ARE ENCRYPTED ! ! ! Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the data in your files have been encrypted . Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key . WHAT IS ENCRYPTION? Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key . EVERYTHING IS CLEAR FOR ME BUT WHAT SHOULD I DO? The first step is reading these instructions to the end . Your files have been encrypted with with strongest encryption and unique key; the instructions ("DECRYPT MY FILES.html" and "DECRYPT MY FILES.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the word "Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. Any attempts to get back your files with the third-party tools can be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files . When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with our software may be fatal for your files. There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. For your information the process to decrypt your files (as well as the private key provided together) are paid products . If you understand all importance of the situation please follow to next point where you will receive the complete instructions and guarantees to restore your files. HOW TO DECRYPT MY FILES??? For recover encrypted files you need to make the following points: 1 Copy Bitcoin address to safe place First you need copy in safe place the bitcoin payment address . In case of loss the bitcoin payment address, you can't decrypt your files. Please mark bitcoin address from green line, copy, and save it in safe place: xxxaddrxxx1 Please mark bitcoin address above, copy, and save it in safe place. 2 Purchase Bitcoins with Credit Card or Paypal Your decryption key can only be purchased with Bitcoins. Bitcoin is a digital currency which can be exchanged from nearly every normal currency. There are a lot of exchange platforms on the internet, most of them are specialized on a single currency. Today buying bitcoins online is very easy and it's getting simpler every day! You have to purchase at least the amount shown below. It is recommended to purchase a bit more, to ensure a successfull payment. An extra of 2% should be enough. If you already own enough Bitcoins, you could skip this step. Demand: btcsum1 Bitcoins The following exchanges and marketplaces are recommended: ● https://www.coinbase.com/ USA, Europe & UK ● https://www.localbitcoins.com Bank Wire and Cash ● https://www.coinmama.com Worldwide ● https://www.bitpanda.com/ Europe ● https://www.coinhouse.io/ Europe ● https://cex.io/ Worldwide, credit or debit card ● https://www.glidera.io/ ● https://www.247exchange.com/ Any kind of Bitcoin-Wallet isn't required, you can transfer the purchased bitcoins directly to the payment address. If you want create a wallet anyway, http://www.blockchain.com is recommended. Buy Bitcoin with a Credit Card or Paypal is easy process. Here are step-by-step instructions to help make the buying process easier for you. If you successfull bought the right amount of Bitcoins, please follow the next step. 3 Do a bitcoin transaction Now you have to send your purchased Bitcoins to the payment address. If you just purchased Bitcoins an a exchange or marketplace site, look for a section called "Withdraw" and enter the details shown below. If you already own Bitcoins, send the right amount to the payment address shown below, directly from the wallet you use. If you have any problems with the transaction, feel free to contact our Support. Demand: btcsum2 Bitcoins Address: xxxaddrxxx2 After you made the payment transaction, you have to wait until we manually confirm it. This process usually takes a few hours. In some rare cases some payments need more time to get confirmed. Send Bitcoin to payment address is easy process. Here are step-by-step instructions to help make the sending process easier for you. 4 Decrypt your files Process of decryption files will start automatically after payment received. The process of decrypting files can take a long time depending on the number of files. After purchase of the decrypt process you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. We guarantee the restore of your files. Once the file restore process is complete, you should see the following picture: Please click "Close" button. Program will self-delete after closing. Great!

URLs

https://www.localbitcoins.com

https://www.coinmama.com

https://www.bitpanda.com/

https://www.coinhouse.io/

https://cex.io/

https://www.glidera.io/

https://www.247exchange.com/

http://www.blockchain.com

Extracted

Path

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\#DECRYPT_MY_FILES#.html

Ransom Note

<html> <title>S A T U R N</title> <center> <body> <h1>S A T U R N</h1> <h4>Your documents, photos, databases, and other important files have been encrypted!</h4> <br /> To Decrypt your files follow these instructions: <br /> <div> <h4>1. Download and Install Tor Browser from <a href=https://www.torproject.org/>https://www.torproject.org/</a></h4> <br /> <h4>2. Run the browser</h4> <br /> <h4>3. In the Tor Browser, open website:</h3> <div style="background-color: #d9d9d9; margin-left: 20px; margin-right: 20px; padding-bottom: 8px; padding-left: 8px; padding-right: 8px; padding-top: 8px;"> </a><b>http://su34pwhpcafeiztt.onion</b><br/> </div> <h4>4. Follow the instructions at this website</h4> </div> </body> </center> </html> <style> html { background-color: white; font-family: Helvetica, sans-serif; } div { background-color: #f2f2f2; width: 80: %; padding: 25px; margin: 25px; overflow:hidden; } </style>

