Overview

overview

10

Static

static

10

1K SOCKS5 HQ.txt.exe

windows10-2004-x64

9

Priv8 Grab...v8.exe

windows10-2004-x64

7

Project1.exe

windows10-2004-x64

3

VExploit 7.5.exe

windows10-2004-x64

9

autotiktok.exe

windows10-2004-x64

9

carding software.exe

windows10-2004-x64

10

cc.exe

windows10-2004-x64

10

dom2ip.exe

windows10-2004-x64

7

dungbulon_gnp..exe

windows10-2004-x64

10

flashSO (3).exe

windows10-2004-x64

8

game_12.exe

windows10-2004-x64

8

mass_exploit_wp.exe

windows10-2004-x64

9

revolve.co...g!.exe

windows10-2004-x64

9

suckmydick.exe

windows10-2004-x64

10

wallet_min...1).exe

windows10-2004-x64

8

xReverseFreeV2.exe

windows10-2004-x64

7

xReverseTrial.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    New folder.rar

  • Size

    98.3MB

  • Sample

    240810-lsn2yayeng

  • MD5

    33a752bc3f2418596423b3fb366ad00c

  • SHA1

    2c88e3795cccc85cf72dc1f2873f4c9230dfcb78

  • SHA256

    6c3d0aec1057e3783db453fb638ad9dd3cb72051326e09b4396921b1b85074c2

  • SHA512

    3fc9167459a82e349cd609175a1948e1814f2bf21b58affd3a8b10ac0d95d716fc40d39aaeb8eb6309e26416856ce837fb8a0af64f6a6ec7846c029b31f9bd5f

  • SSDEEP

    3145728:v2SUIC/W1v4S9NHpVsYGYvV0zet4YOABUn/mZAne9GC:vhUZe1g6VgzeHOABU/6mY

Score
10/10
blankgrabberchaosmeduzastormkittycollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationpyinstallerransomwarespywarestealerupx

Malware Config

Extracted

Family

meduza

C2

5.182.87.130

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Ransom Note
All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qma7ln7jfq5c7kl6du2cth8g7z8u468n4txw5rx

Targets

    • Target

      1K SOCKS5 HQ.txt.exe

    • Size

      7.0MB

    • MD5

      8d27355f003a0ff767f18b616d2c0e32

    • SHA1

      a919a976164d2e88728ee75dc902081bfe4966e7

    • SHA256

      7a7ec115d5216c04d1097ef30039ffd083db43735c39046ab72af1d4f6246ff6

    • SHA512

      b6d8d4e508726338daa68a97ec20628eabdc13a641f0612ecf6e3414ede0fa0dfd7cf62ca57b71e639d81be7319b656e224dc58f8594178638d1ebc7f93fe8cb

    • SSDEEP

      196608:7sQsGbT/9bvLz3S1bA329OqJyPXJdu+gmno:CGbTlj3S1bO29OqJyPXJdu+gmo

    Score
    9/10
    collectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealerupx

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Enumerates processes with tasklist

      discovery
    behavioral1

    • Target

      Priv8 Grabber by vexelvoxpriv8.exe

    • Size

      10.2MB

    • MD5

      945a919fff30b168e5147244e23b1bb4

    • SHA1

      2bc2bd7242dfa94fea0ddaa8721aea982efbf203

    • SHA256

      b7413294c2b3f39d38a6a016719e009dd90a9bb6ba98f2a13fc0e54bae18e9a0

    • SHA512

      3dc247e069a9b558df1d16330408bb7685a6c294e0ddda4ac45b3d82660a2a9af29e3491a86647d441f37de1a6a0c07d7cd66c5efcef656efa3ab81412c85e74

    • SSDEEP

      196608:wrt2JqS7B2DONbU2pHOLfK4FMIZETSejPePdrQJ/BNOqioH0vYPv1:tJz7B2D4RqKQETSevJHOqGvi1

