xorist | c96b41fac848211321861fcf957e5f475a950c56f9024f792e5c9584f1fbd3ef

Sharing

Copy URL

Twitter E-mail

General

Target

Batch_9.zip
Size

11.5MB
Sample

241122-d54ddstney
MD5

c60d2e47faa0dce0efdb839dd8f092d7
SHA1

8597f45bdefbd589345c6f07c3270c4a24030086
SHA256

c96b41fac848211321861fcf957e5f475a950c56f9024f792e5c9584f1fbd3ef
SHA512

f77ec83e1c9d97fbf6da9baa32c8d96438b70fcce47d1ae135f343a0e9336f953ebfcf27719e4231390731d700aac102df227ed0ecb6897f83e78a34c52c1254
SSDEEP

196608:C2VvBgChLxQ08twUkBN0EZ28h85oU+1ZeR43uBPEy6FvhGNK2gMXRzBoiJdbqWC:C2R2uLz8tFkZ4qNZvmPSFn2gMzo+dW3

Score

10^/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\#DECRYPT_MY_FILES#.html

Ransom Note

<html> <title>S A T U R N</title> <center> <body> <h1>S A T U R N</h1> <h4>Your documents, photos, databases, and other important files have been encrypted!</h4> <br /> To Decrypt your files follow these instructions: <br /> <div> <h4>1. Download and Install Tor Browser from <a href=https://www.torproject.org/>https://www.torproject.org/</a></h4> <br /> <h4>2. Run the browser</h4> <br /> <h4>3. In the Tor Browser, open website:</h3> <div style="background-color: #d9d9d9; margin-left: 20px; margin-right: 20px; padding-bottom: 8px; padding-left: 8px; padding-right: 8px; padding-top: 8px;"> </a><b>http://su34pwhpcafeiztt.onion</b><br/> </div> <h4>4. Follow the instructions at this website</h4> </div> </body> </center> </html> <style> html { background-color: white; font-family: Helvetica, sans-serif; } div { background-color: #f2f2f2; width: 80: %; padding: 25px; margin: 25px; overflow:hidden; } </style>

Extracted

Path

C:\Program Files (x86)\Common Files\Services\ReadMe.html

Ransom Note

<html> <head> <meta content="text/html; charset=UTF-8" http-equiv="content-type"> <title>jaff decryptor system</title> </head> <body style="background-color: rgb(102, 204, 204); color: rgb(0, 0, 0);" alink="#ee0000" link="#0000ee" vlink="#551a8b"> <div style="position: absolute; top:0; text-align:center; width:100%" > <h1 style="font-family: System; color: rgb(102, 102, 102);"><big>jaff decryptor system</big></h1> </div> <style> .center { width: 1000px; padding: 10px; margin: auto; background: #fc0; } </style> <div style="position: absolute; top:15%; left: 30%;" > <p style="border: 3px solid rgb(255, 255, 10); padding: 10px; background-color: rgb(223, 213, 209); text-align: left;"><big><big>Files are encrypted!</big></big><br> <br> <big><big>To decrypt flies you need to obtain the private key.<br> The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet<br> <br> </big></big>❶<big><big> You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en<br> <br> </big></big>❷<big><big> After instalation, run the Tor Browser and enter address: http://rktazuzi7hbln7sy.onion/<br> <br> Follow the instruction on the web-site.</big></big><br> </p> <br> <br> <center><h1><big>Your decrypt ID: 4010832920</big></h1></center> </div> </div> </body> </html>

URLs

http-equiv="content-type">

http://rktazuzi7hbln7sy.onion/<br>

Extracted

Path

C:\Program Files (x86)\Common Files\Services\ReadMe.txt

Ransom Note

jaff decryptor system Files are encrypted! To decrypt flies you need to obtain the private key. The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en After instalation,run the Tor Browser and enter address: http://rktazuzi7hbln7sy.onion/ Follow the instruction on the web-site. Your decrypt ID: 4010832920