Extracted

Path

C:\Users\README_BACK_FILES.htm

Ransom Note

<html><header><style>body {background: grey;color: white;}.c {width: 50%;margin: 0 auto;padding: 30px;background: rgba(0,0,0,.3);border-radius:30px;}</style></header><body><div><center><h2>YOUR PERSONAL ID:</h2></center><div class="c" style="text - align: center; ">0xV11J7jQWpqbnNXdXNrVHRIZEJqbVc= </div></div><div><center><h2>YOUR FILES ARE ENCRYPTED! </h2></center><div class="c">TO DECRYPT, FOLLOW THE INSTRUCTIONS BELOW.<br><br>To recover data you need decryptor.<br><br>To get the decryptor you should:<br>Send 1 crypted test image or text file or document to [email protected] ||| [email protected]<br>In the letter include your personal ID (look at the beginning of this document).<br>We will give you the decrypted file and assign the price for decryption all files<br><br>We can decrypt one file in quality the evidence that we have the decoder.</div><div><center><h2>MOST IMPORTANT!!!</h2></center><div class="c">Do not contact other services that promise to decrypt your files, this is fraud on their part! They will buy a decoder from us, and you will pay more for his services. No one, except [email protected] ||| [email protected], will decrypt your files. <br><br>Only [email protected] ||| [email protected] can decrypt your files. Do not trust anyone besides [email protected] ||| [email protected]<br>Antivirus programs can delete this document and you can not contact us later.<br>Attempts to self-decrypting files will result in the loss of your data</div></body></html>

Emails

[email protected]

[email protected]<br>In

[email protected]

[email protected]<br>Antivirus

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-701583114-2636601053-947405450-1000\NZALA-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .NZALA The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/e0af1f99a2a74613 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAI/vc1t2N8S6KIR3sSl1JmL3Lh6z0kVLDqInBphXppj9I1miYuAXCgLaN0NbbVQBbOpuRYx3lvlvkgKRZk42fErQlBDfyfqAPnf83KU1kcBuQMZ52o8UNrz+3GC4b5WkRTi0feetUqfv0HrgA6WPV+WVNUL7BZaT21ME+ArX6i7u5tySYkDGFUlKKUEXJmT57GSgWf81suG7dAiQ0Xo9xsxakRJFcsXANrnLUGGdxCT4VceNVCH/H+wYR4iiaFAxokjsXb971+HlZAdc30nXpWdODeC8hqx7cmHqa6cvX01GHtyDUVA4yoUKP2KUP+rwhmLmOr+9aZq4FAnrvN4kUIWDuNuYJrHj8PWphrR4f7zrnbQ0VEkBfWJDKLOvY8sAIX+TNgetTC6YOuWKmt2UrCKzvozMmJwfs+QrJupKaSwwzB0wRRp2vuQ0vvTSqWamK/sfhgV7bqBbEFqWpV67sZN5vyKB799pJIfAmLALfY2AO6ONlIrDnbDMfyg8IqQJI2K+4GaaY4mglv/f9w3DI11QpMV5Llj+c2WQHTrAOF0yPDgT+uYtA2BIk36RdGeBWPenMm/Dm+Nv5+abFqZ7BX0wV4iSG9ltxCt0I6F7REVnPiflVXptt6d4fVs+S74qwdfltZo4bSM5HKaGZuL5wJ0uBShqsrcF+P70EvRmUNw5aKiBkYjsgai2abUPgjUfjOjhl13h/lUJbsSYLGoRPVnA/Bn2jdG8F2s8AkrmUTPDlaVTbWgG8hIVApieHCbn3HbgDg+d35BbdEIer6+7UOwqb5AEnG0FZYH3mIWMFCMnRnPbN9+37W40mw/resbMlhl4kS/yfexY0FUruDD4JcIO9Xr6yYE2TUWVboS/HhHFz82F1pLU3cHo6sj8ynI+GFGOqFjSFqAJ9j3tfwrr/XLPQjcKfj4seyjUxftTQN5f//+EsqatcrWwfLJaPtfVcGjnTez6GvrIPxOMWVIISuXPk8e0HSe6U63UK23h5OP3zHoXZt78duTXVfFhLeE3T+7lZdiWRazf4eRHDkRXATdqL9E9ZtLdSuGBHSik1iLeCeE/lT6aVEZcFsBNdgHpIurOmDhk4s+0fFi6FhRokPi20URkGVs7C1vT0Q+rRM4d1eJ5vwV+3nQ+xiqr7hnSVlcGZwGCbDmPr1cmV9s9IzyfVutjkFoweR5UIACSEdNi6nt65r3MHgMLZmXSW01CMAhqUylI+yHGLuI3E4WoXi0lA1Rm+s/JbFfY+M5+ZvT43PKLPF86598s2HzKD+xDea7yKBKjhCSOlPCbr6z1YAczNCwnWtC7MKFUmDBalNM8gpNXRzhUv9iY8catVT/dHQNuA4+gE4hrgIVUjA71lNsWFLYIW6jivwnCkYjnaQ9gTcyG2wQlJB9at7gj9TojMH8NF7HWbOqaRvkaA929zMOJ77NSHo2ovSCZMFiQ1tifPndBXMbGNB1mfvPLWbz2zSR2jvWM2khNs+hDDKzmrw9eUQWq2kEPwuh6CcSP2EmeElxcGvHGZMaaFBDMKWU0vU2EYmnHIYTue5LCANaH1tkpXGgejg/6EIz6kkfLYzlMXdniYy3C5Xq0h8SOc7YJo3PU9Try+8LEhhwZHGRrEKb90gKg+Zf8MIKgF3srdXIR6l8tGcqdtMH0o9NqP+HVAsmbf8cemQjyERJS+KM6ieGCmuPZjlWLxApvHzXpEuhrgdOaZRHqJoQfcVUH6ihbgy7Y8WbzF4YtfyBVnO58Q85cCv7wMzI0qBBcnUaw8hA2VEf88Ckb3ZYAdrjM1qAGjiNIX1nZnkekiej7ysIOwhlsLNO6J+t70hGWD/yVGbXZtVZqBgwCVuSrsaPWagROnWXxjp6UjDxeQUKRMHwQe4afKYrpy9djCkPKBoV3zovRayNe4qY9xhFqBnh/K1Vzdue4dKsEe19wu/Lc/kiZdQ1sU+JLzxUY8Z2XCyWyMFjFU/xLQm/64yl4HVbjNIdjERdSYSofGJwzk3/8axfxc7gW7T2lTrdmki/Wt1o3vrcCEc4X+17K20K+zrAlJ0viw8ia/rmmfDd0vbfg1zD0i0pMvhi7nDWXKtCCkvaMMTsNiZb+t5DfkqWZt88me7fNiTDBpcyKSzKF4zD+LaPUX92j4JYR62AglEEkUxMJ3xMllWnI7+4+4r9QbtTppXZv37gQBPaS69oH2lNPNEk61873don6oNI8khkyCHIwLL7MIZnLf8V/njfMu9zyY9agt0QrpwM= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDz9MnJOZDVAuWVsuDYRWnIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemOo6FrxnP+Z5F9bSR7OvDBsmLj7oYD6GBgpBqj3RSAVfvfE0yZSXyCRtLeJKNANBnVq+MY/R7a3OLHFmYWRjkfRP97y+PNjLLXjWqP0r1BW4eYoT03JrPa/L0B0wffnS0ez96BFoTHFq52HPDCx6yhEudvoPVoM6iaVy+mvqAdvYbwBrtoypS8G1filXjmR7q94AOw4gTGwK0yub5gfz9wpLQCj3bimwDPi8jPeKPiggI2bWKz+7QkWvC2ihYFfEuZEsyM4ANvhxNQXIE31UkGbyf6MN51c1gY/+eQae2sEznTbCqfrOdcnPBOVfcolLq8b9AmRcCeV7bCGEZisVbSQnNiaPkJ9b5I041HXc2vSx6IODB3F1IH8qANwhkbcxMPGvnUSm+rK ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/e0af1f99a2a74613

