Resubmissions

22-11-2024 22:54

241122-2vh7gaxmfl 10

22-11-2024 03:27

241122-dzqkcatmht 10

22-11-2024 03:16

241122-dsgc4atlgs 10

General

  • Target

    Batch_5.zip

  • Size

    10.7MB

  • Sample

    241122-2vh7gaxmfl

  • MD5

    840ef805274a90a6354a0f5d1c6f05f1

  • SHA1

    856f756302fb8559edac0804324c6fec97382d84

  • SHA256

    51b3773145652b5d559396a08e1282a3a1d92d4df473f774d61791386fca0598

  • SHA512

    a1dbedebf1dc9007ea6781116d3b92e052d5110b34bcc83e87d7ba8736d1b9353bfaeb88de6b53f11ea661ef60231ae2280a4a7e54c4c3bd06cbe7f1aa864904

  • SSDEEP

    196608:1iAo5dAtwAQT+rrxa/kHpuI7c/hDU9EPh3VkXI599o9kDD8xCO:1jCAtwAy+rrakDcpDU9uFNgaDQCO

Malware Config

Extracted

Path

C:\Users\Public\!!! READ THIS - IMPORTANT !!!.txt

Ransom Note
===============================# aes-ni ransomware #=============================== █████╗ ███████╗███████╗ ███╗ ██╗██╗ ██╔══██╗██╔════╝██╔════╝ ████╗ ██║██║ ███████║█████╗ ███████╗█████╗██╔██╗ ██║██║ ██╔══██║██╔══╝ ╚════██║╚════╝██║╚██╗██║██║ ██║ ██║███████╗███████║ ██║ ╚████║██║ ╚═╝ ╚═╝╚══════╝╚══════╝ ╚═╝ ╚═══╝╚═╝ SPECIAL VERSION: NSA EXPLOIT EDITION INTRO: If you are reading it, your server was attacked with NSA exploits. Make World Safe Again. SORRY! Your files are encrypted. File contents are encrypted with random key (AES-256 bit; ECB mode). Random key is encrypted with RSA public key (2048 bit). We STRONGLY RECOMMEND you NOT to use any "decryption tools". These tools can damage your data, making recover IMPOSSIBLE. Also we recommend you not to contact data recovery companies. They will just contact us, buy the key and sell it to you at a higher price. If you want to decrypt your files, you have to get RSA private key. In order to get private key, write here: [email protected] [email protected] [email protected] IMPORTANT: In some cases malware researchers can block our e-mails. If you did not receive any answer on e-mail in 48 hours, please do not panic and write to BitMsg (https://bitmsg.me) address: BM-2cVgoJS8HPMkjzgDMVNAGg5TG3bb1TcfhN or create topic on https://www.bleepingcomputer.com/ and we will find you there. If someone else offers you files restoring, ask him for test decryption. Only we can successfully decrypt your files; knowing this can protect you from fraud. You will receive instructions of what to do next. You MUST refer this ID in your message: GYHASOLS#F61E8FBF997FA21406F35B5B0154D7DF Also you MUST send all ".key.aes_ni_0day" files from C:\ProgramData if there are any. ===============================# aes-ni ransomware #===============================
URLs

https://bitmsg.me

https://www.bleepingcomputer.com/

Targets

    • Target

      AES-NI.exe

    • Size

      999KB

    • MD5

      83e824c998f321a9179efc5c2cd0a118

    • SHA1

      16b84004778505afbcc1032d1325c9bed8679b79

    • SHA256

      4142ff4667f5b9986888bdcb2a727db6a767f78fe1d5d4ae3346365a1d70eb76

    • SHA512

      d1c9fdb653d6b028c16a9d82895b7f03b6f96aecc802ab5104d6a762091e71502e407feea3d3d64f19b9f7c2888b1fb2b1dd5f2909b6e29414d4e4a78b56917b

    • SSDEEP

      24576:xMhc8sFdkS6BEeL8xYSCy3vIyzlueaBLxGLJe3:Ghc8sFB6WeIYSPAyUHxGLJe3

    • Renames multiple (5276) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Deletes itself

