Overview
overview
10Static
static
6AES-NI.exe
windows10-2004-x64
10Abrechnung.exe
windows10-2004-x64
8Box (2).exe
windows10-2004-x64
3Box.exe
windows10-2004-x64
3a66dde2298...43.exe
windows10-2004-x64
9a7768f4973...e0.exe
windows10-2004-x64
10aa7ff3bc28...1e.exe
windows10-2004-x64
7aace43af8d...99.exe
windows10-2004-x64
8ad3cc219a8...ws.dll
windows10-2004-x64
10aee03626b8...b1.exe
windows10-2004-x64
6afd3b729cf...2e.exe
windows10-2004-x64
10b56c4569d6...ss.exe
windows10-2004-x64
30.84762379...67.exe
windows10-2004-x64
3zsgblrbrum...ke.exe
windows10-2004-x64
3b7d9f11c16...b0.exe
windows10-2004-x64
5b8f60c64c7...af.exe
windows10-2004-x64
10Saldo.Pdf_...__.exe
windows10-2004-x64
bc557a7bfe...8f.exe
windows10-2004-x64
7bd2d4d4300...17.vbs
windows10-2004-x64
1be03e43db0...5F.exe
windows10-2004-x64
10be03e43db0...8A.exe
windows10-2004-x64
3be514549a2...1f.exe
windows10-2004-x64
9bfb8f7f6cb...-0.dll
windows10-2004-x64
8bldjad.ex1.exe
windows10-2004-x64
3bldjad.exe
windows10-2004-x64
3bldjad2.exe
windows10-2004-x64
5c145a26dd6...a0.exe
windows10-2004-x64
3c325092750...db.apk
windows10-2004-x64
3c36c46f4de...6e.exe
windows10-2004-x64
3c3dd2e3cf0...04.exe
windows10-2004-x64
3c71c26bf89...3_.exe
windows10-2004-x64
7c846282987...fd.exe
windows10-2004-x64
5General
-
Target
Batch_5.zip
-
Size
10.7MB
-
Sample
241122-2vh7gaxmfl
-
MD5
840ef805274a90a6354a0f5d1c6f05f1
-
SHA1
856f756302fb8559edac0804324c6fec97382d84
-
SHA256
51b3773145652b5d559396a08e1282a3a1d92d4df473f774d61791386fca0598
-
SHA512
a1dbedebf1dc9007ea6781116d3b92e052d5110b34bcc83e87d7ba8736d1b9353bfaeb88de6b53f11ea661ef60231ae2280a4a7e54c4c3bd06cbe7f1aa864904
-
SSDEEP
196608:1iAo5dAtwAQT+rrxa/kHpuI7c/hDU9EPh3VkXI599o9kDD8xCO:1jCAtwAy+rrakDcpDU9uFNgaDQCO
Behavioral task
behavioral1
Sample
AES-NI.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
Abrechnung.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Box (2).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral4
Sample
Box.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral6
Sample
a7768f4973ad7cf8217212a4d12dbae0.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
aa7ff3bc285bcb4ec48bf2f361f0ad0a1d9fc8f17b7323d2f0615ade68973c1e.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral8
Sample
aace43af8d0932a7b01c5b8fb71c8199.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de_PonyNews.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral10
Sample
aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral12
Sample
b56c4569d639e8ce104d9e52dffeba6d18813c058887a3404350904811f32d54_not_packed_maybe_useless.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
0.8476237917779167.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral14
Sample
zsgblrbrumorwxfizuke.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral16
Sample
b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
Saldo.Pdf______________________________________________________________.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral18
Sample
bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
bd2d4d43009623941f49554f5932188154fc9d16d820e00db1281d057468b017.vbs
Resource
win10v2004-20241007-en
Behavioral task
behavioral20
Sample
be03e43db0b190b879c893102a76183231ea39ec51206d25651a3cacffa8d81d_Dumped_TDS=4F8C315F.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
be03e43db0b190b879c893102a76183231ea39ec51206d25651a3cacffa8d81d_TDS=4F90A68A.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral22
Sample
be514549a2e654706aeeaa15c8cffce504f0e271c904fe07d865f3999ebaa61f.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
bfb8f7f6cbe24330a310e5c7cbe99ed4_api-ms-win-system-wer-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral24
Sample
bldjad.ex1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
bldjad.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral26
Sample
bldjad2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
c145a26dd6d200080c16300456e7c0bc95f2b71f56d94136619e239e466a04a0.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral28
Sample
c325092750dd55898c47be7ec8a7622c3bf8d1a79c40b160ef7901c2ef18f5db.apk
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
c36c46f4de045ef332decc006694db6e.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral30
Sample
c3dd2e3cf0ebeec7a6c280e187a044a32b54b369a78aaaa89c600a0767b49704.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
c71c26bf894feb5dbedb2cf2477258f3edf3133a3c22c68ab378ba65ecf251d3_.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral32
Sample
c8462829871b7bdb005f4dd881d253aa255a1b2f6f3d89edb1d609b51f5d04fd.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
C:\Users\Public\!!! READ THIS - IMPORTANT !!!.txt
https://bitmsg.me
https://www.bleepingcomputer.com/
Targets
-
-
Target
AES-NI.exe
-
Size
999KB
-
MD5
83e824c998f321a9179efc5c2cd0a118
-
SHA1
16b84004778505afbcc1032d1325c9bed8679b79
-
SHA256
4142ff4667f5b9986888bdcb2a727db6a767f78fe1d5d4ae3346365a1d70eb76
-
SHA512
d1c9fdb653d6b028c16a9d82895b7f03b6f96aecc802ab5104d6a762091e71502e407feea3d3d64f19b9f7c2888b1fb2b1dd5f2909b6e29414d4e4a78b56917b
-
SSDEEP
24576:xMhc8sFdkS6BEeL8xYSCy3vIyzlueaBLxGLJe3:Ghc8sFB6WeIYSPAyUHxGLJe3
-
Renames multiple (5276) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Deletes itself
-
Drops desktop.ini file(s)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
-
-
Target
Abrechnung.exe
-