Targets

- Target
  
  096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
- Size
  
  499KB
- MD5
  
  1004596e635c155c0b073d3d76349985
- SHA1
  
  fba141902dfc4a7331b9f9748e6f36b7dcb623f7
- SHA256
  
  096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f
- SHA512
  
  5c7afcc7bed629659ed0c02313e88255f0c2d58400c73d5aa1f860a64ffac77936e299e4be54ca59174f820d103fcc6c39e066ef1a1bc81bbbd40cd49f8d4568
- SSDEEP
  
  12288:zmo7A0sLeXZnI5HLW+RxS4ch1SH5a5wUeCiCisG3sV9oFN:L7AhOI5Ha+xch1/eCpiv3U9Q
Score

10^/10

defense_evasion evasion execution impact ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Enumerates VirtualBox registry keys
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Renames multiple (101) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Sets desktop wallpaper using registry
  ransomware
behavioral1
- Target
  
  2decc47201a1d43aeec5853c4c89b7273bfdd782fcc52106a3675944739998a2.exe
- Size
  
  538KB
- MD5
  
  ee5fa4a6c9be3b2adfff4ad6d7eb0a4d
- SHA1
  
  a64c13ab87f5c6f7abc20c76602c45ba89ad074c
- SHA256
  
  2decc47201a1d43aeec5853c4c89b7273bfdd782fcc52106a3675944739998a2
- SHA512
  
  a7f363e2b3c2b9c66632442da4dc32016a1a895ccc023b5633062de39e72b82d1107b18e8ba968610d9957b8a32b1b56a94dfb2639fb61cca0e6f92aed0980ab
- SSDEEP
  
  12288:5RdtqHbR0vxkpaU3gnbrU/jYs+AdtOEE8pYyf:jdtw0vxkpP3k4UsddHE8myf
Score

10^/10

persistence ransomware spyware stealer
- Renames multiple (1321) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral2
- Target
  
  44f28cd6ea894c05030ab913e2a0f1f1596b4aa7c551df9381f521cb88a92f7e.exe
- Size
  
  1.2MB
- MD5
  
  6aa468aad5cfed969149dcaca4034b88
- SHA1
  
  33cbf796ae5cb3c512ddd4c865f88aaa22cadc3c
- SHA256
  
  44f28cd6ea894c05030ab913e2a0f1f1596b4aa7c551df9381f521cb88a92f7e
- SHA512
  
  a121db38f37cff19dcd5ad5dd8e56bdf65c60784eb1e313cf9937c72ef6b6d12622350df191084db65e88dd017b67d2416ff72273d714c5b2e8b96c987760662
- SSDEEP
  
  24576:f9Q9o30tdl+D5XJHE/7wNsZ8nyaXoGbxLBNoG35WQ9:wdludJk/7wNs6nZXoGbxYQW
Score

1^/10
behavioral3
- Target
  
  82ad5183183a5fa7d9f2324c67b21bb7c97ed1dd46cfb7b63494a6b94f8b893a.exe
- Size
  
  588KB
- MD5
  
  edc39d6c6198e24db56f29dfbb988cd8
- SHA1
  
  55390d5df006dfc2083788360f0d94843f8864d7
- SHA256
  
  82ad5183183a5fa7d9f2324c67b21bb7c97ed1dd46cfb7b63494a6b94f8b893a
- SHA512
  
  7d62e2ec803ba164750c37b72955a27afee0d886618652699217abf5d098e4bab2a9752253724433061134c56292c9eb85b1c20d2cd1434b61701f4c948e39ca
- SSDEEP
  