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Abrechnung.exe

    • Size

      103KB

    • MD5

      81ff324d2023d8ecb98a127b87d51450

    • SHA1

      acd24c80f6a02f7fe7a388a6779ea49be64674bc

    • SHA256

      7d9fc496bc0ade736bf75e05564e9c93167362ef18450d75222deef0664f9ed5

    • SHA512

      38b17683e835e7259a6972d0f920f9ac7f5823591962c624aa795c39c3213d0735bacd76c72b7255be1cefeb9c298ffc31266513f088684969e5e18ad4e0a139

    • SSDEEP

      1536:o7ZrIoIlP/A765noAXMoiCQ/5NSDy+Ud1IE9vpFARgHsjoCje6fLCy:odIp/A0noAcoiCQ/5NS6ERnECnfLCy

    • Disables RegEdit via registry modification

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Box (2).exe

    • Size

      438KB

    • MD5

      1bb4dd43a8aebc8f3b53acd05e31d5b5

    • SHA1

      54cd1a4a505b301df636903b2293d995d560887e

    • SHA256

      a2380a5f503bc6f5fcfd4c72e5b807df0740a60a298e8686bf6454f92e5d3c02

    • SHA512

      94c70d592e806bb426760f61122b8321e8dc5cff7f793d51f9d5650821c502c43096f41d3e61207ca6989df5bfdbff57bc23328de16e99dd56e85efc90affdce

    • SSDEEP

      3072:rE+rnVvKX8/tmssEDUbPwBIK6xDq3bnBZvG1BpTU41zjhkkxbNWWmZ:ImVa8/tmswUB36G9ZvGZQ49jRF

    Score
    3/10
    • Target

      Box.exe

    • Size

      440KB

    • MD5

      698746928e12831d6982b4e260a9da3a

    • SHA1

      c87945b0f3f19d3fa07f64b5454f588f568a94e7

    • SHA256

      63a6c3864b0a51c790d8d0312137995eb16710178aaaebfe34fa5e57caff9b36

    • SHA512

      8680e690337afa911471680aeb0ea6242e7cf68d83043e83b91bd6ffbe0af1af8aac140ecec8958ac6831a4b9f8401ac086e8322d6638144e5501df949594ea0

    • SSDEEP

      3072:LE+rnVvKX8/tmssEDUbPwBIK6xDq3bnBZvG1BpTU41zjhkkxbNWOc:omVa8/tmswUB36G9ZvGZQ49jR

    Score
    3/10
    • Target

      a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe

    • Size

      212KB

    • MD5

      c697914b3e3c115391e5a32e6d8d3a98

    • SHA1

      b61335cc60ff37680e82c7245ec268d206fc21e2

    • SHA256

      a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43

    • SHA512

      dbdd230a9829eeae3cbb7ba7cead7b378661275ca3a97bef7c4d60a7c8a5a475120bda551c2e2d81e69f9cc4f0dc798f9160d2e94d11f1ed3cc9cdf4752ae35b

    • SSDEEP

      3072:HTS1pU/dvuuCtCxzxXXQu+pbSCu9P+5qd/o1x3wPWnK:HTeu/Zat6gH9un0ePW

    • Target

      a7768f4973ad7cf8217212a4d12dbae0.exe

    • Size

      380KB

    • MD5

      a7768f4973ad7cf8217212a4d12dbae0

    • SHA1

      143c52e5bf3978c7b1a544ccc9405afd17d77f55

    • SHA256

      c8ea293b1ad5343dde79c6e095c134e4100fdaf47c84eac5e3012eae0b0125a2

    • SHA512

      058cc6690f9910ead6441f7128f85cb6669f04a7a949bf0b464b42d7813695cf77f7fff539b742a829464cb1ad41ca0682df120e008095b9739e561f488201d5

    • SSDEEP

      6144:Uzv+kSZBbdH19ex4T02J4fqz22tvymTiB62iKnWKKmDTcNwjreOwIbN8CCg4mnw8:UzcRD02J4Sq2vHGB67KWKKmDzrCg44w8

