General
-
Target
Batch_10.zip
-
Size
11.3MB
-
Sample
241122-d7pb9azlfm
-
MD5
b48fdef3291bb0abc112131cf87a8e15
-
SHA1
3a4cd49e66c6e38ca69fd6f6a6f494518ab76136
-
SHA256
5015af8fb5725c4c9ebac28a890128587b888acddab6cc9ff06e94e782713882
-
SHA512
3e8bda530a228eea7c36c7dd66b22f28d72a819408f2f8c1bd68fc9e73665293d4c09b562f09a4e6c79e77ac43539389dddb1e71a8e8b996a187c83821281dda
-
SSDEEP
196608:wtlLvswtv/acQbMgxSrvVK23tcrz00PonBnI9qJBd/fFD5:Ulzf3anbMgxMvVKOtEz0hnyiF9
Malware Config
Targets
-
-
Target
ScreenCapture_Win8.MalwareScanner1.exe
-
Size
137KB
-
MD5
e6b389c43c8f108c8e40fcd35903ec19
-
SHA1
54fd03fcc29a71996da1705d28d646606ca749c9
-
SHA256
2c2188db9cbb3079d6cc09dab391e750dd1f2ad333838efb1941c0858e7bf896
-
SHA512
d41ed4ae710c2ed355674f549c4d592a010bb5021b8c8b03fdb78256a596d9b4716ed61f556fb5965b605c19905ec24395b795ead6eeed5da6f3b6e0422d332e
-
SSDEEP
3072:HkScxQ+r7+OXo5WYD99HMig0e03PTrPgsEDte56AhR5:HkScxt2O4Ycg3MPTrPdSeRhR
Score1/10 -
-
-
Target
ScreenCapture_Win8.MalwareScanner2.exe
-
Size
137KB
-
MD5
f5dabcae00cd2fac2cee31a3a22210d7
-
SHA1
707ac7035e00884bc6e1e0197df6a8821d4dd169
-
SHA256
33e3b35775308dbac17df9b4b8813e12f0d0ce1842fcf348c64aef13b01144d6
-
SHA512
060e0e6ca10cbdd548c97c16dcdcbbb8bed2c5dbc8c7be740857ca5a2ae54959c6936cf8316fc943dba559ab490f045277a84cef8c2217a3138dc4db19caaab3
-
SSDEEP
3072:UkScxQ+r7+OXo5WYD99HMig0e03PTrPgsEDte56AhsB:UkScxt2O4Ycg3MPTrPdSeRhs
Score1/10 -
-
-
Target
ScreenCapture_Win8.PopupAlert.exe
-
Size
445KB
-
MD5
2f62803bf924b80095e6ca08f4fe2620
-
SHA1
1022f09bb5802fd744b2e94aac54b31033c9cc81
-
SHA256
0152264bb7c476c2b5ece910cf63d2401e079ed64a259cd04b7bc2456fe5d28b
-
SHA512
aad767be7cb1a03217c8afb020f96eff0c4b2144d33e031799c850bf25418df571aef3ae5e89aacfc4c20d7f9a85b492296b6b4f26dfe376712a931f5e0e4d30
-
SSDEEP
12288:0NUhryI+L3cwFrAC3nTNUhryI+L3cwFrAC3n:0WuI+LDFrAmnTWuI+LDFrAmn
Score1/10 -
-
-
Target
ScreenCapture_Win8.TaskServer.exe
-
Size
1.1MB
-
MD5
35f2486d9fddb5ee6023cf0ade83a7d2
-
SHA1
b6e97e8516cad2bdb75599a7b01fc7a17331e874
-
SHA256
bf15e8c89f3be24a8d394b0a0972892b8d224e9d1f6510f3a6e1463b268186af
-
SHA512
52c9def952737595eaf23f1daa79bd1116241d9148be645da2685034317168f6820dea64552ba9c0a21cdab4090081d41e56bf610d2063d91835be050d353058
-
SSDEEP
24576:Hpf1Z7qyk019VM1nvs45vvjsYUy258pf1Z:jZ/1cvLL7UyVZ
Score1/10 -
-
-
Target
ScreenCapture_Win8.WindowsLock.exe
-
Size
413KB
-
MD5
a35db7336ebf2a57763d31205286da1c
-
SHA1
c61fe448964afcd1fb6b657d04d911cce2d08511
-
SHA256
eb55317191979c185bf1ba2e40a9468c433e7d1538f928f85c9672589b6ba037
-
SHA512
12da2b8efd13b94b9a9f6bc943efb2847323dc3c8df4f6adb4d426679da11408ba124b8e540b2d1c70c87c51a92eb16c7aa95b741e47a3972792668b069427d2
-
SSDEEP
12288:jV+t1nfILUvE45vvck5+TCxVCny2u8Am:jVM1nvs45vvjsYUy25
Score1/10 -
-
-
Target
ScreenCapture_Win8.WindowsLock1.exe
-
Size
413KB
-
MD5
318415ffeaa1e006c47ee8d9ac7d0854
-
SHA1
951ee1a9d651fc2e10ba7e774ed716f477427bb9
-
SHA256
57a77c5c3e50974585782956cd37615e6218a1a4dec8bbe5515aca0508f59ac4
-
SHA512
e7571ed7f5a857c80126394527a745fa7c98bbfe20ae68d4c3fd13614de95b80f172db2825acf24144cafc5d16f7d38f9948743dbc60189b7232eb3dcfc0b172
-
SSDEEP
12288:sV+t1nfILUvE45vvck5+TCxVCny2u8Am:sVM1nvs45vvjsYUy25
Score1/10 -
-
-
Target
ScreenCapture_Win8.WindowsLock2.exe
-
Size
413KB
-
MD5
faf666e0d80adbf3929a8bd78b34888a
-
SHA1
eac5046cd25814f5c043c6b8a92a948f1572cd4e
-
SHA256
bcdde1db8c7e73cda2baa87f7596767fb2783c40e1f3961eda2602528e15f2bc
-
SHA512
337f4a41f8aade7a4144d116ae20e63dc3df2e290096b3de8087188f21e3b7be9bffbc040be855bed509e080192720176e7d50fcb6f174a528da6ee48c77aa2d
-
SSDEEP
12288:5V+t1nfILUvE45vvck5+TCxVCny2u8Am:5VM1nvs45vvjsYUy25
Score1/10 -
-
-
Target
Setup (5).exe
-
Size
396KB
-
MD5
13f4b868603cf0dd6c32702d1bd858c9
-
SHA1
a595ab75e134f5616679be5f11deefdfaae1de15
-
SHA256
cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7
-
SHA512
e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24
-
SSDEEP
12288:jANwRo+mv8QD4+0V16nkFkkk2kyW9EArjaccoH0qzh4:jAT8QE+kHW9EAr+fr4i
Score7/10-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
Setup (6).exe
-
Size
289KB
-
MD5
1a2af687af2c9f39a5489da1bfceb864
-
SHA1
f5502776ce55b19679a8ff5a17884f3cc5db34da
-
SHA256
bd194616665ef6125f7c4af3796de38103c38fc8653d27ee861975dc343520ba
-
SHA512
f8c094ec519dc59955bad70c0a02d3fd15741c539be5a8f1d0002fbe5007e798180d590ea14b3b22ea231ceb4c5424eced00043ac36d35e6ddf34f5475cd54f6
-
SSDEEP
6144:FZABbWqsE/Ao+mv8Qv0LVmwq4FU0fNoy6nkFkkk2kyWDwOrNkYgYRWW:jANwRo+mv8QD4+0V16nkFkkk2kyWUOrF
Score7/10-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
Supplementary Agreement 26_01_2016.scr
-
Size
91KB
-
MD5
b0625408735468e40f4af9472afcb35a
-
SHA1
ae8afddc982abc163147fc47bfd30f2340c56086
-
SHA256
9842ac7705c39546d9e153b5e014c16df061f306fd2b1904368cf8f503f4204c
-
SHA512
49e96828e92f142fb55fd301f9855a3965c2dc9e933e50eed0d7d9634771f3201a34704ceba419b5b941dd089306fa91aec36a841665ccc7abe649b95dd1e6ec
-
SSDEEP
1536:Rr346DHQyoOhwRY35OSmoKM+bBcql/UxyQKs1OiYI/3lHEKIp0+cNFyV:R86LaGccOSLK9qqli1aKKHcNe
Score3/10 -
-
-
Target
T1.exe
-
Size
31KB
-
MD5
29cdb46d2e01f2efb9644c7695a007bb
-
SHA1
c276166bddcbcc093cf0b7164c4233745eda6cf5
-
SHA256
3ed94c1b319454f6122a05ef124e5bc8eefc60a3d81987fb712c7af78726e6b3
-
SHA512
fcce8e8a5c0689cf79dc4ca46ff0bbad6f4c5b8c74dbbb186e1e9df3988fa75526c00dfb6b8181ede6f0e5f1496b96caf23cc59de8c774a70812b1b0b5a590a8
-
SSDEEP
768:sg1mvOSFUyD+W4e4++sqzYbxw7S0/oc1xO2ISMggtCLYc3qFgxd:sgcvOSFfEe4+tbxw7iCkwe/Fgx
Score10/10-
T1Happy
T1Happy ransomware is a cryptovirus that behaves different than its counterparts.
-
T1happy family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (5457) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables RegEdit via registry modification
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Modifies file permissions
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry
-
-
-
Target
T1_b7afca788487347804156f052c613db5.exe
-
Size
31KB
-
MD5
b7afca788487347804156f052c613db5
-
SHA1
dd3d9703c37589482344460d4c624f50dec7d077
-
SHA256
a41130085e6e7d7ed320599698d79af44da110a58d761e3dfb35e44500e6ac16
-
SHA512
a37d6ec993a3d0f19daffc3ff174b05707c12339c4475e88468135bca73572ee9b61fb1eae2fbb7285a3dc893b048da108cc54a0f6dec66983360483720eba7f
-
SSDEEP
768:eg1mvOSFR8d7OJecatzObxw7S0/o61xOxZKMggzCLYc3qFgxd:egcvOSFR8dVcPbxw7iQk2A/Fgx
Score10/10-
T1Happy
T1Happy ransomware is a cryptovirus that behaves different than its counterparts.
-
T1happy family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (5449) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables RegEdit via registry modification
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Modifies file permissions
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
TeenTube_90767.exe
-
Size
197KB
-
MD5
1105c4df3562b7ac9aaa3bf6037397c9
-
SHA1
5abd5e024b85078b9060e4eb75c9fc9c7549ad55
-
SHA256
efd8f55e43b1ab6379cac9d2f037fe5260ffae11433fb076fad3b639f9f9d4df
-
SHA512
98156f3f1707feaac20bc0250238aa3a4a8d0e531f77281e092c8b454a055bfbe97bc32b01538bbdc4f9b1ba76af6b626279bc8848484c79646aa5ea6bb8ad85
-
SSDEEP
3072:Oz+92mhTMMJ/cPiq5bVioBih1PJ8RsaX/Bv3WxAyZBQ73Uen/+V:Oz+92mhAMJ/cPl3iogavsAMBLen/U
Score10/10-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
Trojan-Ransom.Win32.Telecrypt.a.exe
-
Size
3.1MB
-
MD5
3e24d064025ec20d6a8e8bae1d19ecdb
-
SHA1
aaf26fd22d5cab24dda2923b7ba6b131772b3a68
-
SHA256
3d7dd597a465d5275ef31d9e4f9dd80ed4de6139a1b3707cb3b0ffa068595567
-
SHA512
02eeddcb6d33dada9214503ab460d409ba429dfb00c756722188e2b7b9a65dd054a0bdacf45613ef3d6aa9524f256da155e33daf94eade384dc94f7716724896
-
SSDEEP
49152:yAqPm6R8fkBn5GSOsnvjXo2KzB931XYPy:0O6R8fklXo2KzBHX
Score3/10 -
-
-
Target
Tuyen bo chung Viet Nam - Hoa Ky - Infected and EnCrypted.doc
-
Size
57KB
-
MD5
9ce30fe9bccb3d09b8326d9c2b4326d8
-
SHA1
a9174fec5d81977eee9de2658a92fa9e4de76dd4
-
SHA256
2d20d5751ffbac9290271969860106fdd34309878a1e06f9dbcac23a7f50b571
-
SHA512
ba1dae484f846fbb18df4a3abbb54bcf22549ec4762db34560afacacf226f6c62ca37ad2045193770dcfc1ff61a08e3a47369b6352d5d282146a3afcc91bf83f
-
SSDEEP
768:jwox3E+dBeFwhLsYyB/ZOy8gOKHwlidfeEXy:B3FdBmwhLsYCJH/
Score4/10 -
-
-
Target
Tuyen bo chung Viet Nam - Hoa Ky - Infected.doc
-
Size
38KB
-
MD5
2d2bd96b7b99a4727dd3d01db91ed276
-
SHA1
90aff4cebf1741efab3123e3455cbb0181d9f9f7
-
SHA256
e6b15419059e833424e9c726e9b0b085d9f0fcb2cccbfe1025b0d0f8a1735a66
-
SHA512
8338a2a2bbfbae0c5dc705e677eb063aeaf87acc1f287d11046370cdaa697092a15d539b9c0ee40a0155a7cfb221b299d5a7a3c65c26fdb50aff4961186d6e4a
-
SSDEEP
384:Zjj08Mjar5mlCQTzQsBpD7FPWGwTvx5RSwYg0j3pAYtt/g8:JjMj+5mlCQT8sBxxP/wTJrJI
Score4/10 -
-
-
Target
UNPACKED.exe
-
Size
1.3MB
-
MD5
6ec6069728a91a04407283bc6bf208b7
-
SHA1
5407241081ab23a29acafe11187bc118abdc15b0
-
SHA256
7910428acb8eb014340219f413e4fcaab9bd31f9664e644fe91dacda9e65470d
-
SHA512
bb809949f9305d4eed3becd28a254dc0eda7eea925a10548e6e560826ac22c51508a1ef9c9443e3690f98693b9775d238781392c16a0ca27301b5a1880913487
-
SSDEEP
24576:q9WQitvyUilzOUxaOWk01G4fbu/F41jen6KXYzkEEknJS7DFN4L3GmPA705sCvsF:q9WDAUozOUxaOyGau6I6WPDvlAAoefk1
Score9/10-
Renames multiple (2207) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Drivers directory
-
Drops startup file
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
-
-
Target
Uninstall (2).exe
-
Size
110KB
-
MD5
139df873521412f2aebc4b45da0bc3e9
-
SHA1
3fd72fd5bad8ee9422fb9efa5f601f6b485404df
-
SHA256
efe6bd2e0fc7030994fc2837b389da22c52a7b0bbdbd41852fcaf4308a23da10
-
SHA512
d85cf83d3b2cf9af3076e40d7419be42a561bce1160376ba580b3078b581ed2bd6d274fb2a0767aa81a9e92052762f39c1c391ca0cac3043ad85a72862713bd3
-
SSDEEP
1536:WO/z6hPABUjO/Zd1716EoLiL4l1HdIaqQPDm0xK8i6f0Zn9PRVW8sW45o26MI:DzgjO/Zd1RePDmZ8tf05iW4u2X
Score3/10 -
-
-
Target
Uninstall.exe
-
Size
110KB
-
MD5
139df873521412f2aebc4b45da0bc3e9
-
SHA1
3fd72fd5bad8ee9422fb9efa5f601f6b485404df
-
SHA256
efe6bd2e0fc7030994fc2837b389da22c52a7b0bbdbd41852fcaf4308a23da10
-
SHA512
d85cf83d3b2cf9af3076e40d7419be42a561bce1160376ba580b3078b581ed2bd6d274fb2a0767aa81a9e92052762f39c1c391ca0cac3043ad85a72862713bd3
-
SSDEEP
1536:WO/z6hPABUjO/Zd1716EoLiL4l1HdIaqQPDm0xK8i6f0Zn9PRVW8sW45o26MI:DzgjO/Zd1RePDmZ8tf05iW4u2X
Score3/10 -
-
-
Target
Upx.exe
-
Size
283KB
-
MD5
308f709a8f01371a6dd088a793e65a5f
-
SHA1
a07c073d807ab0119b090821ee29edaae481e530
-
SHA256
c0f9faffdf14ab2c853880457be19a237b10f8986755f184ecfe21670076cb35
-
SHA512
c107f1af768d533d02fb82ae2ed5c126c63b53b11a2e5a5bbf45e396cb7796ca4e7984ce969b487ad38d817f4d4366e7953fb555b279aa019ffb5d1bbba57e28
-
SSDEEP
6144:EBgzKMDrn1MUQ8Kr4eNyJf2EycBqABfpV6xSyQy9CZ07Yf+1+ujToS:v5rn6JfXCjUafpVeDQyUXfW+u/oS
Score5/10-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
screenshot2016.exe
-
Size
4.6MB
-
MD5
b8c469c681323bad2efac3b30897e18f
-
SHA1
56bae6961b1fc0e3415b57483c1c21b8eaebd4b8
-
SHA256
121dd64aa3a17da1a9d27ae4ac84538a3b8ec23abec2f5f6e69a06f7826c4df5
-
SHA512
7184f92a537ea0737933190291bf49f64ecdba62739f2ea3546bb90f4868b08b48711eadbfd4c3d4166785abf1d759808d399c73cdf0cc2929a422ed6ff32f15
-
SSDEEP
49152:kvLL7UyvZBZF6DFrpnC6DFrpn67n7Z/1cvLL7UyVZbvLL7UygvLL7UyHvLL7Uy1l:krUy3KNpnCKNpnjrUybrUygrUyHrUy
Score7/10-
Executes dropped EXE
-
-
-
Target
sidacertification.exe
-
Size
1020KB
-
MD5
172aa496b7f2331fa20180b887cf4893
-
SHA1
5b2780dca42fdbd5ac695981ae60a37d1225e809
-
SHA256
f3e87cdbb12c555be95f8c60c3b36b64671e5241db9241644b795ed3b203bb60
-
SHA512
033565913156af4becf18d1fef70df5644b808b4c4610e9ea8783b4b6e5c923b6fa89e62af4c5d79014510f729005a99b2408ddce71a28865ffd2efbe09690af
-
SSDEEP
12288:H1nFG9yNghVwv2gAqeQTyiS62zV+vBOSyfWFp9/4wwTeM+jtH+Y888888888888B:G9yNgY+4eySXSBOSyfWFf/4dTPke
Score3/10 -
-
-
Target
spora.exe
-
Size
112KB
-
MD5
570e9cf484050e21346bcdcb99824d77
-
SHA1
f889cbfd2f25e65fae443c9f70192bd310a04b51
-
SHA256
2637247ad66e6e57a68093528bb137c959cdbb438764318f09326fc8a79bdaaf
-
SHA512
a31ac315c243f7225e32913873426de2a56331f2e47cf0d4ae613ac1ea27b334940a15908e6335db40d92b6cfc9e265143b0b363545c54e356a8d267381b7b2f
-
SSDEEP
1536:Ohw7p8e/dl1SHJ070ir7kREEvxLAEOBHYwBzHy0xD1/wb93vsslLng5n2:OhwH/dlS0QUsxLXOHbBby0b/wB0Ykn2
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Drops startup file
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext
-
-
-
Target
svhost.exe
-
Size
350KB
-
MD5
6fb915548ae2ce60326488761dedbe62
-
SHA1
cd2f503b3194f1e0987f7cfee123ffc323dbe5c1
-
SHA256
3594a403aca3195c3e9b74f95669e33548a06bfaccf6e9bc02b86767d38d214e
-
SHA512
51ee2953cb70a3b0ae344cc274381adebf77fc249732189c77d1e8dc8682040ad0ae6faf850a40af58fa63a13b0e75286562204e40f02da480e5444047095828
-
SSDEEP
6144:R19M6S33QFnHZxkcdaGB/D2IlV2qDClJL3tcTzQzerIaQTt7HYRh4E7kYFIhVF38:r9pSHKHZxkMBL2IlnYa18aOt74Ry+qhc
Score10/10-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Hide Artifacts: Hidden Files and Directories
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
sys100s.exe_.exe
-
Size
506KB
-
MD5
d06f3948aec51684a26a75dbe9dcd581
-
SHA1
af72af7676e74cc4c4b8e67c43f005c850e60267
-
SHA256
59ed7a26c56a644bf3f5ba45459965be8a6e6b79dcf4f90a5c51f2bb12190bf9
-
SHA512
4b7f50932aadefcb5b3e50ed5aed24eca8e39c5202d748ad77fe7774e269be030b12485c4e1d31028b87a9632c22930daee8115d5a1793b878d0823fe1eb87f5
-
SSDEEP
12288:Y3nZMhJ+ubNJVwlQjf1X6PwKU3sk1BLJuUlTopsNSwIWZ4IN:Y3nZqfbvGmjdXgwK891BLQsosSWZbN
Score9/10-
Renames multiple (1213) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
Impair Defenses: Safe Mode Boot
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Network Share Discovery
Attempt to gather information on host network.
-
Drops file in System32 directory
-
-
-
Target
tordll.exe
-
Size
434KB
-
MD5
0abd351cc3bb4a8b406796dbb597301f
-
SHA1
85fc9c0d3b449b93419f4fd31df19d1caf3d7073
-
SHA256
52b748801aa98dab8195bd3c5f5f733b0a2c92da535a2a5372646c52c28efa45
-
SHA512
783ead0e916fb6980fabe22eddf8c88d2281ed54c4e7f6edae314f3c1ed04bf8200b99a603ddd734bbd88ce1e489e27e600e941b3176c5976fe2457e06ee8235
-
SSDEEP
12288:lxKfMazy+J75mcPt67p2L4uNBvULXXl1:lcfT5ZPA7p2L4uzvKXXl1
Score3/10 -
-
-
Target
uacbypass.exe
-
Size
24KB
-
MD5
d469a87f9b996a9f898f437a72668d11
-
SHA1
f63f8f8fad87bd53d5ec3d5365952d4f84b1781c
-
SHA256
8c1fb2fe36a122f0c47b8bda438dfa69395587ca459823b7cb88e167cf3e9605
-
SHA512
3e9fb5f519225bcd4e7b3e86ba54ded9794cc2c6d760f21fd2d02f7045e918dd7d54ed5a24c7d6e61acebc27a6d3dd6419f80e90b8dfdfadf1fe9a29611b87b5
-
SSDEEP
192:ALKf4my3ssAnktY67AN3BwQbqVx9XA3TzbXun2DYVFkakH9Dqy8RN6cE7H5s4HnL:+/18s1tvHAqVDSDYBkdOJb67BHnFp
Score3/10 -
-
-
Target
unpack.dll
-
Size
109KB
-
MD5
46110bbaaf43da136e386756e78061d3
-
SHA1
7b6bf2717063d24f0cad0da2e11de9cfe9e84301
-
SHA256
f58ddb230caa3541543bc2e9ffb68e37257bcda578ae71a0dd5be2c7db71c8e4
-
SHA512
52d5767827ec3377280ee8c5247f2bdd7a6a7c619be53a549149be07b1327c5d7b0bb609ba8dab11e7d74b371e0b4e8aa2dceced8c10b111e983937a5bb8c137
-
SSDEEP
3072:kGwOWQP1ofFYoNA5HbScuQq0tf5KmK5Y8nPRBTssu7r6dmHX/Yu9:2Qdol2bScuQq0tfIvPc/g
Score10/10-
Modifies WinLogon for persistence
-
Impair Defenses: Safe Mode Boot
-
Adds Run key to start application
-
-
-
Target
unpacked.ex_.exe
-
Size
12KB
-
MD5
1c18a0f35e1eb39e130eeeb12163701d
-
SHA1
05efb81dcd92695cec510f6e80c81b4ec7e5b42e
-
SHA256
a30c0eeba490a6855df6aadee5d546cedc0e410752163573d95b0114c9185107
-
SHA512
776cf8f5848f47bee24d294e648b376d0e304a963fb332cc59c9a6eccfa57770a8e2a23055117e523933c1ae5076e31b49c11f12cac31be4278cc4803968de0e
-
SSDEEP
192:1/TrG62a6B10k3g4fXk1iTV3HGc7EkpAqEjvu2q9C/YpXnAITZfPtRMF50n0FI3P:1ebFNw4Pk1itKkpAjjI2YpdmFw0FIf
Score9/10-
Renames multiple (2207) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Drivers directory
-
Drops startup file
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops file in System32 directory
-
-
-
Target
unpacked.mem.exe
-
Size
1.8MB
-
MD5
397c3016232327177e21f147cb916ff4
-
SHA1
baf4cd0c7d6786b6026cc65e4cfa9acbc9fa6391
-
SHA256
24f6845635011f892b4be0ddb23ffe8442f152b0a55365d14b675cbe10c67c2c
-
SHA512
01952b6ad6d0f8c5584f93cb40cec64704edf822af683e344bba3d0c308399131492ff2c43dfe6ffbbf153a5b3138243180758da97ba8f970680d42cab784e6d
-
SSDEEP
49152:3KZ1IOgn/nPKyIdBoN2NbseVaBUXz7OT7SRlo:3KzIOgn/PPIHa2dseMBSzjRlo
Score10/10-
Troldesh family
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Adds Run key to start application
-
-
-
Target
upd.exe
-
Size
158KB
-
MD5
601c1dcbafd1df3cd8030c823a289f46
-
SHA1
cd8aa5088e563024bde4275cccb4e2b25c23dda9
-
SHA256
f760c187e989dab567b1696aeffdbfd558577e54fbd63039e3f925eb4f2cbdd1
-
SHA512
e0a92c3ef9d805e8f319ed0c8b8511e46b784018a6386949ee646ca926402bf4cef91fdb8c9d2faeef16c3a0e3a43e4b9ad7563c7b1a425794e707b9950fbd4b
-
SSDEEP
3072:uZtS9vOgslhX1BUKEAQvlLf+05ojihuwFWvo/z0:uZcJOvU8ribFWwb
Score6/10-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
verhdiehndi.bat
-
Size
195B
-
MD5
a2a0830859cdb108a3353dbb2d081334
-
SHA1
6e7585317f10b0c0c1cdabfc15249a2951852a14
-
SHA256
d0fa3a800cc6cfad30ba69acc55b059459af138736a35544aff213ba7ae27ab2
-
SHA512
b877d5e2d09c2772d0c88bb3e8e7381173a4a7cf9c3ff8dfdc7e34345873e1e8ffc9ccb765de7edad3f6964bcbd22b7a5f8fb7c1576846be37240ade072264c4
Score8/10-
Download via BitsAdmin
-
MITRE ATT&CK Enterprise v15
Persistence
BITS Jobs
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
BITS Jobs
1Direct Volume Access
1File and Directory Permissions Modification
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Safe Mode Boot
1Indicator Removal
2File Deletion
2Modify Registry
6Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
3Credentials In Files
3Discovery
Browser Information Discovery
1Network Share Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1