    Score
    7/10

    • Loads dropped DLL

    behavioral2

    • Target

      Project1.exe

    • Size

      121KB

    • MD5

      baf403646dd8669d8b84f91d4a910b44

    • SHA1

      bddce5ff7a558f52de55a6154badc5fec8e811d8

    • SHA256

      84ef75374b30aa55860fd64c63fe24a46d917ec54e88a94215cbab9582bbe0a2

    • SHA512

      0d1fed0b998a4ed138acd93440a88dbccdee469701d5e11f6175e36c454262d6d98d78ae2523818c3f56ed6869058b745d7de62615dc447277db187cbe953c50

    • SSDEEP

      3072:Jjmuo9txMnNYT/VsOIvKh+h1JGuOr0XJqUNQauWW5mIn:J9oRwYWOFhW1gboXJYmIn

    Score
    3/10
    discovery
    behavioral3

    • Target

      VExploit 7.5.exe

    • Size

      3.0MB

    • MD5

      b576d503248249aa9d80c75812735b95

    • SHA1

      07e528c971ee71afbf67381424a94278ddb168a8

    • SHA256

      26e99147a71dab9e54af91b164c7d6755e91d7e84b01907e74ef55aedcd00f44

    • SHA512

      0646222a0bc2fa3daa0ac9e79783c96c1ca6e7d59968ac2456865d5f030fbbbe87582fe22626cf86590b81d8a312275fb6358e632ba7a11ad18826928788cdaa

    • SSDEEP

      49152:NPlxT9CAot1ZewmTyGlj0cmGVmCWK0IK9LBRv3OUDr95NwmWWD3KpbQTV3:NPlDCjZkHluoTl49LBx3OU/N3MbQp

    Score
    9/10
    credential_accessspywarestealerupx

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral4

    • Target

      autotiktok.exe

    • Size

      14.9MB

    • MD5

      51a342514e8ac6cc0c28a8efe517085e

    • SHA1

      fb48ec3f94064f40a7da135a9d2f18591a085fb2

    • SHA256

      682081e75727400e5a29471b8f1564f0917e8d91ee84123722573cea15037491

    • SHA512

      6d1d0627a47c3ad3648c0562270a699371adf9b239804e225369288cbdcd6938f2c42ceda4227f6520e94ed934839ad45d04b0b21f89afc91fd887cb2a85cd1d

    • SSDEEP

      393216:SL+jPdq2VeGuuh7VIJh3LlVTYV+Zi8fje2hrahAlY:SL+j0kJVIJxLlVTYMZiullY

    Score
    9/10
    credential_accessdefense_evasiondiscoveryexecutionspywarestealer

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Enumerates processes with tasklist

      discovery
    behavioral5

    • Target

      carding software.exe

    • Size

      23KB

    • MD5

      003890676b63239d5fef463e4dd46ed4

    • SHA1

      5a9e67ac8794d9bcf18c1e67da5c0bdf1c0adfba

    • SHA256

      63fde64543a837c1cf7072bb0478445232d526597a252e335381081f75745bee

    • SHA512

      e77d77e8619e700c106b658be724406167043a2989e8da250983dbb4a68481fc76c7b3d5fd433d68cdd1012840e0d6b7ace501facf73d782e392c447b6cc3f6d

    • SSDEEP

      384:33Mg/bqo2mJk5BFnqXipFqjuwzU3Jmr91CdFHbTKe3:hqo2b5iXip0jK5mr9YFHbGe3

    Score
    10/10
    chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer

    • Chaos

      Ransomware family first seen in June 2021.

      ransomwarechaos

    • Chaos Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    behavioral6

    • Target

      cc.exe

    • Size

      323KB

    • MD5

      eeec1c5bad5802d01834153e7df20a96

    • SHA1

      c35f1072cab375b246d254a475b4ee617cdfedcf

    • SHA256

      903c15b544940978f54c8add35edb4dfac62f4da00e0afe5b9979834cc9ad469

    • SHA512

      6daac35e6428b4cf3c6758e5b45453fb5a201b831ca3d5a52c83032e8363655e0b043c3d2b8a527393ba948139f13fb4d749a0fd0ce79ce4d0ad780313c189dc

    • SSDEEP

      6144:bR/N1Q5Ng+8j/svwt+IsOU9UzoprcBOJ+X:bR/N6r8j/svw1U9XuB

    Score
    10/10
    stormkittycollectioncredential_accessdiscoveryspywarestealer

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral7

    • Target

      dom2ip.exe

    • Size

      7.7MB

    • MD5

      141013086c87f8c529607d41fb5f5537

    • SHA1

      4056fab0a8e3fced2836df33558436681f3e7b7b

    • SHA256

      250386ce7948feac1bbcefc0e8c2f5f1bb99aaaeba21d2af53071b7d70d12a09

    • SHA512

      d64fbaf9ef6738c6cc6d4952ea79b05e5471b43c7d9801b07e562d47814b40485a615f8be3bfead86e0b4b6c4158a23afc4b707b8e6b6c899af2c1f7eb1a1e65

    • SSDEEP

      196608:F0GYeaRDfyGlW21X5Sp6GemDMPw2IGbWqYPGk7ts:lYeaRDfDllpfaMPLgs

    Score
    7/10

    • Loads dropped DLL

    behavioral8

    • Target

      dungbulon_gnp..exe

    • Size

      696KB

    • MD5

      558ccdda252f2b544386d99345e68c42

    • SHA1

      0285a983d81a148c0146b47b7f74610278fe750a

    • SHA256

      410f5d4346f1c26ef99cbd3d34e72462a15a0c59ea0053903bbf5cbf85ab0769

    • SHA512

      18a84cafefaa8adbe5a1d143e043db2a6960ee3c4823490d8a97924a9535de8bb83aeee9fe65f949745cc57d7ef74f2fb07d0f6f80c7823f94f32f961ec72069

    • SSDEEP

      12288:3YU9PtTNzZXkBhnCd2p5X6x8TCXYe7fQBhHsqpp1XY2CHrnlVx26R4YrsmQMlerO:3TptpZXkBhnCd2p5X6x8THe74BljYrrz

    Score
    10/10
    stormkittycollectioncredential_accessdiscoveryspywarestealer

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral9

    • Target

      flashSO (3).exe

    • Size

      2.7MB

    • MD5

      6a3ab7ec2c4fd2d93a0f8fc2dc47f062

    • SHA1

      3d5f8bd0d1bab522252ad49f832f1e0519a8b563

    • SHA256

      558963a35ffa085be310eb2809db9c61d46e8b0637e9a2b9f0ca45ed9231b7fa

    • SHA512

      2a57a51d0732384bdae7e0001651b9caf8440b622eea93ea70de1df6bd5dedd20e3d8d189d034c5328508ce19d85efea92673aad353e1b0637c8c708a7072467

    • SSDEEP

      49152:nkDg6C5FBC7YoaL6oMRcx1DixxzK2N+lCWg4zXZRsAbmoX+UBzppVR3:kDgPfBCkofc3DcxzXGNp6//UBzp

    Score
    8/10
    defense_evasionevasionexecutionpersistence

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Sets service image path in registry

      persistence

    • Stops running service(s)

      evasionexecution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

      defense_evasion

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral10

    • Target

      game_12.exe

    • Size

      2.7MB

    • MD5

      6a3ab7ec2c4fd2d93a0f8fc2dc47f062

    • SHA1

      3d5f8bd0d1bab522252ad49f832f1e0519a8b563

    • SHA256

      558963a35ffa085be310eb2809db9c61d46e8b0637e9a2b9f0ca45ed9231b7fa

    • SHA512

      2a57a51d0732384bdae7e0001651b9caf8440b622eea93ea70de1df6bd5dedd20e3d8d189d034c5328508ce19d85efea92673aad353e1b0637c8c708a7072467

    • SSDEEP

      49152:nkDg6C5FBC7YoaL6oMRcx1DixxzK2N+lCWg4zXZRsAbmoX+UBzppVR3:kDgPfBCkofc3DcxzXGNp6//UBzp

    Score
    8/10
    defense_evasionevasionexecutionpersistence

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Stops running service(s)

      evasionexecution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

      defense_evasion

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral11

    • Target

      mass_exploit_wp.exe

    • Size

      16.3MB

    • MD5

      e308ed98087fc09bdcb0a79cb7daf15c

    • SHA1

      178faf56520e84a130fc80ef172264188a5bf528

    • SHA256

      2b076c94c0a6e32657d5250b1e7a5613fdfc72029917f385e8efadd137172e5b

    • SHA512

      436529467ecbd01d25c0666e2b81463d989b39a15de9f083af0d7ef42d249a69b55a9f4576e01fbb1be42f5c04558bb406a39ae6867c37cb35feb776ae25feed

    • SSDEEP

      393216:qEkcq8ZgP8AxYDX1+TtIiFvY9Z8D8Ccl6lnZGtorGMtQS7LnwxgK:qkdZbX71QtI6a8DZcIlQt8yEK

    Score
    9/10
    credential_accessdiscoveryspywarestealer

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery
    behavioral12

    • Target

      revolve.com !Pro Cracking!.exe

    • Size

      7.0MB

    • MD5

      3527bda2004d01aeb779422d4f83ba28

    • SHA1

      65c50adca4c59ec1e4dc2633f35ddf29cc6e7ba8

    • SHA256

      385e4713487a238122cb2c403609deaf1e236b86dd55d52f0be668191c4e61dd

    • SHA512

      e36aa5c83abad0f695f5a1b540616d9237f68f1feb90a9e07e37f8ab00561a55dd539bc7c75000e2cc7ff5ef13ec74161e110e9600afc5bd322260d195038ff4

    • SSDEEP

      98304:HwzHqdVfB2GyuT/9vUIdD9C+z3zO917vOTh+ezsNh75S2zh/hQqVvmJ1YPFlVtqM:H4QsGbT/9bvLz3S1bA32zOqwYPdT

    Score
    9/10
    collectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealerupx

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Enumerates processes with tasklist

      discovery
    behavioral13

    • Target

      suckmydick.exe

    • Size

      1.5MB

    • MD5

      7d4eeda2499810f21d490682de99483b

    • SHA1

      c254973294423379f73c2769419abaf506b83b9e

    • SHA256

      05e07223e3947417c67bab98d2513eabf65a3d6c824fb93f0cc6b36e0cdb5f47

    • SHA512

      b7136e6e9d1673902fcd7afbed7b4d58b0fd3b4e62f8a1414b9650a6431dad7288c7e6af413bcd82cdb00bbbe8cf2403e1a353207faa93312ddc85b9f0999143

    • SSDEEP

      24576:EXx7thhBQyfYJ776BDDN1JeJsrHQ+PohHLROCElLwkZMfK0JSGumpb:IthhBQywJ36BDVeJZ+QhrR1SKumx

    Score
    10/10
    meduzacollectiondiscoverystealer

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

      stealermeduza

    • Meduza Stealer payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral14

    • Target

      wallet_miner_v3.1 (1).exe

    • Size

      5.2MB

    • MD5

      c263627b444c7cfacda7683b5d8e3d65

    • SHA1

      503fd59856ecd95eb2636ed3c7c7522fa6b9831e

    • SHA256

      23cd00b31c81c4258d7400bb802077ed356bdab30756f7194d8576a4ed2e8be8

    • SHA512

      3382b876466acceaf628c84eac5d05602833eb7e73591d5889a3fc9bfdeef2f64cc0d8eea51eb721ad343d2e47298ffa63bdf027751af5dc4f91cbc4faa2f912

    • SSDEEP

      98304:5a4QonBcCaW1pc0fElZACqqUUAp7TCe648CgWTOSwLbx:c4Q+Bf1pbMlWOUUo38CgWOFbx

    Score
    8/10
    defense_evasionevasionexecutionpersistence

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Sets service image path in registry

      persistence

    • Stops running service(s)

      evasionexecution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

      defense_evasion

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral15

    • Target

      xReverseFreeV2.exe

    • Size

      12.0MB

    • MD5

      44bfa964a2413a31b5e0d3ce4379fced

    • SHA1

      5d0aef8f2a212c721c6a330d5796984453ce3781

    • SHA256

      cfaba74207494654284267afc7025dd943d901a97a6ebb57509eafdfbffea54a

    • SHA512

      ab0fd3f8d7910a5448a9ce1168664db6f312a285a8d5a9c32f190c9d173cf2c999d472d11f8c5b4cf8e69cad60f1cff89eb4a89945e7c4c45e5453bfd09fb536

    • SSDEEP

      196608:yhd0cjdUzbW854h/qwSvZSzsx1utTE8p4rzrwDytnLbhPMscnu8iEnNBzbXAD+:gScM35AzS0zI1uZMrzrw2xdMu8iM

    Score
    7/10

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral16

    • Target

      xReverseTrial.exe

    • Size

      12.4MB

    • MD5

      d0ad080be20e6a90d872a3f254abf625

    • SHA1

      c6f68da66c55edafb1557b24fa91d1f6f7f48f76

    • SHA256

      3c07137a3fef0381d293cd4ced47f724a57be0df60c64be8f7e419c8a48c58aa

    • SHA512

      268693e9d42bfe14c5efa41f4f28e925df1600233efbab3052c56b010495fbfd87909f3b6d06d271688bcfa9490d458747656188526eed6d9955f45bcb27808f

    • SSDEEP

      196608:thCIhSOdFAPcc5ZiXrABDZBB/ZbVuNjw9SJooT93N2yL9oOjxyp0K2OyG6oSN2:K1OLAPR5UXrABp2k9SaoTj9VsFS

    Score
    7/10

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral17

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

3
T1059

PowerShell

2
T1059.001

System Services

2
T1569

Service Execution

2
T1569.002

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Direct Volume Access

1
T1006

Impair Defenses

1
T1562

Indicator Removal

4
T1070

Clear Windows Event Logs

1
T1070.001

File Deletion

3
T1070.004

Modify Registry

2
T1112

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

5
T1552

Credentials In Files

5
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

7
T1012

Remote System Discovery

1
T1018

System Information Discovery

8
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

2
T1016

Internet Connection Discovery

1
T1016.001

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

4
T1005

Email Collection

1
T1114

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Inhibit System Recovery

4
T1490

Service Stop

1
T1489

Tasks

static1

pyinstallerupxblankgrabberchaosstormkittymeduza
Score
10/10

behavioral1

collectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealerupx
Score
9/10

behavioral2

Score
7/10

behavioral3

discovery
Score
3/10

behavioral4

credential_accessspywarestealerupx
Score
9/10

behavioral5

credential_accessdefense_evasiondiscoveryexecutionspywarestealer
Score
9/10

behavioral6

chaosdefense_evasionevasionexecutionimpactransomwarespywarestealer
Score
10/10

behavioral7

stormkittycollectioncredential_accessdiscoveryspywarestealer
Score
10/10

behavioral8

Score
7/10

behavioral9

stormkittycollectioncredential_accessdiscoveryspywarestealer
Score
10/10

behavioral10

defense_evasionevasionexecutionpersistence
Score
8/10

behavioral11

defense_evasionevasionexecutionpersistence
Score
8/10

behavioral12

credential_accessdiscoveryspywarestealer
Score
9/10

behavioral13

collectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealerupx
Score
9/10

behavioral14

meduzacollectiondiscoverystealer
Score
10/10

behavioral15

defense_evasionevasionexecutionpersistence
Score
8/10

behavioral16

Score
7/10

behavioral17

Score
7/10