    • Modifies WinLogon for persistence

    • UAC bypass

    • Checks whether UAC is enabled

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      aa7ff3bc285bcb4ec48bf2f361f0ad0a1d9fc8f17b7323d2f0615ade68973c1e.exe

    • Size

      550KB

    • MD5

      e1e589c2c91ca7563f8fb06cf356bbfc

    • SHA1

      54ac30e96d237ebed232648d8b484579fd7a33d8

    • SHA256

      aa7ff3bc285bcb4ec48bf2f361f0ad0a1d9fc8f17b7323d2f0615ade68973c1e

    • SHA512

      8c440d514c0e0b4587834e40ebe0603f1214a771f680c1a49d69a3dcf2cb799ff4f056faf06402a4f7243b927a296374fe024ecfbb754aa550ef25ceebfc0261

    • SSDEEP

      6144:Nb/thbA20Budh1Bbm20BloOVAIqDAYQ+:ltGcAYp

    • Drops startup file

    • Adds Run key to start application

    • Target

      aace43af8d0932a7b01c5b8fb71c8199.exe

    • Size

      2.7MB

    • MD5

      aace43af8d0932a7b01c5b8fb71c8199

    • SHA1

      56422e5cc2abe198198003d2c5bf009c8652a983

    • SHA256

      3bc78141ff3f742c5e942993adfbef39c2127f9682a303b5e786ed7f9a8d184b

    • SHA512

      c4fdee4e0041a98eba661b41f521ea393e2cf8a2683d7722ba198bbc5d7620600855a773c849b1a24fb0542a6fdaf478b4e66d2ca709663d5665fac1613de2b3

    • SSDEEP

      49152:HyhKEGeEWYQAsQ36mE4OZYYIqCGA02Ul0UFi28CdNT0BtT:HygEGTRQAsQ36mE4O6rqCb2i28CdNoBN

    • Indicator Removal: Network Share Connection Removal

      Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

    • Target

      ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de_PonyNews.exe

    • Size

      216KB

    • MD5

      70a377690917a98e6ee682f7941eb565

    • SHA1

      246b1e0d01772a47a5f2032c8642d33d47a11c57

    • SHA256

      ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de

    • SHA512

      c384afb2230222115bffeeb951e6e204e99c44ff8d27af58b5660aa084405b1da3ad25ee75179b9f5db0f1ca7ceab070457d314b001c53cc0faa71dd7dfe9709

    • SSDEEP

      3072:eowSng9e1zcHHgttb9a1XchykGt8N3mff:1IehkAttb9aFchy3um

    • Pony family

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1.exe

    • Size

      218KB

    • MD5

      35f68acc0c3d5761a61975ec77b49cbc

    • SHA1

      f6d03e713bc9b47265141d9f9b83ae634d43d204

    • SHA256

      aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1

    • SHA512

      6a9d131e7c4f310ec77cf3c9c07c75dca279b7ffd6c46b252c559947900f1d754400fc51ce12b8afde86a0fd758e1b68d00a2e5f9144ad019d51bff5c67a4656

    • SSDEEP

      3072:HfVD9B1hzRAjEdJNCQ4woDZD57Wr3FKajQNR9MiYbuWjqgdcnfKvdHmN5b3SM:/jlVEEbNtoPajxu85cfAG3

    Score
    6/10
    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

    • Size

      164KB

    • MD5

      08b304d01220f9de63244b4666621bba

    • SHA1

      b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6

    • SHA256

      afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e

    • SHA512

      162cc0fb48615c67ce6e104ca462c41aba79bad0d5409e837b300cffc34a1c9bed63f603eee7091b93edfcd772d8ab1e180fcb3aae6b07fe24413b8505815ae9

    • SSDEEP

      3072:fHynAdzu0t5GtE13lkAB9z3KJZ3fCI1AjZ7yXgpiqQp:fHKautY3TzaJZarjZeXgpn

    • HydraCrypt

      Relatively unsophisticated ransomware family based on leaked CrypBoss source code.