URLs

http://rktazuzi7hbln7sy.onion/

Targets

- Target
  
  IQHGV07FDyQ5u7bmNAvn (2).exe
- Size
  
  357KB
- MD5
  
  d6ed4d4e8b1a95a224ebdd54529b3751
- SHA1
  
  f666205d580c570abc988038e3412df736e57c37
- SHA256
  
  48aa0a8be374691641742a5d81503f127e9dfdc6bbb717bb1c8479a0071486d0
- SHA512
  
  c579d2ec924a4136b3e7d19df6afcc509835e277facfcf693e5688d8ec3882944ca78b0b39edd808d43de19c81fd147f28936796560f9950f7fdbda4f07f65c2
- SSDEEP
  
  6144:v+dE6vqOE9Z8LapTWgK/W9uAExjAhQiM5bQCdf/ORqz9BLp5hjoH2EZ:v+vvbGlpoAExjAYbQCdf/ORqZBdfjoHJ
Score

3^/10

discovery
behavioral1
- Target
  
  IQHGV07FDyQ5u7bmNAvn.exe
- Size
  
  357KB
- MD5
  
  d6ed4d4e8b1a95a224ebdd54529b3751
- SHA1
  
  f666205d580c570abc988038e3412df736e57c37
- SHA256
  
  48aa0a8be374691641742a5d81503f127e9dfdc6bbb717bb1c8479a0071486d0
- SHA512
  
  c579d2ec924a4136b3e7d19df6afcc509835e277facfcf693e5688d8ec3882944ca78b0b39edd808d43de19c81fd147f28936796560f9950f7fdbda4f07f65c2
- SSDEEP
  
  6144:v+dE6vqOE9Z8LapTWgK/W9uAExjAhQiM5bQCdf/ORqz9BLp5hjoH2EZ:v+vvbGlpoAExjAYbQCdf/ORqZBdfjoHJ
Score

3^/10

discovery
behavioral2
- Target
  
  Junk)2345.eml.ViR.exe
- Size
  
  9KB
- MD5
  
  d39269e7eb92b9de0fc78ba1363af37a
- SHA1
  
  6b2f6d755d577f4170c018879449d6a78885aa93
- SHA256
  
  df8b9e5d4104604e0fa339e6ff704e2957e2dc20d90c111010e67586317337aa
- SHA512
  
  e1c29e37b4fedd309eebd105967dc3f6249e31fe01d43bc349def02f52aa7d573ad98c30f4ce3ae2754e10d64f03607da90e388e7efefc66478c84408cb7b78b
- SSDEEP
  
  192:zBurpqEcJLiCa4Z5CNvTBtPHfkdOiyDma82AZJfN4rcc7POQuE:FclV4iZN+xyDma8BKo+POQuE
Score

5^/10

discovery
- Drops file in System32 directory
behavioral3
- Target
  
  PC Cleaner.exe
- Size
  
  4.4MB
- MD5
  
  16a63ddd49552199b3a92b5fe88f804f
- SHA1
  
  bb5b1bcecfc8737b3397bc8442a4e483b1df5951
- SHA256
  
  b46940adcfefac96db737aa663f44e31e071fb7bffc757f98d811c2d82f1d3b8
- SHA512
  
  8ebf6a3ba7c866328ffd8fbd85d1a4946f806cd4a65540e0db389f7f6dadf0666ec8c7980455934234d469c2d8aaf7da7d630bd98640323f717722b62f6176cd
- SSDEEP
  
  98304:ywCDueZbuJtHA0QUCb7Yv8b8SIXtiogjiAuC475j:KueA7ZQ9Yv8jdWAS75j
Score

10^/10

discovery evasion persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Adds policy Run key to start application
  persistence
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
behavioral4
- Target
  
  PC_cleaner-cleaned.exe
- Size
  
  337KB
- MD5
  
  680acfbb639b80db6ed99f46a705656e
- SHA1
  
  6bfbd09899ef0a153fe3f82587458c29615ddce9
- SHA256
  
  7de4bf9af4e80cf93c1058ebae1fadf69c9a271a44338888b7388744205e3725
- SHA512
  
  c66b5eac487482724b65518aa22020cd430e62b7555a0a5458849bd912209fd071c47e4116d9bd6ec47e2dcad762183e1d7abb6d2ef27e95c508f8e1315815bc
- SSDEEP
  
