General

  • Target

    Batch_11.zip

  • Size

    3.9MB

  • Sample

    241122-d88saazlhm

  • MD5

    d9efba6b5d8f5cadcb5b72a261364879

  • SHA1

    847e175e807b9f271cfecdf0b451d029bdf73d5a

  • SHA256

    f6a83e6ed8bf92b8ff4da0aba72fe354199ec79a99008b34800e4cfdb92d3a67

  • SHA512

    ed9ae302a89f3aea8f749e804ed6b058f7d4a48e39ac3ef7d5d8e28eebbbe8a35f9ce7b7675ed57c968eade8ec29580cf37ac85f9aee9c56595b1662e6acaa60

  • SSDEEP

    98304:ywQRPA4p9xWgZgAAqLIld4nSUYuNmH6z3rcq/fsQ:yTST47mW7c4

Malware Config

Targets

    • Target

      VSNKLGuzoFJgFHyEI15w (2).exe

    • Size

      357KB

    • MD5

      89e1efdc766e9c7d41305566993ba800

    • SHA1

      be06191ebb3c96fcf5a87a1d3442ddfb3f19edfb

    • SHA256

      c8400b635f1b14bef0135631f05ae408bf551dac45fb23c1b26e20d60ea00f08

    • SHA512

      26f395abc7cb6a6e156f8d91e3b05756e9d98e45f91ad0cce9825404120888d842319b584a3898752fdd126057e511a8f46c37a640dd5fa02aa3d80462fdea63

    • SSDEEP

      6144:H+dE6vqOE9Z8LapTWgK/W9uAExjAhQiM5bQCdf/ORqz9BLp5hjoLxqZ:H+vvbGlpoAExjAYbQCdf/ORqZBdfjoLW

    Score
    3/10
    • Target

      VSNKLGuzoFJgFHyEI15w.exe

    • Size

      357KB

    • MD5

      89e1efdc766e9c7d41305566993ba800

    • SHA1

      be06191ebb3c96fcf5a87a1d3442ddfb3f19edfb

    • SHA256

      c8400b635f1b14bef0135631f05ae408bf551dac45fb23c1b26e20d60ea00f08

    • SHA512

      26f395abc7cb6a6e156f8d91e3b05756e9d98e45f91ad0cce9825404120888d842319b584a3898752fdd126057e511a8f46c37a640dd5fa02aa3d80462fdea63

    • SSDEEP

      6144:H+dE6vqOE9Z8LapTWgK/W9uAExjAhQiM5bQCdf/ORqz9BLp5hjoLxqZ:H+vvbGlpoAExjAYbQCdf/ORqZBdfjoLW

    Score
    3/10
    • Target

      VideoCodeCX.exe

    • Size

      2.0MB

    • MD5

      0701e045db5d20c93427b4bb452bc341

    • SHA1

      6be9df576ebfed1b2a0b14f2352dceaa36a10c79

    • SHA256

      22b1af46ce7b3db0ec037026e035b0b09a6c791e5fb5fcb5e6ee3ef8d276abe1

    • SHA512

      40a542dbd44eab6c2f8f6631487be2065692489040632916aaee2d7f24810e4844291b1e6a0e5884362a7ebc534a03a44103465cd1266439107fc5c070c50dfb

    • SSDEEP

      49152:EkAG2QGTC5xvMdgpdb1KRzGepUu2cGbq7oc+tuNAn:EkAjQGTCnvMmpEQqUPn

    Score
    10/10
    • Modifies WinLogon for persistence

    • Loads dropped DLL

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      WcsPlugInService.ex.exe

    • Size

      113KB

    • MD5

      f9a974c8ed6793c226101c10af7542db

    • SHA1

      5719e5b45721af9ac9652332f2001d984e1d9a45

    • SHA256

      8f0c20eab317c9416ad6dd602013528dca8ee1467b111019fe6704ff8da6a241

    • SHA512

      1f00ca5c9fdb1ca8fe6d9b9728da6b3aac57b72e17e528ec37e77cdf6ae1cd52384b0ae8256e2f74f88ba87c9e90c575a0a8ebf729f894590fe71d5e6ce608d3

    • SSDEEP

      3072:pxuZMpyk7A79E6rdAXpRCxv/sqJ5SjTOaiZl7ObWlx+T:pYf79JAXKxHs0S3OaiZ1Oiv

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      WinLocker Builder.exe

    • Size

      317KB

    • MD5

      10bc8a66ffe85a5eb04d5dd463204318

    • SHA1

      e0df54485e4fba5af4ff0a61c022f794a5ba25d1

    • SHA256

      3def8e9db50996046391a345099f3f7b023f8e0e26356702f73743e25d5716f8

    • SHA512

      3d833e8083cb4e781b7572eedc89d4c94ea91a04a77f0e7727ff8bb4d16bb8887c19b6a2470e90a2cf714bdf72d26679075f7c7f4127e1c504182955808b99e8

    • SSDEEP

      6144:eUKmfbTAYbMLaOphVx4bu9xJjF1031CP82ooSaYq:eUvfHfMLaOpXKbOjj/sNLoSbq

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      WinLocker_Builder.exe

    • Size

      314KB

    • MD5

      d010491f999105e40f8550bd9daa4fa7

    • SHA1

      75f413c324f4b61a524c5330f17cd44019663544

    • SHA256

      cfa91ed5fa38bc5e369b4bf4d59030be432d47b8e2f7e58b9f25c3c034654cc1

    • SHA512

      a01eec4d45c9e27a4e138941851eacaa2c865d27c7d83ce94225a98dd3f80cd4576b5e9738a5d3637084443691a8bb72812c63daddbf098c0d69de92c928c669

    • SSDEEP

      6144:eH7QBEVURAirobeZq26b0FmS3utXig+vQeWXKjkQwLEaoS/V:BBEuR42q26AFmSetX+Qt6LuToS/V

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      _003E0000.exe.vir.exe

    • Size

      116KB

    • MD5

      f57d188c4667fab46208396af20badd2

    • SHA1

      367ea268c494d17672ef371adebef0f505c1a804

    • SHA256

      878304de96556ed340f190a9d8b5650dc71512eed4210676560fc41e7ac4857c

    • SHA512

      157615951ccf90c69aaa4e4e1e1f664ffcb6c5817371143ac5bc2dfac04185e57981d50194ad4a1784c29f16211b6a18e9fa085721d05e29ba63377e40dc41a2

    • SSDEEP

      3072:SsB0ura/QOVLLkeyYP1RNDZyuubclhZUnr:Sef7wkey21flyu8+i

    • Target

      vmem02.exe

    • Size

      36KB

    • MD5

      ceca6f5828b79d4da88523c4c30d890d

    • SHA1

      3a9197e2105200b5756e3428e7ca4f5dd2b6df23

    • SHA256

      16e42d3e4af4d7de0bc9adfc317a68fffa41feb406e82d870bff657a86ab448e

    • SHA512

      5448036fc6a88d1e6797cb194007327d7f263c8254c0a6463025fc4da1d08fb637ae033aa7da6e6c7f5dfd95aed029ce03c3e0df362f71a0becefe20f58957b2

    • SSDEEP

      768:FtGLOTlOw4qwau28gJV6eRf130SngnM1RLNen+l3:wO5x7waQPeRt3BngMHU+J

    Score
    3/10
    • Target

      w8i9eHkHOwWwQlX.exe

    • Size

      1.3MB

    • MD5

      6ec6069728a91a04407283bc6bf208b7

    • SHA1

      5407241081ab23a29acafe11187bc118abdc15b0

    • SHA256

      7910428acb8eb014340219f413e4fcaab9bd31f9664e644fe91dacda9e65470d

    • SHA512

      bb809949f9305d4eed3becd28a254dc0eda7eea925a10548e6e560826ac22c51508a1ef9c9443e3690f98693b9775d238781392c16a0ca27301b5a1880913487

    • SSDEEP

      24576:q9WQitvyUilzOUxaOWk01G4fbu/F41jen6KXYzkEEknJS7DFN4L3GmPA705sCvsF:q9WDAUozOUxaOyGau6I6WPDvlAAoefk1

    Score
    3/10
    • Target

      wpbt0.dll

    • Size

      50KB

    • MD5

      df9188698b078a38b399a8b6f61f9c34

    • SHA1

      b221335078e9e368f07b102fccab2c83c4f90a5f

    • SHA256

      9282cdf4c83b4ca8015b0e450ac68c5bb7effe4503d3d34efa2ad496d37d2d26

    • SHA512

      97242771d5c9f864d6f929c141085c718da9642777778228e3a2b072c2137467c6b80fc8c0d439cc5aac0e434a5e6cef13b22b537ab52812de9ed3d98eb6e37b

    • SSDEEP

      768:it81vCu5ZnWpQgUMq9+12GDuRUP6Ez9Ctwgg/wI2oRPfFSTYJa2U:iqOpQCq9+1VDuSVIhJGe

    • Modifies WinLogon for persistence

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      xpiofrbtkzhr.exe

    • Size

      46KB

    • MD5

      25a11c9dd8d3eb6ecf8544e95d866a98

    • SHA1

      b462e8f5a05dba7328885af7646f9229d09656fb

    • SHA256

      6a298fd7189f63d29fb4c4cc342844a98c10945f8e0700363b0d078111568528

    • SHA512

      2483c4b7dad5bf273c955c70716dcb61a7f61ea1047de6f03ab867e549a3791a1c93291ef9d81e6308eecffb3a05f963b45f8b539ab31f84c5520844cb8a8992

    • SSDEEP

      768:1ySfi5TqmFi4tuXnKtgYr/TOsex9PEMBex6BHmRGBNc1uobW80vOA4N:dK5TbUayYLTOh9PEMEx+O150vOPN

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      xxx_video (2).exe

    • Size

      608KB

    • MD5

      2bcae695288cd75a2d71c0dbb69359fd

    • SHA1

      6a0476b62c069d42a2d8290b7d467d8a136312e7

    • SHA256

      d51d08aef8661780261241ddb5bb2617b1fafa1ac1cdcad77e825c16faf48c79

    • SHA512

      a28d5299addd39b0905745889cc478549c295ba9a19d49b1b0fe723840c298d0793203627ea5852e91ed2efc6684d2cf7362ff2958e52eb30c859cab497b0e96

    • SSDEEP

      12288:ao7VLRpB3hC/K+wAN0PdyT9ElIdq5uMumzu5FEiXqv3RZF8N4E:9P5zZI43

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      xxx_video.exe

    • Size

      74KB

    • MD5

      ed6cec1486bd9af8a567604112f786bf

    • SHA1

      147b9b965701a42fb6e8088da0abf4eb3b987d1c

    • SHA256

      2a9e5ded530da46678845fc5f3be1f83819b6a255765174eb4ae06ba4abb5b53

    • SHA512

      e8e1ae480b129a9bff0d98c65d212973be9892f4fa103a78bbb275f3d3be7c68e871888dcb73bcdd35c3958f9d7b889671b9d8aadbdc4623c4b4a81ba182805b

    • SSDEEP

      1536:Y4adWLt4aPI7ZPItWEK01i+jmcIJID+U5pnouy8NM:C8LGaPI7ZPItFK0zxIC9noutNM

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      xxx_video_26726.avi.exe

    • Size

      62KB

    • MD5

      91096e06bc95a718d0b67661764a92b3

    • SHA1

      a05df3707c71b2cedfb94bb81c6c1af3311be235

    • SHA256

      76520b94f15467309d3ca3d8022bb156e8daa811223774b7a74127881ab50fc0

    • SHA512

      67dd71681bbde5dd5c2972f57930b856c68d90b5cf2f0edbbdfcdf2b6fb5898ff2ecfe58be6aa4aa8b0aa88bacee6a58043fa8733b5b911f2c478f30347e715d

    • SSDEEP

      1536:zX9X3D0CmuUFQArTc+OMnlf5JSVeK69mEgey5O:79n7Urc+dnlB4VzLTw

    • Modifies WinLogon for persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      xxx_video_35942.avi.exe.vir.exe

    • Size

      52KB

    • MD5

      cc279bf22bc5f3348034cc732db279df

    • SHA1

      1df6eceb7417fdca34ec2e351752e62b9e308bf0

    • SHA256

      0a5506d1867dbb76b428b099b2ae6a3ec0c85ec8dc855b66ae822fcc77ba0f12

    • SHA512

      c76c05b996b13815be43c640773b73e1aaaf34b642502098e0ed736e4dc98ee071a89a4d524a7440a3b2a3fd2d571d0396658070268d1e2e04a5a4e4555c6875

    • SSDEEP

      1536:VxpWSs6Ugax7sR5T3qgWXHYccHbs3CJP0YLI:V7WSs7Fx7sR5joHYcmYk8c

    • Modifies WinLogon for persistence

    • Event Triggered Execution: Image File Execution Options Injection

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      xxx_video_35942.avi_unpacked_.exe.vir.exe

    • Size

      74KB

    • MD5

      af5c2e270346cdb9206ab7c09074a13f

    • SHA1

      b20c204a948da5f41b1cc8c047ca4c410b67f60d

    • SHA256

      2c7a6f717702e2789aa4813bbeef2890edfcb216c0af83ac399015853c057c80

    • SHA512

      dffa29aa1a627455a1d04e86238dbbc52f881281c66f3d278f176794a32ce3a5920a101fff8ae85322d962021a8fb6a1c1ac96a2a2fd382f407cb3ce6ae58310

    • SSDEEP

      768:V7B7vOri/ija+1IqhZ9o9nn6vRhwXzqaRMicwVSeRSNRGfbxuuNtpzWLhp4oQsSJ:V7B7vyDo9nadaRuwweBzxJWLv6smf

    Score
    10/10
    • Modifies WinLogon for persistence

    • Event Triggered Execution: Image File Execution Options Injection

    • Target

      xxx_video_73240.avi____.exe.vir.exe

    • Size

      202KB

    • MD5

      ec1515255dd45a0fa15a23fe5f07a23e

    • SHA1

      e61bf707f6eaa7009504c65f2d498de72818f738

    • SHA256

      4a47be4e443a8d327b607cf606994666dfcd688ae02a50b9c7c0ea2b0e0c9b41

    • SHA512

      23c8b170549c5d1340938a152bcf4ab0cdcddbe6d446be3bdcbb9c211127d60013fbe00019208151c784e6f522ae5770e546f4dec88cf285a891a3938648b526

    • SSDEEP

      768:vs8Rt5Kv/2CxxurzvCW6QtKarJ0R9ShWbSt+Y41P+MBefyap3eKFW3e:vf4vgzKWxkaiR9Shp+Y0mMBeqapVFW

    Score
    10/10
    • Target

      xxx_video_77498.avi.exe

    • Size

      53KB

    • MD5

      1980cdff48796a156a69bbc5b71b8bc6

    • SHA1

      feec2e4f363839525ffea205a33d7a1c0241a5f8

    • SHA256

      8041d6917560303a9562dfe705a8c57c57425f11f61ffe9e91907e19cfe8619e

    • SHA512

      01b297498995e0ecc4c2f3bde81a3fd6abe93924cd930712a97f2932e5f18693a545ec7ab76c768a740b3e4e11ffb010fc49455127649438656d015fa6bb17d6

    • SSDEEP

      768:W9881n/iH9YJVNv0ryM8CZarJ305Q0nUxtLnZ0XX5FcfH7Gt61:czCYJVNvPM3Zap05Qb3ZoFcfbb1

    • Modifies WinLogon for persistence

    • Disables Task Manager via registry modification

    • Target

      xxx_video_87279.avi.exe.vir.exe

    • Size

      47KB

    • MD5

      a5fe0efa78b0b70bfe86b62f55cf8ba6

    • SHA1

      39a3c0aa0795d2d81cba8e998735b2df77eadea5

    • SHA256

      d29dac501b57a07abdc2f7da0550fffa9ed321d228b50235eb76ccb248f0d4e9

    • SHA512

      b01378c32c893ea5a7c0c892515fd93ef005b867df86ab0896bb15b7b06b71d1e1acad009c330a8e943378f579615370b6c3966d46c83d883773cff9970233a1

    • SSDEEP

      768:Vtr+TB0qJUvzy7idWzLql4Ha71YpJaskLnkKDakY2S1MDiuk:v+8v2gWnCcaJEUKR2Ov

    • Modifies WinLogon for persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      zcrypt.exe

    • Size

      791KB

    • MD5

      d1e75b274211a78d9c5d38c8ff2e1778

    • SHA1

      d14954a7b9e0c778909fe8dcad99ad4120365b2e

    • SHA256

      bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f

    • SHA512

      1ec3fbb0bf17d4ad6397ba2e58daa210745f10f88f6722971464a6eeb7573f49be6d65e70a497002d6d00745317f11442bdeaf999b91127b123c11dfe9b088c2

    • SSDEEP

      24576:l2RNuxIAdOx6mNoGSyGMjc6XaMAy9xg5tMZ/Z3RPpEYrTQAU:rIG+lbGuntxktM15RPpEYrTQAU

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Target

      {71257279-042b-371d-a1d3-fbf8d2fadffa}.exe

    • Size

      338KB

    • MD5

      04fb36199787f2e3e2135611a38321eb

    • SHA1

      65559245709fe98052eb284577f1fd61c01ad20d

    • SHA256

      d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

    • SHA512

      533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

    • SSDEEP

      6144:sWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvC:sWkEuCaNT85I2vCMX5l+ZRv

MITRE ATT&CK Enterprise v15

Tasks

static1

upx, xorist
Score
10/10

behavioral1

discovery
Score
3/10

behavioral2

discovery
Score
3/10

behavioral3

discovery, persistence
Score
10/10

behavioral4

discovery, upx
Score
5/10

behavioral5

discovery, upx
Score
5/10

behavioral6

discovery, upx
Score
5/10

behavioral7

defense_evasion, discovery, execution, impact, persistence, ransomware
Score
9/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

defense_evasion, discovery, persistence, upx
Score
10/10

behavioral11

discovery, persistence, upx
Score
7/10

behavioral12

discovery, persistence
Score
7/10

behavioral13

discovery, upx
Score
5/10

behavioral14

discovery, persistence, upx
Score
10/10

behavioral15

discovery, persistence, upx
Score
10/10

behavioral16

discovery, persistence
Score
10/10

behavioral17

discovery, persistence
Score
10/10

behavioral18

discovery, evasion, persistence
Score
10/10

behavioral19

discovery, persistence, upx
Score
10/10

behavioral20

discovery, persistence, spyware, stealer
Score
7/10

behavioral21

cryptolocker, discovery, persistence, ransomware
Score
10/10