    • Hydracrypt family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (908) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    • Target

      b56c4569d639e8ce104d9e52dffeba6d18813c058887a3404350904811f32d54_not_packed_maybe_useless.exe

    • Size

      53KB

    • MD5

      93de5300dabf0711c57cbe31b4c9ef04

    • SHA1

      4cad182a0cf72c2aff7c1a5b23eb26b352366f63

    • SHA256

      b56c4569d639e8ce104d9e52dffeba6d18813c058887a3404350904811f32d54

    • SHA512

      52c3e7a2721dac4b65d1b0ca78bd594f96f7adc36dcb9a69515665a039d644b4ce130f73f5eddd452911cac7f60c0af19688cdba57339fdec88c0ddfc574cc00

    • SSDEEP

      768:4chho/bbYYwktIZwTUtv3h12jG6hdYWnXAjpWTbBbIKP077hPdxPaq77tio/rM:PjoDMYwEINR8j/Yu2pqOd77hPQoQ

    Score
    3/10
    • Target

      0.8476237917779167.exe

    • Size

      80KB

    • MD5

      0a2284067bd109885b0597c3a858a88a

    • SHA1

      7634b3d0ede547c81f93fe570ef3102bf0e0ed14

    • SHA256

      19ec0d0e5143940492a1c79c06eb8f18aa9feb356e41b8b79fdc6a16a3bcd7bf

    • SHA512

      6405bee390d0c1f38ad434116de512cb67171b66ec6e4efbb43f08577597da51ab37fae899a6f8231fa17fa60654572e5141c2dbcebe520124db61e7393f9eea

    • SSDEEP

      1536:QF7P2btiVYiZ+TX2tbOH3UqCXOOlIoj6Q849X:U7ktiPCH3UqZAhR

    Score
    3/10
    • Target

      zsgblrbrumorwxfizuke.exe

    • Size

      80KB

    • MD5

      0a2284067bd109885b0597c3a858a88a

    • SHA1

      7634b3d0ede547c81f93fe570ef3102bf0e0ed14

    • SHA256

      19ec0d0e5143940492a1c79c06eb8f18aa9feb356e41b8b79fdc6a16a3bcd7bf

    • SHA512

      6405bee390d0c1f38ad434116de512cb67171b66ec6e4efbb43f08577597da51ab37fae899a6f8231fa17fa60654572e5141c2dbcebe520124db61e7393f9eea

    • SSDEEP

      1536:QF7P2btiVYiZ+TX2tbOH3UqCXOOlIoj6Q849X:U7ktiPCH3UqZAhR

    Score
    3/10
    • Target

      b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0.exe

    • Size

      518KB

    • MD5

      4523ccfd191dcceeae8e884f82f5c7ad

    • SHA1

      00107a6bdc9886e69425b7b0b761dcc8324946d3

    • SHA256

      b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0

    • SHA512

      79df12b1abb0d2ddab35e898aa01baaf7ea737fa37331c926b07d0ca478aa9c1c3d14795241e11d7dcff06ec3c5de93b2819cfbc0fd6db5bf6e752c52cfad5a5

    • SSDEEP

      12288:uPenEoSpi011oQSnRxhmVacKcMxS8JWwEHD1T6hX5IGC2C:SJomi0GnbPcKcNcWwEj1T6hqm

    Score
    5/10
    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe

    • Size

      33KB

    • MD5

      d9789bfbc54d5cb6d52c385fd8f5d288

    • SHA1

      b8f60c64c70f03c263bf9e9261aa157a73864aaf

    • SHA256

      c0fcf3ac6b125e985c6574ed7ef1a7929f3be8f6487b68e4d58a48a3b1517b5d

    • SHA512

      21e81d64136897e86362304666cb0a8510ae2280c432c8b768875d5459b527e2cdafe9a61107433d3ff7ccf8092f3bbc226f9366623c1d39f76445fc490dc4c8

    • SSDEEP

      768:IPXirrjYZp0Tf6yFz5Om5jPwxgjAqJTKV/Z:I/iTYHQCm5DpjhJTKVR

    • Detected Xorist Ransomware

    • Xorist Ransomware

      Xorist is a ransomware first seen in 2020.

