Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe

  • Size

    127KB

  • MD5

    a202914a34dc528aa137bd394518d9b0

  • SHA1

    4724934b61687cb1abe96bab137c7b1d4476f271

  • SHA256

    f110528a354648070a7ef4cbc43046ca427adced8aad6c936bdc9e8932e01225

  • SHA512

    c18ece9e156c2020cc34e3aa77e00efaeda2cca2d5a99b0c0e6cf170b723a009dbaa775b14a7673ba076aefbb7aba1a0fec12e3db7d580c5b43841cb1659a8d6

  • SSDEEP

    3072:KFk6+tT5BzOgfGxUPY/4/4OXAkn0bioX13JDDJ8uD:QkTHygKUPg4/zQCADvJ8uD

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral1

• • Target

    2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe

  • Size

    132KB

  • MD5

    e3c267738f67276083b24d569757da8b

  • SHA1

    6d57305a13e7d811166e0daaf0cd7eac0772f726

  • SHA256

    51dbbfc5afb2b6e9f4ca37906d84b4f3807d7c79727c71d6ee5827a197644580

  • SHA512

    5579b33753fa100a83e8247339a45c49df1316f4c25c1ab9a161c61e543e2e51e94323ed705690bb1da8515565984e23030e924c217d55b57e975d794a7ea97e

  • SSDEEP

    3072:6FV9aY52irPvMIi+tOXAkn0bioX13JDDNq2HDbD:6BaYl4TQCADvVDb

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral2

• • Target

    2016-09-14-EITest-Rig-EK-payload-Bart-ransomware.exe

  • Size

    121KB

  • MD5

    6de7324c37519831cf586e3b2c786e53

  • SHA1

    abb423454abd2caa431634667903640037b6ee9b

  • SHA256

    45fcdd90b1268f6d5dd2a99a78c3df1a95b7809cbe13b68d9f164edd2264005e

  • SHA512

    6172a9b52749e89017c4ad2f685a4399e5d092e0517ef98dff6d071b61e5db7343ca5298d00c57b1fed2d5a7afc9b63d2be8cd89b83af0c09b3e6c950c227227

  • SSDEEP

    3072:3s+7qZCqeKW9cafSypBCaJDftXdCD66X:377qZCqeKW9cotpBfVVoDX

  Score

  10^/10

  discoveryevasionransomware

  • Modifies visibility of file extensions in Explorer

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Sets desktop wallpaper using registry

    ransomware
  behavioral3

• • Target

    2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe

  • Size

    77KB

  • MD5

    e736d07744f89f05460b1f12daeb8172

  • SHA1

    19fb70308f0d47947eb6d2d5b572e96539d345bb

  • SHA256

    ac50a0eeec0bddc53420d110cf8161fd17c53a4136992132b2fa5b0c09a84cce

  • SHA512

    e9c7c6112940eda234e3fce2579ccbc38552c18df01a7f2642174e097d80f35594245b3d3b425e88e47e40113042788ae802b0bcb548c641bb2f23d776c78316

  • SSDEEP

    1536:qbhPdYbPd5FX05V6Mu3DmQtxRS6oAZx0pcQb3iqt:i5UX05V6RiQ3E40pjt

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral4

• • Target

    2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe

  • Size

    96KB

  • MD5

    df80cbaadb754de14c97dc05995fdc4a

  • SHA1

    6f9369c9d2f174b4abd642d4fb43cff690f364df

  • SHA256

    43fbc1ee5c4ef4a5bfdbbd67407c4364e6cf205475250f97138f55db4c77002c

  • SHA512

    cccf010d4344bd574dea5a254800207b8603b1ff2dcae8d4b341c4368976544ebee9fc68632701be3ab41098ab0c6b64f2b61f27063a068777e3bc440bac01d7

  • SSDEEP

    1536:umsz2jF1PzSg1dPVHT4MVyU3NJZfA1111111bilpPXvlMq12Kpuyjg1kFa:hdPV8uyU3zJA1111111bilpPX6q2y8kc

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral5

• • Target

    2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe

  • Size

    84KB

  • MD5

    420b2f010edbc63a68b2cce2cdf1e5e9

  • SHA1

    4cf5072cfe0eb42d387713067e2706902c89b294

  • SHA256

    8f9a62a9e43ed55f0fa810737facc6460dc89c41f16f4d610debc8a35babe6b9

  • SHA512

    de85edb0217c3d1e615e81154831fe0f3f7c7514f843f253eecf38da09895558b4dc71c1e4141dd196bda7aa75d2c14c85658355a834f98238370df0bea46f35

  • SSDEEP

    1536:cYYxci1ZP39zud52ilpPXvlMq12Kpuyjg1kF3mI:+xFyd52ilpPX6q2y8kF3j

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral6

• • Target

    2016-09-27-Afraidgate-Rig-EK-payload-Locky-downloader.exe

  • Size

    46KB

  • MD5

    baf62438109b097fbcaacc66ae09734c

  • SHA1

    1548ce00fa365670a40ded8ffe6e001b52f8a77b

  • SHA256

    c8e567bcb80b60d315de1845f9faf89094d7ca33801b1662c8e8d8be11de6100

  • SHA512

    f3bc64725037049874bf812acefe10971b0225434b64d20dbc7c62eae214e3b79f8ae71645509f7d9da5139172b6001114adfd685a97abbc020c924b3e0ce999

  • SSDEEP

    768:veW02gal8GgXD04RRkVE4yH0j3jWP0sVU8W4QnL/TFZBO:zVgaGA4RRvpQ3jWPfVHW4Q9u

  Score

  7^/10

  defense_evasiondiscovery

  • Drops startup file

  • Drops desktop.ini file(s)

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  behavioral7

• • Target

    2016-09-28-EITest-Rig-EK-payload-CryptFile2-after-beyondrpoxy.com.exe

  • Size

    89KB

  • MD5

    a4e832a6634151516ef43c1374544c9d

  • SHA1

    b9956d73f1ac987dd7b84c6e55f5aa1bf4816b5c

  • SHA256

    eab7d92ea08e1028b010c8c4287fa5b6cbdcb598270853944dde3bfcd5beeb8b

  • SHA512

    d263bd0ee9491f331e8d8e8e0cf639299101f8a5b46e1e60123e53fa1f98e6bd53bd642741402d5fae2a9846aed73f0c5204dcf5a439eccb28dd5e11f5f160ba

  • SSDEEP

    1536:Tp4G6gKt7m4yZsC8PK9S0583LHz2H0qquMTwx/EZVj2X1KFuOCrr:VDTh9S0583LHz20qBZxA/Y

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral8

• • Target

    2016-09-28-EITest-Rig-EK-payload-CryptFile2-after-orfab.com.exe

  • Size

    89KB

  • MD5

    a4e832a6634151516ef43c1374544c9d

  • SHA1

    b9956d73f1ac987dd7b84c6e55f5aa1bf4816b5c

  • SHA256

    eab7d92ea08e1028b010c8c4287fa5b6cbdcb598270853944dde3bfcd5beeb8b

  • SHA512

    d263bd0ee9491f331e8d8e8e0cf639299101f8a5b46e1e60123e53fa1f98e6bd53bd642741402d5fae2a9846aed73f0c5204dcf5a439eccb28dd5e11f5f160ba

  • SSDEEP

    1536:Tp4G6gKt7m4yZsC8PK9S0583LHz2H0qquMTwx/EZVj2X1KFuOCrr:VDTh9S0583LHz20qBZxA/Y

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral9

• • Target

    2016-09-29-EITest-Rig-EK-payload-1st-run-CryptFile2.exe

  • Size

    87KB

  • MD5

    bf39f469e4af87274c2b97134fabdc93

  • SHA1

    bbc7b5877148271a572ef3899de7be51a7c1cd6a

  • SHA256

    269253135ed7108a0981a821dcbd41b5f3037e2f55bba790dba5955287344efd

  • SHA512

    e6c7adb007fd75701b0f832ff8e81649dc3e20ebece4d5e614b35a0ef5e50cd5c041ddf9ec36e128513c35947c23399103b1833d4ab349c0baa79d705a91f27e

  • SSDEEP

    1536:o04ryQiYjoJTPUA5tZUz7ubezM9XOzn0QEor9/tQS6XKRyp:d8A5t+7uyN70QEoJVMr

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral10

• • Target

    2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe

  • Size

    100KB

  • MD5

    a94f5fa05150bf568a3c2d719ace2c02

  • SHA1

    51bde3d8160a6e9eec4d0f445ef3b27076dddfbf

  • SHA256

    7a3f89664c70aa0f6614ef731e9eddb061394497daeaf0720b89fee47af2f242

  • SHA512

    6dee48b6d24f2a4361d03797af8aa6561ff6ae05f882b3f4d6034fde094b4bfa596f61b446258232e7657484d9ff00db6631eef527fffffe78651895c2bdeae6

  • SSDEEP

    1536:ueBhQ2N/dYPAvq4OMZdRpK8WKzAlEEv4fvQUiEEvA2DsBpRLInFhm4zX:VtHy4OSLpKpe8Dvgcv8pRQm4

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral11

• • Target

    2016-10-04-Afraidgate-Rig-EK-payload-Locky-downloader.exe

  • Size

    60KB

  • MD5

    43e4f8eb0a41c4f325cfc59bef8f3f99

  • SHA1

    0d8f19ab1184d3992197f607681d6681fd148d1b

  • SHA256

    179d1e27ac9a38b78cdc7c23bb3145f09fbaf7dc1fc975d5238e1f3f262dcc8e

  • SHA512

    72217c75ae9fdca28ad03837797712cae7cb18182c480d29cba31a8f68863ca10ad2e4d6cfe8fa9913595cc89ace353c52fe80a3547e5730fc85f7fc81768e34

  • SSDEEP

    768:qJW7/Ku2k5x9NhsLrEk/kTBcSYd5MI4EDmYzdP/5h9qQO9iTFeiXNPzw7Gb28IuB:qJqH5/GEXVHYT9yYZP/49iTIiXN8QDI

  Score

  7^/10

  defense_evasiondiscovery

  • Deletes itself

  • Drops startup file

  • Drops desktop.ini file(s)

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  behavioral12

• • Target

    2016-10-05-EITest-Rig-EK-payload-CryptFile2.exe

  • Size

    87KB

  • MD5

    329d083880ddb262e38a8db3c5a6c9c3

  • SHA1

    d580d080f717c3bc03bf487d38902f3ba8abbb46

  • SHA256

    1445d1d97f2700ab8335af641b50395522381fa1d06a12770987350fcca97c8a

  • SHA512

    433c1b54b7414aa58311fd8ed8c222fa91852e0a25fd2039c9ab9c2eb2f02a5d8c598508002618485f77ac636a150c1e64f649320d574d48f63e3dacdb058042

  • SSDEEP

    1536:etImPuQ5yf7aqkHNz8lnhF2ljUJlptcm5aqkHNz8lnhF2ljUJlptc:3m2cyf7aqkknhF2l0cm5aqkknhF2l0c

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral13

• • Target

    2016-10-06-EITest-Rig-EK-payload-second-run-CryptFile2.exe

  • Size

    76KB

  • MD5

    56895d0a3d6b6f9107448c4c94c8608e

  • SHA1

    cf0243d461f1b820df9861ea5930a02c211d8ef6

  • SHA256

    83f549e4db93384add65c4203bf80d1eb9b7b5272b9636e77532284d8b760928

  • SHA512

    d8893fb5b7ddf854f85a3196d2d2b9ea6807ea9c1937b7a7fcfae2261ba9eaab2d18b66646e93ffec21d64caccdba9e2b1f3fc4e0be006c837c3df8493ec4b49

  • SSDEEP

    1536:dPpMF9fS4PUP511AtDxD93D+e+xKiSUrJTsD:za4P511INpCe2LrJTs

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral14

• • Target

    2016-10-12-Afraidgate-Rig-EK-payload-locky-downloader.exe

  • Size

    56KB

  • MD5

    41abdbf5231e289254fef128caae15de

  • SHA1

    c0b5afadd6e3cfa96a1427b0aba104750f1efbbf

  • SHA256

    4048e0130ab78184e2c9b8415d6b02eb314bebd2624e430603649e01e9ce08ed

  • SHA512

    0eb418a6045945f04cf633ccd224bbdb07aead5030546e1529face12c943d6185ba7a1f8da1254769c1e1f6abf41e1f2f7871a490ed6f9d4f3dc46074af055a4

  • SSDEEP

    768:RFUPF9e2TGCi+3d6VTuq3zWTP3xO1eRUIbNidcsE28msGAQROmkQuKj:RFUOJGdCTujTP341eRjN1sEXmQQR8C

  Score

  7^/10

  defense_evasiondiscovery

  • Deletes itself

  • Drops startup file

  • Drops desktop.ini file(s)

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  behavioral15

• • Target

    2016-10-14-Afraidgate-Rig-EK-payload-Locky-downloader.exe

  • Size

    57KB

  • MD5

    ff2b71cea0e2093ad9cdb60f35d04e1c

  • SHA1

    5f92a6aea9ba315571f5c54211ed84b02aae4570

  • SHA256

    dd142090d4813db5243a151aca1fdf51c05e015691e4f3e2dd818adf6aba5b5b

  • SHA512

    4089c9e7c2af00ba474c7e20801e4b5ac07170251e7bac522768cb1cd9c77fef20a0bc772d3bbc4ac960f37789ac70eb073434c7a7a7478ebb88944238638c2f

  • SSDEEP

    768:q8Au2r+t2qr7AvvZ7THZBWJmEVlJtlCWAr2qMCUyexsTqUFQysG2m9rMLrF:MytRrcvvBPGVlJtlCrvq3pFm

  Score

  7^/10

  discovery

  • Drops startup file

  • Drops desktop.ini file(s)

  behavioral16

• • Target

    2016-10-18-EITest-Rig-EK-payload-CryptFile2.exe

  • Size

    74KB

  • MD5

    0457fd40e4b9eb689a83d5775235faaf

  • SHA1

    78a6e1d442e0a6ed613f1469a1cc0fa97dd29fd2

  • SHA256

    c9fa0be3995834ccc51ea05f02b948904d4a8ee027fc86febfd11eb2612f5cd4

  • SHA512

    ce447e50d879a58ca8ecbdb822fdaa8b06ec78966e70838ab8ab0cb651e98f0167645e1b546e1489394846d4a28a4356d3bd4065685945824463c75b00f21307

  • SSDEEP

    1536:AKiJyP/g4tdpOoV3fJLbau+CY/sxOVhKcB:X3woZ0uLYkx/c

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral17

• • Target

    2016-10-23-Afraidgate-Rig-EK-payload-Locky-downloader.exe

  • Size

    94KB

  • MD5

    94e93612ad6284d274394be088e811c9

  • SHA1

    6383b52c4f4b6e99c86d085a7d4cc41df44e743e

  • SHA256

    5d75cf1b675a216ee0ccf3bece9fda40a2d64dac40b34830e51f2952dc4855d1

  • SHA512

    c1aff0f69eda770c8f2015755f8aab97865a49eb2efe5d1b647cfdb2c98104e0b1dd195d2cb2129b6c5c06adf313bd494e11b6c44fa370d859e2ec8b31993f58

  • SSDEEP

    1536:75NyiCg3BV12x3fDI1EmSBmYK3wp53jnjfKP9bS9SgxkJNq9BnWwC2YUjO:7GiCgZ2xvseBmYCwjbzKP5USKkUWnU

  Score

  7^/10

  defense_evasiondiscovery

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Drops desktop.ini file(s)

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  behavioral18

• • Target

    2016-10-28-EITest-Rig-EK-payload-first-run-CryptFile2.exe

  • Size

    87KB

  • MD5

    28f486318ef8e9ec7f0017dde41acfcc

  • SHA1

    eb8035d5633fd044151c50a9acdfc51db93e88a1

  • SHA256

    730c76b5761c02c65956dbd4afb6b44a946c76f51b0f8e039a0076ff098bc9b5

  • SHA512

    22a3a575fd9f8facc97efb615aeae178237027878a59f154a1878a9562551f990906b9cb18a343bea9dafc42c1fe5f14656d27ab8494a407bfbf62862b654a59

  • SSDEEP

    1536:1mqfkQPtw8Ku5Ekkkkas+ocyNGlQ0lwp+N55JXXHhaXd:1mF05BSOG0znHhQ

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral19

• • Target

    2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe

  • Size

    90KB

  • MD5

    48237318fe0b0c7f472c31141903be8f

  • SHA1

    2e4bc11981a2058285d96454eb14ba335b1afe64

  • SHA256

    c9fa87bd0b0738e3fab364ddcdc11d0d81a74b20b6579d6b77fb72dd223480a2

  • SHA512

    fc3499d844a3c5745f11cb0284326a7421848ea2a2a05fda94b2a49e141abb9b24d1a07f66841182c44d7ad0364ecd4b43414db47e9f0d9d73b6340e3f236b80

  • SSDEEP

    1536:aS8aRYI4QOGvGP3+DP+B5y97JheTsAxp9n8+YFzqfeEcS/R:gjJQPs5yLhmsAEEcSZ

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral20

• • Target

    2016-11-08-3rd-run-EITest-Rig-EK-payload-CryptFile2.exe

  • Size

    87KB

  • MD5

    ab68413f9685bfac416520b220b4e49b

  • SHA1

    adf4e3925c2965be9487659ca606a86b61951093

  • SHA256

    64a7cf0a5c8c4eebd1e2d96c2877623183520afd0e467fc6932664f550597554

  • SHA512

    002367ee8785d25736240173f034ce240a601c2b53ed7a0af9be311c739ad887233e159cf1e8ffa5f9f6aed9e4e2e6139489b28e3468f9c556a04c1b1a64e84c

  • SSDEEP

    1536:VjnRGW/IqP2IHef6RkkkkCu2i6CrKbbWaDsPuHVPICaSaB:5nk5ceCcuuTHMEVP7aB

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral21

• • Target

    2016-11-09-1st-run-EITest-Rig-EK-payload-CryptFile2.exe

  • Size

    85KB

  • MD5

    dbfb3cab8256d5cf12ccec4a75ac7a32

  • SHA1

    58b9373549cc649ebfd7e7ff279065696bbd6bd5

  • SHA256

    9b7a93df69ec9521ca5e169e865bfb9905625cadf056f2d10d48014a22cb253c

  • SHA512

    06f76ea6fe93e612f5f8f60d71814aeb46040a6d39bb5c142d704801d8026ed51fcdfcf3ee7de454b45416df7f9799c2bb7047cad19bca0018a61beea777ae3f

  • SSDEEP

    1536:VOF/WBUPuy14N5waImZ+uI3bQkizzgA7PftyFq3p:wFCy1a5pb6bQWATtRZ

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral22

• • Target

    2016-11-15-2nd-run-Rig-standard-payload-CryptFile2.exe

  • Size

    76KB

  • MD5

    a5dfab7a679bb358f0650bff59a02cdc

  • SHA1

    f5051b79bbbce0ef9af3e47112e7d825c5fe0800

  • SHA256

    ab112b5cee5725be8ec1c6c3f13ac498da3b70bdf03162e0f1208c93338546f5

  • SHA512

    bc4aeb3b7a5d7f7386d3895336a66043f6a8ddfea4258b0d7922f7990ae7240f7f094a87319adc505bd3ca373adc6ce0ae10148a084f0a6033e14ad9ff71539d

  • SSDEEP

    1536:tXPGltIbHVH9PewYl5odRbmen9i3G1nEW1U:tH5Hal5oBYZcU

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral23

• • Target

    2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe

  • Size

    79KB

  • MD5

    eb2972b9ac8a5db042cbadce971f64de

  • SHA1

    40e03dde3562e379fa1be28f45eb36107c37c0de

  • SHA256

    4b447266bd7a130c5b27c9ec4bd68a9ebf731a4ce0300702f41b37da1d6384ef

  • SHA512

    10cdec84cd819270b57e37d730efe6fcd615adf744b54c0e9bf075fdf29067b4408748cb069750bb2067c1c569a1ff39c38f20f183a44c28e2c8e03d780e15ad

  • SSDEEP

    1536:sRu6a2/bEPH2dFzd5Bsnu7jjd405wfGtu76KvJ:sRvdFR5Bsnu7jjKcYQY6KvJ

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral24

• • Target

    2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe

  • Size

    81KB

  • MD5

    03efa23cb13898fdfda7821ea7dc5e10

  • SHA1

    e25e2f68f0c159378f133d0e161a980d7f148a91

  • SHA256

    f2dbf29985a759e73c6a515422e218e6b0a1a844a327917428a1f9a1248f2320

  • SHA512

    eb7afaac956b2781c4551cec46c97c4b9dee08b29844f9551ad8ff7fe766f48a9897288a3f8f514789f4f3dabc4d00ec2284c5602b4b253ca7cfc8ac393280c5

  • SSDEEP

    1536:WqcJ/2POlymkGECwdqnUzyQon3f+RltHWSqTWfY:WPynRDcnUzyfn3WRltH7XfY

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral25

• • Target

    2017-03-15-EITest-Rig-EK-payload-Revenge-ransomware-5uhcwesi.exe

  • Size

    113KB

  • MD5

    3bceadd4c2c546aba24e24307f1defcd

  • SHA1

    81e4110a72821a1b1f01a3f3a8bf89188af40067

  • SHA256

    8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c

  • SHA512

    fbe80ee6902b76a533e8662e580cf887e7a6735752731a53a6189d7b8c1e1c7c881d817a137c3553ab1b6f40c673887d83460d35d01ad0ace18a89c7f5bea525

  • SSDEEP

    1536:eEzTqjcZdskFrWcN9JsWjcdZB+TMKVu0CcqDuvn+FsN7S1bdQlBrr2DYLN:bzocZGgrh92ZYTMKEHD0nj21bd01N

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactpersistenceransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral26

• • Target

    2017-04-07-1st-run-EITest-HoeflerText-payload-Spora-ransomware.exe

  • Size

    77KB

  • MD5

    1b96a20d2b8a062f538eb40aef3e8ec8

  • SHA1

    3ba495326b2a6e59e91814a8f5e713a5fa327ee7

  • SHA256

    1809aa1e4d1ed14722417ee284cea229fac1c09b8c14434f7e1b2ea8547c5aeb

  • SHA512

    81560a82fc2a0df21274adfcd126193b939f3323e29498b109a698f1a3626e860cc323e36385ab3db43b8760d822acfe098e1dde62cbfc71def26e5e1379bb71

  • SSDEEP

    1536:5JJIPV0EfELXWcEJXYMxJ06pifrpE/Aw1w:53IZhVphpif611w

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactransomwarespywarestealer

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  behavioral27

• • Target

    2017-04-07-2nd-run-EITest-HoeflerText-payload-Spora-ransomware.exe

  • Size

    64KB

  • MD5

    366aad320bb8a36a88491ad1d164cf09

  • SHA1

    32e3c8c00cb87db06f8e65b2fbc7f04e08a14105

  • SHA256

    fc950f34ce2005659e7b76fed9a740511688e83f84d9d7d225c0e632750518eb

  • SHA512

    921b4d02d2944ea159d2d4623c5b3233bbbf574278e6f8f8f4b023c9b853c6d002f642beb78e316d643df3ab9043b0973cacb5a18a1776ba52d18fabaeff16d7

  • SSDEEP

    768:jykKUSkyDjBSNBvSMIhK7VHQLvGdwFtg2dY6edSYQrq3RWD3Ghc5tTZ92th5Tk9x:SJEN8I5zGXgF6eIdq3Yym5l+tnP

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactransomwarespywarestealer

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  behavioral28

• • Target

    2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exe

  • Size

    77KB

  • MD5

    9448fc34ecb9f95825442ae14c39fda6

  • SHA1

    7dd4a2005211ddc5e001cc8ecd857929797a08f9

  • SHA256

    a1566b0b4783b58fefb512872ed01310fe5c9c3a64303f547739787be68a45da

  • SHA512

    b33e2eafb9f3b75a151312c0fbceb6c88e3c851624b0847b8229ffaf375dbe29a6f88ee0a0f3003344007751301c095ce4558dec0afa9bfe471a0f012aa84203

  • SSDEEP

    1536:RdloGy9Cy3QuQv8VtYOxJ06pifrpE/Aw1f:R/oGYQ/kVphpif611f

  Score

  10^/10

  defense_evasiondiscoveryexecutionimpactransomwarespywarestealer

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  behavioral29

• • Target

    2018-01-28-Seamless-campaign-Rig-EK-payload-GandCrab-ransomware.exe

  • Size

    145KB

  • MD5

    8141ae1b905d61f4e0d3534052e45364

  • SHA1

    a9d17cd249f4f882d1e2128d7f25bd13b20d9da2

  • SHA256

    0e47b58d99eaf5ca77f7c1b4e03e779992c7e9bf7860ec5e6cd817b4d9199b63

  • SHA512

    cb980feeab2c4e8ccb28c0b0cefe827574fe0e7a2f7390dbb36aac78dd0f9c7501b8e4d78393f58c8edec3c88928a4b068992ebc6449b7739c2a0e8188aa30fa

  • SSDEEP

    3072:PVWq+fziq1cEhIv/7M7BC/FTqdVY77C37R:Pn+fziq1VIv

  Score

  10^/10

  gandcrabbackdoordiscoveryransomware

  • GandCrab payload

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

    ransomwarebackdoorgandcrab

  • Gandcrab family

    gandcrab

  • Unexpected DNS network traffic destination

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral30