Extracted

• • Target

    RNSM00386.7z

  • Size

    8.4MB

  • MD5

    a31afb786fd93be121f890a82bebdc9c

  • SHA1

    8528f8f9141eda1a4940172f0adef6e9c05ffba7

  • SHA256

    3de5223ca74c4b449c7d4da7e586077e014ee421689f37e2e96505800ccd9f73

  • SHA512

    5a117fc7c3418c3090ef80582bf10bf097289949688503152bef07f3b5e2adb730d1aa2c51a3e862f44842bc6c7a5b9234b4846fe413332b33532975b589e267

  • SSDEEP

    196608:f+FZZP/1r1bGN0JNhKex/2wUwTdNHI05qp3Q2cl:qZZHd1gMNUg2wJboOq1C

  Score

  10^/10

  azorultjigsawtroldeshcredential_accessdefense_evasiondiscoveryevasioninfostealerpersistenceprivilege_escalationransomwarespywarestealertrojanupx

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult

  • Azorult family

    azorult

  • Jigsaw Ransomware

    Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

    ransomwarejigsaw

  • Jigsaw family

    jigsaw

  • Troldesh family

    troldesh

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Renames multiple (109) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Modifies Windows Firewall

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Drops startup file

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Impair Defenses: Safe Mode Boot

    defense_evasion

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Legitimate hosting services abused for malware hosting/C2

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Drops autorun.inf file

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1