    • Xorist family

    • Renames multiple (2189) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops file in Drivers directory

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Saldo.Pdf______________________________________________________________.exe

    • Size

      446KB

    • MD5

      93cbe4ed3d46abe732a124a41e7147a2

    • SHA1

      94a24be60d90479ce27f7787a86678472aabdc6e

    • SHA256

      89e71eb0a6403725d2f95cb9e6506b8b139a6948a61dc1c5cfedf18648241ec4

    • SHA512

      8f46af90d8a2d78da003a8a395fd7f74cc235595238ee3a3e4d87fee2aa4c8abf6ece403bb3726122d3825437f5d079ea1f8d6b275153bb76b3b0d75c243ef09

    • SSDEEP

      6144:XOOxeLzWoeNqagVRUvOWcTwlOcTeP8uENXIEQSdO8c/AVxYflxiW:txeHWoA/Wr0lfQ8BfLkIVxYfrd

    Score
    1/10
    • Target

      bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f.exe

    • Size

      791KB

    • MD5

      d1e75b274211a78d9c5d38c8ff2e1778

    • SHA1

      d14954a7b9e0c778909fe8dcad99ad4120365b2e

    • SHA256

      bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f

    • SHA512

      1ec3fbb0bf17d4ad6397ba2e58daa210745f10f88f6722971464a6eeb7573f49be6d65e70a497002d6d00745317f11442bdeaf999b91127b123c11dfe9b088c2

    • SSDEEP

      24576:l2RNuxIAdOx6mNoGSyGMjc6XaMAy9xg5tMZ/Z3RPpEYrTQAU:rIG+lbGuntxktM15RPpEYrTQAU

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Target

      bd2d4d43009623941f49554f5932188154fc9d16d820e00db1281d057468b017.exe

    • Size

      54KB

    • MD5

      f0be874585b7ed666de5edb88ccb1107

    • SHA1

      9121c2e1e96cf87e5f9bab3a2dbd4b578bc5b438

    • SHA256

      bd2d4d43009623941f49554f5932188154fc9d16d820e00db1281d057468b017

    • SHA512

      f8941d32af25ba6f9f6907efd64265bff8e4884003c65410acd8f6dbb4e5c46f308e9bf0be5e7738f16bbb6dffe8adb2c61b4576ec754a7e5026741eb998d7fd

    • SSDEEP

      768:UYQW5/spNck0lUzPrU23Wsq91si1QGb6LNyF2kbWsiPfNa133CiMRKeFyZc:UYQW57kCUzbFqvyyFhl2gpyVcrc

    Score
    1/10
    • Target

      be03e43db0b190b879c893102a76183231ea39ec51206d25651a3cacffa8d81d_Dumped_TDS=4F8C315F.exe

    • Size

      116KB

    • MD5

      50e3871f540b228941b8ef76ef0d543e

    • SHA1

      ba51fc4ecff55d7c504db666d970490118153afc

    • SHA256

      160e7c9806857f1dfae4191a338c4e9341f1f589b6ed72f4cf6e10db483e3af6

    • SHA512

      16acd834a04b43eed8954d74a884032ae73439ffaefaf51f043fa19a7af7a71cdcf19a752d67194f6b15df1272947bd5522895a266e971a3e241d34aea79bf7f

    • SSDEEP

      1536:df/SovFSSZtDgN+DpDkDEFtCw0YF8965L+vpCYC:J/zv0SZtDgN+Dp+Er0YF896WpTC

    Score
    10/10
    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target

      be03e43db0b190b879c893102a76183231ea39ec51206d25651a3cacffa8d81d_TDS=4F90A68A.exe

