General

  • Target

    sandboxie-5-69-6.exe

  • Size

    2.9MB

  • Sample

    240821-yabp4swfrb

  • MD5

    f52f352a4def55c78779707efc001f3e

  • SHA1

    efcce55e998886319858ef83cb3ceeb86dc23eb6

  • SHA256

    95dbd294f511335bb0b368c487abe48e8d72aa4b165cba94d32cef71a5e46916

  • SHA512

    9faeb5435b9f68a718b89dde2152437368b722183f9ee2b66d1a6650e703e862707d6b288487a5224aab5918116a5380e2408ef9ef08dc8e2fd06a14ae28d5bf

  • SSDEEP

    49152:094iRfnCtFDyfWcyGAGTidbcW+/MVuiz1Py1v1GkfEgVAmm/S:0942fILBGAI4x+/a51snbmmH

Malware Config

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>U3+H5QtSMwVvi3tsAYsFNTKgV75QnHZwSNF0sxatOm8darcDL8rh61PCdEkZthU/FNdmxN8BwCfPCT2ZoMU0ZCNrExmcNglwqgEobRwCQon7U7+MNwZJxpI7dWD9s3CXO8IqiheRg4u27YXBttsYL8OnrwXqUFYJUgu4a1P2GmOFdjH6VzyG05AZo+vHLHd7DtZlpK++/eFIOrXe8WTR7o7QzVsmV8n/jWf8JE1uZrJxziRdXELe0rIFXxBcZsyk7y6BY2FjaZnaL0zvY4P7PiWrCz3elWOb+IlCyEPQujyd9wIx2vhhpX/nSyaJlKnX8/h3N07n1FJBwicDQtDLzA==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>ne1BcoXgOohrJCMaUCEJdm/VstpwCtLATXH6kiDKaS23M/152rOCxF0efZzCVc79gYTETD/C0W150CwGPJLhXYIWsaHYc34WoNkHEiwNQYGkdwLbQ94Hzq8gtVTEiKpt60g6U0gHvsNgYgq9FEzzY2FLRVCHDGw17KUOuceQ6dzTknAG7DxMWXrYzrmUNEYZF0gNBiRwEVecNGdl95tm0ayFOhdCza8n0iCFnlKET8WJ3DqK/MscgGiOWYwmfXxH03bKkTlzPdFVlNbbh+DIBjUyAN8l0k96E+C/6f66mhSUewVhaSLhfDHD3HEmVP7iOWbdh2EMLTmlLr3jHfgXGQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Targets

    • Target

      sandboxie-5-69-6.exe

    • Size

      2.9MB

    • MD5

      f52f352a4def55c78779707efc001f3e

    • SHA1

      efcce55e998886319858ef83cb3ceeb86dc23eb6

    • SHA256

      95dbd294f511335bb0b368c487abe48e8d72aa4b165cba94d32cef71a5e46916

    • SHA512

      9faeb5435b9f68a718b89dde2152437368b722183f9ee2b66d1a6650e703e862707d6b288487a5224aab5918116a5380e2408ef9ef08dc8e2fd06a14ae28d5bf

    • SSDEEP

      49152:094iRfnCtFDyfWcyGAGTidbcW+/MVuiz1Py1v1GkfEgVAmm/S:0942fILBGAI4x+/a51snbmmH

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      $PLUGINSDIR/InstallOptions.dll

    • Size

      14KB

    • MD5

      046074d285897c008499f7f3ad5be114

    • SHA1

      159040d616a056ee3498ec86debab58ef5036a55

    • SHA256

      254c5ccbce59ad882f7f51d0bf760cabde8c88c5af84e13cc8ad77ba0361055c

    • SHA512

      ab7436fda44e340dd5909ddec809c6b569a90d888529ef9320375e1aae7af85afcab8c1c1618551d3fe8d6ae727f7dca97aa8781b5555da759d501d2ccd749e1

    • SSDEEP

      192:+Gs+dH4+oQOTgDbzuNfrigyULWsXXZF/01JJijqK72dwF7dBEnbok:+GvdH4qMebzPY2Vijq+BEnbo

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Network Share Discovery

      Attempt to gather information on host network.