  6144:o+WROxZQFpFXvGp4F3qd75zSCIHpj3el71nVNi9IY2enhzSs75/Krbgx02r:o+MI+FXt3qPOCIH8l7ZHyIXepSoab
Score

3^/10

discovery
behavioral5
- Target
  
  PC_cleaner_database-cleaned.exe
- Size
  
  20KB
- MD5
  
  2be874c130324b7641031dbe2d27424e
- SHA1
  
  b439928a15a34ca3105965c8a046c2e32223fb4e
- SHA256
  
  3d494740cdd42d9c0a4feb3bea6e3cbc2e05affe412feab469eeebc8853332b1
- SHA512
  
  217f9cac04e12771f28fe68348bb30bc2d0fdf6640ca6d6e46cb3935b80bed479599313ed636f83457be16b1e62a39d64b7685fc9358369f958268c096b25f0a
- SSDEEP
  
  384:dz1fNkvwKwq6uS9vwEG9/XwJwq6uJfq2GSLwqvOeuHisc4+ifzGml8nEJmjx:dz82GreuHs46EJmjx
Score

3^/10

discovery
behavioral6
- Target
  
  Pizzacrypts.exe
- Size
  
  168KB
- MD5
  
  00f57ac8b384f7d21eeade87446659fd
- SHA1
  
  ee0204b4cda5cee612b2f62345e0bab6b125c1c4
- SHA256
  
  d6818864dc9e10b15c88aca4d1e8fd971eff43572beba3001fd6c96028afd9f3
- SHA512
  
  f20f0049a941f7d4d7b643980a11966daed9b4a3f6b961824da7619321a62b3bc70b19955c1ccea4eb3de0641aef8a8a76679bb280d419b65b0dfa7698c5d4b6
- SSDEEP
  
  3072:3rw+G6t3JFCGHMszzDLfnxGwbg2/kfkN8LCo59e559c:3c635sszzDrxIc2xK9c
Score

9^/10

discovery persistence ransomware spyware stealer upx
- Renames multiple (451) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral7
- Target
  
  Ponmsiyyks.exe
- Size
  
  9.5MB
- MD5
  
  8df08dd868e16f24b01fe06719040cb2
- SHA1
  
  f730c013121eab0c6157081aa8bd972389a87cbb
- SHA256
  
  b05e06ab6e885de6f8646d6b9ffc8cc4aa8f285e656fd0738bb7cffb5c9d4f21
- SHA512
  
  b15963c22d9e7cbbbf2b7645b576cdecd65357a3525fa5d73a80aaadc2d08c2d578786085db8517819366242263222337bf28f9fd601678a5266d90f899bee7b
- SSDEEP
  
  768:wlT8pkJ1B5DfzDnGFEitHVLTn2RziX61Ba2T+xX5X07w:PKJpzDGOi/n2RziqQxB07
Score

3^/10

discovery
behavioral8
- Target
  
  Rlesvxamvenagx @ZL@0ECpw@ZL@ .xml.zyklon.exe
- Size
  
  99KB
- MD5
  
  60ac1eac655bbb1277f5736b3061a16c
- SHA1
  
  81521ea473ca90c738549c6c4d8679232bdbfbbf
- SHA256
  
  705eb586d4296b742dfb239d508894876c207806c2f126eafec206d2d0cd3e8c
- SHA512
  
  b10800b1592b0e661d68b0f8bebb8ff785238057e4435057e0d3ffdc0ab5e2d3f5903ec77fed2f77f2b8733e68d7aa420e43947cef7a4c54de43ba327d6fd95e
- SSDEEP
  