Size
103KB
-
MD5
81ff324d2023d8ecb98a127b87d51450
-
SHA1
acd24c80f6a02f7fe7a388a6779ea49be64674bc
-
SHA256
7d9fc496bc0ade736bf75e05564e9c93167362ef18450d75222deef0664f9ed5
-
SHA512
38b17683e835e7259a6972d0f920f9ac7f5823591962c624aa795c39c3213d0735bacd76c72b7255be1cefeb9c298ffc31266513f088684969e5e18ad4e0a139
-
SSDEEP
1536:o7ZrIoIlP/A765noAXMoiCQ/5NSDy+Ud1IE9vpFARgHsjoCje6fLCy:odIp/A0noAcoiCQ/5NS6ERnECnfLCy
Score8/10-
Disables RegEdit via registry modification
-
Deletes itself
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
Box (2).exe
-
Size
438KB
-
MD5
1bb4dd43a8aebc8f3b53acd05e31d5b5
-
SHA1
54cd1a4a505b301df636903b2293d995d560887e
-
SHA256
a2380a5f503bc6f5fcfd4c72e5b807df0740a60a298e8686bf6454f92e5d3c02
-
SHA512
94c70d592e806bb426760f61122b8321e8dc5cff7f793d51f9d5650821c502c43096f41d3e61207ca6989df5bfdbff57bc23328de16e99dd56e85efc90affdce
-
SSDEEP
3072:rE+rnVvKX8/tmssEDUbPwBIK6xDq3bnBZvG1BpTU41zjhkkxbNWWmZ:ImVa8/tmswUB36G9ZvGZQ49jRF
Score3/10 -
-
-
Target
Box.exe
-
Size
440KB
-
MD5
698746928e12831d6982b4e260a9da3a
-
SHA1
c87945b0f3f19d3fa07f64b5454f588f568a94e7
-
SHA256
63a6c3864b0a51c790d8d0312137995eb16710178aaaebfe34fa5e57caff9b36
-
SHA512
8680e690337afa911471680aeb0ea6242e7cf68d83043e83b91bd6ffbe0af1af8aac140ecec8958ac6831a4b9f8401ac086e8322d6638144e5501df949594ea0
-
SSDEEP
3072:LE+rnVvKX8/tmssEDUbPwBIK6xDq3bnBZvG1BpTU41zjhkkxbNWOc:omVa8/tmswUB36G9ZvGZQ49jR
Score3/10 -
-
-
Target
a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe
-
Size
212KB
-
MD5
c697914b3e3c115391e5a32e6d8d3a98
-
SHA1
b61335cc60ff37680e82c7245ec268d206fc21e2
-
SHA256
a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43
-
SHA512
dbdd230a9829eeae3cbb7ba7cead7b378661275ca3a97bef7c4d60a7c8a5a475120bda551c2e2d81e69f9cc4f0dc798f9160d2e94d11f1ed3cc9cdf4752ae35b
-
SSDEEP
3072:HTS1pU/dvuuCtCxzxXXQu+pbSCu9P+5qd/o1x3wPWnK:HTeu/Zat6gH9un0ePW
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
a7768f4973ad7cf8217212a4d12dbae0.exe
-
Size
380KB
-
MD5
a7768f4973ad7cf8217212a4d12dbae0
-
SHA1
143c52e5bf3978c7b1a544ccc9405afd17d77f55
-
SHA256
c8ea293b1ad5343dde79c6e095c134e4100fdaf47c84eac5e3012eae0b0125a2
-
SHA512
058cc6690f9910ead6441f7128f85cb6669f04a7a949bf0b464b42d7813695cf77f7fff539b742a829464cb1ad41ca0682df120e008095b9739e561f488201d5
-
SSDEEP
6144:Uzv+kSZBbdH19ex4T02J4fqz22tvymTiB62iKnWKKmDTcNwjreOwIbN8CCg4mnw8:UzcRD02J4Sq2vHGB67KWKKmDzrCg44w8
Score10/10-
Modifies WinLogon for persistence
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
-
-
Target
aa7ff3bc285bcb4ec48bf2f361f0ad0a1d9fc8f17b7323d2f0615ade68973c1e.exe
-
Size
550KB
-
MD5
e1e589c2c91ca7563f8fb06cf356bbfc
-
SHA1
54ac30e96d237ebed232648d8b484579fd7a33d8
-
SHA256
aa7ff3bc285bcb4ec48bf2f361f0ad0a1d9fc8f17b7323d2f0615ade68973c1e
-
SHA512
8c440d514c0e0b4587834e40ebe0603f1214a771f680c1a49d69a3dcf2cb799ff4f056faf06402a4f7243b927a296374fe024ecfbb754aa550ef25ceebfc0261
-
SSDEEP
6144:Nb/thbA20Budh1Bbm20BloOVAIqDAYQ+:ltGcAYp
Score7/10-
Drops startup file
-
Adds Run key to start application
-
-
-
Target
aace43af8d0932a7b01c5b8fb71c8199.exe
-
Size
2.7MB
-
MD5
aace43af8d0932a7b01c5b8fb71c8199
-
SHA1
56422e5cc2abe198198003d2c5bf009c8652a983
-
SHA256
3bc78141ff3f742c5e942993adfbef39c2127f9682a303b5e786ed7f9a8d184b
-
SHA512
c4fdee4e0041a98eba661b41f521ea393e2cf8a2683d7722ba198bbc5d7620600855a773c849b1a24fb0542a6fdaf478b4e66d2ca709663d5665fac1613de2b3
-
SSDEEP
49152:HyhKEGeEWYQAsQ36mE4OZYYIqCGA02Ul0UFi28CdNT0BtT:HygEGTRQAsQ36mE4O6rqCb2i28CdNoBN
Score8/10-
Indicator Removal: Network Share Connection Removal
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
-
-
-
Target
ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de_PonyNews.exe
-
Size
216KB
-
MD5
70a377690917a98e6ee682f7941eb565
-
SHA1
246b1e0d01772a47a5f2032c8642d33d47a11c57
-
SHA256
ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de
-
SHA512
c384afb2230222115bffeeb951e6e204e99c44ff8d27af58b5660aa084405b1da3ad25ee75179b9f5db0f1ca7ceab070457d314b001c53cc0faa71dd7dfe9709
-
SSDEEP
3072:eowSng9e1zcHHgttb9a1XchykGt8N3mff:1IehkAttb9aFchy3um
-
Pony family
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1.exe
-
Size
218KB
-
MD5
35f68acc0c3d5761a61975ec77b49cbc
-
SHA1
f6d03e713bc9b47265141d9f9b83ae634d43d204
-
SHA256
aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1
-
SHA512
6a9d131e7c4f310ec77cf3c9c07c75dca279b7ffd6c46b252c559947900f1d754400fc51ce12b8afde86a0fd758e1b68d00a2e5f9144ad019d51bff5c67a4656
-
SSDEEP
3072:HfVD9B1hzRAjEdJNCQ4woDZD57Wr3FKajQNR9MiYbuWjqgdcnfKvdHmN5b3SM:/jlVEEbNtoPajxu85cfAG3
Score6/10-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
-
Size
164KB
-
MD5
08b304d01220f9de63244b4666621bba
-
SHA1
b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6
-
SHA256
afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
-
SHA512
162cc0fb48615c67ce6e104ca462c41aba79bad0d5409e837b300cffc34a1c9bed63f603eee7091b93edfcd772d8ab1e180fcb3aae6b07fe24413b8505815ae9
-
SSDEEP
3072:fHynAdzu0t5GtE13lkAB9z3KJZ3fCI1AjZ7yXgpiqQp:fHKautY3TzaJZarjZeXgpn
-
HydraCrypt
Relatively unsophisticated ransomware family based on leaked CrypBoss source code.
-
Hydracrypt family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (908) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext
-
-
-
Target
b56c4569d639e8ce104d9e52dffeba6d18813c058887a3404350904811f32d54_not_packed_maybe_useless.exe
-
Size
53KB
-
MD5
93de5300dabf0711c57cbe31b4c9ef04
-
SHA1
4cad182a0cf72c2aff7c1a5b23eb26b352366f63
-
SHA256
b56c4569d639e8ce104d9e52dffeba6d18813c058887a3404350904811f32d54
-
SHA512
52c3e7a2721dac4b65d1b0ca78bd594f96f7adc36dcb9a69515665a039d644b4ce130f73f5eddd452911cac7f60c0af19688cdba57339fdec88c0ddfc574cc00
-
SSDEEP
768:4chho/bbYYwktIZwTUtv3h12jG6hdYWnXAjpWTbBbIKP077hPdxPaq77tio/rM:PjoDMYwEINR8j/Yu2pqOd77hPQoQ
Score3/10 -
-
-
Target
0.8476237917779167.exe
-
Size
80KB
-
MD5
0a2284067bd109885b0597c3a858a88a
-
SHA1
7634b3d0ede547c81f93fe570ef3102bf0e0ed14
-
SHA256
19ec0d0e5143940492a1c79c06eb8f18aa9feb356e41b8b79fdc6a16a3bcd7bf
-
SHA512
6405bee390d0c1f38ad434116de512cb67171b66ec6e4efbb43f08577597da51ab37fae899a6f8231fa17fa60654572e5141c2dbcebe520124db61e7393f9eea
-
SSDEEP
1536:QF7P2btiVYiZ+TX2tbOH3UqCXOOlIoj6Q849X:U7ktiPCH3UqZAhR
Score3/10 -
-
-
Target
zsgblrbrumorwxfizuke.exe
-
Size
80KB
-
MD5
0a2284067bd109885b0597c3a858a88a
-
SHA1
7634b3d0ede547c81f93fe570ef3102bf0e0ed14
-
SHA256
19ec0d0e5143940492a1c79c06eb8f18aa9feb356e41b8b79fdc6a16a3bcd7bf
-
SHA512
6405bee390d0c1f38ad434116de512cb67171b66ec6e4efbb43f08577597da51ab37fae899a6f8231fa17fa60654572e5141c2dbcebe520124db61e7393f9eea
-
SSDEEP
1536:QF7P2btiVYiZ+TX2tbOH3UqCXOOlIoj6Q849X:U7ktiPCH3UqZAhR
Score3/10 -
-
-
Target
b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0.exe
-
Size
518KB
-
MD5
4523ccfd191dcceeae8e884f82f5c7ad
-
SHA1
00107a6bdc9886e69425b7b0b761dcc8324946d3
-
SHA256
b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0
-
SHA512
79df12b1abb0d2ddab35e898aa01baaf7ea737fa37331c926b07d0ca478aa9c1c3d14795241e11d7dcff06ec3c5de93b2819cfbc0fd6db5bf6e752c52cfad5a5
-
SSDEEP
12288:uPenEoSpi011oQSnRxhmVacKcMxS8JWwEHD1T6hX5IGC2C:SJomi0GnbPcKcNcWwEj1T6hqm
-
Drops file in System32 directory
-
-
-
Target
b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe
-
Size
33KB
-
MD5
d9789bfbc54d5cb6d52c385fd8f5d288
-
SHA1
b8f60c64c70f03c263bf9e9261aa157a73864aaf
-
SHA256
c0fcf3ac6b125e985c6574ed7ef1a7929f3be8f6487b68e4d58a48a3b1517b5d
-
SHA512
21e81d64136897e86362304666cb0a8510ae2280c432c8b768875d5459b527e2cdafe9a61107433d3ff7ccf8092f3bbc226f9366623c1d39f76445fc490dc4c8
-
SSDEEP
768:IPXirrjYZp0Tf6yFz5Om5jPwxgjAqJTKV/Z:I/iTYHQCm5DpjhJTKVR
-
Detected Xorist Ransomware
-
Xorist family
-
Renames multiple (2189) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Drivers directory
-
Drops startup file
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
Saldo.Pdf______________________________________________________________.exe
-
Size
446KB
-
MD5
93cbe4ed3d46abe732a124a41e7147a2
-
SHA1
94a24be60d90479ce27f7787a86678472aabdc6e
-
SHA256
89e71eb0a6403725d2f95cb9e6506b8b139a6948a61dc1c5cfedf18648241ec4
-
SHA512
8f46af90d8a2d78da003a8a395fd7f74cc235595238ee3a3e4d87fee2aa4c8abf6ece403bb3726122d3825437f5d079ea1f8d6b275153bb76b3b0d75c243ef09
-
SSDEEP
6144:XOOxeLzWoeNqagVRUvOWcTwlOcTeP8uENXIEQSdO8c/AVxYflxiW:txeHWoA/Wr0lfQ8BfLkIVxYfrd
Score1/10 -
-
-
Target
bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f.exe
-
Size
791KB
-
MD5
d1e75b274211a78d9c5d38c8ff2e1778
-
SHA1
d14954a7b9e0c778909fe8dcad99ad4120365b2e
-
SHA256
bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f
-
SHA512
1ec3fbb0bf17d4ad6397ba2e58daa210745f10f88f6722971464a6eeb7573f49be6d65e70a497002d6d00745317f11442bdeaf999b91127b123c11dfe9b088c2
-
SSDEEP
24576:l2RNuxIAdOx6mNoGSyGMjc6XaMAy9xg5tMZ/Z3RPpEYrTQAU:rIG+lbGuntxktM15RPpEYrTQAU
Score7/10-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
bd2d4d43009623941f49554f5932188154fc9d16d820e00db1281d057468b017.exe
-
Size
54KB
-
MD5
f0be874585b7ed666de5edb88ccb1107
-
SHA1
9121c2e1e96cf87e5f9bab3a2dbd4b578bc5b438
-
SHA256
bd2d4d43009623941f49554f5932188154fc9d16d820e00db1281d057468b017
-
SHA512
f8941d32af25ba6f9f6907efd64265bff8e4884003c65410acd8f6dbb4e5c46f308e9bf0be5e7738f16bbb6dffe8adb2c61b4576ec754a7e5026741eb998d7fd
-
SSDEEP
768:UYQW5/spNck0lUzPrU23Wsq91si1QGb6LNyF2kbWsiPfNa133CiMRKeFyZc:UYQW57kCUzbFqvyyFhl2gpyVcrc
Score1/10 -
-
-
Target
be03e43db0b190b879c893102a76183231ea39ec51206d25651a3cacffa8d81d_Dumped_TDS=4F8C315F.exe
-
Size
116KB
-
MD5
50e3871f540b228941b8ef76ef0d543e
-
SHA1
ba51fc4ecff55d7c504db666d970490118153afc
-
SHA256
160e7c9806857f1dfae4191a338c4e9341f1f589b6ed72f4cf6e10db483e3af6
-
SHA512
16acd834a04b43eed8954d74a884032ae73439ffaefaf51f043fa19a7af7a71cdcf19a752d67194f6b15df1272947bd5522895a266e971a3e241d34aea79bf7f
-
SSDEEP
1536:df/SovFSSZtDgN+DpDkDEFtCw0YF8965L+vpCYC:J/zv0SZtDgN+Dp+Er0YF896WpTC
Score10/10-
Modifies WinLogon for persistence
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
-
-
Target
be03e43db0b190b879c893102a76183231ea39ec51206d25651a3cacffa8d81d_TDS=4F90A68A.exe
-
Size
59KB
-
MD5
db4161aec038c9c18a03636304083a0e
-
SHA1
096f0dfd110366a56cc5cb4b940311b13687663a
-
SHA256
be03e43db0b190b879c893102a76183231ea39ec51206d25651a3cacffa8d81d
-
SHA512
4330d31c2c014cba3981f881a5209c17e9321e634436dc83ee8765c2461376f54c971d85d3bdd4c70fa33f5c015d5d41e788cf087a9c3c8f737a172dec918147
-
SSDEEP
1536:tK25W2YiTR9vZWsU2c0yChDadK3352M849X:thaiF9vZQ2XNpau52MhR
Score3/10 -
-
-
Target
be514549a2e654706aeeaa15c8cffce504f0e271c904fe07d865f3999ebaa61f.exe
-
Size
9KB
-
MD5
0c526b77abfe8d54363e3d14aa28acfe
-
SHA1
3239434398da123454635d8fdb0bedc9f40d831a
-
SHA256
be514549a2e654706aeeaa15c8cffce504f0e271c904fe07d865f3999ebaa61f
-
SHA512
6c201b45e2041d3f96b05e0275c7e1164ea481b704b49767d2decba19e1587fc93ae54078c89fcb6d937de345697fe7196e49cf8245a53b8f519fa63970b40e4
-
SSDEEP
192:DKsF20IA6HAypQRr202tR+6raWP4xqLtSQlH:5Uj1gxV202Xyy4xqpSQZ
-
Renames multiple (6563) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Deletes itself
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
-
-
Target
bfb8f7f6cbe24330a310e5c7cbe99ed4_api-ms-win-system-wer-l1-1-0.dll
-
Size
440KB
-
MD5
bfb8f7f6cbe24330a310e5c7cbe99ed4
-
SHA1
cfb97a66c90bff92b5d72eb9e81b2e9d8013b66d
-
SHA256
a4e9c151a50595b59e787dd3b361ac53d02dd7f212d6b22639dc01776c886d05
-
SHA512
f8a4c341b50a37b15c8a11979d8b0ce82c33fb4fd6a9749b4c561db84627e850f8fc23778f78d085b218ea40cdecf05864e68b73f5cc606d7ef30a0454c09550
-
SSDEEP
6144:muStbEUJp4qjMO3QZW+PeT9JiPZCL/qrS9spyM:dStbJaE+NCLEnp
-
Blocklisted process makes network request
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
bldjad.ex1.exe
-
Size
132KB
-
MD5
b1c88e7ed0edb803ead0c0eeeef53935
-
SHA1
ddc529d37589d68e9013327e57d3cb15ddd6b406
-
SHA256
3fb245ab1427cb59a359fb2e910a3a8e7e4535114cf61469001d740305e97200
-
SHA512
129ade5293e0c5f0d5a1ad0dfde0e6e0f5eac5f3031f9d57d855a368e034dda932fca4f6d7020d111e463a37fd3da3ffc3405ec750e3a0dea5113a26ce316cd0
-
SSDEEP
1536:/udS9WayNWqE9pDV6PSPP7dl5vUOENrlSN+jvNYvecy1q2sJ6Ysktv8FkXAk3RCG:/R9jyMqMVmcdlONoNklYvhvGklRWAx
Score3/10 -
-
-
Target
bldjad.exe
-
Size
132KB
-
MD5
b1c88e7ed0edb803ead0c0eeeef53935
-
SHA1
ddc529d37589d68e9013327e57d3cb15ddd6b406
-
SHA256
3fb245ab1427cb59a359fb2e910a3a8e7e4535114cf61469001d740305e97200
-
SHA512
129ade5293e0c5f0d5a1ad0dfde0e6e0f5eac5f3031f9d57d855a368e034dda932fca4f6d7020d111e463a37fd3da3ffc3405ec750e3a0dea5113a26ce316cd0
-
SSDEEP
1536:/udS9WayNWqE9pDV6PSPP7dl5vUOENrlSN+jvNYvecy1q2sJ6Ysktv8FkXAk3RCG:/R9jyMqMVmcdlONoNklYvhvGklRWAx
Score3/10 -
-
-
Target
bldjad2.exe
-
Size
179KB
-
MD5
305811f060ff21aad8d8cd872c1e89e2
-
SHA1
32cba371f3021aabb76791992b7109e52fee2325
-
SHA256
97e1dd8169a82282ab889ab8b21b78eb64af975d66b136a19252b9b44352cb58
-
SHA512
ace79c93e2137410e02c29280df566d52a9b74d0759f6b5e25930834377c1cb7401fe963df896b60a55c9c67955c5e3ec232aedd87f91f9b5b7d7c76d4575644
-
SSDEEP
3072:7oaXHWASj9Fxb9ziS9z7ACPUiwFVb3fSpVD2s+706aeUTQjNSwUbJMwQuUEXszln:0aHejjldiSJtU9Zqf2s+7jaeUoNSwUJI
Score5/10-
Suspicious use of SetThreadContext
-
-
-
Target
c145a26dd6d200080c16300456e7c0bc95f2b71f56d94136619e239e466a04a0.exe
-
Size
26KB
-
MD5
01a18db18af5cd780eab9bbadd881e8c
-
SHA1
36728334c4d1bb927310e0f1268b3890f2bd2457
-
SHA256
c145a26dd6d200080c16300456e7c0bc95f2b71f56d94136619e239e466a04a0
-
SHA512
ea81c1340b8ddbd9a6e796ddb5b18e55c575ac974dcf66ad40ff188f85ae630fe68fa58c2bddd0aef859b5e3ea31b01ed2ee025c49d06e7a6053bb469de0dffe
-
SSDEEP
384:fyHccS+efqM7e5at0CdiSw+L0mNBrJKJ0wmQVrIUzf0tWqPWNnokwkwAetW:KHJkqM7eERYSw6ZTwHFIUAsqm
Score3/10 -
-
-
Target
c325092750dd55898c47be7ec8a7622c3bf8d1a79c40b160ef7901c2ef18f5db.exe
-
Size
1.6MB
-
MD5
82990aad8c1a1894d7b7fd56e78c3a6b
-
SHA1
8874204f4247232a98cca34e2387a3bd2a47d4ae
-
SHA256
c325092750dd55898c47be7ec8a7622c3bf8d1a79c40b160ef7901c2ef18f5db
-
SHA512
afe8d2d40e09863e17a725e42ccca1368cc2737c1234f3b6219399a5c4cab765486efe34a92561cc126aad7e0cf51f5cb77fe64d0105b84342f2f345b80ecfa9
-
SSDEEP
49152:j2L+FHeMX+8S31Ife70qkBxRXAmnTa+Gq:hXKIfVqWXAcabq
Score3/10 -
-
-
Target
c36c46f4de045ef332decc006694db6e.exe
-
Size
137KB
-
MD5
c36c46f4de045ef332decc006694db6e
-
SHA1
35e869facb8d72500cbf4f92bd89a64d2964899c
-
SHA256
4869d9a1cc95998879b95c141f1ea30518d3ea0a0dab9fe5172f80332e1b2df8
-
SHA512
54ab54348f193dfb8ca39af215f5fea39c85bd9c4869a5f29cefbf76440056eefaeb016b4f49fb4a1b2ef6c6ad839d07101ef48b59ac7fb44737cece66dad1d7
-
SSDEEP
1536:0krzRCHw9oa1KNvn4sBHoD/puuNNsFyVRYdvdE4zxNXGH8t/+rDCF:VrzwQ6akR4YIxNrRYdv6qxNXXEqF
Score3/10 -
-
-
Target
c3dd2e3cf0ebeec7a6c280e187a044a32b54b369a78aaaa89c600a0767b49704.exe
-
Size
56KB
-
MD5
c386730bdddbb25dc6eeda9702c1effe
-
SHA1
2caa8dbd49b3bc07b4e2d6a4f30ae8c1ab3e07f7
-
SHA256
c3dd2e3cf0ebeec7a6c280e187a044a32b54b369a78aaaa89c600a0767b49704
-
SHA512
e3fd8e8ed88b4eb8453e46407fa467d022c866f399a472f29951793008363f47fae7c9fb0a34bc79582fac3eb4a3e7c10a4509a4bbcc69f42f7c992f9d205957
-
SSDEEP
768:G/RZ9izj7h7723SVtXlD0NZewuqE7oOGX5/XtMpCrXZZW4wFxsqdxRp+rwFv:E9UV723SVQNZeP7oOGFtMpjsqDRlN
Score3/10 -
-
-
Target
c71c26bf894feb5dbedb2cf2477258f3edf3133a3c22c68ab378ba65ecf251d3_.exe
-
Size
2.4MB
-
MD5
3a37931a0c7f2c8ec5c38b04380c69e1
-
SHA1
61ac0d9783a744dfc02f4b6dd880c82e24a274b0
-
SHA256
c71c26bf894feb5dbedb2cf2477258f3edf3133a3c22c68ab378ba65ecf251d3
-
SHA512
9be09704ae50a657793ddee577e69967483858aa42c92eb3403c79a195c2d11a6f84f274cb6c5e8e357b9e8627ae347d9a11a39d1549a15690765dcf1f3579da
-
SSDEEP
49152:Ga8FL30rOQwir2OUXnfgwHrTi4UtqaAR1hbpTye21OR+jFlpuEKD:GaSL3KvSRnfX6qa61FdaOR6lpm
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
c8462829871b7bdb005f4dd881d253aa255a1b2f6f3d89edb1d609b51f5d04fd.exe
-
Size
1.5MB
-
MD5
00e3b69b18bfad7980c1621256ee10fa
-
SHA1
b6cf6789c3b19ca82d12655274df7f9c302da794
-
SHA256
c8462829871b7bdb005f4dd881d253aa255a1b2f6f3d89edb1d609b51f5d04fd
-
SHA512
30cab0ba2a1e7a8d8c2da100c1eb7e06cb36012a7f67cceee1c3388d718c29d7a3f5543a3c41e7d07aaadde14bee873f4c9b29301460d7f473e2549830576ff9
-
SSDEEP
24576:8B8LCHrjTWTHTkRDene4Xgez7d7A8AA6os3xyloB183SlrwCLk:y8OHz8zkRDeeigcfBDo0ocCLk
Score5/10-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
3File Deletion
2Network Share Connection Removal
1Modify Registry
6Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
3Credentials In Files
3