Overview
overview
10Static
static
3cerber.exe
windows7-x64
cryptowall.exe
windows7-x64
9jigsaw.exe
windows7-x64
10Locky.exe
windows7-x64
10131.exe
windows7-x64
1Matsnu-MBR...3 .exe
windows7-x64
7027cc450ef...d9.dll
windows7-x64
10027cc450ef...ju.dll
windows7-x64
10myguy.hta
windows7-x64
10svchost.exe
windows7-x64
7General
-
Target
Ransomware-Samples-main.zip
-
Size
15.1MB
-
Sample
240805-2ba2rathle
-
MD5
e88a0140466c45348c7b482bb3e103df
-
SHA1
c59741da45f77ed2350c72055c7b3d96afd4bfc1
-
SHA256
bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7
-
SHA512
2dc9682f4fb6ea520acc505bdbe7671ab7251bf9abd25a5275f0c543a6157d7fa5325b9dce6245e035641ab831d646f0e14f6649f9464f5e97431ab1bf7da431
-
SSDEEP
393216:+8HaL/eOo2nfFSrjIMVePFmu/GyBSib+JYSWTmZ:LHayONnnBNmkPbDSWm
Static task
static1
Behavioral task
behavioral1
Sample
cerber.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
cryptowall.exe
Resource
win7-20240729-en
Behavioral task
behavioral3
Sample
jigsaw.exe
Resource
win7-20240705-en
Behavioral task
behavioral4
Sample
Locky.exe
Resource
win7-20240708-en
Behavioral task
behavioral5
Sample
131.exe
Resource
win7-20240729-en
Behavioral task
behavioral6
Sample
Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
Resource
win7-20240729-en
Behavioral task
behavioral7
Sample
027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll
Resource
win7-20240704-en
Behavioral task
behavioral9
Sample
myguy.hta
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
svchost.exe
Resource
win7-20240704-en
Malware Config
Extracted
C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___ZSG87OTT_.txt
cerber
http://p27dokhpz2n7nvgr.onion/9F99-7CDB-3FA9-0446-917D
http://p27dokhpz2n7nvgr.12hygy.top/9F99-7CDB-3FA9-0446-917D
http://p27dokhpz2n7nvgr.14ewqv.top/9F99-7CDB-3FA9-0446-917D
http://p27dokhpz2n7nvgr.14vvrc.top/9F99-7CDB-3FA9-0446-917D
http://p27dokhpz2n7nvgr.129p1t.top/9F99-7CDB-3FA9-0446-917D
http://p27dokhpz2n7nvgr.1apgrn.top/9F99-7CDB-3FA9-0446-917D
Extracted
http://french-cooking.com/myguy.exe
Targets
-
-
Target
cerber.exe
-
Size
604KB
-
MD5
8b6bc16fd137c09a08b02bbe1bb7d670
-
SHA1
c69a0f6c6f809c01db92ca658fcf1b643391a2b7
-
SHA256
e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678
-
SHA512
b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24
-
SSDEEP
6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01
-
Blocklisted process makes network request
-
Contacts a large (1096) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Modifies Windows Firewall
-
Deletes itself
-
Drops startup file
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
-
-
Target
cryptowall.bin
-
Size
240KB
-
MD5
47363b94cee907e2b8926c1be61150c7
-
SHA1
ca963033b9a285b8cd0044df38146a932c838071
-
SHA256
45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d
-
SHA512
93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068
-
SSDEEP
3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
jigsaw
-
Size
283KB
-
MD5
2773e3dc59472296cb0024ba7715a64e
-
SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859
-
SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
-
SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262
-
SSDEEP
6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX
Score10/10-
Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
-
Renames multiple (2010) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
Locky
-
Size
180KB
-
MD5
b06d9dd17c69ed2ae75d9e40b2631b42
-
SHA1
b606aaa402bfe4a15ef80165e964d384f25564e4
-
SHA256
bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3
-
SHA512
8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c
-
SSDEEP
3072:gzWgfLlUc7CIJ1tkZaQyjhOosc8MKi6KDXnLCtyAR0u1cZ86:gdLl4wkZa/UDiD7ukst1H6
Score10/10 -
-
-
Target
131.exe
-
Size
2.3MB
-
MD5
409d80bb94645fbc4a1fa61c07806883
-
SHA1
4080bb3a28c2946fd9b72f6b51fe15de74cbb1e1
-
SHA256
2ecc525177ed52c74ddaaacd47ad513450e85c01f2616bf179be5b576164bf63
-
SHA512
a99a2f17d9fbb1da9fb993b976df63afa74317666eca46d1f04e7e6e24149547d1ac7210f673caeae9b23a900528ad6ad0a7b98780eff458d3d505029a06e9ba
-
SSDEEP
49152:XM16E7qUoM5NWX7DP+1egOhcraQzK6j97V:c16/rM5oW1ZrRz
Score1/10 -
-
-
Target
Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_
-
Size
102KB
-
MD5
1b2d2a4b97c7c2727d571bbf9376f54f
-
SHA1
1fc29938ec5c209ba900247d2919069b320d33b0
-
SHA256
7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e
-
SHA512
506fc96423e5e2e38078806591e09a6eb3cf924eb748af528f7315aa0b929890823798a3ef2a5809c14023c3ff8a3db36277bc90c7b099218422aafa4e0c2ee0
-
SSDEEP
1536:jj+Rj1lGIXKSmE17v97yiqHGMRPtbsLW8/V2k12v1/BDxVyCfCrCAc:jjw6Sf0iqmMnb2W02v3mCf4Nc
Score7/10-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
027cc450ef5f8c5f653329641ec1fed9.exe
-
Size
353KB
-
MD5
71b6a493388e7d0b40c83ce903bc6b04
-
SHA1
34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
-
SHA256
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
-
SHA512
072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
-
SSDEEP
6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG
-
mimikatz is an open source tool to dump credentials on Windows
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.bin
-
Size
353KB
-
MD5
71b6a493388e7d0b40c83ce903bc6b04
-
SHA1
34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
-
SHA256
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
-
SHA512
072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
-
SSDEEP
6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG
-
mimikatz is an open source tool to dump credentials on Windows
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
myguy.hta
-
Size
13KB
-
MD5
0487382a4daf8eb9660f1c67e30f8b25
-
SHA1
736752744122a0b5ee4b95ddad634dd225dc0f73
-
SHA256
ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6
-
SHA512
e1e7d81d54efd526139ea8ac792ed2035c8e70f040319c0b65f723431d31077c7a6927553890c99151f2354f51c4020ed94e0e2e5d56386c2fc4828e95869106
-
SSDEEP
192:ScIsmNvaHz65bP/U/njs3NH0Z0UvDVE6Az6XVHBycT6iLMUpJ2seCYHlfeb:SPXTmnjs3BU9A27BNLMUTb
-
Blocklisted process makes network request
-
-
-
Target
svchost.exe
-
Size
704KB
-
MD5
d2ec63b63e88ece47fbaab1ca22da1ef
-
SHA1
dd52fcc042a44a2af9e43c15a8e520b54128cdc8
-
SHA256
e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5
-
SHA512
89d9e63d5f3b34be3d25317933031815a42c039fbee30ce8c86f8b1b7c6ca9ccfc8731da99b9246381a2c05a95ada423f4944ff72111eb0451a44e9dcb3e053e
-
SSDEEP
12288:rue4X2Uz0DsetgxLdsCHvX8XYJWs6XS1bFLDw1P86jZpMV7uikFg:v+2UzSgxLdsCHmQb6XSbFLDs06jZulus
Score7/10-
Drops startup file
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Direct Volume Access
1Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
2File Deletion
2Modify Registry
3Pre-OS Boot
1Bootkit
1