  3072:3/W57FHi5lAim2UwRqZQeJWn7bBj8PGn418v7MSit31:3/Wzi5O2UC+kRj8PwMA7Tit31
Score

1^/10
behavioral9
- Target
  
  SATURN_RANSOM.exe
- Size
  
  338KB
- MD5
  
  bbd4c2d2c72648c8f871b36261be23fd
- SHA1
  
  77c525e6b8a5760823ad6036e60b3fa244db8e42
- SHA256
  
  9e87f069de22ceac029a4ac56e6305d2df54227e6b0f0b3ecad52a01fbade021
- SHA512
  
  38f2ff3b7ff6faa63ef0a3200e0dbb9e48e1d404a065f6919cb6d245699479896a42316f299c33c8cc068922934c64f8aa06c88b000d1676870c1d0c0f18e14a
- SSDEEP
  
  6144:zUrigyvF8Q9fLglQ8t0qabFDfOdQ/LDA8H+wwaMZUUAOq+mwNf8fsS+:zUrigY8QBLg9t0qabFDGdQ/TlYiUQ+Vz
Score

10^/10

defense_evasion discovery evasion execution impact ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Enumerates VirtualBox registry keys
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Renames multiple (155) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Sets desktop wallpaper using registry
  ransomware
behavioral10
- Target
  
  ScreenCapture_Win8.MalwareScanner.exe
- Size
  
  137KB
- MD5
  
  58ad3b1793bbdeee20b4a0415c9fd56a
- SHA1
  
  0c610f13fcd706d544c1ca8cf5d120a690ab6d1b
- SHA256
  
  f9d9b397488e1bf5c37320a4bccd015fa48495fa15f5c5ce14cb65366cc2526a
- SHA512
  
  4dec95018add51d5826c99521bc08cc4c0bb485499e1f6d5fc294d4928b024d020b581ddbcd1ffb9458639d32760b743860b94f788dc9ae18af1e4cec2d0aac3
- SSDEEP
  
  3072:ZkScxQ+r7+OXo5WYD99HMig0e03PTrPgsEDte56AhbXM:ZkScxt2O4Ycg3MPTrPdSeRhT
Score

1^/10
behavioral11
- Target
  
  license key.exe
- Size
  
  270KB
- MD5
  
  dff38f5dfdeff1e73debef355c4ac13e
- SHA1
  
  d9d8fbbde16aee63d22805d3a573de65f7486ef8
- SHA256
  
  c57040c2af2735aed3f84dbe838f6e142ad80631f50811c0b265bf0a5e3af91d
- SHA512
  
  6a7970027a7259fb244e4d79bbbfaeb3041508e25b24a40d1c6bef497ad412a6086463f343e84d9b6b32043f8752f99165aa56e5ca15a87a5c16cb04c549de94
- SSDEEP
  
  3072:1KJZx3+tGqTsnACpvmEhgwqvJ+Bsl94FnUDhcYprbAMc:1KrxiyLvmWVXGl6VYpgMc
Score

10^/10

discovery persistence
- Modifies WinLogon for persistence
  persistence
- Adds Run key to start application
  persistence
behavioral12
- Target
  
  malware.exe
- Size
  
  53KB
- MD5
  
  87ccd6f4ec0e6b706d65550f90b0e3c7
- SHA1
  
  213e6624bff6064c016b9cdc15d5365823c01f5f
- SHA256
  
  e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
- SHA512
  
  a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990
- SSDEEP
  
  768:4yKoNLsn4Jp9ZvRInygrpMoZN+WtOl08jxBEHCDwBLpZTPCUvQK:j/sn4/OycxZN+MKxp8t9zQK
Score

8^/10

discovery evasion persistence
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Adds Run key to start application
  persistence
- Modifies WinLogon
  persistence
behavioral13
- Target
  
  mamba_141.exe_.exe
- Size
  
  2.3MB
- MD5
  
  e0358edb797489ffc585e8f517b30f1c
- SHA1
  
  719c3b897826169190ffcaf8ec111e78acd1613e
- SHA256
  
  0fa05cbe58b253b09afbb79be27953ddfd36852d0a5fb5010dfb419d7705abb5
- SHA512
  
  0aae9d35e8d2248a50c2282fde0c3a8d2d76327b31bf046d64e89eb1b473f18952831e40ba58dbef24dda5fff4d89db806fd6c14c260c777f528f6311891241e
- SSDEEP
  