    • Size

      59KB

    • MD5

      db4161aec038c9c18a03636304083a0e

    • SHA1

      096f0dfd110366a56cc5cb4b940311b13687663a

    • SHA256

      be03e43db0b190b879c893102a76183231ea39ec51206d25651a3cacffa8d81d

    • SHA512

      4330d31c2c014cba3981f881a5209c17e9321e634436dc83ee8765c2461376f54c971d85d3bdd4c70fa33f5c015d5d41e788cf087a9c3c8f737a172dec918147

    • SSDEEP

      1536:tK25W2YiTR9vZWsU2c0yChDadK3352M849X:thaiF9vZQ2XNpau52MhR

    Score
    3/10
    • Target

      be514549a2e654706aeeaa15c8cffce504f0e271c904fe07d865f3999ebaa61f.exe

    • Size

      9KB

    • MD5

      0c526b77abfe8d54363e3d14aa28acfe

    • SHA1

      3239434398da123454635d8fdb0bedc9f40d831a

    • SHA256

      be514549a2e654706aeeaa15c8cffce504f0e271c904fe07d865f3999ebaa61f

    • SHA512

      6c201b45e2041d3f96b05e0275c7e1164ea481b704b49767d2decba19e1587fc93ae54078c89fcb6d937de345697fe7196e49cf8245a53b8f519fa63970b40e4

    • SSDEEP

      192:DKsF20IA6HAypQRr202tR+6raWP4xqLtSQlH:5Uj1gxV202Xyy4xqpSQZ

    • Renames multiple (6563) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      bfb8f7f6cbe24330a310e5c7cbe99ed4_api-ms-win-system-wer-l1-1-0.dll

    • Size

      440KB

    • MD5

      bfb8f7f6cbe24330a310e5c7cbe99ed4

    • SHA1

      cfb97a66c90bff92b5d72eb9e81b2e9d8013b66d

    • SHA256

      a4e9c151a50595b59e787dd3b361ac53d02dd7f212d6b22639dc01776c886d05

    • SHA512

      f8a4c341b50a37b15c8a11979d8b0ce82c33fb4fd6a9749b4c561db84627e850f8fc23778f78d085b218ea40cdecf05864e68b73f5cc606d7ef30a0454c09550

    • SSDEEP

      6144:muStbEUJp4qjMO3QZW+PeT9JiPZCL/qrS9spyM:dStbJaE+NCLEnp

    • Blocklisted process makes network request

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      bldjad.ex1.exe

    • Size

      132KB

    • MD5

      b1c88e7ed0edb803ead0c0eeeef53935

    • SHA1

      ddc529d37589d68e9013327e57d3cb15ddd6b406

    • SHA256

      3fb245ab1427cb59a359fb2e910a3a8e7e4535114cf61469001d740305e97200

    • SHA512

      129ade5293e0c5f0d5a1ad0dfde0e6e0f5eac5f3031f9d57d855a368e034dda932fca4f6d7020d111e463a37fd3da3ffc3405ec750e3a0dea5113a26ce316cd0

    • SSDEEP

      1536:/udS9WayNWqE9pDV6PSPP7dl5vUOENrlSN+jvNYvecy1q2sJ6Ysktv8FkXAk3RCG:/R9jyMqMVmcdlONoNklYvhvGklRWAx

    Score
    3/10
    • Target

      bldjad.exe

    • Size

      132KB

    • MD5

      b1c88e7ed0edb803ead0c0eeeef53935

    • SHA1

      ddc529d37589d68e9013327e57d3cb15ddd6b406

    • SHA256

      3fb245ab1427cb59a359fb2e910a3a8e7e4535114cf61469001d740305e97200

    • SHA512

      129ade5293e0c5f0d5a1ad0dfde0e6e0f5eac5f3031f9d57d855a368e034dda932fca4f6d7020d111e463a37fd3da3ffc3405ec750e3a0dea5113a26ce316cd0

    • SSDEEP

      1536:/udS9WayNWqE9pDV6PSPP7dl5vUOENrlSN+jvNYvecy1q2sJ6Ysktv8FkXAk3RCG:/R9jyMqMVmcdlONoNklYvhvGklRWAx

    Score
    3/10
    • Target

      bldjad2.exe

    • Size

      179KB

    • MD5

      305811f060ff21aad8d8cd872c1e89e2

    • SHA1

      32cba371f3021aabb76791992b7109e52fee2325

    • SHA256

      97e1dd8169a82282ab889ab8b21b78eb64af975d66b136a19252b9b44352cb58

    • SHA512

      ace79c93e2137410e02c29280df566d52a9b74d0759f6b5e25930834377c1cb7401fe963df896b60a55c9c67955c5e3ec232aedd87f91f9b5b7d7c76d4575644

    • SSDEEP

      3072:7oaXHWASj9Fxb9ziS9z7ACPUiwFVb3fSpVD2s+706aeUTQjNSwUbJMwQuUEXszln:0aHejjldiSJtU9Zqf2s+7jaeUoNSwUJI

    Score
    5/10
    • Suspicious use of SetThreadContext

    • Target

      c145a26dd6d200080c16300456e7c0bc95f2b71f56d94136619e239e466a04a0.exe

    • Size

      26KB

    • MD5

      01a18db18af5cd780eab9bbadd881e8c

    • SHA1

      36728334c4d1bb927310e0f1268b3890f2bd2457

    • SHA256

      c145a26dd6d200080c16300456e7c0bc95f2b71f56d94136619e239e466a04a0

    • SHA512

      ea81c1340b8ddbd9a6e796ddb5b18e55c575ac974dcf66ad40ff188f85ae630fe68fa58c2bddd0aef859b5e3ea31b01ed2ee025c49d06e7a6053bb469de0dffe

    • SSDEEP

      384:fyHccS+efqM7e5at0CdiSw+L0mNBrJKJ0wmQVrIUzf0tWqPWNnokwkwAetW:KHJkqM7eERYSw6ZTwHFIUAsqm

    Score
    3/10
    • Target

      c325092750dd55898c47be7ec8a7622c3bf8d1a79c40b160ef7901c2ef18f5db.exe

    • Size

      1.6MB

    • MD5

      82990aad8c1a1894d7b7fd56e78c3a6b

    • SHA1

      8874204f4247232a98cca34e2387a3bd2a47d4ae

    • SHA256

      c325092750dd55898c47be7ec8a7622c3bf8d1a79c40b160ef7901c2ef18f5db

    • SHA512

      afe8d2d40e09863e17a725e42ccca1368cc2737c1234f3b6219399a5c4cab765486efe34a92561cc126aad7e0cf51f5cb77fe64d0105b84342f2f345b80ecfa9

    • SSDEEP

      49152:j2L+FHeMX+8S31Ife70qkBxRXAmnTa+Gq:hXKIfVqWXAcabq

    Score
    3/10
    • Target

      c36c46f4de045ef332decc006694db6e.exe

    • Size

      137KB

    • MD5

      c36c46f4de045ef332decc006694db6e

    • SHA1

      35e869facb8d72500cbf4f92bd89a64d2964899c

    • SHA256

      4869d9a1cc95998879b95c141f1ea30518d3ea0a0dab9fe5172f80332e1b2df8

    • SHA512

      54ab54348f193dfb8ca39af215f5fea39c85bd9c4869a5f29cefbf76440056eefaeb016b4f49fb4a1b2ef6c6ad839d07101ef48b59ac7fb44737cece66dad1d7

    • SSDEEP

      1536:0krzRCHw9oa1KNvn4sBHoD/puuNNsFyVRYdvdE4zxNXGH8t/+rDCF:VrzwQ6akR4YIxNrRYdv6qxNXXEqF

    Score
    3/10
    • Target

      c3dd2e3cf0ebeec7a6c280e187a044a32b54b369a78aaaa89c600a0767b49704.exe

    • Size

      56KB

    • MD5

      c386730bdddbb25dc6eeda9702c1effe

    • SHA1

      2caa8dbd49b3bc07b4e2d6a4f30ae8c1ab3e07f7

    • SHA256

      c3dd2e3cf0ebeec7a6c280e187a044a32b54b369a78aaaa89c600a0767b49704

    • SHA512

      e3fd8e8ed88b4eb8453e46407fa467d022c866f399a472f29951793008363f47fae7c9fb0a34bc79582fac3eb4a3e7c10a4509a4bbcc69f42f7c992f9d205957

    • SSDEEP

      768:G/RZ9izj7h7723SVtXlD0NZewuqE7oOGX5/XtMpCrXZZW4wFxsqdxRp+rwFv:E9UV723SVQNZeP7oOGFtMpjsqDRlN

    Score
    3/10
    • Target

      c71c26bf894feb5dbedb2cf2477258f3edf3133a3c22c68ab378ba65ecf251d3_.exe

    • Size

      2.4MB

    • MD5

      3a37931a0c7f2c8ec5c38b04380c69e1

    • SHA1

      61ac0d9783a744dfc02f4b6dd880c82e24a274b0

    • SHA256

      c71c26bf894feb5dbedb2cf2477258f3edf3133a3c22c68ab378ba65ecf251d3

    • SHA512

      9be09704ae50a657793ddee577e69967483858aa42c92eb3403c79a195c2d11a6f84f274cb6c5e8e357b9e8627ae347d9a11a39d1549a15690765dcf1f3579da

    • SSDEEP

      49152:Ga8FL30rOQwir2OUXnfgwHrTi4UtqaAR1hbpTye21OR+jFlpuEKD:GaSL3KvSRnfX6qa61FdaOR6lpm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      c8462829871b7bdb005f4dd881d253aa255a1b2f6f3d89edb1d609b51f5d04fd.exe

    • Size

      1.5MB

    • MD5

      00e3b69b18bfad7980c1621256ee10fa

    • SHA1

      b6cf6789c3b19ca82d12655274df7f9c302da794

    • SHA256

      c8462829871b7bdb005f4dd881d253aa255a1b2f6f3d89edb1d609b51f5d04fd

    • SHA512

      30cab0ba2a1e7a8d8c2da100c1eb7e06cb36012a7f67cceee1c3388d718c29d7a3f5543a3c41e7d07aaadde14bee873f4c9b29301460d7f473e2549830576ff9

    • SSDEEP

      24576:8B8LCHrjTWTHTkRDene4Xgez7d7A8AA6os3xyloB183SlrwCLk:y8OHz8zkRDeeigcfBDo0ocCLk

    Score
    5/10
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

upx
Score
6/10

behavioral1

credential_accessdiscoverypersistenceprivilege_escalationransomwarestealerupx
Score
10/10

behavioral2

discoveryevasionpersistenceupx
Score
8/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

defense_evasiondiscoveryevasionexecutionimpactpersistenceransomwaretrojan
Score
9/10

behavioral6

discoveryevasionpersistencetrojanupx
Score
10/10

behavioral7

discoverypersistence
Score
7/10

behavioral8

defense_evasiondiscovery
Score
8/10

behavioral9

ponycredential_accessdiscoveryratspywarestealer
Score
10/10

behavioral10

discovery
Score
6/10

behavioral11

hydracryptdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer
Score
10/10

behavioral12

discovery
Score
3/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

discoveryupx
Score
5/10

behavioral16

xoristdiscoverypersistenceransomwarespywarestealerupx
Score
10/10

behavioral17

Score
1/10

behavioral18

discoverypersistencespywarestealer
Score
7/10

behavioral19

Score
1/10

behavioral20

discoverypersistence
Score
10/10

behavioral21

discovery
Score
3/10

behavioral22

credential_accessdiscoverypersistenceransomwarespywarestealer
Score
9/10

behavioral23

discoveryspywarestealer
Score
8/10

behavioral24

discovery
Score
3/10

behavioral25

discovery
Score
3/10

behavioral26

discovery
Score
5/10

behavioral27

discovery
Score
3/10

behavioral28

Score
3/10

behavioral29

discovery
Score
3/10

behavioral30

discovery
Score
3/10

behavioral31

discoverypersistence
Score
7/10

behavioral32

discovery
Score
5/10