General

  • Target

    Batch_3.zip

  • Size

    8.3MB

  • Sample

    241122-c3zrraspfs

  • MD5

    41c0c04ff68dd76a7c376f209e4b1413

  • SHA1

    c462551de41e5277ec3ad8f911c37f92312999f8

  • SHA256

    7e7c00740baa58af22ef6f825d86344732464a4e325b5eb6f93f33898de079fa

  • SHA512

    d30f8278362b5c4ecc010c50050d4e33d16a5abb62f98cae7edd6223e10a8b285185a177c60e8035d0d95321a59caa669cc62f7bdb97fb93d50c6e8a176a045f

  • SSDEEP

    196608:YWTkVZgeNSKZWAyuUlOkZPk21Dwi8M/6p/JsMjKl8JVCXHXjPxZlLMTcOBZe:bofgegKZ1mlVxbJwbiaKKVC3X9l

Malware Config

Extracted

Path

C:\Windows\ReadMe.txt

Ransom Note
jaff decryptor system Files are encrypted! To decrypt flies you need to obtain the private key. The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en After instalation,run the Tor Browser and enter address: http://rktazuzi7hbln7sy.onion/ Follow the instruction on the web-site. Your decrypt ID: 1498806328
URLs

http://rktazuzi7hbln7sy.onion/

Extracted

Path

C:\Windows\ReadMe.html

Ransom Note
<html> <head> <meta content="text/html; charset=UTF-8" http-equiv="content-type"> <title>jaff decryptor system</title> </head> <body style="background-color: rgb(102, 204, 204); color: rgb(0, 0, 0);" alink="#ee0000" link="#0000ee" vlink="#551a8b"> <div style="position: absolute; top:0; text-align:center; width:100%" > <h1 style="font-family: System; color: rgb(102, 102, 102);"><big>jaff decryptor system</big></h1> </div> <style> .center { width: 1000px; padding: 10px; margin: auto; background: #fc0; } </style> <div style="position: absolute; top:15%; left: 30%;" > <p style="border: 3px solid rgb(255, 255, 10); padding: 10px; background-color: rgb(223, 213, 209); text-align: left;"><big><big>Files are encrypted!</big></big><br> <br> <big><big>To decrypt flies you need to obtain the private key.<br> The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet<br> <br> </big></big>&#10102;<big><big> You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en<br> <br> </big></big>&#10103;<big><big> After instalation, run the Tor Browser and enter address: http://rktazuzi7hbln7sy.onion/<br> <br> Follow the instruction on the web-site.</big></big><br> </p> <br> <br> <center><h1><big>Your decrypt ID: 1498806328</big></h1></center> </div> </div> </body> </html>
URLs

http://rktazuzi7hbln7sy.onion/

Extracted

Path

C:\Users\Admin\Favorites\Microsoft Websites\_DECRYPT_INFO_elzyw.html

Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'> <!-- saved from url=(0014)about:internet --> <html xmlns='http://www.w3.org/1999/xhtml'> <head> <meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1' /> <title>elzyw decrypt</title> <style type='text/css'> <!-- html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px; background-color: #bfbfbf; height: 100%;} a {color:426BBD; font-family:Tahoma, Verdana, Arial, Helvetica; font-size:12px;} td { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #f0f0f0; font-size: 14px; } .style1 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #d7001e; font-size: 48px; } .style3 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #f5e700; font-size: 60px; } .style4 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #28caf9; font-size: 14px; } .style5 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #f5e700; font-size: 14px; } .style6 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #d7001e; font-size: 14px; } .style7 { width:685px; height:120px; background-color:#393838; border:1px solid #565656; font-family: Courier New; font-weight: bold; color: #f0f0f0; font-size: 13px; } } --> </style> <script type='text/javascript'> function init() { var xtime; document.getElementById('fe_text').innerHTML = '00:00:00'; xtime = Math.floor(1732243871+(12*60*60) - (Date.now()/1000)); window.setTimeout('update_timestamp('+xtime+')',1000); } function component(x, y, z) { var res if (z == 1) res = Math.floor(x / y); else res = Math.floor(x / y) % z; if (res < 10) res = '0'+res; return res; } function update_timestamp(tstamp) { if (tstamp < 1) { document.getElementById('fe_text').innerHTML = '00:00:00'; } else { var hours = component(tstamp, 
60*60, 1), minutes = component(tstamp, 60, 60), seconds = component(tstamp, 1, 60); document.getElementById('fe_text').innerHTML = hours+':'+minutes+':'+seconds; tstamp-=1; window.setTimeout('update_timestamp('+tstamp+')',1000); } } </script> </head> <body onload='init();'> <div align='center'> <table width='700' height='100%' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'> <tr> <td width='225' align='left'><img src='file:///C:/Users/Admin/AppData/Local/Temp/elzyw.gif' width='225' height='221' /></td> <td width='415' valign='top'><div align='center' class='style1'>WARNING!<br /> </div><div align='center'>Your personal files are encrypted.<br /> <br /> <br /> </div> <div align='center' class='style3' id='fe_text'></div></p></td> </tr> <tr> <td colspan='2' align='center'><table width='97%' border='0' cellpadding='0' cellspacing='0'> <tr> <td colspan='2' align='left'> <br /> Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.<br /> <br /> </td> </tr> <tr> <td width='7%' nowrap='nowrap' align='left'>Open&nbsp;</td> <td width='93%' align='left'><a href='http://bs7aygotd2rnjl4o.onion.link' class='style4'>http://bs7aygotd2rnjl4o.onion.link</a> or</td> </tr> <tr> <td width='7%'></td> <td width='93%' align='left'><a href='http://bs7aygotd2rnjl4o.torstorm.org' class='style4'>http://bs7aygotd2rnjl4o.torstorm.org</a> or</td> </tr> <tr> <td width='7%'></td> <td width='93%' align='left'><a href='http://bs7aygotd2rnjl4o.tor2web.org' class='style4'>http://bs7aygotd2rnjl4o.tor2web.org</a></td> </tr> <tr> <td colspan='2' align='left'>in your browser. 
They are public gates to the secret server.<br /> <br /> <span class='style5'>If you have problems with gates, use direct connection:</span><br /> 1) Download TOR Browser from <a href='http://torproject.org' class='style4'>http://torproject.org</a><br /> 2) In the Tor Browser open the <span class='style6'>http://bs7aygotd2rnjl4o.onion</span><br /> (Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).<br /> <br /> <span class='style5'>Write in the following public key in the input from on server:<br /><br /></span> <div align='center'><textarea class='style7'> K1MTJ-7URB7-H5NKS-DXT7G-V4EBP-48CED-8TWS7-W0XNR-0Y3WS-CEKKP-TZAWR-JKGHY-16R1R-DVVP3 HEQV8-WPTKP-KNW7K-PPHQ7-K6Y0Z-6NH7F-BSK12-X3Z6B-T3HQM-0CQD5-BUJ0Z-SFM5H-HYWNW-C13GD GESWM-SN520-VBRX7-ZQ0FZ-BHSRR-7RB6H-MUA06-3D7G5-50Q7V-880DX-452DX-704Y3-GF18F-QTH6Y RYBDB-V18Y8-TARDR-RMZ6P-TN3XB-5FYDZ-KRFT8-0S47N-WYDFN-MNAW3-15RD1-87XB8-X40D6-SS22T 6X0Y0-3V4DD-EWUDB-SNZYM-CMQUW-UWFVW-Y8G21-HTSF7-QY0U6-SQ7UJ-FGAV5-BBSJF-Y182U-2RRAP PYJVG-NV4SK-H3DXE-8W6R6-WXCVS-01FK6-WMPX7-32E5T-PMMDQ-YUBP3-QDSGT-8DSUG </textarea> <br /> </div> <br /> <br /> <br /> </div> </td> </tr> </table></td> </tr> </table> </div> </body> </html>