  12288:xvwwiYGwyG9QhKNWYgeWYg955/155/Iiblc7cFghSa4G85oRv:xv8YGwyG9WKWm7ggF85Mv
Score

9^/10

defense_evasion execution impact ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (1929) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral4
- Target
  
  92c50cd253de42823a2e1a59f2551aa315ceb12b8f741820bdbc14b5ebe1dfb9.exe
- Size
  
  986KB
- MD5
  
  f69cb073623d1cd054c140fc231fbeea
- SHA1
  
  cdbdf379204d9ee332659eb2ba456fbc96a0af65
- SHA256
  
  92c50cd253de42823a2e1a59f2551aa315ceb12b8f741820bdbc14b5ebe1dfb9
- SHA512
  
  83c3213880eddea42ccdcca7aff2bd6dc693b91a723a121e573d87288bf81b53c61a1e52f5ac59f3f3e761c9b88ace8c9772294b30aa9cd4ef66358bb7c56b56
- SSDEEP
  
  24576:WCdxte/80jYLT3U1jfsWaqP0/NHxkzK2Q:fw80cTsjkWaqIHxaM
Score

6^/10
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral5
- Target
  
  a58b5f2e8172be31e3d1fcc046d044bd862393f3d3e12922287bedf6f8c18e39.exe
- Size
  
  1.8MB
- MD5
  
  104ecbc2746702fa6ecd4562a867e7fb
- SHA1
  
  05cf385b36cf22f10c0cd758d71cdcb228cca2a4
- SHA256
  
  a58b5f2e8172be31e3d1fcc046d044bd862393f3d3e12922287bedf6f8c18e39
- SHA512
  
  02698abb7cbfb0c4596d8b487d9808c3a0746606999892d49d5250412cb96f971b33b8f233e7a1e465b08ddef47fa011ac463085f5247a9ecf5cda9b3c18002f
- SSDEEP
  
  49152:R9dnjRHnRMWHrVDoqNcVhcAwARGcWRrLy3pNq:3dVHRMUrVDEVHLRGdRrLy5N
Score

10^/10

mimikatz defense_evasion discovery evasion execution impact ransomware spyware stealer
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Clears Windows event logs
  evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- mimikatz is an open source tool to dump credentials on Windows
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral6
- Target
  
  c531015ec09adf346131a375df9b9d04c90657fac9b80f2b1e269dae6186de86.exe
- Size
  
  11.1MB
- MD5
  
  d9268c17cb7052926a766046ae7b2265
- SHA1
  
  c624e82cbc90bc0703ac98b05428221e484a8564
- SHA256
  
  c531015ec09adf346131a375df9b9d04c90657fac9b80f2b1e269dae6186de86
- SHA512
  
  047e53d729a776f2c3c4d3ff04b2cb378a8834c665c58a3825fbaadc9077b564e7a2b202391b888786e729d2b90142f98c752421363bf1b02088f2984005fdcc
- SSDEEP
  
  196608:QxCzXIsPSSQ+xNYpT5/54H6w5gV3SHW0WbpSzZTfuPM5Jvghs1VTrQvG:dbIsqT+xNYFN54aw5XBlzZfOs/X
Score

8^/10

spyware stealer
- Drops file in Drivers directory
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops file in System32 directory
behavioral7
- Target
  
  ca8b0ebbb30f371219c2ae79cdc0bd1dd3114cdf27821e71cfbcc11f9daca30e.exe
- Size
  
  1.0MB
- MD5
  
  1833aaec4050f44cb067e7583e159e92
- SHA1
  
  bcb22c5894c3a42a8e5eac9aa18a79a5a252f083
- SHA256
  
  ca8b0ebbb30f371219c2ae79cdc0bd1dd3114cdf27821e71cfbcc11f9daca30e
- SHA512
  
  1e05ba9e70d27559182ab8f397ace2070bfdb69c7d6aa0cefee5e24d19900affd1458df2378328e33c0874137d1d75add6151e2eb7d2a8f4613c197114e3018b
- SSDEEP
  
  24576:F2RUdHDi0HYsrGiqne6NOV7SjH/fMe4X1VNeum4op0Isl:F2RWv2NNADBenjsl
Score

9^/10

ransomware
- Renames multiple (111) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
behavioral8
- Target
  
  d8fd9ad2f30cade8bf0c36f5a3acc64ccc95f625b9f3e2c0654046a531b4e83b.exe
- Size
  
  608KB
- MD5
  
  3593209c748bd92c690629708266e9d6
- SHA1
  
  f714bb1041beacfaad20ee8fe16b53ab5aa19388
- SHA256
  
  d8fd9ad2f30cade8bf0c36f5a3acc64ccc95f625b9f3e2c0654046a531b4e83b
- SHA512
  
  ab90fe1fc5035d29377e2e6fb3fcc7ec17f72f2289548da38727e445abcdba6df2f3760a7508e8915b471d90592b999c5bd422fc3dbb8b7844c4fee93aaf47eb
- SSDEEP
  
  12288:JGCvd4YfdiwaYepoOlD9neGGwkUHAHHHg263GgpU9UpUQ:WhpoOFpeGGwkUHAHHHg263GgpU9Up5
Score

10^/10

gandcrab backdoor ransomware spyware stealer
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Renames multiple (344) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral9
- Target
  
  f241f35bb0f53a1baf0e5da26ef7bb86f3de83e94f3ccab04086b26f2f95dde5.exe
- Size
  
  5.4MB
- MD5
  
  2f03bf90f0b0ffbe9240782090aa9038
- SHA1
  
  e167787cada9ecb91c862704783152a989a761fd
- SHA256
  
  f241f35bb0f53a1baf0e5da26ef7bb86f3de83e94f3ccab04086b26f2f95dde5
- SHA512
  
  c0b4b9889e2b3b6aec1ac22b57b18acdc1486627930395f2368b584c0946d78aeb10814f6db497df8a65caf0b7b425b781f0def72475dcb392fb784a3ba16c85
- SSDEEP
  
  98304:ga2Qd3aLniRewGRbE65cN3VAUO4lxnERfUL7eE/tCvPO7iZARI1ldx66:boLnv5TQOyxOKVCciZ46lD66
Score

7^/10

persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral10
- Target
  
  $APPDATA/cl/Crypto.Hash._SHA256.pyd
- Size
  
  10KB
- MD5
  
  ff1572e32a186328a4c9772d6bf86801
- SHA1
  
  67a86ed4e19db016d308b1438fb7e9727b8dc0f2
- SHA256
  
  fd792cf966bc67177c9f37e95c23d8c4170756f6aac7dc80e9ebc6c808566921
- SHA512
  
  1c217f47edc1afbd59b05f15e57ab21813eec1c8a676beddfc192bff05ea53e1c737bec174bdcaed32b1222f01ceb8defe9059bca7ea52d52fbcc488e4381ad2
- SSDEEP
  
  192:eidzghojQKuGhNUyA5jQjT8KW6WZXN7cLmoVktRcYX3X62dqNea:9dzgwLkjjoT8KQXgVktRK2s
Score

1^/10
behavioral11
- Target
  
  $APPDATA/cl/Crypto.Random.OSRNG.winrandom.pyd
- Size
  
  9KB
- MD5
  
  db04c5da88d10092c87688b27fd23bf8
- SHA1
  
  608a644929e661d897ca9870520121e6900af1ae
- SHA256
  
  6f6f423c4080754019e4c0618e91fe83fcab46779f3677f0480d083fd729c1d4
- SHA512
  
  3077d2e6079096a1847142cea478a9dc73a9c38514c0e96771931eba52b017a6bff27dc94259ed551c514b3b910b58f7d37ba6ce35693f6a8020ac810667f5d2
- SSDEEP
  
  192:5SI4ySF5IHS37idhLjK83XXF2dqGeFI4BUKXKXecWnHcyZfgC:54F5cQ7OdK0HF2QZZ
Score

1^/10
behavioral12
- Target
  
  $APPDATA/cl/Crypto.Util._counter.pyd
- Size
  
  10KB
- MD5
  
  a0fe2acdc8c7b87391f1a6138b22758a
- SHA1
  
  7d725ee12ef769e1a793801f1930dffc711cec27
- SHA256
  
  4f2634f649284624d65db8ce27685b343857f542a9893978aa3ffa57aea30313
- SHA512
  
  9486580b5bfe3fbec52aabbd78ef907bfda8e83e24e63920fa46e2c5bcca79fcb1aed213170bdf1f7d6afe76fd935434d57b25737faf778a5add9744c749d367
- SSDEEP
  
  192:LxDn3nSJIcNaVT6Gbp8wyrKY3X62dqZ3:L1n3nkNAT6Gl8XKoK2O
Score

1^/10
behavioral13
- Target
  
  $APPDATA/cl/Crypto.Util.strxor.pyd
- Size
  
  7KB
- MD5
  
  1239323b388874e102b2c849d83b4af3
- SHA1
  
  f364995dfd8e831941a739f327203952973b7437
- SHA256
  
  cc7cb8651a209ed6366690b3533b3e3893491397e200fa4bd1ee967c6dadbc89
- SHA512
  
  d9f30e188bff8427990b18ca9996888fffb7f754d893b5eddb05c1d65fe0bed35d0971c77168566bcbed48b2a8e7387d0693d8c41ab0a46e1997ba8aff7a8797
- SSDEEP
  
  96:Y6zocBaUTNs8MODmfSvAEJzaXtFT7KZr3XA+U+1dq9OWPQsm8bt:hbBxN6uokJaXtFT7Kl3XK2dqcWPxZ
Score

1^/10
behavioral14
- Target
  
  $APPDATA/cl/_ctypes.pyd
- Size
  
  85KB
- MD5
  
  6af3148bb46d4e4e3e3aa361ac1eca90
- SHA1
  
  49dc2339419644e8bc6c19fbddd2c80224e56804
- SHA256
  
  1d0a560cdc8b4af3b38222a940f20068fa7e9139f698b0bc72b17e9a0ce25ef4
- SHA512
  
  7cf4cffece718b662a556acc410047547a7dabb902620077f9a2886c945f87e6369a4dfd9fb57290285570bd94e86c03f9a6cea0283aa5eb888977ae99ff037c
- SSDEEP
  
