General

  • Target

    Batch_1.zip

  • Size

    13.3MB

  • Sample

    241122-cpgn1sykap

  • MD5

    19090d44d59052a2c0747280fadc7f92

  • SHA1

    25162ddae11d4f21729418d6f5e43c8fd035de68

  • SHA256

    e9b99706a9b48b09974dd18c1af8a0e402ccddcaa0c91edf43fdd838128a7408

  • SHA512

    9168cb1b97bf680b5be065852486b51c38cd134ec2aebe97bc0a6a4b681a226cf83013e012de1e0402e44369fc6c1ed95068f94ab6e21b4dbba91606f95f9800

  • SSDEEP

    393216:17+hcOnO654Z2D2suR0212iUS8EgAoHBM9a6h2BS8uO:EZzuZu5uR0IRnyHBMIvYO

Malware Config

Extracted

Path

C:\FILES.TXT

Ransom Note

Don't panic, read this and contact someone from IT department. Your computer has been infected with a virus known as ransomware. All files including your personal or business documents, backups and projects are encrypted. Encryption is very sophisticated and without paying a ransom you won't get your files back. You could be advised not to pay, but you should anyway get in touch with us. Ransom value for your files is 5000$ to be paid in digital currency called Bitcoin.

If you have questions, write us. If you have doubts, write us. If you want to negotiate, write us. If you want to make sure we can get your files back, write us.

[email protected]
[email protected]
[email protected]

In case we don't respond to an email within one day, download application called BitMessage and reach to us for the fastest response.

BitMessage BM-2cVPKqFb5ZRaMuYdryqxsMNxFMudibvnY6

#########################################################################
To someone from IT department
This is custom developed ransomware, decrypter won't be made by an antivirus company. This one doesn't even have a name. It uses AES-256 for encrypting files, RSA-2048 for storing encrypted AES-256 password and SHA-2 for keeping the encrypted file integrity. It's written in C++ and have passed many quality assurance tests. To prevent this next time use offline backups.
#########################################################################

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.free3v.net
  • Port:
    21
  • Username:
    money8
  • Password:
    12345678

Targets

    • Target

      0.4658229854220858.exe

    • Size

      126KB

    • MD5

      ec9bdf9d0c71f868b65faeaa62140814

    • SHA1

      ea38f99ccda904ce132b50126137820fd7cd301f

    • SHA256

      8c9d81fc8ca2d32585880f03d979eaf1e689767b6cb6e3fafce12c7821685c1b

    • SHA512

      e0f36113f0c053ff308fc5e1bcaaa412067286fc050bf9a199624b8cbd27fea21dc9ae2b2f1b26e5453d66cb2d399d247adf54877fbb47c389bd19be1b47b82c

    • SSDEEP

      3072:Z4JEg+pmSenMnxgK1Lb36X1oDKOBCAMva0stvdm+eIWBJPao1o:aJEoSkKx7DKOBXMvHodmSc7o

    Score
    7/10
    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • Target

      00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe

    • Size

      320KB

    • MD5

      222bdee5eca9fb8fe2a66f9f9c363c73

    • SHA1

      dd361bed6888f6b59db8f579d589ea89598fab23

    • SHA256

      00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a

    • SHA512

      4a8979354b8c4eb32ac4e62ae3f5bf1dc61a2925e6a9c7e27074b301fe3dd8791b594bbc05adad735deb8bdcdf7b9e476969125903acd1c1af2c6d2863ee5010

    • SSDEEP

      6144:skldreTgLp61fV1MQNA0m2MyqmQ6gl+bn0eGWZhHpIE1FUQZCa:HdSTgLp61frpAbyHrD0fWtIGKQd

    • Target

      065988f36f3ab99ff40893c7ad756cfcc3baea1b8b5217f17cdd6e44160df0a0.exe

    • Size

      517KB

    • MD5

      f9da7dcf28c9e06ef9b2d39467c82f70

    • SHA1

      da4b57856503f0a6473aac73a726de0d5c3cb5cd

    • SHA256

      065988f36f3ab99ff40893c7ad756cfcc3baea1b8b5217f17cdd6e44160df0a0

    • SHA512

      711b20ed66071836b69d1aa1dad2230ac3e470e8bf67e09780f97de93699bc6dfe9c6477b412ac92cbc4bc0e49da613e012f2437633d4149dffe19d946aab939

    • SSDEEP

      3072:EhBFivy/l0If89/UZqBNSWadsT4I0iG1BlLjW/2WtCjqTrEOAYSI2SlkHdpVZyn:Oav+0IfYnNoAw/nWuWQqdSBPdpVo

    Score
    3/10
    • Target

      082671641341d89fe49d0da717846035ba6af02edb59840148eddc3586d21557.exe

    • Size

      949KB

    • MD5

      4f6011ff98c257441ed388c607c5c7fe

    • SHA1

      cff8ccf239f9513ee2272c7e710b3d40e4d17ae4

    • SHA256

      3d9af2cb75bf685209ca0cfcc84e7ece27a2007044c2dc4b0ddcbc7fb141ad3e

    • SHA512

      1951009509dfaeccca69c1d94bd40e8f090174fa106b11f993c8cb5c1df7df345aa07978a1be927a12cf54de397c3379f91ba098d5b9aaa7c47e2fece5fe8329

    • SSDEEP

      12288:BuucC/r6vkvt5Bv1s+7+bK6ErCd46hDjHyVqZOf3OD/RC6UE1ygKraRVR8TqjN:EucEa+7ubPxj57/LkrU5

    Score
    10/10
    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe

    • Size

      727KB

    • MD5

      d13f890034a68ccb4af4e0bf51e2b5ec

    • SHA1

      84afde24c913c007b0c0490041b61877aa254737

    • SHA256

      08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4

    • SHA512

      0065844527f3a3556bc50705f9d5608561a04e95a2d99b1a262db1094ca188425ef69f02f801eab2eaf74e14e027ceebb471a754192e195e51b6c57d3d7d45ce

    • SSDEEP

      12288:jk2624GHVUBOSRVrHZfiZHJ2HFO/9xwrPgWyzZp+L7vN3:H6+VUBraeF8/tSh

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Suspicious use of SetThreadContext
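
The five signatures above (shadow-copy deletion, bcdedit changes, backup-catalog deletion, event-log clearing and powercfg abuse) are all driven by a handful of built-in command lines, so they are easy to catch from process-creation telemetry. The script below is an added example, not part of the sandbox report and not the sample's own code: it runs the report's signature names as regexes over a constructed set of Sysmon/4688-style command lines (the sample events are made up here; the command syntax is the standard vssadmin/wmic/bcdedit/wbadmin/wevtutil/powercfg usage) and raises a combined "recovery inhibition" flag when two or more of the backup-destroying actions appear together.

```python
import re

# Constructed sample process-creation events in the shape a parsed Sysmon
# Event ID 1 or Security 4688 record would give. They are illustrative and
# are NOT the command lines recorded by the sandbox run above.
SAMPLE_EVENTS = [
    {"pid": 1201, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 1204, "cmdline": "wmic shadowcopy delete"},
    {"pid": 1210, "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 1211, "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 1215, "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": 1220, "cmdline": "wevtutil cl System"},
    {"pid": 1225, "cmdline": "powercfg -change -standby-timeout-ac 0"},
    {"pid": 1230, "cmdline": "powercfg /list"},          # benign use of the same binary
    {"pid": 1240, "cmdline": "vssadmin list shadows"},   # benign enumeration
]

# Signature name (as the report labels it) -> pattern over the command line.
# Patterns are anchored on the verb so that read-only use of the same tool
# (vssadmin list, powercfg /list) does not fire.
RULES = [
    ("Deletes shadow copies",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"
                r"|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("Modifies boot configuration data using bcdedit",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\b(?:recoveryenabled\s+no"
                r"|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("Deletes backup catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
    ("Clears Windows event logs",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
    ("Power Settings",
     re.compile(r"\bpowercfg(?:\.exe)?\s+[-/](?:change|x|setacvalueindex"
                r"|setdcvalueindex|hibernate)\b", re.I)),
]

# Any two of these from one process tree is the classic pre-encryption sequence.
RECOVERY_INHIBITION = {
    "Deletes shadow copies",
    "Modifies boot configuration data using bcdedit",
    "Deletes backup catalog",
}


def classify(events):
    """Return one hit per (event, signature) pair whose command line matches."""
    hits = []
    for ev in events:
        for name, rx in RULES:
            if rx.search(ev["cmdline"]):
                hits.append({"pid": ev["pid"], "signature": name,
                             "cmdline": ev["cmdline"]})
    return hits


def summarize(hits):
    """Collapse hits to distinct signatures and decide whether the
    recovery-inhibition pattern (2+ of RECOVERY_INHIBITION) is present."""
    sigs = sorted({h["signature"] for h in hits})
    return {
        "signatures": sigs,
        "recovery_inhibition": len(RECOVERY_INHIBITION & set(sigs)) >= 2,
    }


if __name__ == "__main__":
    found = classify(SAMPLE_EVENTS)
    for h in found:
        print(f"pid {h['pid']}: {h['signature']}: {h['cmdline']}")
    print(summarize(found))
```

Administrators do run `vssadmin` and `bcdedit` legitimately, so the individual rules are noisy on their own; the combined flag, scoped to a single parent process and a short time window, is what a detection engineer would actually page on.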

    • Target

      0997ba7292ddbac1c7e7ade6766ed53c.exe

    • Size

      40KB

    • MD5

      0997ba7292ddbac1c7e7ade6766ed53c

    • SHA1

      d63ff86f05b6f2fb86abf0dcd16cd2008fa3c158

    • SHA256

      3208efe96d14f5a6a2840daecbead6b0f4d73c5a05192a1a8eef8b50bbfb4bc1

    • SHA512

      62fa4f721bfc1800044e794bf97a2608640731f03f5b548779b28c4e401c38a4743cf8318a45f96e3d26677449e26b272b59209f3319c5e7a2f5da0584ccf837

    • SSDEEP

      768:qqsKtER6RyqAaeN5E62J7hHKr3jzK8zBkTcbI9fN2PjM9J7YoztYcF0Kc6K:qqZQQyqA7wFJ7ZKr3XnaTc8KjmJ5j0KY

    Score
    3/10
    • Target

      0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f.exe

    • Size

      475KB

    • MD5

      27d857e12b9be5d43f935b8cc86eaabf

    • SHA1

      ffebffc89a0b417e56dea3fdce962ee54f7ce00f

    • SHA256

      0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f

    • SHA512

      0898c58b8c69528c37d231a4ab5d83833d7b5235abdff5f94a238824f02fac794e57802cdeac5a39259723ff8cb860831a230300d39ddab390a0b2c93aa7e439

    • SSDEEP

      12288:jp429hwR3RIryG/iMTL5IG8FEVVnk0Okn:jD9hwnrhMTGG8FEvk0Okn

    Score
    1/10
    • Target

      0c3431dbb8cd0478250eb4357257880e_localui.dll

    • Size

      441KB

    • MD5

      0c3431dbb8cd0478250eb4357257880e

    • SHA1

      0a1d2182f272ff4e4321b41f6bf65f8320d9e88c

    • SHA256

      565dadb36e1d8b0c787d0d5e4cd7ec8c24cac1d6b37637427547ae465ab0fff0

    • SHA512

      7d27c8a16d45944532d2f3602b712caf095c030fa3bc3e733cf5e417e368d869c0a40258f2f48143cd81d790ca752a6142d39cefbab940a04382f5363c93f062

    • SSDEEP

      12288:O8A22qXSMfxUbFhgRRce5EXxlqI8mG1NU:vA2PCMf6bFkf5YNG

    Score
    5/10
    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe

    • Size

      1.6MB

    • MD5

      16d202aac28076f3c4c1bec60f356f7b

    • SHA1

      4d9592f4b3f4ea12b245c531b93082ccfd6fd292

    • SHA256

      0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc

    • SHA512

      9f70ed2f374a82fb03d58a22cceb33f1ee8eef7bc8d97bca67c5240aa6b60d201d88415cc2501b635ff53be7fde1f0a08b036a2ffc8d29c5f71b4c0db52deaf4

    • SSDEEP

      24576:EFwvcMczi2I0CHpQlDOk0Uig4dMwbQ4Mf7Pgw433naEtl1:EqXczupQbZ4Z8v7PgwwnaE1

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Target

      100b8bfff550fb74c98a2ef9a71d4bb53553d2d7ba509bb451fe32814ec57e48.exe.vir.exe

    • Size

      308KB

    • MD5

      e2982778434438cce87e6f43493d63ce

    • SHA1

      1927c6f73714a3d06d379d2bc4693e7a970d5cea

    • SHA256

      100b8bfff550fb74c98a2ef9a71d4bb53553d2d7ba509bb451fe32814ec57e48

    • SHA512

      47e51150b308109e218949cfe80160706bca06f2ba9b2ffac27e36db35a2ead729766afc09936d020cde20e0678a7c912d1ed59a6295fe9bcceb17f2b12b2248

    • SSDEEP

      6144:j09jZMz/y1rekkCkVg+AW93YVfhZR3MM+SYRQlsQc0EJroJ:AXC/FkdkVg9WlufR3MM+PRQvcZ

    Score
    3/10
    • Target

      101.ex_.exe

    • Size

      72KB

    • MD5

      8ce930987752f9790864543b6da34317

    • SHA1

      7d89ae64e1dae59e8e85749b875aa712a4fc5e36

    • SHA256

      5bce08b97565564ccdebec5b9c45ac680e0b3f01ddde2461f1dff4a9bbe50836

    • SHA512

      456c1eb90d51145a785ee47c15d49b0bc9ce9a14f636bbac69e4df19fb2ab8b6e4f785657797042561e0d12e237fc223537220493d9a4ef3f1b29cda373fb65d

    • SSDEEP

      1536:7L7EqNd1A9O75xPIFcQaxXoNzgueHhkKLcjKsMFYM6dN:73h7ecBmxghHxLcjKsHN

    Score
    3/10
    • Target

      119.executable.exe

    • Size

      24KB

    • MD5

      1d27a7210f54a047264f23c7506e9506

    • SHA1

      4116e4e8f34e5e7f3fc6cf23cffd04fb027a1527

    • SHA256

      431111e367629bea37db016682c6354303360cd1419c033a22a26115121ccfe9

    • SHA512

      077054eb1afbe2fd375d409176b61bdc407c8ef10351b4d00ccdc5c02f87a2f99c319a81baa99d92cd8f0bfd32bdf95b54dc6ea4b288a8dc5d9bec9b08523700

    • SSDEEP

      384:ymlG7hWSGNjLmCdCH72JrgITFYDVOElufavSeAE3hbj/hohmg57CtJwjr0n:ymQ9WSGNzdc2iITF1fav7AE3hbj/hohI

    • Adds Run key to start application

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Target

      119.unp.exe

    • Size

      68KB

    • MD5

      1d79ad8323f4c0d42a5886be05a9c635

    • SHA1

      ce40f723074765819876b2ae579d5b1ad78558b6

    • SHA256

      fbaa0b9fe6f035b1c466a75f768c6c86da669af72b363de043b4e5339bbbc4de

    • SHA512

      77704129642a75c6bba54ad2c174ddf131190e1ed327d9ac57300cb10777f7498712edd66c66be485004717c4bd278d865855072bfed28ca76cd715ebff460b3

    • SSDEEP

      768:yRl1JQ56c46jVT+XtVkWVGcPYSh4IwyyFN/yFHiWv6cF/hlL3Yw+oEy4AhmarTr8:2LA6YTzSqrzsFCe/h53Yk4Ak4RBU

    • Target

      11abb44de53807e32980a010a473514694f901841e63ab33f5e0ff8754009b47.exe

    • Size

      254KB

    • MD5

      3fda59bf85d09c340d7146a5c32eee5f

    • SHA1

      69199e81914f50dd795ba9cc2732473abaa19430

    • SHA256

      11abb44de53807e32980a010a473514694f901841e63ab33f5e0ff8754009b47

    • SHA512

      5def471171a85c53643b363eca48e42a477e529ea3dc11fd0cb1585b2d6ae002adbffede6efb7ec36849517704db46e7abfbb349080e203f267ed1aa555be434

    • SSDEEP

      3072:2odLe4TZUfOFp17Sm0vizvH1F6BgoUjp1vUO9BuGgcUQDGY8z3YuHR8xHdE:2b4S+1MvyrCvUJ9PUQDGYtdE

    • Blackmoon family

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • UAC bypass

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Target

      11fb52c96853e12f011b7b7894e9884e56eb5522.exe

    • Size

      496KB

    • MD5

      04eacd2031de21c56ccec496e1b5ed68

    • SHA1

      11fb52c96853e12f011b7b7894e9884e56eb5522

    • SHA256

      e908284c087983e3b9f3a3b828f1a3812bfe0e77694b9ef943c0e5c90eb747bb

    • SHA512

      7951a8a8370c01273ce32c3695d16f496d485641f8a7454a86890abb894be9fed867e66ff57c8313bc10d8afd79e330c6e13936ca2bcb81c2b82bbf23a48799f

    • SSDEEP

      6144:H8CL0LckC2bYXES5c+rvM10d+dDJPDCWpKrSgBoreMDLu2zbgVn9Sr/WIInBt5op:cA0LK/5c3aqPiTebDLuibinIrwBtTE

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • UAC bypass

    • Windows security bypass

    • Disables Task Manager via registry modification

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.
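
Several samples in this batch share the same registry-based persistence and defense-evasion signatures (WinLogon modification, Run and policy Run keys, Task Manager and RegEdit disabled, UAC checks). The script below is an added example, not part of the sandbox report and not code from any of the samples: it parses a constructed .reg-style export of the writes such a sample makes (the paths and values are made up for illustration; the key locations are the standard Windows ones) and maps each write onto the report's signature names, treating a WinLogon Shell or Userinit value as a finding only when it deviates from the stock value.

```python
import re

# Constructed .reg-style export of the writes a sample like these makes.
# Paths and value data are illustrative, not taken from the sandbox report.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\Public\\svchost.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate"="C:\\Users\\Public\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"1"="C:\\ProgramData\\loader.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
'''

WINLOGON_SUFFIX = r"\microsoft\windows nt\currentversion\winlogon"
# Stock values; anything appended to or replacing them is launched at logon.
EXPECTED_WINLOGON = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}


def parse_reg(text):
    """Minimal .reg parser returning (key, value_name, data) triples.
    Handles quoted strings (doubled backslashes unescaped) and dword values."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or key is None:
            continue
        name, rhs = m.group(1), m.group(2)
        if rhs.startswith("dword:"):
            data = int(rhs[len("dword:"):], 16)
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            data = rhs[1:-1].replace("\\\\", "\\")
        else:
            data = rhs
        entries.append((key, name, data))
    return entries


def audit(entries):
    """Map registry writes onto the report's signature names."""
    findings = []
    for key, name, data in entries:
        k, n = key.lower(), name.lower()
        if k.endswith(WINLOGON_SUFFIX) and n in EXPECTED_WINLOGON:
            # Only a deviation from the stock Shell/Userinit is persistence.
            if str(data).lower() != EXPECTED_WINLOGON[n]:
                findings.append(("Modifies WinLogon for persistence", key, name, data))
        elif k.endswith(r"\policies\explorer\run"):
            findings.append(("Adds policy Run key to start application", key, name, data))
        elif k.endswith(r"\currentversion\run") or k.endswith(r"\currentversion\runonce"):
            findings.append(("Adds Run key to start application", key, name, data))
        elif k.endswith(r"\policies\system"):
            if n == "disabletaskmgr" and data == 1:
                findings.append(("Disables Task Manager via registry modification", key, name, data))
            elif n == "disableregistrytools" and data == 1:
                findings.append(("Disables RegEdit via registry modification", key, name, data))
            elif n == "enablelua" and data == 0:
                # EnableLUA is the value the "Checks whether UAC is enabled" signature reads.
                findings.append(("UAC disabled via EnableLUA=0", key, name, data))
    return findings


if __name__ == "__main__":
    for sig, key, name, data in audit(parse_reg(SAMPLE_REG)):
        print(f"{sig}: {key}\\{name} = {data!r}")
```

The parser is deliberately minimal (no hex(2)/hex(7) multi-string values, no `\"` escapes), which is enough for the value types these signatures turn on; a live triage would feed it the registry-write log from the sandbox or a `reg export` of the same keys from the infected host.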

    • Target

      123.exe

    • Size

      2.3MB

    • MD5

      498bdcfb93d13fecaf92e96f77063abf

    • SHA1

      263d14f535c264aa254fbee0b66e94a32c156a4c

    • SHA256

      1b44a3b1dec865a96e44f2b556f19682fd844ebe3e7b0577bd7e58d307fcba4f

    • SHA512

      f7f0e29f7eea16a8652b200a93d238fd59ceee281976682ee17ed43565096d4e3e5f73c71d9e4c52fa94bf106fded1f787f97f9b23341525ce26851518241329

    • SSDEEP

      49152:gM16E7qEoM5NWX7DP+1egOhcraQzq6j97V:h16/bM5oW1ZrRz

    Score
    1/10
    • Target

      139.exe

    • Size

      2.3MB

    • MD5

      409d80bb94645fbc4a1fa61c07806883

    • SHA1

      4080bb3a28c2946fd9b72f6b51fe15de74cbb1e1

    • SHA256

      2ecc525177ed52c74ddaaacd47ad513450e85c01f2616bf179be5b576164bf63

    • SHA512

      a99a2f17d9fbb1da9fb993b976df63afa74317666eca46d1f04e7e6e24149547d1ac7210f673caeae9b23a900528ad6ad0a7b98780eff458d3d505029a06e9ba

    • SSDEEP

      49152:XM16E7qUoM5NWX7DP+1egOhcraQzK6j97V:c16/rM5oW1ZrRz

    Score
    1/10
    • Target

      13E418BF18B03AC80580DB69ADA305A2B7093DFED00692DCF91A99D2526D3A73.exe

    • Size

      603KB

    • MD5

      f9e5a0f72d62f5cc2678a1326b91953c

    • SHA1

      123f161ca160761dd4ef9f3ecfbba32ce091802e

    • SHA256

      13e418bf18b03ac80580db69ada305a2b7093dfed00692dcf91a99d2526d3a73

    • SHA512

      f0f237b884fe0b46d51e5ecf853fcd477fe8f39bf830ea36aaa46545d4f456798defc0fa206ea89221a87255adc64b939a2f13df5ab2d2c8e887cfab0aad9714

    • SSDEEP

      6144:QuML7/oIlCGJPY2Z2AlptXbgz0+Q4odCGfTnpbEdd/fudqsa0jucQgBMacCGNoE4:GoHEHblpWz0jPLhEfgP6WMDoEiY+L/W

    Score
    3/10
    • Target

      144.exe

    • Size

      2.3MB

    • MD5

      37c0d7f81f6cb81d50505d9c2d17133b

    • SHA1

      177843629cd1dc4345b03e48574eed12d0551ce6

    • SHA256

      e141f564003773d4fe3ef462458a041a871699fb7dc646632cf00afac4870779

    • SHA512

      d8f5e378d2ecdf12f1e20396c2e60120b1cc91c04e1e1af8860db7c5d96617f586454407361087a704359d39885ba1bfadec61a55d1587065942bcedd9aad4c7

    • SSDEEP

      49152:XM16E7qMoM5NWX7DP+1egOhcraQza6j97V:c16/jM5oW1ZrRz

    Score
    1/10
    • Target

      17697e1829f0d18d2051a67bc2bca134_da3ded254909e9abaa46eb5bc3b10944.exe

    • Size

      288KB

    • MD5

      17697e1829f0d18d2051a67bc2bca134

    • SHA1

      d3f6bd8b57a8c353fd3f25d66e0690d9f578d35e

    • SHA256

      ab7a58b6e50be6b9bcb926c550ff26669601bbd8bfd922a5b32756e663b25a67

    • SHA512

      043807916717c72b2265915fa0a99688946f384286d3bf637646f38b5dcc6860b71c8f4896000d136f7ae18eb808537391f43991234ec25c1700872662ab53e4

    • SSDEEP

      3072:g9OePfXFnSzjrF4SAiInBfe54R0nANPJYCWupbjvlx1X2qpOCFIQ4OWd6nWWBSJ/:eVdSzjtAfHRNrW8bjlHIIIHL

    Score
    3/10
    • Target

      19561b33793dcb865eae56575a899ce8_kovter_from_Sakura82_taskmanger.exe

    • Size

      119KB

    • MD5

      19561b33793dcb865eae56575a899ce8

    • SHA1

      aeff444147fb35adbdf4faed6b5c4bd385b1d98c

    • SHA256

      d625fcec98e282032f550ba80f60de2603adc9f18dd6ae597defda9df5200bd2

    • SHA512

      c1ddaafcd3b8623f446acec01afe763e765e3abf930fe258e6cb728f6c2f68c1cf3c966f12473267628c4d8613b74c68c5369e03a5bbbc3c9db4c0584da0fad1

    • SSDEEP

      3072:TphxjSC0KVR9sr6NuO4pTMq5tWkLgQ3+jOJgg3gv/5f6XKk6+/F:Tp7jYKV8+Nhud5dLgDyggE5sKo

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modifies WinLogon for persistence

    • Modiloader family

    • ModiLoader Second Stage

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Deletes itself

    • Adds Run key to start application

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Target

      19ec0d0e5143940492a1c79c06eb8f18aa9feb356e41b8b79fdc6a16a3bcd7bf_TDS=4F9B33C5.exe

    • Size

      62KB

    • MD5

      4a62e310e45e83b3f5cae161fe1133ea

    • SHA1

      941f334a016b8279c40cf8fb4dc972d9cc92d17e

    • SHA256

      bc45024fcb7b942ba9ee417c6b949ac5c1f92bb5b07eb5993f17923487080f29

    • SHA512

      9b043a4daf425f962fa1eea3191302594c6711b5d6a9e22443b93e2a231b08e3e9714910149661dc1f3ba6ad58f3e32044ab7174f4e30d8651748e4fea39cba5

    • SSDEEP

      1536:2F7P2btiVYiZ+TX2tbOH3UqCXOOlIoj6Q849XY:S7ktiPCH3UqZAhRY

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Adds Run key to start application

    • Target

      1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe

    • Size

      164KB

    • MD5

      5f2d13576e4906501c91b8bf400e0890

    • SHA1

      adff2761a6afe9ecaa70486c0a04746c676a133b

    • SHA256

      1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2

    • SHA512

      29186d7c1702ab738844777a780ce982882727d8fb3ae6e1fd084bffef3ac63fcd7ca4624ee9bf047c909c303deece27f81650b1309280d6609d207e29131dfd

    • SSDEEP

      3072:rIynAdou+ZKzVq6yWcp35EMVGv4sbJt0vQP3rmQp:rIKRD6qnnKdvbfm

    • HydraCrypt

      Relatively unsophisticated ransomware family based on leaked CrypBoss source code.

    • Hydracrypt family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (453) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    • Target

      1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe

    • Size

      43KB

    • MD5

      c86e6c9a14e2c11428dea7f72805d999

    • SHA1

      1e41e641e54bb6fb26b5706e39b90c93165bcb0b

    • SHA256

      1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40

    • SHA512

      32ed8ef777e5d30ae086d6bd05202b94932f6894e25a48c2e92a2e8a77ba80651c45ee04ed0b70831d479a74a2d48af14b40623e59c06223289cb3d4b144576d

    • SSDEEP

      768:wO70S7b0vJinmDOxCRfcwt5Dqcjgqa57R/SVcQPnmX5URz7D7PpUmNq:ngawv2PTq5D1jgZ7RKJeJU1D7PpUQ

    • Detected Xorist Ransomware

    • Xorist Ransomware

      Xorist is a builder-based ransomware family that has been in circulation since the early 2010s.

    • Xorist family

    • Renames multiple (2200) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted.

    • Drops file in Drivers directory

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Adds Run key to start application

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Target

      1f3509cc11ffa1f7d839df93615cf1ba0819d75cafd5ef59110d9b01fb90addd.exe

    • Size

      2.4MB

    • MD5

      6e44abb2b449dd0bcadf8b0316590d0e

    • SHA1

      332b18785c716091e0dd8e3fa94340fbfb909b93

    • SHA256

      1f3509cc11ffa1f7d839df93615cf1ba0819d75cafd5ef59110d9b01fb90addd

    • SHA512

      14ba742a4904bb966223006c4f453de5f0a85148910a0f6ead28323a0d106bfb75042458271b3349ceaf416c3a6010fa9edd3f0f4fa388e4c186e3cea25e4187

    • SSDEEP

      49152:rOlrKV9RqsFBVhP6zyueenTEpcEwX+6WWZbenMJpRd20/Sd5:6JULqUbhSzyCFu6W8bewf

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Mimikatz family

    • Creates a large number of network flows

      This may indicate a network scan to discover remotely running services.

    • mimikatz is an open source tool to dump credentials on Windows

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Target

      20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe

    • Size

      2.0MB

    • MD5

      217c23371f1d91e81beac74a759be045

    • SHA1

      7aa2abe3c6d2decee0bd741198a59db9c92d4cbd

    • SHA256

      20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d

    • SHA512

      5f8f0550b61bfeac6675c7c489cbf5e9d5d85ffe98798499e086d207a63a970aaae81bfb07eed841abff073df2505d6c2e271e01836658d940c6c3e1c62031f5

    • SSDEEP

      49152:cbIZw+8h+93HIyboFW0eqqoD5PyyGBrmM/eZzUBSzPayRxcJ:zb3HlCW0eGIy6r//eZAIWyRxq

    • Target

      234e77145d329956192c389249e20520851853e2a33779be93530788201b612d.exe

    • Size

      488KB

    • MD5

      cbb57e24964c4f12adc9a2db6b8bcb65

    • SHA1

      e968b7fd762475c6eab8cd5b3f32ebc56944d95c

    • SHA256

      234e77145d329956192c389249e20520851853e2a33779be93530788201b612d

    • SHA512

      2827258fc71966d7e22902d214e97bc8ea1aa982088f0cbf09c8e8a8f71a852ac3206a456a9585bdc17c1755556104e9adfe225432516fb62b029d46a582fc41

    • SSDEEP

      12288:UzcRD02J4Sq2vHGB67KWKKmDKLPJ8W2jTAnPhrIh5H:+cRToImoAmLOW2yPhw

    • Modifies WinLogon for persistence

    • UAC bypass

    • Drops startup file

    • Checks whether UAC is enabled

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Target

      263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe

    • Size

      215KB

    • MD5

      f97d91f8aebbce4628664231184af5a1

    • SHA1

      19cbbf718826377ae342f7dd1dbee68d5dfb30f8

    • SHA256

      263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032

    • SHA512

      786a72e6f41d84555061ee1a15dfa68046c5f676ed911ad86303f99d64c607b60f2ba424cefaa2a0ea5e61d9d2aa019b930b150e4d9ab0969c2d1d345aa0f1b3

    • SSDEEP

      3072:JwJbQEHr/KGapjJzx15Ggz8DhGljxPaxXoyAq7NlCQ+VInzgYL8V3ZKJb8E1s1e8:eLLYpjzTzqUljx8XrAHY0YYEf4f

    • Target

      2e0da054d03fde4e7b2c2057cc4aa410c64b6ab8777ee6d4fd43f031a5170a23.exe

    • Size

      284KB

    • MD5

      83c23855e2176eb28b99c25be875c8f3

    • SHA1

      6b8ba758c4075e766d2cd928ffb92b2223c644d7

    • SHA256

      2e0da054d03fde4e7b2c2057cc4aa410c64b6ab8777ee6d4fd43f031a5170a23

    • SHA512

      95f2baf2ecca3e00292f7ffab2a8f28b825c8e3c76589f79a05533c58f44d2b748527e7cd4aed9c486b678832beb26fd940f129f5791f2b2bec213ebb24c73e6

    • SSDEEP

      6144:CcQu7L20QOPNMNYKEdf7Q0chT7WbK1xb5Z:920Q1YKMfE06jZ

    • Target

      Compenso.Pdf______________________________________________________________.exe

    • Size

      446KB

    • MD5

      93cbe4ed3d46abe732a124a41e7147a2

    • SHA1

      94a24be60d90479ce27f7787a86678472aabdc6e

    • SHA256

      89e71eb0a6403725d2f95cb9e6506b8b139a6948a61dc1c5cfedf18648241ec4

    • SHA512

      8f46af90d8a2d78da003a8a395fd7f74cc235595238ee3a3e4d87fee2aa4c8abf6ece403bb3726122d3825437f5d079ea1f8d6b275153bb76b3b0d75c243ef09

    • SSDEEP

      6144:XOOxeLzWoeNqagVRUvOWcTwlOcTeP8uENXIEQSdO8c/AVxYflxiW:txeHWoA/Wr0lfQ8BfLkIVxYfrd

    • Target

      301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe

    • Size

      413KB

    • MD5

      3023d7526b479ea3df315a5b1779a43d

    • SHA1

      b5ae71b96a28b9353a4f33c5370ac18750937c17

    • SHA256

      301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f

    • SHA512

      67fe1cf7538e8ef76b6acbba99326af0de58464bf5710ae6fa7b85d73da9a84c58122de6b87c7d9560f0d366de711a95d03be231c1018eacb7489fd32aeb0834

    • SSDEEP

      6144:OpZsqlbu151gFomsCfv6hdgnkG6FSXrIiucY6/4sTj3GUcqcPVpNghCQ:Ussu15qlsmShRG6mIiucN42qxqcC

    • Modifies WinLogon for persistence

    • Modifies security service

    • Deletes itself

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      30620.ex_.exe

    • Size

      102KB

    • MD5

      2b0d89587b59313e26ca8a5fb54db196

    • SHA1

      7e171b08b1ce0b40de8bb6192e957d603deceb00

    • SHA256

      e7fc8300fd164ec248ffde850e6cc73a9a010973828326f3f7ea57d828ee3199

    • SHA512

      d89052e9a170b122cd4a218b060a12908a6e73debe63ac5c960c4d750b2861af19c27b7ba4eef2a77d543bfad10ea4b37f749348e8b13f7bb6849686bb5c4168

    • SSDEEP

      768:iWXJzWpHKhNXP6rtm21qGyNhB0FlwR7YMBMzjdopFkkD8EDW1nDceWzaS3PvSVkI:7JzWp2NXS5m21SBpRnMzjdCkgcDcFz

    Score
    10/10

MITRE ATT&CK Enterprise v15

Tasks

static1

upx, blackmoon
Score
10/10

behavioral1

discovery
Score
7/10

behavioral2

discovery, evasion, persistence
Score
10/10

behavioral3

discovery
Score
3/10

behavioral4

persistence
Score
10/10

behavioral5

credential_access, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, stealer
Score
10/10

behavioral6

discovery
Score
3/10

behavioral7

Score
1/10

behavioral8

Score
5/10

behavioral9

discovery, spyware, stealer, upx
Score
10/10

behavioral10

discovery
Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

discovery, persistence, upx
Score
6/10

behavioral13

discovery, persistence
Score
6/10

behavioral14

blackmoon, banker, discovery, evasion, persistence, spyware, stealer, trojan, upx
Score
10/10

behavioral15

discovery, evasion, persistence, trojan, upx
Score
10/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

discovery
Score
3/10

behavioral19

Score
1/10

behavioral20

discovery
Score
3/10

behavioral21

modiloader, discovery, evasion, persistence, trojan, upx
Score
10/10

behavioral22

discovery, persistence
Score
7/10

behavioral23

hydracrypt, defense_evasion, discovery, execution, impact, persistence, ransomware, spyware, stealer
Score
10/10

behavioral24

xorist, discovery, persistence, ransomware, spyware, stealer, upx
Score
10/10

behavioral25

mimikatz, discovery, spyware, stealer
Score
10/10

behavioral26

defense_evasion, discovery, evasion, execution, impact, ransomware
Score
9/10

behavioral27

discovery, evasion, persistence, trojan, upx
Score
10/10

behavioral28

defense_evasion, discovery, execution, impact, persistence, ransomware
Score
9/10

behavioral29

collection, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, trojan
Score
9/10

behavioral30

collection, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, trojan
Score
9/10

behavioral31

discovery, evasion, persistence
Score
10/10

behavioral32

discovery, persistence
Score
10/10