  49152:XM16E7qQoM5NWX7DP+1egOhcraQzG6j97V:c16//M5oW1ZrRz
Score

1^/10
behavioral14
- Target
  
  mamba_152.exe_.exe
- Size
  
  2.3MB
- MD5
  
  a50325553a761d73ed765e326a1733a3
- SHA1
  
  6a5250a24439cb760e91c228b56d991a717e556a
- SHA256
  
  74336da7eb463092a5f1bca3071f96b005f52e6df5826f8b0351e10537ba0459
- SHA512
  
  cc5040fdc1fae74ce903e237c18c034b02c55e8d73165bee1c58a22142d46cb0fdc37b2549f51c94e624d2d698e5fef536998d433c6dad0d6e9a2de2a3835db0
- SSDEEP
  
  49152:aEzWq251mCxFFF1uFwRYVFFFvsVmHNiFFFZ7HBvFFFbp1GWaPvJlx8G+:aEh25LuFUhGJlx8
Score

5^/10

discovery
- Suspicious use of SetThreadContext
behavioral15
- Target
  
  microsoft-cleaned.exe
- Size
  
  337KB
- MD5
  
  2568651635cffe50fd45776886cdc514
- SHA1
  
  bf7567d7492b701a4471a8c9b7a401460bf4621c
- SHA256
  
  03f1e07d8b2eddac94f0de473100dd8f33183c0030dd275a9dfb467d99af97b7
- SHA512
  
  53e0046576c21da95ca5766e7f06fba20f77310a2e486bb1b7c6207a7345b039a846ffa6141f6c4b2f2cf76315bd052dcfe04e016f476fefad62786a2d286f5b
- SSDEEP
  
  6144:C+uRqxZQFpFXvGp4F3qd75zSCIHpj3el71nVNi9IY2enhzSs75/Krbgx02r:C+08+FXt3qPOCIH8l7ZHyIXepSoab
Score

3^/10

discovery
behavioral16
- Target
  
  msiexec.exe
- Size
  
  401KB
- MD5
  
  8028ee3776ac68bb5789575e5a904465
- SHA1
  
  d142f9a30280f31b173080388bc04c71b6c45cc6
- SHA256
  
  f5096a51fdc054c4a217966b22f827a921d50a12436aa995d6f4180bdc4ba420
- SHA512
  
  33b988d5d80c072a12454a4eb49a70c93ffb3c418ae4a3ef61f1a2d8e81b0ee1e590e176ccb5391e5e7237822f022151fe4a3d7b979d301d7b1c41d5a544118a
- SSDEEP
  
  12288:iza760BmY7fheiaEyG5wv/kTSie0+vqGlCc:iza+afhzaEyZ4hz6C
Score

10^/10

discovery evasion persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Adds policy Run key to start application
  persistence
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral17
- Target
  
  nc.exe
- Size
  
  60KB
- MD5
  
  7ce968dddd2ed97a980dcc00eff84a77
- SHA1
  
  682df7e5bc6a9d185907b39891237d0ee407b949
- SHA256
  
  f89ae8d431706d82bfb965b0b8f393f99aae897460ba473529256186693c2bd0
- SHA512
  
  ba78aeddd6143ea2bcaeb70c42d522b014d85b7419f6f9c5e6a28558f2bc090546640c9ecc0a867a7808c0534d794bd237f227998a2ea307d58e834efd946af4
- SSDEEP
  
  768:2i3A+wAwcw1/GWTw8+7TAB+fThAapYgVLrORoMn+xtuHkydSsa6CvwEBRMOog:L3A+wAwjp+fTnlOR/+xtuHnK6p2Rog
Score

1^/10
behavioral18
- Target
  
  nd2vj1ux.exe
- Size
  
  140KB
- MD5
  
  dffb9df79dba2f3b14f8d0d169b05a39
- SHA1
  
  51956d31ce3b5f6c944b4bb9f0544a7225ae02c6
- SHA256
  
  5a1d1e5aa09e1eff12365374044b8fc6c1da1024cdf9cc87efdef314ddd6857a
- SHA512
  
  acfc2c977e51cd2bb881206885f599864e6b726583a975f3f074c705e89ba5be2e19c33bde2c1934914c4ecfaf38226ebd91a1a673423216ebd137b8cd6bac42
- SSDEEP
  
  3072:Dnnn2nQsco5vjD3cpBBJB9uufEnnnVYennznhfMQZWdn2aaBzuHYuEbKb+OlrtP4:tomQZ7zuHJE2b+Olxj0tMs
Score

1^/10
behavioral19
- Target
  
  notes.exe
- Size
  
  1KB
- MD5
  
  eec736bb161167781aadcb6041003931
- SHA1
  
  d550a30d4692f831c0d79a36b44d114d601496a6
- SHA256
  
  15e726d9eb37e96f5a34d910702c59e6b98eecca957292cbb0e8f2e746ccdd6e
- SHA512
  
  47c895562590db33cf67f7e5eee7061e9742607eba8b46a8353278478abc6de35f7f08eea0698aad84d7f1b200a9545d1e59ffe7891c973f1bb82b2204998f90
Score

1^/10
behavioral20
- Target
  
  nzpuHohZGP2RNfMTp0sr (2).exe
- Size
  
  357KB
- MD5
  
  1914724aeea3ca954322053dd883b14a
- SHA1
  
  ec12c2f0e1b16c0ba1f9960ed58be1e4862e3b4e
- SHA256
  
  9336c8dbbdd65d18cee1de53ee153aeeb2fd9fcf3ceafb9f251ffcc21bf7211f
- SHA512
  
  068857835aebe679584350b3ac486131ee26b35a6986076ccc3c3c1f4cd586c6a5d055cab61360fc4c52e846dbdc6325d9165460d29d17f5e7ffd444c8fd508c
- SSDEEP
  
  6144:c+dE6vqOE9Z8LapTWgK/W9uAExjAhQiM5bQCdf/ORqz9BLp5hjo/GWZ:c+vvbGlpoAExjAYbQCdf/ORqZBdfjo/b
Score

3^/10

discovery
behavioral21
- Target
  
  nzpuHohZGP2RNfMTp0sr.exe
- Size
  
  357KB
- MD5
  
  1914724aeea3ca954322053dd883b14a
- SHA1
  
  ec12c2f0e1b16c0ba1f9960ed58be1e4862e3b4e
- SHA256
  
  9336c8dbbdd65d18cee1de53ee153aeeb2fd9fcf3ceafb9f251ffcc21bf7211f
- SHA512
  
  068857835aebe679584350b3ac486131ee26b35a6986076ccc3c3c1f4cd586c6a5d055cab61360fc4c52e846dbdc6325d9165460d29d17f5e7ffd444c8fd508c
- SSDEEP
  
  6144:c+dE6vqOE9Z8LapTWgK/W9uAExjAhQiM5bQCdf/ORqz9BLp5hjo/GWZ:c+vvbGlpoAExjAYbQCdf/ORqZBdfjo/b
Score

3^/10

discovery
behavioral22
- Target
  
  old_14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d.exe
- Size
  
  84KB
- MD5
  
  fef2837fa1deb4704de03eaa76b62241
- SHA1
  
  8bb3914b5ae46383f0223ace7a7b3b6de2b6344e
- SHA256
  
  14b68cb9f911ce937f52ed8282ef4395f2291c0a23f14d33f731a15572834b0d
- SHA512
  
  9b7ca59308240a46bc215975c14e508bdc853ab5c7a7bc76a92ef42d1dfce0adec2aa1b51b8f9569590bb110c8f9cb47f2c1c446c4ec6c747dac453a918c78f7
- SSDEEP
  
  768:DhnciumS4FeU6ggYpFJVuGwv8zE2rCaBE1s6zAKKXb/7BxkxzDNHwP00VPSuilVV:1D5vzuf8qfSpKKXxiha00tSHVOWc
Score

7^/10

discovery persistence
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral23
- Target
  
  patched.exe
- Size
  
  1.3MB
- MD5
  
  7d2af690ad89d53ffc070f066a778edf
- SHA1
  
  29d212d55c2d41efe96ca384132ab935d6f80861
- SHA256
  
  eaac4bcbf42384c31cc4f1e217e7becd9217647aa693e93488d2d9559127dc3f
- SHA512
  
  ebb6bf66361fc6e72f463f61b9eb18f7fec51e1551eac78b1cf0fb4a900568d5d99ca34517f90396a08cf5794a38f666c8affb28a136232f459237ff9c82acda
- SSDEEP
  
  24576:R9WQitvyUilzOUxaOWk01G4fbu/F41jen6KXYzkEEknJS7DFN4L3GmPA705sCvsF:R9WDAUozOUxaOyGau6I6WPDvlAAoefk1
Score

9^/10

discovery persistence ransomware spyware stealer
- Renames multiple (2223) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral24
- Target
  
  pclock.exe
- Size
  
  239KB
- MD5
  
  bb9c3be8f8ee44993bc2ed175abcaf1b
- SHA1
  
  fee3a493cbfc84799c1e6c2c3b7d84e84433578d
- SHA256
  
  302b437cf639368e85af4d16b2ba11707f5e94d257e5718be7f913c7162bf954
- SHA512
  
  c4dddee9db4929ec00d3344ecd748c4cf41a516489f39eac9ffe159dba8058b5d2ac23f47edbdb0cd310793699af3631d6b3577fdba59efe599dfc81d12f6837
- SSDEEP
  
  3072:3Nkgq5A+T73rKiwT6ChOe97tauWx/7PaoHdWOGNKbZNM4rfnxl1YWOFW+OKd:mR3a6CrXWx/7ao9aKbQ4rycKd
Score

7^/10

discovery persistence upx
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral25
- Target
  
  pclock_unpack.exe
- Size
  
  419KB
- MD5
  
  1fc5cb7e0ad732461f8eab5d1125c427
- SHA1
  
  2974651cf335d46b2e7d2287b325232c3b77d9f1
- SHA256
  
  05fab5797ed3fa8ba1fbe0e0de14e5284f84506c1b5bb386638e49c3f027e75d
- SHA512
  
  b0818ac1d5ec83cad5760b76551f8237e2a3e1968ebdfec8deacccb291842ef7f838ad7071590a215b9cb6c030b6f69ccf81c3d05447216c6456b6cec20961e9
- SSDEEP
  
  6144:zHuwWf/SZxB5+TlkJUjvvh02jNnPAPowEoxAKJaITtSXp:OfoxB5+JM+6oJIovSDtSX
Score

7^/10

discovery persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral26
- Target
  
  pitupi20.exe
- Size
  
  152KB
- MD5
  
  942c6a039724ed5326c3c247bfce3461
- SHA1
  
  6ed179d6131f2407d19b37e31d4aa9c9709d4d99
- SHA256
  
  1be07198c324c9732d4e2676945ec021eeacd78775aea2100f49ca0483d3f901
- SHA512
  
  ac934d0d5defd5ea4354b743520b0d1a8280d74b953b0ea0e7c6cede3f036bfd715e8b4568d794db6f007f0b5ddd8be46bb5a8707252ed8b3cb304fb6746265b
- SSDEEP
  
  3072:4/s16aN54vUh4EyiDg2Z/1RrUPjfyUOqC4tn4yDDqJBftdIW6oc6jSsG:4/sMa74vUhVyXsuOU9vn5DuJBftdV+D
Score

10^/10

defense_evasion discovery ransomware spyware stealer
- Renames multiple (4039) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral27
- Target
  
  pozhehgxmlhobpvwlqco.exe
- Size
  
  56KB
- MD5
  
  327cea8d93ff1094fe1ba9008e8c5657
- SHA1
  
  97574533c1260e6e3bd3008359e38055aba0d203
- SHA256
  
  d2164cdbc9c78db0115f382a139ccd758f8a25ebfc5ab3e0034e7aef0fe0b6b4
- SHA512
  
  7904652fa2c81296be80efec5617dd86059a940ef0ee10c45a9673d6d85cf845afaa188385d4dd7643ff37ad61a25c33c14486448c5eb51b55d9ba59158c6357
- SSDEEP
  
  768:mbLjRB9o7troDVMOXsgRha8ZwByuiiCKR0YFeIupRXnzUpiPqDOyktPxEY:k/L9stroDzRhD6yuDR0lIupRnXTboY
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral28
- Target
  
  ransom_50.00_dol_df410f19157f591860e1633b85dfb50b.scr
- Size
  
  621KB
- MD5
  
  a7f91301712b5a3cc8c3ab9c119530ce
- SHA1
  
  22c17c048eacd78038e820350181e2fb1aa2fe75
- SHA256
  
  f1384ff19a870f5aa718486666a14e88873d79eaea5725e3a2097b2d9fd9a320
- SHA512
  
  53f608c8ab14595559ea91f028632c427c60b490ab79f57f6ac8b09dfd3920b69acf011ca0d8891fb3a3db474967691d69acb9175d777be65a0ab9b71b7e135f
- SSDEEP
  
  12288:o8S/eSSa+KprpGAOB+TJyZJKiPKIQInLDIAvcn0YP2TFjqHHsFNW0jGjG:NS/rSarrpGr+1yzKUKIQILDIAknzuBje
Score

9^/10

discovery ransomware spyware stealer upx
- Renames multiple (109) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral29
- Target
  
  ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
- Size
  
  195KB
- MD5
  
  f75957ce3208ef38cfaae1e46bf5dad9
- SHA1
  
  4633cb0d8a55d8d9252a4e61a786f0b3110af74e
- SHA256
  
  74456d286d471069dee7171ce654f910722ef0ddf42e701337c2b4a1e0f5c36c
- SHA512
  
  29db93c1920e14bba0f668a5ad9a5ba39f960f68fa9188bb968c4dcd32a1013e2776fa7897e97667b7f870ee16b01bcb6576cc25a25eba9b0d3e000f31df061d
- SSDEEP
  
  3072:DwJ52Y7ZoH5XJaT45embG1bMxXa6LTDRQb73WMRqIlDoUtSVEPvKbSts:DwHysTtMG16XNY77qCoTVqVW
Score

9^/10

defense_evasion discovery execution impact persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral30
- Target
  
  safeinf.dll
- Size
  
  702KB
- MD5
  
  a0a45b5de3c04e4c659395857bee3ead
- SHA1
  
  bdf4e7315bddb3fa7ae86dda5049b30cdc648dea
- SHA256
  
  add92cb6047f2fb412dcbcb5a2d8ee7fad56091ccd6667105d977b010a33b561
- SHA512
  
  b8f3d847a19dc7615a9cbf30dfe6cbf344045e6f5510863ec9bbf1fdb171a146e1ffbc44cb7a5cb08862ed78b1bcee72f99d6e792b82f70f41494a0a0071d0da
- SSDEEP
  
  12288:dXmwRo+mv8QD4+0N46glpxInQMUmO+NWJUaS5plVvj9fOOIAxHfoeYJO/:dX48QE+UiK6P+YeXplpXIS/oXS
Score

7^/10

discovery persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral31
- Target
  
  schet1074.15.03.16.doc
- Size
  
  1.1MB
- MD5
  
  99289be18f8eff90737733fd7e1255c6
- SHA1
  
  736c1b31cb3735f301d8cd4981c24ad70d017083
- SHA256
  
  72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9
- SHA512
  
  351d9ab3c36dccbe591fdd7aa4cfc6e33e82c3a2dc07a829b79a99794b7184811307f749ddba7881eab4ed46660ae6b8214c1c41c974d9f8a3c934a786b0560e
- SSDEEP
  
  24576:kbKw4bfMpV7ceKPvi14LEt5k/W0DPwCna++V8TQheoP:TwOMAtPq18Et5k+qH+GTQZ
Score

10^/10

discovery persistence upx
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral32