General
-
Target
Desktop.rar
-
Size
8.2MB
-
Sample
241120-ajv84swkgs
-
MD5
711d6b60aea58d7197caeb75f51ce0e7
-
SHA1
9eba8bbcdc49ee3df32b232d32973e5a95d91426
-
SHA256
b8c1f3abe165e1bab5616f0b739f1cb53c642c40ffc92f9f26aec1a73eaf0de2
-
SHA512
6e73ffd540e9fddcf92fc119f71c38b02f650bdd9cb04fe425693d2f1746c0518413173d27baa439c253841e76c0ebea3ca928fc99ec1a403b7f59126ff6ca6c
-
SSDEEP
196608:gJ+x3EIGv3a0E4CdR1QcihIB5bEFwYBCxTYAwX/RLer+Z7c:gJHdv3ncd41hIYiYBCr+Qag
Malware Config
Extracted
sodinokibi
28
1155
awaitspain.com
domilivefurniture.com
cotton-avenue.co.il
datatri.be
fanuli.com.au
kelsigordon.com
jlwilsonbooks.com
charlesfrancis.photos
fi-institutionalfunds.com
techybash.com
avis.mantova.it
natturestaurante.com.br
ciga-france.fr
mollymccarthydesign.com
crestgood.com
haus-landliebe.de
advesa.com
so-sage.fr
cap29010.it
line-x.co.uk
-
net
true
-
pid
28
-
prc
dbsnmp
sql
msaccess
xfssvccon
wordpa
firefox
outlook
powerpnt
synctime
infopath
sqbcoreservice
ocssd
tbirdconfig
mydesktopqos
mydesktopservice
encsvc
steam
visio
dbeng50
winword
mspub
oracle
thebat
isqlplussvc
excel
ocautoupds
thunderbird
agntsvc
onenote
ocomm
-
ransom_oneliner
All of your files are encrypted! Find {EXT}Wannadie.txt and follow instructions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
1155
-
svc
vss
sophos
memtas
backup
svc$
mepocs
sql
veeam
Extracted
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML
Extracted
C:\MSOCache\All Users\YOUR_FILES_ARE_ENCRYPTED.TXT
Extracted
C:\Users\Admin\AppData\Local\Temp\readme.hta
Extracted
C:\Program Files\How To Restore Files.txt
Extracted
C:\Users\8615eeb78wWannadie.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0E906A35CB2ABC1B
http://decryptor.top/0E906A35CB2ABC1B
Targets
-
-
Target
Tear
-
Size
261KB
-
MD5
7d80230df68ccba871815d68f016c282
-
SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6
-
SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
-
SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
-
SSDEEP
3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi
Score10/10-
Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
-
Fantom family
-
Renames multiple (3001) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory
-
-
-
Target
adochi
-
Size
4KB
-
MD5
9a984b955c2914344529ea1017406445
-
SHA1
7e3df631e6c83f369ee60be7619759b04a15a646
-
SHA256
a85426622aa9bd49bcf17d259c28964bcc50b5bccaff2ba50c0a67c734b3d048
-
SHA512
27ef0f563fa0d01061df7360d19499a21f305973288f10c2ea1f21ddbf7019014d717f5b35864687c349d0b25754c96bd98d273c907635b39a413d86946a526e
-
SSDEEP
96:Z1wT/W2VCC/Ho94yg+vHXASo+9JGHn33X3Hn33X3Hn33X3Hn33XDEQUm:6uvC/IRvHQSFaEt
Score7/10-
Deletes itself
-
-
-
Target
autoit
-
Size
755KB
-
MD5
8a94444f516ae796c6a9b95182b537de
-
SHA1
3f7dc2fb25ab8a493bb64a957df89a7ac45337fc
-
SHA256
fd37685a99f5016d6537ce588e39d16ad8079d5ea7194f6cd4a0adff1cfa81b4
-
SHA512
b50318f529726469e440e4d12e5a33c2a3afc3cbd30f7a899a168e18c95dafe152c34dfe8df6d44d2d1a1dd1380bced5e29eafe3a2ad85c281067c66761c0536
-
SSDEEP
12288:/hkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aIbd2IMxIfQdCli:FRmJkcoQricOIQxiZY1iaIpIxBb
Score10/10-
UAC bypass
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
-
-
Target
autoit2
-
Size
380KB
-
MD5
6177f9bde1fd578165974ceddcade3d9
-
SHA1
55998f23b74366042c4628c391e94d25c39523b0
-
SHA256
1cfb58fcaa04794556d5195a979839b3ef74533845e6f9becf4c547f6b60f29e
-
SHA512
aa9bb6cfa3d0c902c463c6e13540182820d1474223fa658a82d4fbafa8c06614d34406b9ca55fc11462d44d4309fad086e2779d36d93aacc8eda164204911f3c
-
SSDEEP
6144:Uzv+kSZBbdH19ex4T02J4fqz22tvymTiB62iKnWKKmDTcNwjreOwIrn8m/EBLKVB:UzcRD02J4Sq2vHGB67KWKKmDT8m/ExKH
Score10/10-
Modifies WinLogon for persistence
-
UAC bypass
-
Drops startup file
-
Checks whether UAC is enabled
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
autoit3
-
Size
380KB
-
MD5
d68dda9d50ec5f965948e8b2d9ad17b9
-
SHA1
e16d8603132c4763e4fa87bf806d491920548686
-
SHA256
28bf399a594b68b00aeede888e147f1602eede821ec9780418e739f31b3eded6
-
SHA512
092e6d9b8868b85f45732b43b98ab91b8ac8000e03601810e0b54abb84a45a80c3c020db219be358900d1ad6ceb76de329b0f6007cb2928b3d469e07a86c593d
-
SSDEEP
6144:Uzv+kSZBbdH19ex4T02J4fqz22tvymTiB62iKnWKKmDTcNwjreOwI6yGdMKxVusp:UzcRD02J4Sq2vHGB67KWKKmDkMKTuqRf
Score10/10-
Modifies WinLogon for persistence
-
UAC bypass
-
Drops startup file
-
Checks whether UAC is enabled
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
deviation
-
Size
224KB
-
MD5
9c5d6dca97dd4caf57cb3f82e03f795d
-
SHA1
c5c0ad6b16db6355a564e95398471608398e3076
-
SHA256
ee955b991c99a9016da0b39bc1c0e78a66990573501513ea9d287ebbe577084e
-
SHA512
5d1b0807954231f5868c0a612704904653921953708192cc99126f0de0dfeb163aff5cf5cb511a6f6cc6d50620284799c17d8dd26f761e74b04e8d58bdcea8a3
-
SSDEEP
1536:IWFmDx9+Uxtwt7HELWUkH7QXPuc0rsOB4Nx3be3/B1zC+IInU4FxOxM:SRtwZkLWc2cJOu3biBBZIiGxM
Score8/10-
Disables Task Manager via registry modification
-
Suspicious use of SetThreadContext
-
-
-
Target
encoder
-
Size
10KB
-
MD5
f1927e7f90416bf39fc7991bbc57e1b3
-
SHA1
2367249568ca4a34f8824a9313b03d16d1d7c0bc
-
SHA256
539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505
-
SHA512
a0ac1811c8944165ba1939e40fe965bba3f7473819cb6f5d1cd4b4e7c203685baec055a6c73359dd1b3ddc79cb05b42d8c7541c29ea466120233423c5a5fcc60
-
SSDEEP
192:yrj2/2OzcYKNEmkmTjtiIKZIF/2oQlLkMBBm4C:j/2OzcJNEmkmTjkI/92oQjBU7
Score10/10-
UAC bypass
-
Clears Windows event logs
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (9725) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
-
-
Target
encoder2
-
Size
328KB
-
MD5
3ef478a7c898e91f09385da44555d986
-
SHA1
07c1f289891b59892ae45253ffdc969f11267ac5
-
SHA256
1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4
-
SHA512
e67b411fbc1a05a6482b03d8320fad0bd08836c5fa651b435473ee3233bb62240c1ffaab1ede7f58fee9eee70f4e313a230411a143495e2d30826546148cd4d1
-
SSDEEP
3072:uhl75wtMO7RTbcA6Ao7A75PeunlG7m//5/vZ/5TVk5ixJNe4yg6bMtJWPhyhMvcc:E5sRXcTAmEFRJ/525caYzfpCHFc8j
Score9/10-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (7777) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
encoder3
-
Size
164KB
-
MD5
7518ecf9cd7d3f204de349103bd95c54
-
SHA1
417df7e036285c9409affa1e9bef8634d8994869
-
SHA256
14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632
-
SHA512
71a181e597a5d9eae8ccd22683b650039f2506ba502b44a2da4f786e8884a1538603df9ab57d19c78d9777cb8f643ec78439346c32611776984acc569dbaba32
-
SSDEEP
3072:FHixaVZFiOCDJtOicNDWEzZQjnS2C/vbgnB:FHigLF5CCj5zZQDV0bq
Score10/10-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Sodinokibi family
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
-
-
Target
encoder4
-
Size
5.3MB
-
MD5
4c2fdadb29f624ff540c0e2790b60987
-
SHA1
e4b95dd05aa80f8380554590359ba63036c76e69
-
SHA256
b3dc1bb1c72c6bda1a7508147b2c92021aa18eb99d419db7e8245f32979cd01b
-
SHA512
03a26f8769f46ca5b8bdc9fb44b8ed4a56dfab21a8948516a2fabdbbde7f9c73f708c11c1540ce8c2e0ff47ab539e0780b202c249fe3ebd5423ae31e922294b3
-
SSDEEP
98304:z4ARSOULuXDTLjEGxGUiibSpRZxP4BPXWtqZLr8U+GzNQ12Pe7Xw1:z4NOUL+PECGUiUS1xgJge7xwa
Score5/10-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
encoder5
-
Size
62KB
-
MD5
1a6820fec1c45cd9c928533090e7908d
-
SHA1
9df9d1e4579a0f759db01951ff616019c6c9196e
-
SHA256
a89591555b9acb65353c2b854e582bc41db2fbc0eda2210b89a877d1862084df
-
SHA512
c6eed68a0fbdb05bf504676e1c0816660f856ae768b7340678b9d84d909fce267066b2e314148521563309c466fdec7d74f00d1addb1a14abe15163d2203a81a
-
SSDEEP
768:hK3mGmDuuNXM1KPptWOahoICS4AIA4DZqB87pdMFtb8cmY11f3qrVBUoxygse3l:hK3UDugp88ICS4AR4tA8lCFtb8If6
Score10/10-
Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
-
Seon family
-
Renames multiple (244) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
erebus
-
Size
1.2MB
-
MD5
0ced87772881b63caf95f1d828ba40c5
-
SHA1
6e5fca51a018272d1b1003b16dce6ee9e836908c
-
SHA256
ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791
-
SHA512
65f3a52930dd560cf27a9a6e7386ae1bba22d663a1112b44fa1db043bd0b980f7dcb1d5fe21b873bb93db69c5c4d0b3c7dcf13ea110836970454b56dc16e57bb
-
SSDEEP
24576:DxIWmj1GwuqWt6GoXrxv7EJoD7p1YQzA+GdctrOvpk5P4TB5tP9P6F:Dnqqo5PzA+Gda4TB5tFP6F
Score9/10-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
-
-
Target
myxaha
-
Size
425KB
-
MD5
c44b71932e47cd323f03f3e6949cc9fd
-
SHA1
f011c627961fea886483001c1766aefec6fbd1a9
-
SHA256
be139b39ce0de52d7d486d25eada2bf18c24afb8ca111f62a1f0762bfc642ea9
-
SHA512
682e572eb2cfcea4642f8ac4409c57472ab171e3e5d49b552893c6c2851270a08efb5496a047de36f844ac67f25b6b02b1780ad9defda75a6b425880eadbf281
-
SSDEEP
12288:hVL+LDunkSvLR83sBPNLfe2Q5NO1cPOLfel8ozmiTh53:hNnkSKsF6i1eJfj3
Score7/10-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
$LOCALAPPDATA/ConduitInstaller.exe
-
Size
275KB
-
MD5
ddd4f06b739a5cac8e93ee0e5c2d654d
-
SHA1
cdb4be6861695a82e23c06fc9ae83ef595335673
-
SHA256
19e303979fd9708c965026b88a15bd2366e0d3ac162938466f90ee3d6e091f78
-
SHA512
ca61cf6c220da2578dfdc565088bf84b91d2f1b46d9ca051e4a2ff5e1d4fa3d79860c00e2c522ddcbaed52516083741eaf90f62a328bd8a75ca1097103595290
-
SSDEEP
6144:gXRuR5lmIMLPkuWCgXmyaun3sBPV8aspReyM8oyasBPV8aspReyM8oyQg:WslmhLR63sBPOLfef8onsBPOLfef8odg
Score7/10-
Loads dropped DLL
-
-
-
Target
$PLUGINSDIR/LangDLL.dll
-
Size
5KB
-
MD5
9384f4007c492d4fa040924f31c00166
-
SHA1
aba37faef30d7c445584c688a0b5638f5db31c7b
-
SHA256
60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
-
SHA512
68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf
-
SSDEEP
48:iV6pAvmNC6iMPUptxEZK65x/AmvycNSmwVsOYJyvrpXptp/JvR0Jlof5d2:2811GED5ZTvycNSmwVsTJuftpZR0Sd2
Score3/10 -
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
c17103ae9072a06da581dec998343fc1
-
SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
-
SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
-
SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
SSDEEP
192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
Score3/10 -
-
-
Target
$PLUGINSDIR/inetc.dll
-
Size
24KB
-
MD5
1efbbf5a54eb145a1a422046fd8dfb2c
-
SHA1
ec4efd0a95bb72fd4cf47423647e33e5a3fddf26
-
SHA256
983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341
-
SHA512
7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb
-
SSDEEP
384:XErRo4TdlKCdUk6qz46qu2vPqUcnlSHmkuPJOiya4fF0Ac9khYLMkIX0+GvBgK3M:XiRoW7Kc5bBq1qNlSHmkuPJOJa4f4CD
Score3/10 -
-
-
Target
$PLUGINSDIR/md5dll.dll
-
Size
6KB
-
MD5
0745ff646f5af1f1cdd784c06f40fce9
-
SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f
-
SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70
-
SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da
-
SSDEEP
96:GL2PcvGn5olZMTZxEp8agTsflVwn4GogZcko5N1ub:U2Pxn5UZMTZipyaw4ZkKP2
Score7/10-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
$PLUGINSDIR/nsDialogs.dll
-
Size
9KB
-
MD5
c10e04dd4ad4277d5adc951bb331c777
-
SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
-
SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
-
SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e
-
SSDEEP
96:hBABCcnl5TKhkfLxSslykcxM2DjDf3GE+Xv8Xav+Yx4VndY7ndS27gA:h6n+0SAfRE+/8ZYxMdqn420
Score3/10 -
-
-
Target
$PLUGINSDIR/nsRandom.dll
-
Size
21KB
-
MD5
ab467b8dfaa660a0f0e5b26e28af5735
-
SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d
-
SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73
-
SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301
-
SSDEEP
384:LCHDPMs4GdtyO5roguusMxUXiO3wOw95euooP2UgKbd9BvNtf:LCHD6Gh87MKXil/5r2U3z
Score5/10-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
trucry
-
Size
527KB
-
MD5
548bbee5bde54f123e7f3704a3a9116a
-
SHA1
7236dc5821b1e9fcde0a227de57f928af5f7edb5
-
SHA256
623fdfb190b9cd0a1d8729842efd1edf41aec13dda70e447a69b7f94921a0f88
-
SHA512
bf113c90707d38fcbb6ecd0b33cbb564d0c15c37970e293ce2d1f7b8541fb823b3380e02a8c5c5064ee830ef35c9f228f9cd705e22f7651c5ad73b4b5ac3ecca
-
SSDEEP
6144:l1n1kY7ejab1KDnn5mumMrkPtbFenNP3Fhwg9S1G:r13bKbmMrkyPVhTS1
Score10/10-
UAC bypass
-
Renames multiple (67) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
-
-
Target
wlock
-
Size
1.0MB
-
MD5
b8d5798d8fe8791ae0dba1aea0985789
-
SHA1
c4524946a3b49a9de4fdfd5165ee50dfb7638a15
-
SHA256
bf0744eb4010ecb60f54852eb670f72345e19d5182c2fc7078bf899e6084a20a
-
SHA512
3fc86a259a4de82e890b006135a9aec59e2a83cf31d48f73f77c697e2e530e4cae4d23cdd83e4ac0619c2ff7c626b83a4bf176d38399c49255fe97fb91005aaa
-
SSDEEP
12288:+gKYsl/Cu+c+ajxAgReHIyHyxnohI3S+bK50jCV3j/byr/0t+VPU1qDC2sSlWup4:NrIueSWyP
Score3/10 -
-
-
Target
wlock2
-
Size
229KB
-
MD5
6e7d32b6a66ba7d6b6dbfe0adc5a7eff
-
SHA1
394b5f38d3a5a1ce2d3d0f3b046898f1a5519543
-
SHA256
e4e452529a55436c7608482ef47687ef48ece4b068a989ae5f86ef6c59ff49fc
-
SHA512
648b4f95b02b7e2e5e0aba3439066ab766ff6c01e9fc2d3b05d44b4a8862d7c8a88d27a8572d7fe5e3a8471bb217cf9c7179bd7ab8bacfd4a3d42dcf1f4699c2
-
SSDEEP
6144:6NjkWhUh1S4A05cYNe/8xXWwK80i6F+eco+Sxaat:8jkS50G5cXg66F+eeSQ
Score8/10-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Power Settings
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
3Clear Windows Event Logs
1File Deletion
2Modify Registry
8Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1