  1536:VwTqmRgto4d5SDNcDQNt1wjC4GgesDE3acTMxUWk9R/EcdgdNc+8N:i9g6k0NQkt1wjesDqMxUJ/PdgdO+8N
Score

1^/10
behavioral15
- Target
  
  $APPDATA/cl/_hashlib.pyd
- Size
  
  698KB
- MD5
  
  3c58062b89379f2d29a12bffd3d01af8
- SHA1
  
  0e0cf91da17d972f02a4983e7dc67142d89b2f4e
- SHA256
  
  706beba9f66b1422ac45f35e9094846f1e6e76cf1120fcab0835ea6be4236b61
- SHA512
  
  54cf110b88fa2ee2d69a03952776cf1a3022ab3d340aa71bc79e90725262f2c946cf5bcc719756b483a5dfacf38ba5dca09efc39cbb8a400165efe140ab2fcd4
- SSDEEP
  
  12288:mKubGdOpMSgMeHHXRN8xvs4JuJfcNBxH6Mzo3BDcrtLo9:mKulMSg/HBN8xvs4kKt6MzmBDGJ
Score

1^/10
behavioral16
- Target
  
  $APPDATA/cl/_ssl.pyd
- Size
  
  1.1MB
- MD5
  
  6f47cddcc5c74cf22a1b5cf710935ebf
- SHA1
  
  aaa5311dcc655fa099ffc00bcc07c25f7190bcda
- SHA256
  
  d9fadb044ca15ee133f157180197f6867fe21d03fb3a4f601a6f356150f1d08d
- SHA512
  
  ef80aa9d3f4eca7a3745c47c5411e8d8fc991874a2ef63fc6e70fd10a5ca9f79cb194bbb1b8b5dd893e56f4bd985059dc785d0878e0640093322b526ae65e444
- SSDEEP
  
  24576:D4CQH+ztEuDxXtx+n+KpPiPK1FXrIl9ZTVTByHiy2ZHp/IL47glq:MTH+zfF+b6yzEldTU52ZHp/O47glq
Score

1^/10
behavioral17
- Target
  
  $APPDATA/cl/bz2.pyd
- Size
  
  67KB
- MD5
  
  a9445508c595c742d93b473b1db1758c
- SHA1
  
  9c9e37e1028677ebf6b17d43e5884a6f715c33d3
- SHA256
  
  e9e06e0d6e4b9b3486eb0e100c35b13c90a92864305cde9e6daea74cff7722cd
- SHA512
  
  70e7b3eeed052a74e3bded0034f8ed58b7bbf7d06a7340120801844d61c91cda3392ec83ffefc6c52d76d649006a34d0e41573912506bb6fe39a36e44ef1df6a
- SSDEEP
  
  1536:IfWrPz5tQfU+FwiiRGnY3c20jGVZdS4QqJnWvaGO0X8y+fHPP+Zg:Iiz5uBFNQc9jG/8oJWvaGO0M5fX
Score

1^/10
behavioral18
- Target
  
  $APPDATA/cl/cl.exe
- Size
  
  31KB
- MD5
  
  5bcabb6e0d1d6d2744798520f879851f
- SHA1
  
  fb14f8f983ebac4581b1feb813ef795b7f91f841
- SHA256
  
  5fafb92a6b4cc0061d6596dd9ddd730d21c6d0fd71e9ba0faf2dbac17eb4128f
- SHA512
  
  6ec23e136c7af54ec04dc2aef72d9232b32a6604669622ebb49435dbb74fdd2b089cf057afe44f277a3e2d2d7fdfcd87b9d3f0dc468823ab0aae254293483ad7
- SSDEEP
  
  768:Uyq82Ud7/zfkn8I+ile90q7z//ga+TYH2e/GqIBkpTpuHolhVEtiHErdGnd2Nb/d:jq824LfM9q7z//ga+m2e/GqIBklpuHo2
Score

1^/10
behavioral19
- Target
  
  $APPDATA/cl/mklnk.cmd
- Size
  
  451B
- MD5
  
  70d689bf9aee0d74482ee29c70becb52
- SHA1
  
  d5d2b56ddff9829541fe520aec58f94f05916740
- SHA256
  
  379df8b4dccd7568204b91838fe6ec35ec5516388d39500b5afcaf6809207879
- SHA512
  
  b1948c0d87c68f0c786ecfe7bc6df7407eb2d620220a998da9014eca094ac27ea7329f4ba1caef74ce72bf8eafd1685885a7e441d4c32ba1db5314a66757df53
Score

3^/10
behavioral20
- Target
  
  $APPDATA/cl/pyexpat.pyd
- Size
  
  124KB
- MD5
  
  67da26aed9cbd7fcebe9f7b8ce0a6448
- SHA1
  
  62a9d1f8d236a5dbad6a7f677d3c10b37b4b7839
- SHA256
  
  0b7fc6f03587372c01f717f9b63b646ad2f6e18d139b792921399b4cef0b65e1
- SHA512
  
  b15fe9abef225334da757b4239dd33e7af5035f99cceeb1d143a9196533650792c13d7506b5fcc036c5726416c28bdba0874d4f9af74bdb9b98e6dcdb0225db9
- SSDEEP
  
  3072:S1U2+Gs6aRG1xY4DiYg3Uu33bOrNEBvKOJIjpK3i:S1WcaR2if3UubOheCOGjAy
Score

1^/10
behavioral21
- Target
  
  $APPDATA/cl/python27.dll
- Size
  
  2.3MB
- MD5
  
  9d7f84a3795bacba4403c1e64f6bc932
- SHA1
  
  6a27015451a02957034834cee005c0de0ba7151e
- SHA256
  
  fe5e626e467226bd250717c66944950371f74cc83b60425644cd2e95616376de
- SHA512
  
  c723a6e977f5d02477d1c5999290c875fa5e18b60367c5d21131595ad8b082edba26b006c9d788a98aac9283857f3483c32cac2e332f9676041a87d255f59360
- SSDEEP
  
  49152:5kSX6jb5rHEDLBPDu0SVM+RfRYhaTH3IP4H4yn0MdAPYKCW/UL94:aS+x0X4fzYQHR0MdbroK94
Score

3^/10
behavioral22
- Target
  
  $APPDATA/cl/pywintypes27.dll
- Size
  
  108KB
- MD5
  
  51e04bd3d1e9de22a9cd52b96178eb81
- SHA1
  
  98f20baea0b6da3b56503e696ae36094de773c1e
- SHA256
  
  2e83a0c45fdeb123b3b4ad3823b74bc8106f1ec79a15c36047333485be7ab704
- SHA512
  
  07b7eefc93c84e9932ca4de27438e0013467bd77c0c1f1e6bce6b78ff2b8fde931ef511a29f92b5711d593b918919bf611cddde62499ec8d52c453108066da63
- SSDEEP
  
  3072:ZJ3S1M+tYU06cwxxKEYLRjM/HRBVAg7Y7bi0tNgU70fNNOKlzdZp1U1:ZxSRtYU0bwxxKEYLRjy/Y7bi0H70VNOK
Score

3^/10
behavioral23
- Target
  
  $APPDATA/cl/remove.cmd
- Size
  
  301B
- MD5
  
  bb30ad1ced426c76d5214f9f874fb980
- SHA1
  
  31978d5e7c5aae0a843dc643ad18cac9fb38fca8
- SHA256
  
  fddd4197b9afe42923ead0ace3f0aa0006c386bafa7e9c9285a2e714e9d97f06
- SHA512
  
  5baca7d1f0027717380eba83a7d44e1a0d1f294549eb96320d738f0ef9158c531145cde69707470e6dfe6e7dadf48f7f00930a1fdb70415d24a8a92fbd2cc6a6
Score

1^/10
behavioral24
- Target
  
  $APPDATA/cl/select.pyd
- Size
  
  10KB
- MD5
  
  4f1c033a4b8b1bc19565a78655c0e385
- SHA1
  
  44b3db6ecc4e65d06be6f66aee6b923fbb81ef9a
- SHA256
  
  029d60725554ef87bf13c667b01ad32159dd2852faca43f3a81d71d0062a3a33
- SHA512
  
  2433e6ba389912842a41bd7c0966bcdf97c11e7bb5d50d8cfe2c13005f8fc34b410087668face2b03ed796b045a5d4a56db5520e76761245d3b13826ee7aa07f
- SSDEEP
  
  192:qRRZOAm7QNw7MPDdqPSUcEmJXUnv3XDVR6y2Xc1U5Ly:qRnrCAPDdFDDXoPzV5Au6y
Score

1^/10
behavioral25
- Target
  
  $APPDATA/cl/ui.exe
- Size
  
  543KB
- MD5
  
  b48ee99b4777224f195851ab88be3b7d
- SHA1
  
  1f0618e3362e66d724354f3fb889dda7c5cfb707
- SHA256
  
  b01d1230f31200a5f195b7f44fcc552a71b9bfe131f7b8eccd2466eb66a952dc
- SHA512
  
  eef579b5f8fe62c69a5417ece5d2153547db5df3b37509e3c6cb2663453c0a97746c51d9323dcdb71b74b50ab3e265825116e642b2ac461272faefec137cc3df
- SSDEEP
  
  6144:UHmimhqaDkyQAxzoXqsaoGfN/5Q5Yv0SRpCLq1t3G3Gv7qgbDWtdOVzLE/U/ckf3:kUh/DkyQioOXBT3YtAhLEwcsB
Score

3^/10
behavioral26
- Target
  
  $APPDATA/cl/unicodedata.pyd
- Size
  
  670KB
- MD5
  
  b4530adc9cba15114a001d1aae2e98b3
- SHA1
  
  55b07b26998b9e0628dc9f733ab62a2b2e4dcaee
- SHA256
  
  c7c85f717b8a3676716bb2106e31b288ea1dfe90d1802180169cf92488f47dde
- SHA512
  
  a4755ca20e3c40d8b0d149bed29ccbd907a0e64e6952fdfaae4ae573dbf5105a1e04cf4644860eb57d1ae84246e4f58e34fb7c01b83e53b6c5ab54e21d68f33e
- SSDEEP
  
  12288:Ir3z3AxoMPBt8FpQsVdFiI5mZMPXubUxktwd:Q3rxM8XQsVdXSPAxLd
Score

1^/10
behavioral27
- Target
  
  $APPDATA/cl/win32api.pyd
- Size
  
  98KB
- MD5
  
  a39bc68b2259d0758f5202d37a5fd138
- SHA1
  
  b7eff9bc1383d55c29880fae4724aac2dde84fbd
- SHA256
  
  833bda379cca0747230a9d04bc6fd8698632e45b7829cc18d790895408582c46
- SHA512
  
  cd472a1d340fc1b4197c0dbfb5ac3fa67bbc60dbda79b90aa0fd0baed930ecd1e0c05f6de5bd84db626761f67ccc4a17f55dfd2e07d1f96ca86993fbfc6dec68
- SSDEEP
  
  3072:b26TeDrjMOxYNlF7eho6gltO/w3OVhV3LHhBNIxJ2cUTganAtyqgJrPhYA:q6T+/zxYNlF6o6gltOEOVhVxcUTgNyqk
Score

1^/10
behavioral28
- Target
  
  $APPDATA/cl/win32pdh.pyd
- Size
  
  25KB
- MD5
  
  e1516d9f70a9489fd7bbb430a469160e
- SHA1
  
  2ac76853bf1a85f960806f63c437e80ca9ade8f1
- SHA256
  
  a8743e814f905d7ae689160e04b1dd6e78653c8cdae20eee119a3dc1fc495211
- SHA512
  
  fb803c16af1479699975394904be3fe36de146a571ff0659c939ed9e97f567d02fd6aa5523d765484e76fb9b9ed460ad6db8764fb6e8991ef3656645efc398f2
- SSDEEP
  
  384:HUlSJ7oQTvsezqx7BNbcqTm3RTt+oTiyJKu50X+lJgcz/QOVlrFaK:H6QvPzqx7BBl69uyJL5o+THz4IVFa
Score

1^/10
behavioral29
- Target
  
  $APPDATA/cl/win32pipe.pyd
- Size
  
  23KB
- MD5
  
  360d0826c865c76dc0a70c8c7ed5207b
- SHA1
  
  57a050ddc5d0a42658de928604aad171ccead69c
- SHA256
  
  317f595b92caf5d8f7c4c21bf5e7cdd9a8f063592613b596fb16e297238c303a
- SHA512
  
  06a0f21b7fc39f068f6379761d256440b0d1657ae6daaa4bfe570caf73ed7daa3a44805c32ccda24578fe4c9cac8c0866dda48b1a41b07f0ae8ccf85ff64174a
- SSDEEP
  
  384:VGOIiDSVujmVnO7aNf3jsfBxjMDczBkx56DUgnnVl0JD4ZM0D9cJ:R/DSYiVnO7SIBDzBeoBVBdD9c
Score

1^/10
behavioral30
- Target
  
  $APPDATA/cl/win32wnet.pyd
- Size
  
  24KB
- MD5
  
  10f5aa748130774c89b7274c8d9b83e3
- SHA1
  
  f195d87517bb0a6e6cbca9f4302dc100f9a5aa36
- SHA256
  
  fcfd8d0d6a8e905b31ccf5a9dc00366ae2a436072eeff4378bd4fc14ce7ac267
- SHA512
  
  e07676f40d284bd4a00f132f77419064bb5137674428fac61c6d6cee33545b8ebd72a50bdd0c907f408494962359d3065085f05d1dae8baf850dadb2a261cbb1
- SSDEEP
  
  768:eRZ5g+l3KQZrpJI/fm2Jj4cgANOtr85OELxV262R:eRZ5g+l3KQZrpefm2Jj4cgANOtCLxV25
Score

1^/10
behavioral31
- Target
  
  $PLUGINSDIR/INetC.dll
- Size
  
  21KB
- MD5
  
  92ec4dd8c0ddd8c4305ae1684ab65fb0
- SHA1
  
  d850013d582a62e502942f0dd282cc0c29c4310e
- SHA256
  
  5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934
- SHA512
  
  581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651
- SSDEEP
  
  384:VpOSdCjDyyvBwRlX+ODbswYM2s74NS0v0Ac9khYLMkIX0+Gzyekx:rdCjW/lX1PfYM2X1
Score

3^/10
behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Deletes shadow copies

Enumerates VirtualBox registry keys

Looks for VirtualBox Guest Additions in registry

Renames multiple (101) files with added filename extension

Checks BIOS information in registry

Checks computer location settings

Drops startup file

Reads user/profile data of web browsers

Sets desktop wallpaper using registry

Renames multiple (1321) files with added filename extension

Drops startup file

Reads user/profile data of web browsers

Adds Run key to start application

Deletes shadow copies

Renames multiple (1929) files with added filename extension

Checks computer location settings

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Enumerates connected drives

Mimikatz

Clears Windows event logs

Deletes shadow copies

Modifies boot configuration data using bcdedit

mimikatz is an open source tool to dump credentials on Windows

Deletes backup catalog

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Drops file in Drivers directory

Loads dropped DLL

Reads user/profile data of web browsers

Drops file in System32 directory

Renames multiple (111) files with added filename extension

Renames multiple (344) files with added filename extension

Checks computer location settings

Drops startup file

Reads user/profile data of web browsers

Enumerates connected drives

Sets desktop wallpaper using registry

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25