    • Target

      $PLUGINSDIR/KmdUtil.exe

    • Size

      210KB

    • MD5

      3581f6d1470ca02b67fd618204b30d9e

    • SHA1

      1cc2c14eadf5f653df6372072e7eed45c3742c81

    • SHA256

      1d72e61808f8f5ad2bf23bc7f11513eebd1b757f1ec201d1bfe0d3b168f1d5bb

    • SHA512

      edf417db125aa6d508954c163484663f7281fa576354effe5edec6b75df7a514f47f5b94fdd38b900b4b379a6d9e22661214bf4d6e16324f9e3052dac53be414

    • SSDEEP

      3072:Y7MG3w21H+HhCrn9l0rYihWzPQOgcL+gxXgg0TiPKLPwSvOnM:4dqCrnj0rYfzlpLUPwSmnM

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Fantom

      Ransomware which hides encryption process behind fake Windows Update screen.

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (559) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • mimikatz is an open source tool to dump credentials on Windows

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Target

      $PLUGINSDIR/LangDLL.dll

    • Size

      5KB

    • MD5

      4cdaaf5da900a8eaed090cd22b8f8781

    • SHA1

      6c7d9cfd96e66d236b66b8d50d65083a0dbb1b11

    • SHA256

      09477d605677bea48019b896f068ce6c2e89004e5c5f0a86c0276db30c6515a6

    • SHA512

      3797d59aeb908dcd66c63eca76cb2064416d3b66033dc687bc7a9c50e2979c42ac94773f54bc8ec45a9cd69c8056b83a2bca6efcd703f71a4b5f67e166f1e06d

    • SSDEEP

      48:iV6HAvq8WeMPUptuM4Z+0x/ImnycNSCwVYOY4vnpXTHhHX/JvR0J/of5d2:2yplJ5ZbnycNSCwVYTwFB3ZR0Qd2

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

    • Sets desktop wallpaper using registry

    • Target

      $PLUGINSDIR/SbieDll.dll

    • Size

      903KB

    • MD5

      e2ff7ff41be41ea79e0f502461577161

    • SHA1

      8dcbd20c9235bb2366d73d6c2d6f40cf63441997

    • SHA256

      cd5d0d000ba4fa7149ef10ce218e52d37250581a32a337db06bfc47c49a9b90e

    • SHA512

      d1487b9bbad667aeb7389d9f35707dd4d8988d9d0fecee30e73bfe2b5e607c30bb0dae77c021243ec18b2ecda7aa9ce5c865a02907caedcd164ce5b9f9682371

    • SSDEEP

      12288:JAWt2/ntVEZLHk8YLnUANNDO/5NrOJFct1V/yi0cW9u:2Wt2/tVEZA8WNO5JOJF81dd0cW9u

    Score
    1/10
    • Target

      $PLUGINSDIR/SbieMsg.dll

    • Size

      3.1MB

    • MD5

      63bde85df787585f487821ad8b9d1de2

    • SHA1

      99fcd7ccd5da5d8a48acf4cb1cc52181478796f2

    • SHA256

      4085a022d44870f2ddd420268eb557129f93ab876fe283e1a0cef1cb96340d7a

    • SHA512

      03d810131f35deb5651a2c5eaeb2b110a2abca50b2095b48cec6829b20430b315560be28466c473c9f2905ea70a1f2dd1bfbf495b692075708d110a71d240e4d

    • SSDEEP

      12288:fV5RMirS8WYUv5wOeniSsI2fT61y5RXvPtuVDOxApT2k0PCps:NBxOengIc61y5RXvPkVDM1

    Score
    1/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      10KB

    • MD5

      0ff5120f1afd0f295c2baa0f7192d3f8

    • SHA1

      bde842d5d11005dcb4ff1d4ea97da31865477697

    • SHA256

      4ca5bf1beb4b802914c4d3e2f37861f6ba5ecf969cfeadf5855edf58f647a721

    • SHA512

      e049ffd7aace8d136eee007ee4f8dbc2ae8f3dce79d1c633d9654392240f8215787df8a6d08085257db51f28ff2a8023a13333dda3ea7f9bdc8b9c57b605f0a0

    • SSDEEP

      192:Xv+cJZE61KRWJQO6tFiUdK7ckD4k7l1XRBm0w+NiHi1nSJ:Xf6rtFRdbQ1W+fn8

    Score
    3/10
    • Target

      32/SbieDll.dll

    • Size

      719KB

    • MD5

      a46189cbfcbdea07870e9c2c7bf33837

    • SHA1

      27ad4ee0d9f4ec3a781064df6e6ce50f55eef2ab

    • SHA256

      cb1b68f4e3f7db4b566e1bff0857fc6c4a316457a1bdd96d1e51050493c98017

    • SHA512

      b0676dcbc9f8bc5c4ff09594b42c89e5e893f31baf6a5b9d1498b258b5333abb91a4de4efb9076e07e9fa8885dd81d16b3b33f062f9671847e8ac5f6756079e1

    • SSDEEP

      12288:YJMUeKgZKTmJUm8LmPodt/UNpJ2ViPyDGHxLxuTaWx6t:UMUevKSJ8Lso//8J2VsCGH16aWst

    Score
    3/10
    • Target

      32/SbieSvc.exe

    • Size

      312KB

    • MD5

      b07ffe2f0e2134614572ed9a2f406233

    • SHA1

      bfaa5bb3f677dfe39ccfb17d44a7c5192a545dd3

    • SHA256

      7d65b996629d0137bdb2c173afb14b85f8a9cd9caa8912bd3727b0ac48192262

    • SHA512

      69d8af6e6ffb2720ece1da6802d03e64ab66f0910e76a10fc93366d30c9857de63dd0f950117bd413c6620f9f684e466292c84fbc8f7cee28523b308457790b8

    • SSDEEP

      6144:UUP8mY++yejbcaSNdWmLD4+7GWOXwaHQ81tokwWj5mTqce1oOsoalJ:RYryejc6mLD42swchtoGaLe6oan

    Score
    3/10
    • Target

      KmdUtil.exe

    • Size

      210KB

    • MD5

      3581f6d1470ca02b67fd618204b30d9e

    • SHA1

      1cc2c14eadf5f653df6372072e7eed45c3742c81

    • SHA256

      1d72e61808f8f5ad2bf23bc7f11513eebd1b757f1ec201d1bfe0d3b168f1d5bb

    • SHA512

      edf417db125aa6d508954c163484663f7281fa576354effe5edec6b75df7a514f47f5b94fdd38b900b4b379a6d9e22661214bf4d6e16324f9e3052dac53be414

    • SSDEEP

      3072:Y7MG3w21H+HhCrn9l0rYihWzPQOgcL+gxXgg0TiPKLPwSvOnM:4dqCrnj0rYfzlpLUPwSmnM

    Score
    1/10
    • Target

      SandboxieBITS.exe

    • Size

      116KB

    • MD5

      b7dc047dd40e5d01a390d61a2877c404

    • SHA1

      c354cab3bbf2e19aea868f8210c85dde0babf0ab

    • SHA256

      fca5047eb1e80dcac1579474026af99f2acb04f2831a8a34c3540d51b08d3560

    • SHA512

      36406a4351b9a6e15160d32a09318850c83262577db4896f9436351c29f781326e4b4644a83ef322a866b09a8b5ab8800460d683e9e1dd1bc1e8e0a1a13b6f80

    • SSDEEP

      3072:y7skahIsvyIEdAWqFg/o6oZMFWJrQF0cQI8:I6h16IEqW/oZMurhcd8

    Score
    1/10
    • Target

      SandboxieCrypto.exe

    • Size

      147KB

    • MD5

      012b180d49ab0cf66459c9fef050710c

    • SHA1

      6decfd13691070a0b796afc3e70a9b05027eb3fe

    • SHA256

      5c73a7638ef3631badd9531bb933863a70f9005f6c3dbc6612229a4a6e2b08fe

    • SHA512

      9090cb2cc3c0a92916af9a150f7334630947079ea15b36e4fa54a868cee0a8a3eb3051d3b2996b09d0b69c035b1d122e36ce2fa58c9d8369d9e4659235d9ce2e

    • SSDEEP

      3072:aOMuCWBSJWOJ6wosiOjNiXfoZf+lD1WaiWVq:/HcJWOJ3QOjIXfuFyq

    Score
    1/10
    • Target

      SandboxieDcomLaunch.exe

    • Size

      149KB

    • MD5

      04e2eb557706d98a16f3567c246ffde7

    • SHA1

      c9880684220dfc5b6066d382f95ba3d94f2d0a52

    • SHA256

      76125e38e18c2042f7fcdea09ac9559ec1e1c1612983d0060c584a6699274347

    • SHA512

      9258d3dcf8ad267ed5e6180dad3f9c4ffbea6dd1bac130c272c84bead7b7474aebaa624cf08c1bb31d92b7762b9a6dc700e46a729e9e1b277a88456e9686b7e7

    • SSDEEP

      3072:Xg9E6ACHaMH61pFtZYwYn92LB06ZerK7zV:QVAmaMHMZunQEEzV

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Target

      SandboxieRpcSs.exe

    • Size

      164KB

    • MD5

      41bf5c88be029daa495d237b53e49a67

    • SHA1

      c6923a68a8326337d0589e70422972c9c7249fe2

    • SHA256

      36f812862999730f1eab5b2b7223cca2b5d19801746343c1ff60b879929faa20

    • SHA512

      004b8558602eff8a46913b6d1dbc5d2d914af52d8532a8b638d527690bc24491ab1a30ca2b9cebdf4c078c974f18c148952b87480b585c517e3486c5859cb6fa

    • SSDEEP

      3072:1KFcwTQ3Y89Ezfr4g++6D1nkyrVpJug67LbcpqC/r1:IF+srr4g++Gk0VWL2q41

    Score
    1/10
    • Target

      SandboxieWUAU.exe

    • Size

      119KB

    • MD5

      768c4270911ca424e48843b135295f70

    • SHA1

      5fc673b48936ac5c46f8e63a19765f4e0f1c8b9e

    • SHA256

      db97d2dd7e3d33b189971553500191161577ba1ebd02f634aa2d5335ce029428

    • SHA512

      3634095425589c2f729429e0d121903f9d1a90c6470ff5b273cf709addb37a361bd8f088a65ca340e26c51626c20da3183c10b73e71605564d4c5adfde3e816d

    • SSDEEP

      3072:QYfTLB26sk5Yy8mQVf7ToyUZWYnnydlpR8DPn:vfx26sk5XQVDThDDben

    Score
    1/10
    • Target

      SbieCtrl.exe

    • Size

      3.2MB

    • MD5

      8d678d2d08fc83abda7064903c0cb0dd

    • SHA1

      3244f38b720fd95ff3dced0db4a77da25cb7a098

    • SHA256

      c3da60381751b387a09f7ffc045379783e5d9975ad3e2521aa893f1bb7b02e53

    • SHA512

      b76b6e74f82280e823af2498d3acd7d70f701cc16ce35c0fd8c0b5a97804c0fc4359876a5726ab8bc0c0ff69664e633fbd867a575f12d9cb170c7b12121c73fa

    • SSDEEP

      49152:IV5dT9dkI2f7IwfOFOUhpxTNnpL2xtIQYkPjGObfvES3xoRZAamMPtKLUIH27CYG:IJfWxtIRWfvEqoiMPALUIWWYijZ

    Score
    1/10
    • Target

      SbieDll.dll

    • Size

      903KB

    • MD5

      e2ff7ff41be41ea79e0f502461577161

    • SHA1

      8dcbd20c9235bb2366d73d6c2d6f40cf63441997

    • SHA256

      cd5d0d000ba4fa7149ef10ce218e52d37250581a32a337db06bfc47c49a9b90e

    • SHA512

      d1487b9bbad667aeb7389d9f35707dd4d8988d9d0fecee30e73bfe2b5e607c30bb0dae77c021243ec18b2ecda7aa9ce5c865a02907caedcd164ce5b9f9682371

    • SSDEEP

      12288:JAWt2/ntVEZLHk8YLnUANNDO/5NrOJFct1V/yi0cW9u:2Wt2/tVEZA8WNO5JOJF81dd0cW9u

    Score
    1/10
    • Target

      SbieDrv.sys

    • Size

      244KB

    • MD5

      5f0cd51a356a4e45e490d12fd281d82d

    • SHA1

      7af10fe83f4500a71713d4a1480d7f71248a09fb

    • SHA256

      c1eaabe9d29ddf49d8ed00ffb0e9232cbeb0d9a429daba9e3a51b8aab2cb63ea

    • SHA512

      e5281311e1a458314376a4455a34d5585c531c643670545a13c0fcf491a58f89e61398d7bdac27d33a635f2443a9681741758305569c3340ceb8818c337e21c5

    • SSDEEP

      3072:utVHZ2eQfIGGUgLh2WKk+cV0AqQHfANOD8FyDrCMPEFLcYKY77yOLqn8Y:kVHZ2eQOUg12/7cV//ANOD8GfPEFLjXK

    Score
    1/10
    • Target

      SbieIni.exe

    • Size

      150KB

    • MD5

      512489798a99f8c6ff71dda28a961581

    • SHA1

      911cec4ee5475704a430052dd403bb08c3d7ad51

    • SHA256

      cb524875f4d7d5e8b01af193c18b87084eb4509ccdc13f93eb3223144a6a882b

    • SHA512

      815ffff762fb9f83b3bca0eebf467e6d0f6f9f5f403e01d7706542535c4e056cd057c139312e42954052df00b243d3cd013b2f69ee816110c65f8abee32993ed

    • SSDEEP

      3072:qzmWO/hqJAH+/TZf+2bh8m+JDVHQl+BS7Teojl3hbRLEkT:qiWHJAeVf9yLHYKoZRRVT

    Score
    1/10
    • Target

      SbieMsg.dll

    • Size

      3.1MB

    • MD5

      63bde85df787585f487821ad8b9d1de2

    • SHA1

      99fcd7ccd5da5d8a48acf4cb1cc52181478796f2

    • SHA256

      4085a022d44870f2ddd420268eb557129f93ab876fe283e1a0cef1cb96340d7a

    • SHA512

      03d810131f35deb5651a2c5eaeb2b110a2abca50b2095b48cec6829b20430b315560be28466c473c9f2905ea70a1f2dd1bfbf495b692075708d110a71d240e4d

    • SSDEEP

      12288:fV5RMirS8WYUv5wOeniSsI2fT61y5RXvPtuVDOxApT2k0PCps:NBxOengIc61y5RXvPkVDM1

    Score
    1/10
    • Target

      SbieSvc.exe

    • Size

      404KB

    • MD5

      ad92d85b2805d37bb4519262748ecb10

    • SHA1

      9b879484a13349b45f0e7e989653b3e1ee0e5a57

    • SHA256

      2ced712381fb90de50b3cf596de7b469c62b5fd48c74d242ca942c788619cbf4

    • SHA512

      25da94d457059480bd9bd0f8bf3c82c4dd41922de85aaa5e5ce4a11289bc4451ce4b5d575f5a9de0a1a0b2fbc85d636316a33d425044cc8d8c7812de7c30a727

    • SSDEEP

      6144:tTz3+tpsdRHgObbs9xf+ORIRUJlUJMTs5jNQfGL8HzyhBBYoRabGb:x3+tqOObGAORIRUJ2JMA5jmrHgBBb

    Score
    1/10
    • Target

      SboxHostDll.dll

    • Size

      141KB

    • MD5

      a29ee7ba18258b227918751eef9b87e1

    • SHA1

      2d6ff583195d34d1bb79e21923fba76470023ed6

    • SHA256

      98d5ba8b92989f1f65b3abfe25c0012a4bf675958d2ad1b5edacb5bcc5dfa738

    • SHA512

      e601c52fefa3eff4eaa73f70b48e1b95b601f83fa55b2b6a466d1e2a1bb9466ba5b0145fc4469f62274eab927ad2e4f459d71e737e60efebe92e6eddcc20f45e

    • SSDEEP

      3072:rr6DJvMlCSYJ2DjPOrxwUxqDIQh2GmGHjQYKf1vos7Lcv7k:rCMlCSYJ2fmwUxoNQYMAZk

    Score
    1/10
    • Target

      Start.exe

    • Size

      329KB

    • MD5

      d902d34862a108481cfcfeb2c9bbe85c

    • SHA1

      46bed5b71c53f7aef90cbaf52342a0b8f03babef

    • SHA256

      eb200d9bb0480e5f601d9fc6ed237c17bd8c6f9908a881e52c25c86d76f1288f

    • SHA512

      d950bcdd9a8cc8b4311f64350b022111bcc691e0d45f366362e22b0156145b12c7f00adf6c5569a6cb3b58e8661e8646a6da906338d3095559cdcbe279289e57

    • SSDEEP

      6144:Q92u6tIpsIxUzk8bb2zxstSlOXyQYCV8RstX:Q92u6+psIxekJnOXyQLV8e

    Score
    1/10
    • Target

      UpdUtil.exe

    • Size

      176KB

    • MD5

      86e73288b35b3e7d0eecc24da40688cb

    • SHA1

      ba9351e0609512e8f5c241ba825cafe0b097a34d

    • SHA256

      4bd8f6a3be85eaa48f834ac0709b42b6d42cce6f782dfba21003250c252b4e60

    • SHA512

      5ed510d81d3f91d4cda6e372a67690a4aedc5cfc359e5078ef7095ac15577d97e1845b2d8fbe7084272e1e60974887bd45168c5a55bf5e83ee09f67844ac529d

    • SSDEEP

      3072:ovOfAOS07g7exWKAn6BD9WUjYAC4ZMHmE9Fb1HTWKOtmVhd3c:kOG7qD9WU8AC4Zwd1zYMrc

    Score
    1/10
    • Target

      whatsnew.html

    • Size

      65KB

    • MD5

      1e22ef93595ee8ae48628143940639b5

    • SHA1

      0877bc5998746c6699c726cf74a2b43d4eba0f46

    • SHA256

      52d602a2f601447f002ac12d5f2160d68e9fb0480d608b6df352c1ad91973825

    • SHA512

      18940994cc9bda12147bec0a1b5d1e7cb5c5fde73468a5b056bab574db1b7e3786d5d9ddbfae9fdb7d66ca9b82ecd73514f10e8efb2079ce7722e6823a4a1895

    • SSDEEP

      1536:q+7nxsj07A4n0czlBpNyCxC/ooBe71ZL/qcrp+7PrNMg:1nxso7Ln0cRNyCEE77qc0

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

defense_evasion, discovery
Score
8/10

behavioral2

defense_evasion, discovery, evasion, persistence, privilege_escalation, upx
Score
8/10

behavioral3

dharma, fantom, mimikatz, bootkit, credential_access, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, spyware, stealer
Score
10/10

behavioral4

defense_evasion, discovery, evasion, persistence, ransomware
Score
8/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

defense_evasion, discovery
Score
8/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

discovery
Score
3/10