Extracted

Path

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\_DECRYPT_INFO_elzyw.html

Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'> <!-- saved from url=(0014)about:internet --> <html xmlns='http://www.w3.org/1999/xhtml'> <head> <meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1' /> <title>elzyw decrypt</title> <style type='text/css'> <!-- html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px; background-color: #bfbfbf; height: 100%;} a {color:426BBD; font-family:Tahoma, Verdana, Arial, Helvetica; font-size:12px;} td { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #f0f0f0; font-size: 14px; } .style1 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #d7001e; font-size: 48px; } .style3 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #f5e700; font-size: 60px; } .style4 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #28caf9; font-size: 14px; } .style5 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #f5e700; font-size: 14px; } .style6 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #d7001e; font-size: 14px; } .style7 { width:685px; height:120px; background-color:#393838; border:1px solid #565656; font-family: Courier New; font-weight: bold; color: #f0f0f0; font-size: 13px; } } --> </style> <script type='text/javascript'> function init() { var xtime; document.getElementById('fe_text').innerHTML = '00:00:00'; xtime = Math.floor(1732243873+(12*60*60) - (Date.now()/1000)); window.setTimeout('update_timestamp('+xtime+')',1000); } function component(x, y, z) { var res if (z == 1) res = Math.floor(x / y); else res = Math.floor(x / y) % z; if (res < 10) res = '0'+res; return res; } function update_timestamp(tstamp) { if (tstamp < 1) { document.getElementById('fe_text').innerHTML = '00:00:00'; } else { var hours = component(tstamp, 
60*60, 1), minutes = component(tstamp, 60, 60), seconds = component(tstamp, 1, 60); document.getElementById('fe_text').innerHTML = hours+':'+minutes+':'+seconds; tstamp-=1; window.setTimeout('update_timestamp('+tstamp+')',1000); } } </script> </head> <body onload='init();'> <div align='center'> <table width='700' height='100%' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'> <tr> <td width='225' align='left'><img src='file:///C:/Users/Admin/AppData/Local/Temp/elzyw.gif' width='225' height='221' /></td> <td width='415' valign='top'><div align='center' class='style1'>WARNING!<br /> </div><div align='center'>Your personal files are encrypted.<br /> <br /> <br /> </div> <div align='center' class='style3' id='fe_text'></div></p></td> </tr> <tr> <td colspan='2' align='center'><table width='97%' border='0' cellpadding='0' cellspacing='0'> <tr> <td colspan='2' align='left'> <br /> Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.<br /> <br /> </td> </tr> <tr> <td width='7%' nowrap='nowrap' align='left'>Open&nbsp;</td> <td width='93%' align='left'><a href='http://bs7aygotd2rnjl4o.onion.link' class='style4'>http://bs7aygotd2rnjl4o.onion.link</a> or</td> </tr> <tr> <td width='7%'></td> <td width='93%' align='left'><a href='http://bs7aygotd2rnjl4o.torstorm.org' class='style4'>http://bs7aygotd2rnjl4o.torstorm.org</a> or</td> </tr> <tr> <td width='7%'></td> <td width='93%' align='left'><a href='http://bs7aygotd2rnjl4o.tor2web.org' class='style4'>http://bs7aygotd2rnjl4o.tor2web.org</a></td> </tr> <tr> <td colspan='2' align='left'>in your browser. 
They are public gates to the secret server.<br /> <br /> <span class='style5'>If you have problems with gates, use direct connection:</span><br /> 1) Download TOR Browser from <a href='http://torproject.org' class='style4'>http://torproject.org</a><br /> 2) In the Tor Browser open the <span class='style6'>http://bs7aygotd2rnjl4o.onion</span><br /> (Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).<br /> <br /> <span class='style5'>Write in the following public key in the input from on server:<br /><br /></span> <div align='center'><textarea class='style7'> K1MTJ-7URB7-H5NKS-DXT7G-V4EBP-48CED-8TWS7-W0XNR-0Y3WS-CEKKP-TZAWR-JKGHY-16R1R-DVVP3 HEQV8-WPTKP-KNW7K-PPHQ7-K6Y0Z-6NH7F-BSK12-X3Z6B-T3HQM-0CQD5-BUJ0Z-SFM5H-HYWNW-C13GD GESWM-SN520-VBRX7-ZQ0FZ-BHSRR-7RB6H-MUA06-3D7G5-50Q7V-880DX-452DX-704Y3-GF18F-QTH6Y RYBDB-V18Y8-TARDR-RMZ6P-TN3XB-5FYDZ-KRFT8-0S47N-WYDFN-MNAW3-15RD1-87XB8-X40D6-SS22T 6X0Y0-3V4DD-EWUDB-SNZYM-CMQUW-UWFVW-Y8G21-HTSF7-QY0U6-SQ7UJ-FGAV5-BBSJF-Y182U-2RRAP PYJVG-NV4SK-H3DXE-8W6R6-WXCVS-01FK6-WMPX7-32E5T-PMMDQ-YUBP3-QDSGT-8DSUG </textarea> <br /> </div> <br /> <br /> <br /> </div> </td> </tr> </table></td> </tr> </table> </div> </body> </html>

Extracted

Path

C:\Users\Admin\Desktop\backup_elzyw\_DECRYPT_INFO_elzyw.html

Ransom Note
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'> <!-- saved from url=(0014)about:internet --> <html xmlns='http://www.w3.org/1999/xhtml'> <head> <meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1' /> <title>elzyw decrypt</title> <style type='text/css'> <!-- html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px; background-color: #bfbfbf; height: 100%;} a {color:426BBD; font-family:Tahoma, Verdana, Arial, Helvetica; font-size:12px;} td { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #f0f0f0; font-size: 14px; } .style1 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #d7001e; font-size: 48px; } .style3 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #f5e700; font-size: 60px; } .style4 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #28caf9; font-size: 14px; } .style5 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #f5e700; font-size: 14px; } .style6 { font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; color: #d7001e; font-size: 14px; } .style7 { width:685px; height:120px; background-color:#393838; border:1px solid #565656; font-family: Courier New; font-weight: bold; color: #f0f0f0; font-size: 13px; } } --> </style> <script type='text/javascript'> function init() { var xtime; document.getElementById('fe_text').innerHTML = '00:00:00'; xtime = Math.floor(1732243867+(12*60*60) - (Date.now()/1000)); window.setTimeout('update_timestamp('+xtime+')',1000); } function component(x, y, z) { var res if (z == 1) res = Math.floor(x / y); else res = Math.floor(x / y) % z; if (res < 10) res = '0'+res; return res; } function update_timestamp(tstamp) { if (tstamp < 1) { document.getElementById('fe_text').innerHTML = '00:00:00'; } else { var hours = component(tstamp, 
60*60, 1), minutes = component(tstamp, 60, 60), seconds = component(tstamp, 1, 60); document.getElementById('fe_text').innerHTML = hours+':'+minutes+':'+seconds; tstamp-=1; window.setTimeout('update_timestamp('+tstamp+')',1000); } } </script> </head> <body onload='init();'> <div align='center'> <table width='700' height='100%' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'> <tr> <td width='225' align='left'><img src='file:///C:/Users/Admin/AppData/Local/Temp/elzyw.gif' width='225' height='221' /></td> <td width='415' valign='top'><div align='center' class='style1'>WARNING!<br /> </div><div align='center'>Your personal files are encrypted.<br /> <br /> <br /> </div> <div align='center' class='style3' id='fe_text'></div></p></td> </tr> <tr> <td colspan='2' align='center'><table width='97%' border='0' cellpadding='0' cellspacing='0'> <tr> <td colspan='2' align='left'> <br /> Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.<br /> <br /> </td> </tr> <tr> <td width='7%' nowrap='nowrap' align='left'>Open&nbsp;</td> <td width='93%' align='left'><a href='http://bs7aygotd2rnjl4o.onion.link' class='style4'>http://bs7aygotd2rnjl4o.onion.link</a> or</td> </tr> <tr> <td width='7%'></td> <td width='93%' align='left'><a href='http://bs7aygotd2rnjl4o.torstorm.org' class='style4'>http://bs7aygotd2rnjl4o.torstorm.org</a> or</td> </tr> <tr> <td width='7%'></td> <td width='93%' align='left'><a href='http://bs7aygotd2rnjl4o.tor2web.org' class='style4'>http://bs7aygotd2rnjl4o.tor2web.org</a></td> </tr> <tr> <td colspan='2' align='left'>in your browser. 
They are public gates to the secret server.<br /> <br /> <span class='style5'>If you have problems with gates, use direct connection:</span><br /> 1) Download TOR Browser from <a href='http://torproject.org' class='style4'>http://torproject.org</a><br /> 2) In the Tor Browser open the <span class='style6'>http://bs7aygotd2rnjl4o.onion</span><br /> (Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).<br /> <br /> <span class='style5'>Write in the following public key in the input from on server:<br /><br /></span> <div align='center'><textarea class='style7'> K1MTJ-7URB7-H5NKS-DXT7G-V4EBP-48CED-8TWS7-W0XNR-0Y3WS-CEKKP-TZAWR-JKGHY-16R1R-DVVP3 HEQV8-WPTKP-KNW7K-PPHQ7-K6Y0Z-6NH7F-BSK12-X3Z6B-T3HQM-0CQD5-BUJ0Z-SFM5H-HYWNW-C13GD GESWM-SN520-VBRX7-ZQ0FZ-BHSRR-7RB6H-MUA06-3D7G5-50Q7V-880DX-452DX-704Y3-GF18F-QTH6Y RYBDB-V18Y8-TARDR-RMZ6P-TN3XB-5FYDZ-KRFT8-0S47N-WYDFN-MNAW3-15RD1-87XB8-X40D6-SS22T 6X0Y0-3V4DD-EWUDB-SNZYM-CMQUW-UWFVW-Y8G21-HTSF7-QY0U6-SQ7UJ-FGAV5-BBSJF-Y182U-2RRAP PYJVG-NV4SK-H3DXE-8W6R6-WXCVS-01FK6-WMPX7-32E5T-PMMDQ-YUBP3-QDSGT-8DSUG </textarea> <br /> </div> <br /> <br /> <br /> </div> </td> </tr> </table></td> </tr> </table> </div> </body> </html>

Extracted

Family

metasploit

Version

windows/single_exec

Targets

    • Target

      516874.exe

    • Size

      1.2MB

    • MD5

      9a60890fc062d10d826c31d049706ab7

    • SHA1

      3ae8d97461fb08c4327431c0589322e3cbb1e3de

    • SHA256

      c89944f9ec704c2b8da3a1acf726699022e7c68334110f72007d762217a9a4a5

    • SHA512

      03de8351ab6ab1e46c4f1792f4caeeaaee4b8a18b407839c1697890032aa813cae9174e1a27cb582ef5286be0b47d23966a71e0b740feb6b1814137b779fcdcc

    • SSDEEP

      24576:DDSANUv0/NUvKLpkr2dY/aBcjJOBHOBIQBajMtWvoJiLE1+XgRKz89G/4ZSb0FuH:T80/8KLpkr2dY/aBcjJOBHOBIQBajMtA

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      5479329c03e12e27adc81caeefe1a1dc26bf59d4dac36dd2eae008213e8fe0a2.exe

    • Size

      152KB

    • MD5

      7469c1ee0827a289fa775f4a5656e5f9

    • SHA1

      0392ccbd6b894cbc10e325801ddd1220b22bff13

    • SHA256

      5479329c03e12e27adc81caeefe1a1dc26bf59d4dac36dd2eae008213e8fe0a2

    • SHA512

      24723a6de103c8d1a97bb70bc46fd3e1b34127337d25b655586e8763d4ca03b93267851cefeed0daff9b05d579b68f517f10c346cff1e4559b4ef2cf6c12be85

    • SSDEEP

      3072:7IynAd9u9GuIPmsy/FMd/rUCvb87SwoYQp:7IKgUGuGmXivbsKY

    • Modifies visibility of hidden/system files in Explorer

    • UAC bypass

    • Adds policy Run key to start application

    • Disables taskbar notifications via registry modification

    • Deletes itself

    • Blocklisted process makes network request

    • Suspicious use of SetThreadContext

    • Target

      54ab323053f1138e5ccaa8f8afaa38cabca9491f.exe

    • Size

      10KB

    • MD5

      b14c45c1792038fd69b5c75e604242a3

    • SHA1

      54ab323053f1138e5ccaa8f8afaa38cabca9491f

    • SHA256

      e9ffda70e3ab71ee9d165abec8f2c7c52a139b71666f209d2eaf0c704569d3b1

    • SHA512

      fdf64a9f2be75b66af69a1ddf2c5e6fa4580587190edd0da3d0243326fc73ebabf0357b903c640458ae627789b68a5a480d7108e80d4f1eb202be386fba0f044

    • SSDEEP

      192:EI9ImrPAYflNL3/MnXjGpst8uVA/rMXznNdXk:dDUgXojRVATuk

    • Renames multiple (900) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops file in Drivers directory

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      5600.exe

    • Size

      424KB

    • MD5

      b2e807bb5140744cd64174c2b811237e

    • SHA1

      949fca8bab5c656fa950dd65cb896ecfdde68776

    • SHA256

      9f617bee97b9c676dd5ed928093f64e020c6e93ea60b0f641fc3127a7a325ced

    • SHA512

      a85c5809af9371f11426f67c463ff80e11ef0e307271716fccff5d57afe6f74261a453b2ee96f5b3526c54a2be02166fd29dfcd0160c9039b7b9e85cbcb66f5c

    • SSDEEP

      6144:CEaPKs6jJIrlbAC+RUPI/PsI/Pr1HPsIpP:CEaPKs6jJIrlEC2SXUE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      56a9736b82bc9f65ddad590d1edfd9df26b5d97ecfeb48787f6ccc00ce26597a.exe

    • Size

      4.0MB

    • MD5

      83be4f97ca8793343140a9d107ad35b3

    • SHA1

      6303977a4bed77b4157daa1f9ca32967d282f639

    • SHA256

      56a9736b82bc9f65ddad590d1edfd9df26b5d97ecfeb48787f6ccc00ce26597a

    • SHA512

      0b1167252debdaf493d5ef9464ea056e57a3243feef1e6f50cdae1dea5f6e24ab2bb406a245a85b98f3381851d1132c01f1b807f6a37e764f138675bac034fca

    • SSDEEP

      98304:UKlAOiZrq1DfPH9sDJVur+B9a+DI47j7wnG2OLEyFvs:UMAO79sDJVur+BjfU7O0

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Metasploit family

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      59ddf36a9e85f4cf82a6511b49cfcdd9e4521b17f7e245f005e18418176ff4aa_PonyNews.exe

    • Size

      352KB

    • MD5

      971c578c9dea43f91bfb44ceac0ee01d

    • SHA1

      0487c3856c5e44d3a5c2dcee29c63cb644a4fc52

    • SHA256

      59ddf36a9e85f4cf82a6511b49cfcdd9e4521b17f7e245f005e18418176ff4aa

    • SHA512

      38c441e1bb58eee4526e910484369d49d47597d4f1a353cce9a678d9825b3253aeccd3269cf647c7344560461eca9cc1be86787f6147048dc8fc902b5ff05d7a

    • SSDEEP

      6144:nrZ3ZOL1bZ+u+GUrk0ips8eplQOAaHBQIVw79J8/aPbkkxTu651:lwLb+urZ5SOOAaGZFgkxCA

    • Pony family

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      5C53687F7327933R.js.ViR.js

    • Size

      54KB

    • MD5

      03fb80faa9c20bc8f0cb3a0e59d97036

    • SHA1

      d0549ab344468a51ddfbcfe719ad08d1a4312dbd

    • SHA256

      e66bde4b0614172aa057716d10cf73f180bcb616a4002df8a4aeceeeb282ad9b

    • SHA512

      44e0445ba9c1173c5eb98cabca2903df5829c35f952856102334b3427965fc185bb83833ab480ed5f90d00884da0398611f8019625b6dbb8befb741c13eb714c

    • SSDEEP

      1536:Bi2lvT13zyadIF4jIF4MyFGEIFBIF2XIF41IFzIFAlIFojW:M2lvT13+adIF4jIF4My8EIFBIF2XIFGt

    Score
    3/10
    • Target

      5bfae47c9fda81243b50b6df53ac4184d90a70000894fa2a516044fa44770cfd_Stealer_2.dll

    • Size

      993KB

    • MD5

      b824d94af0f981106ec2a12d0c4cc1c0

    • SHA1

      b4e17ebe8b07727e7ce6ae8580b97d1129e7c6ce

    • SHA256

      5bfae47c9fda81243b50b6df53ac4184d90a70000894fa2a516044fa44770cfd

    • SHA512

      4dd79f51be35a55f64f1658651f2ab52d824f6d87b82082a5d24f129988b1d9635778ffa5a5bc21688f8a74991d7fd68d7b54faddc4ad2d2bf20a2a027e1995a

    • SSDEEP

      24576:GAwOEE2PTlSPNT9SCD7jEnkEd5JyHNSys4Q:sTlSlH7Mtd5JyHNSj4Q

    Score
    1/10
    • Target

      5c6416f819bfbca2f1862691a03f68be.exe

    • Size

      414KB

    • MD5

      5c6416f819bfbca2f1862691a03f68be

    • SHA1

      b26cb187e3ea74fbb76bbea4096aa9315ac4e405

    • SHA256

      b5c2e240ebc4323421fea99a02507a79ea9fba5b29ee9b6cc3e808d288de8c02

    • SHA512

      9288510c7541aace8bd669f2ed8e186760a1d224874234a1d797fd7f64462313308828785e43edd010d332f589f8ba93124fe55879638655d18673d56c0d0b26

    • SSDEEP

      12288:IOkIEyW/jLPWXR8Kwxs/bJYorMvQGuArOQb1K1Gc4nS:AyWPWq/xAxMbrOQJ9c4n

    Score
    1/10
    • Target

      5f1fcdfb951dc4642ce136a5d3e6bc42021f8e0cd631975a5eb3842da020531c.exe

    • Size

      160KB

    • MD5

      f3d9b2cb51e81d12ff3d5faaca231041

    • SHA1

      ca7cf9e472f34973216781c3a1e269c510af0300

    • SHA256

      5f1fcdfb951dc4642ce136a5d3e6bc42021f8e0cd631975a5eb3842da020531c

    • SHA512

      e723241f1bb0db93712fcd298bb7506f414e78dfea8b3360f3db80456ead79e16b0a99a9c101efb891c41482800f4a6752aacb19942eef3143dc536ea78cd856

    • SSDEEP

      3072:ho+Z3+yf/xg77QtPrn4FAsm+Ro5nLAdGkk3JIFBKuHIGQ5Nxb+b5knn:2o+yf+Kn4FAsm4MMd3kkKuHINLZ+9

    • Renames multiple (4057) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops file in Drivers directory

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      5fc92308120aa10dc1062c4c319559ed0b1308befe117d5cafa283e245bea1e9.exe

    • Size

      220KB

    • MD5

      941fb1cd3fdab89abc35f0a21abd2f45

    • SHA1

      349c15855c91c341db0bc01cc328a17a3554cbc4

    • SHA256

      5fc92308120aa10dc1062c4c319559ed0b1308befe117d5cafa283e245bea1e9

    • SHA512

      14cf15e0f84f821adfd4dfe3037421291f296e9613db3f77405053e2b4a9a2e18625c2425a56af02bb479ff8e5c6b2eb45808d0054b5dbefd3d9cba213c0ade5

    • SSDEEP

      3072:sTVZEA0R5UeyVSzeIw6upojbcbf0L1siwNGRRH9fZvl2hZm6nE:sxWA0EeKvpdbf0L1si9H9fZvj6E

    • Target

      61318fa1f1db342045573d584badc254c9e2578db916594dc749d8cc44ce8ac4_Dumped_TDS=4F8C315F.exe

    • Size

      116KB

    • MD5

      50e3871f540b228941b8ef76ef0d543e

    • SHA1

      ba51fc4ecff55d7c504db666d970490118153afc

    • SHA256

      160e7c9806857f1dfae4191a338c4e9341f1f589b6ed72f4cf6e10db483e3af6

    • SHA512

      16acd834a04b43eed8954d74a884032ae73439ffaefaf51f043fa19a7af7a71cdcf19a752d67194f6b15df1272947bd5522895a266e971a3e241d34aea79bf7f

    • SSDEEP

      1536:df/SovFSSZtDgN+DpDkDEFtCw0YF8965L+vpCYC:J/zv0SZtDgN+Dp+Er0YF896WpTC

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Target

      61318fa1f1db342045573d584badc254c9e2578db916594dc749d8cc44ce8ac4_TDS=4F91F15B.exe

    • Size

      76KB

    • MD5

      eac5147a7febdf744c06e452dbd67cc1

    • SHA1

      78be5cd993dd3d67eb9229979bf033c576cf009b

    • SHA256

      61318fa1f1db342045573d584badc254c9e2578db916594dc749d8cc44ce8ac4

    • SHA512

      75d4a3ecc209f4b2cf021758b3566dcf18a056c2f94f62d5dcbe424382d041b3c2a40ae32cd5fe9cd8c8fb45328d0e970d4fde0d43299082a9b011067c289e9d

    • SSDEEP

      1536:+l07ZXrWuQV9yDQ10SAcm3nE+p2cm849X:q05BQXy000AEXhR

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Target

      6184f1def457c10b2ae10a33b8639c89cb0115061c3d424d330342b44d4179aa_not_packed_maybe_useless.exe

    • Size

      90KB

    • MD5

      df655cb975eea5794931898e4748c835

    • SHA1

      36c681a55eb75e565df234933a503caf65a1bf82

    • SHA256

      6184f1def457c10b2ae10a33b8639c89cb0115061c3d424d330342b44d4179aa

    • SHA512

      803dcce02c6607ae4363f8f946fed311bb11f820b15f218b6880024732b5596445c0259785ec7200866c64b83666756651d2a4b68351be6ff7de9885aae35090

    • SSDEEP

      1536:rnUfv0+ZXqm3S+DQNn1Bp/GpL7F6iCFNF8nqZ:rn6v0+ZX5S+DQ11Bx67F4NF8nq

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Target

      61bc10e8ede3997da73b3de9fa57b059e352b592404fb9c171469c4026fdc03e.exe

    • Size

      188KB

    • MD5

      ec3a2b5b80e39d553841a77508fa2aa8

    • SHA1

      ae28b9cfb3c2c6f2745fa62b43f79304387ac8f9

    • SHA256

      61bc10e8ede3997da73b3de9fa57b059e352b592404fb9c171469c4026fdc03e

    • SHA512

      24ae65b0b6534659a868aaa76ce4e2380d5e96be0b173276d1a64e86057c18073f5ddbed50160b2b6168b5bdda9f376bef4e39e33d11c8144ded7b60f6d14822

    • SSDEEP

      3072:Vhv5UWpHLLgPyB6W5C6qZT0+SqxMLdSeaUMW6UMI5JSxyl:VZ2W9iy0rp0+Se0wepMyMI5k

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      6217ea6bb87295983c4915a4d97c7e4142effef95d1e815693a72ea3a73b45f5.exe

    • Size

      1.0MB

    • MD5

      d7fffb1934fd8abf88a4e6a4c1d06a7a

    • SHA1

      ee7157c22bd36baab3061be64811011f87bebee9

    • SHA256

      6217ea6bb87295983c4915a4d97c7e4142effef95d1e815693a72ea3a73b45f5

    • SHA512

      1b765bf19b7d9b40445ea76edb352530a4b402055bcdc8237bd2fd5edeadfad324f02b177d7e31ee6a9580600611dd01bd4108239d9f3670dbfe941abbe31457

    • SSDEEP

      24576:+HA+GceO87uF3RymfHkCq4RKCaheQSeWzzXbk9fGexCmPBB:aA5ceV7uTvkQKCaheQSeWvbYeexrBB

    Score
    3/10
    • Target

      62ebcfeeff976f3635e36544b9f6d6282a565ea6a0b4d8319d9831ce68ef26df_Dumped_TDS=4F854EC3.exe

    • Size

      116KB

    • MD5

      d7f138beb0d7af7bf39ba0f84592f937

    • SHA1

      d15de95d5536560d3edad6cc68bd8720b9d8d345

    • SHA256

      d95312a777a941af73fe9c14821664423bd83893f75775ce49789a09dd1942af

    • SHA512

      3eff0fd7e21d219679d6b0112a8ee458ecbcd5b1f9a6877246eddd16ddf5353d7a13eb8455a30ba4a590c4c64b10d9ee8b14bc28f8684fd7a8769eed649c6e6c

    • SSDEEP

      1536:ofviwv96S5tDAN+8ZDkDEFtCwPxF89b5L+vhCYC:Ov7vES5tDAN+8Z+ErPxF89bWhTC

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Target: 62ebcfeeff976f3635e36544b9f6d6282a565ea6a0b4d8319d9831ce68ef26df_TDS=4F8644BB.exe
    • Size: 72KB
    • MD5: 2fbd1175ed3ced1094306b17d29a3dc1
    • SHA1: 8a113b8f8c4028d0284083bfc08aeee457a07851
    • SHA256: 62ebcfeeff976f3635e36544b9f6d6282a565ea6a0b4d8319d9831ce68ef26df
    • SHA512: a3b8cb9d97c47155c86d8dcc0ec3beb43092f3a8388eeb51a01b9df2ac096f46c542e971d473a23f4ad1c12e746459797e375b614a3e327d100f2e2aef82f4bd
    • SSDEEP: 1536:WBEkfVi/vqW6kJz2iyA7h8ep661/fwiJvyWyjAaH:WciIVyA7WW66xf94WAAM

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target: 647f242.exe.vir.exe
    • Size: 209KB
    • MD5: d43abef5a62b46a660a5128330070479
    • SHA1: 9d60f58fe742dfc93363bd79eff64c337fc5cb23
    • SHA256: 0099510027ecf682b76db6a885c9fa8c2270f6c8e6efded2f52c8860714d0e26
    • SHA512: 5d169c68e0c76b299bd38350c223f43b2f90afd6a7a36d71520954b1cab08a1324aa13aa33be8631c68b7954a2fef484595e4f0867655f371cf379803d22bc82
    • SSDEEP: 3072:fRr1LYTa7G7NojiKJQ7mVzRRG7ul56WeTQtOK9Fgy++Q9utAfXIHH5h:fRhYTay+72cLn8YOK4++ut0If

    • Target: 64bfea1efccb47a049ba2cb592878e5c415cc70f9488dd97291c1356e3d79299.exe
    • Size: 561KB
    • MD5: 81d39888c40bd377f1d84089e02c6c4f
    • SHA1: b1eeb812dcbc2b4d871a7e34fa149205df177a22
    • SHA256: 64bfea1efccb47a049ba2cb592878e5c415cc70f9488dd97291c1356e3d79299
    • SHA512: b879c20ee382bdf1c278edfe17241686abeb1b989adf62ca4ee52846febfe7feea51f3b03730aa1feb50f62dc695db3ed1991f27b5d2118f5b02824d883429d7
    • SSDEEP: 6144:wQIFrm2L96ygCkDv9LiUAH7oxytqXoRURYZESxR2GT+5pJBYZ+txYec:wZFiIVnkDv9BvNtSn2GCXKz

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target: 64f540a7c6ded1c751c9a66629fd2aaa6cdd61749f05c8d0760a1aaeb5548935_Dumped_TDS=4F9911B3.exe
    • Size: 116KB
    • MD5: 5a580ab3f5b3806da853459e9ef7b368
    • SHA1: df93c0f0dd694ab49646b539418b67d83eafccb5
    • SHA256: 5f60eed8e27867c843387fe7fece3af688586a40c8d3dd2c27647b23cc200fdc
    • SHA512: 91ecd8f00f4cd6c7d199eb365cb7cfa414bcab41b144fe7a5f43529e560201a81284cdb3a3d18d252e2eb4429a67f2db5718eacc8bf1eeb072958c0a4be20a3b
    • SSDEEP: 1536:tf/YvFSSZtDgN+DrDkDEFtCwbfF89lGL+vpCYC:Z/Yv0SZtDgN+Dr+ErbfF89llpTC

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target: 64f540a7c6ded1c751c9a66629fd2aaa6cdd61749f05c8d0760a1aaeb5548935_TDS=4F9DB277.exe
    • Size: 58KB
    • MD5: 035df8236f31380b650b69a03168ad1a
    • SHA1: 742f605e9ca1d726076431a5af304260bb72ad92
    • SHA256: 64f540a7c6ded1c751c9a66629fd2aaa6cdd61749f05c8d0760a1aaeb5548935
    • SHA512: 5cc268e3e3e21d6333c29fe710b9f91575ab0f9aebc140a4d866a670ef4afa26a9d5ef2108876def371ace28eea5110031354765984d3a86274fadef0ca99a76
    • SSDEEP: 1536:gad6u91qySNlP3qFXHxyK+1F+PNqhdOVNykDnJYHtFtkiyx:gad6G1gj6hxb+FvhwVNTDQtOx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target: 6916a006c429a3b3a76dfa8c162ddab178b5a20763493506deeb9447875d039a.exe
    • Size: 224KB
    • MD5: 27536ce5b9f559b94c8821634640dd30
    • SHA1: 2b3582cf5a7fc058e18b1da3491db589b84c28be
    • SHA256: 6916a006c429a3b3a76dfa8c162ddab178b5a20763493506deeb9447875d039a
    • SHA512: ea26dfa07c9de1ae89a333cc729d753fa758713ba5371d75f3c42a89dabb1c61861d2f9ca88d35cb686848dad4611c8203e0201c347eb674bf74ec3d51215a13
    • SSDEEP: 6144:uJ9y0noQa1cxp/UWD9xgYxY68hX7qowFnwmWV+:n0nuOp8J2Y68hL6D

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target: 69ee6349739643538dd7eb60e92368f209e12a366f00a7b80000ba02307c9bdf.exe
    • Size: 111KB
    • MD5: 063394a08bb3eec2680a30939e906343
    • SHA1: 9abeef3ed793f28a24562c3e5c3104eee99daa1c
    • SHA256: 69ee6349739643538dd7eb60e92368f209e12a366f00a7b80000ba02307c9bdf
    • SHA512: 2fa11d5fbfd4f0e3e40fe1b0ed1717a7cbceeae8970f69ece46a8ed628dbdfefc01ec097c2b387a04d7db6840c4132daa0426e11db9abdbc0dd222218e875edb
    • SSDEEP: 3072:pPpAZR3J5jvx5mRCNbUjfADPbyyvWL9OzpC/fk:p6hTQjfAjGyqOzp7

    Score: 1/10
    • Target: 6f772eb660bc05fc26df86c98ca49abc.exe
    • Size: 138KB
    • MD5: 6f772eb660bc05fc26df86c98ca49abc
    • SHA1: 8da75dd328c195b84f15740a33fc9888af4da2be
    • SHA256: 7b53a00b3a8859755f6144cb2149673fa17fdd6e439cbfdee21a7a513e6395b2
    • SHA512: 3e028cecf08ed4fe0100a7587f04ba4c4cebb023b371cc4e793a7dfb7be64a4d2ef8066fc352ea834c239cb7c5836626673e02fbaa63f4631b71d40c4cc284a1
    • SSDEEP: 1536:USX6DdHTs0Zwboo0z29sHH3ga/7/nvvgDD0jj0ZT8fS4D0rF4p4sxVZ7:36BZwlOn4DdTBDiusxVZ7

    Score: 7/10
    • Deletes itself

    • Executes dropped EXE

    • Target: 70774372517532ae1dcb97a7133983811d5cc7d2975cd58a1f132f2ef100c5e9.exe
    • Size: 1.3MB
    • MD5: 891d04a494362e4da70353a0423b3eda
    • SHA1: 54181b303515428cef4d1419fae37fd334ad8d2f
    • SHA256: 70774372517532ae1dcb97a7133983811d5cc7d2975cd58a1f132f2ef100c5e9
    • SHA512: c47fd20a79a270209588a390fb3653005815d620881f7672dc802d6e6485f575a6422633ef4ef0075ca14737c15f0bf815cf8f27bea9ae6a992a986f20fb57df
    • SSDEEP: 24576:mxcvxpDJzmMxZ/NhjBcB4vWmQe9/34dJ:AMBZ/6Q34n

    Score: 1/10
    • Target: 7175d6bb11dea0932bd4b611d0f7221b62a71dbc54607e97ad397f104bcffa2b.exe
    • Size: 657KB
    • MD5: 50400e6fa866b326f6a67300848ad529
    • SHA1: 663c7c0c21c9e9338bcdfec0676a24fca4d72e6c
    • SHA256: 7175d6bb11dea0932bd4b611d0f7221b62a71dbc54607e97ad397f104bcffa2b
    • SHA512: da41821a918bcd9317fe7e7ab30aa3fc5828b5fc738d82d8fe4a27ea3326b62974acc5df6e8d8b9283db2e49368548d92871c7658388f4a821f45390e70a50c4
    • SSDEEP: 6144:5YaC47y+HbjC3HjeSVa/wLTAvtQ5GjqgnCOFd0dcXloLaAj9PgM1ZxKbrOXJaFS:3C3HjbVbLkFQ2qe0fLVj9IIrK2Za

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target: 728733095fe2c66f91a19ebde412dd25_70186ceb735016eadd98466e62c03635_TheLastReveton.exe
    • Size: 160KB
    • MD5: 728733095fe2c66f91a19ebde412dd25
    • SHA1: fd1ae96536ef9f29f336425b83022d2beab767a2
    • SHA256: dff7c0aac326f210705e4f53cd78a57cb277e80ecec7bdffd6f68db3bdda39c3
    • SHA512: ec992b0eaf04242cd2b21a863c2bf5d0702aa45336625fde0c48a453b7aa32eb9bdbe0bdcce1dafa6d1756214f567aff378931464f97e8191ae290757501b44d
    • SSDEEP: 3072:g/X2RwrY/2VC8+yGdYmmn1P4yJxI4c10V:g/XgwrY+VF+xddmFTxI4

    • Blocklisted process makes network request

    • Server Software Component: Terminal Services DLL

    • Target: 73c3d88d0d9d1c73080bcdda423879ce9eff3aa1f26cc93d120f596091825960_Dumped_TDS=4F8C315F.exe
    • Size: 116KB
    • MD5: 50e3871f540b228941b8ef76ef0d543e
    • SHA1: ba51fc4ecff55d7c504db666d970490118153afc
    • SHA256: 160e7c9806857f1dfae4191a338c4e9341f1f589b6ed72f4cf6e10db483e3af6
    • SHA512: 16acd834a04b43eed8954d74a884032ae73439ffaefaf51f043fa19a7af7a71cdcf19a752d67194f6b15df1272947bd5522895a266e971a3e241d34aea79bf7f
    • SSDEEP: 1536:df/SovFSSZtDgN+DpDkDEFtCw0YF8965L+vpCYC:J/zv0SZtDgN+Dp+Er0YF896WpTC

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target: 73c3d88d0d9d1c73080bcdda423879ce9eff3aa1f26cc93d120f596091825960_TDS=4F8DFBBF.exe
    • Size: 72KB
    • MD5: c8718e623098dcd075971792b2ad6619
    • SHA1: f19bb89439511145dfa3c8dea07cec8fd54e55a5
    • SHA256: 73c3d88d0d9d1c73080bcdda423879ce9eff3aa1f26cc93d120f596091825960
    • SHA512: 621c853f0401943801adc42df553c34a037b86a59cfc95dc8fabc1ccba0aba5f1b5351df7a69361a6a9b9fd701de0dc58609c536321a38f860116e97b4dafb6c
    • SSDEEP: 1536:0rI14DGk52j9yF8b3jNxm26eebgz849X:0+k6937m26e9zhR

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target: 74add6536cdcfb8b77d10a1e7be6b9ef.exe
    • Size: 229KB
    • MD5: 74add6536cdcfb8b77d10a1e7be6b9ef
    • SHA1: b35c295f625ce4203f70106d33ecdfb39be3537b
    • SHA256: f5ab764c439a45ed892a3346f228d36f24d7f2377d4cddc5e82a0566f8521082
    • SHA512: 91c1f048b39bb620e498342a259b8edfdf0655c674870104d5d335d49598aed93b54e1793b80a0b5a3f203c493e07f72601f5174925021c94dee7d9afb78b1d6
    • SSDEEP: 6144:t9Kx9J/srIEV00YdR29lGx/adfteNtUlnNCc2HLN:+R29l2QfFfJ2H

    • Maktub Locker

      Advanced ransomware family capable of offline decryption, generally distributed via .scr email attachments.

    • Maktub family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (140) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target: 757a661bcc68616f99366b10abac92d8.exe
    • Size: 231KB
    • MD5: 757a661bcc68616f99366b10abac92d8
    • SHA1: 9a7173aa6b51643417ce37f8b1238de4dd45b516
    • SHA256: f1ba18a6b67c5e1c659b3cbab2b12abb416dd62087cc9870650c0d8c73047739
    • SHA512: c6d55af7d3fd3740e5b86aadcfaa463b564458f914bb2140bb2f971e632195d2ca84991f1f694c4cfbb1b6d8156b0ce0413e5c8afb874531eb1ad34b37e36843
    • SSDEEP: 6144:4CzaYkhfMMTzhpWuaEU5rXQokUERHxtYXwNg:jtcfMShwuaKoCRHQe

    Score: 7/10
    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks

static1: upx (Score 6/10)

behavioral1: discovery (Score 7/10)

behavioral2: discovery, evasion, persistence, trojan (Score 10/10)

behavioral3: discovery, ransomware, spyware, stealer, upx (Score 9/10)

behavioral4: discovery, persistence (Score 6/10)

behavioral5: metasploit, backdoor, bootkit, discovery, persistence, trojan (Score 10/10)

behavioral6: pony, credential_access, discovery, rat, spyware, stealer (Score 10/10)

behavioral7: execution (Score 3/10)

behavioral8: no tags (Score 1/10)

behavioral9: no tags (Score 1/10)

behavioral10: defense_evasion, discovery, ransomware, spyware, stealer (Score 10/10)

behavioral11: defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, trojan (Score 9/10)

behavioral12: discovery, persistence (Score 7/10)

behavioral13: discovery, persistence (Score 7/10)

behavioral14: discovery, persistence (Score 7/10)

behavioral15: discovery, persistence, spyware, stealer (Score 7/10)

behavioral16: discovery (Score 3/10)

behavioral17: discovery, persistence (Score 7/10)

behavioral18: discovery, persistence (Score 7/10)

behavioral19: defense_evasion, discovery, execution, impact, persistence, ransomware (Score 9/10)

behavioral20: defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, trojan (Score 9/10)

behavioral21: discovery, persistence (Score 7/10)

behavioral22: discovery, persistence (Score 7/10)

behavioral23: discovery, persistence (Score 7/10)

behavioral24: no tags (Score 1/10)

behavioral25: no tags (Score 7/10)

behavioral26: no tags (Score 1/10)

behavioral27: collection, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, trojan (Score 9/10)

behavioral28: discovery, persistence (Score 8/10)

behavioral29: discovery, persistence (Score 7/10)

behavioral30: discovery, persistence (Score 7/10)

behavioral31: maktub, defense_evasion, discovery, execution, impact, ransomware, upx (Score 10/10)

behavioral32: discovery (Score 7/10)