General
- Target: Batch_4.zip
- Size: 8.6MB
- Sample: 241122-dkdx1ayrbr
- MD5: 3179e3edf25f87e78f2fd054faf6ae60
- SHA1: 7648fb854c73c9a191b935278bcefd58cc5ad3fc
- SHA256: 471f3fb1a953fab38be3081eb835574694bc72b94f239edc400d1ce3d7a8ecb0
- SHA512: b7d25a1a9008d363058192cd353fdd58c504db313bbcd9bf1090688c8af735f696c8a0551b3023f948de66f9f33c20c5cee18bde680afe7b2e2b60074f8abab7
- SSDEEP: 196608:ttxPNvdJy9CNBi63RgR+itIShWmG9E6rHm5F2T97o:Vh7iCNveR+ipWmNEBo
Behavioral tasks
- behavioral1: Sample 757e3242f6a2685ed9957c9e66235af889a7accead5719514719106d0b3c6fb4.exe; Resource win7-20241010-en
- behavioral2: Sample 76fe72e0ecdc389b5749df5fe406cb70110b1ef8b64e51cf0a96da2fa2ec5eb2_not_packed_maybe_useless.exe; Resource win7-20240903-en
- behavioral3: Sample 78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b_Dumped_TDS=4F9911B3.exe; Resource win7-20240903-en
- behavioral4: Sample 78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b_TDS=4FA04B59.exe; Resource win7-20240903-en
- behavioral5: Sample 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe; Resource win7-20240903-en
- behavioral6: Sample 7965f6adf3261e8820fe583e94dcb2d17dc665efa0442743e47d27c989fcb05f_not_packed_maybe_useless.exe; Resource win7-20240903-en
- behavioral7: Sample 7B75B33BCF4ECF013B93F84ED98B3FB5.exe; Resource win7-20241010-en
- behavioral8: Sample 7E3903944EAB7B61B495572BAA60FB72.exe; Resource win7-20240903-en
- behavioral9: Sample 7dd93123078b383ec179c4c381f9119f4eac4efb287fe8f538a82e7336dfa4ca.dll; Resource win7-20240903-en
- behavioral10: Sample 7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe; Resource win7-20240708-en
- behavioral11: Sample 80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2_Dumped_TDS=4F9911B3.exe; Resource win7-20240903-en
- behavioral12: Sample 80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2_TDS=4FAAF59A.exe; Resource win7-20240903-en
- behavioral13: Sample 845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe; Resource win7-20241010-en
- behavioral14: Sample 85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe; Resource win7-20240729-en
- behavioral15: Sample 86be3831f5d8a975b0924168117fc7fcd1f5067ac5935c657efbb4798cb6a439.exe; Resource win7-20240903-en
- behavioral16: Sample 8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f_Dumped_TDS=4F83FCDA.exe; Resource win7-20240903-en
- behavioral17: Sample 8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f_TDS=4F84A969.exe; Resource win7-20240903-en
- behavioral18: Sample 87a4f3f9f6dc263378f2f01db5f2c988.exe; Resource win7-20240708-en
- behavioral19: Sample 89fb6d7ff29b0c349c19df2e81028a62a2758c33f2c72b87dc11af4f22d3c6f6.exe; Resource win7-20241010-en
- behavioral20: Sample 8c591485357e45a09dad3116496e6f686fa11f445a6bea5ef3cd5ed1ac078821.exe; Resource win7-20240903-en
- behavioral21: Sample 8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe; Resource win7-20240903-en
- behavioral22: Sample 900.exe; Resource win7-20240729-en
- behavioral23: Sample 911d5905cbe1dd462f171b7167cd15b9.exe; Resource win7-20240903-en
- behavioral24: Sample 91d24e06572099ba0aa5c20be6b1021fa48e864913fe3676ed05323e6b68fceb.zip; Resource win7-20240903-en
- behavioral25: Sample 92ac6be4d9215b237d624177ca0543844d0dc8d071660ae4a4cf7c93cc11505b.exe; Resource win7-20241023-en
- behavioral26: Sample 97512f4617019c907cd0f88193039e7c.exe; Resource win7-20240903-en
- behavioral27: Sample 98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe; Resource win7-20241010-en
- behavioral28: Sample 9943256.exe; Resource win7-20240903-en
- behavioral29: Sample 9B9517FA1515F47A502FE56536236A20BE5BBADF.exe; Resource win7-20240903-en
- behavioral30: Sample 9b7eaffe4dffcbd06445d0b32785cdc8.exe; Resource win7-20240903-en
- behavioral31: Sample a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe; Resource win7-20241023-en
- behavioral32: Sample a42252e674a09a0b689e71c88f59969f538a473da647cc4eb5457a5d5e03a234.exe; Resource win7-20241010-en
Malware Config
- Extracted: C:\MSOCache\All Users\README_HOW_TO_UNLOCK.TXT (URL: http://zvnvp2rhe3ljwf2m.onion)
- Extracted: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\How to restore files.hta
- Extracted: C:\Users\Admin\Desktop\_XiaoBa_Info_.hta (URL: http://www.w3.org/TR/html4/strict.dtd)
Targets

Target: 757e3242f6a2685ed9957c9e66235af889a7accead5719514719106d0b3c6fb4.exe
- Size: 18KB
- MD5: d8e99fcae9a469c2081e7ff01675c361
- SHA1: ef7c4358717ec9d04b9adc8e40b1eb928885ebf0
- SHA256: 757e3242f6a2685ed9957c9e66235af889a7accead5719514719106d0b3c6fb4
- SHA512: cd75242646dde33b7c792e9bf9fe976ce7f2dd1b02c5c97a4cf2f9f80cfae1bd44463fc2b0f9e002d17087358fafa298ca0d4dc4aff17405df95f13099c79b02
- SSDEEP: 384:rd7gYWDhghSmeSQjkCg3St1bVz1LTwbZxssimS8dHDT:6lg/eLjkCwQQFx8SHX
- Score: 9/10
Signatures:
- Renames multiple (780) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops file in Drivers directory
- Drops startup file
- Drops file in System32 directory

Target: 76fe72e0ecdc389b5749df5fe406cb70110b1ef8b64e51cf0a96da2fa2ec5eb2_not_packed_maybe_useless.exe
- Size: 89KB
- MD5: 0af473977e2b58a3630dc2bd59245127
- SHA1: 6b1086070e0918c428b4f6688fe2760c9ab9dfea
- SHA256: 76fe72e0ecdc389b5749df5fe406cb70110b1ef8b64e51cf0a96da2fa2ec5eb2
- SHA512: d2f001ed413538368597585483c6745ab1bec058e227ada41937b75435f9456135b876e0ce40249389448b9769a37c3c06233c0d648cfaf9f613e42ad0b92450
- SSDEEP: 1536:ef/SovFSSZtDgN+DpDkDEFtC+YF8965L+v:I/zv0SZtDgN+Dp+ErYF896W
- Score: 7/10
Signatures:
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application

Target: 78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b_Dumped_TDS=4F9911B3.exe
- Size: 116KB
- MD5: 5a580ab3f5b3806da853459e9ef7b368
- SHA1: df93c0f0dd694ab49646b539418b67d83eafccb5
- SHA256: 5f60eed8e27867c843387fe7fece3af688586a40c8d3dd2c27647b23cc200fdc
- SHA512: 91ecd8f00f4cd6c7d199eb365cb7cfa414bcab41b144fe7a5f43529e560201a81284cdb3a3d18d252e2eb4429a67f2db5718eacc8bf1eeb072958c0a4be20a3b
- SSDEEP: 1536:tf/YvFSSZtDgN+DrDkDEFtCwbfF89lGL+vpCYC:Z/Yv0SZtDgN+Dr+ErbfF89llpTC
- Score: 7/10
Signatures:
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application

Target: 78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b_TDS=4FA04B59.exe
- Size: 72KB
- MD5: f0b567179d42d5d4f27d6d9a7fcf183f
- SHA1: fb91a4f85ad3576110cdb476b0eb94c2e14a4e1b
- SHA256: 78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b
- SHA512: ca5afd8671f79d1ee55d51aa75330daac87e4cb116b5b8f60d5be2ed1f21a1e0cbd9e4c613a3c20850bfd0bba78358e4289258f010b6d3c8c169b7a80998c64c
- SSDEEP: 768:Xf+vj1VHjoFW+gh2vHa0uTbPKYlNnYVbUnWfTMuRqj2O4sO2ieFZ0F:G71NoFhDHaT/CukbUWdfO4LFeP0F
- Score: 7/10
Signatures:
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application

Target: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe
- Size: 865KB
- MD5: dbf3707a9cd090853a11dda9cfa78ff0
- SHA1: 5af5403d8e003812a34c7b085d878680d7130ad5
- SHA256: 78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669
- SHA512: 68b1627ed20e6980c32c44df3560fc3eeed37db2c47caaf8db86461c594a5d040a7404be777374af512fe05fcdc2f15a6014a914b1445c2e23adb741db68c7e0
- SSDEEP: 12288:SCdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsUBga+Q9bN9jQl:SCdxte/80jYLT3U1jfsWa+QpN9jQl
- Score: 9/10
Signatures:
- Renames multiple (161) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.

Target: 7965f6adf3261e8820fe583e94dcb2d17dc665efa0442743e47d27c989fcb05f_not_packed_maybe_useless.exe
- Size: 54KB
- MD5: e0c70373ea59baa4422771dde804a21c
- SHA1: d9708f709a0e7ad070ee34b4065437e400e5bdd9
- SHA256: 7965f6adf3261e8820fe583e94dcb2d17dc665efa0442743e47d27c989fcb05f
- SHA512: c9a6b94d091a48d1a294953226fca00089dbf266f81fa60481f9ca468f7c3e9a2460bdd384b070dd6ae8bb778fb0737e196a1870e6f550645b9192f78e9763fa
- SSDEEP: 768:zchho/bbYYwktIZwTUtv3h12jG6hdYWnXAjpWTbBbIKP077hPIxPaq77ti:wjoDMYwEINR8j/Yu2pqOd77hPl
- Score: 7/10
Signatures:
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.

Target: 7B75B33BCF4ECF013B93F84ED98B3FB5.exe
- Size: 214KB
- MD5: 7b75b33bcf4ecf013b93f84ed98b3fb5
- SHA1: 7be5f5dcf6b9519c0f8c8071503b7f5dd66b6386
- SHA256: 74aa7b73b46d7bd7bc53cb44add9ec8172f2de7831d045e33db06e2d6b916edf
- SHA512: 96e1253358db1f724b381f9e1e416cc35bf44d94505e8b86508676f997b44be65d3c33c22df9c004652a34170e48805f9b7ba6f2703dd287e8c770cb426c5114
- SSDEEP: 3072:5W1M+lmsolAIrRuw+mqv9j1MWLQFPBCM+lmsolAIrRuw+mqv9j1MWLQlL:5J+lDAAIv+lDAAmL
- Score: 1/10

Target: 7E3903944EAB7B61B495572BAA60FB72.EXE
- Size: 228KB
- MD5: 7e3903944eab7b61b495572baa60fb72
- SHA1: 116930517baab6bdb0829990a43af54d155f5332
- SHA256: 06e921abf28c4b260c59d61d84a74c3a5dc12ac99a34110ca5480ce61689385c
- SHA512: 0e29eaea245dd0068d44ff016c5da65396e5ad94aa79fcbe3cb187666b7b21890b22e2a13ac57e4bcfcf39436a7c5fa53a5470a8fae6de7215f297b82ea62ad5
- SSDEEP: 3072:RKR+u1vFeb+pknH46ZjbVxltW8wylYJiocMor+ROYJPR+9RbA8D79qiNFwEQ7:R4Z19dknH4yFhtocMO+kYlI9tdJmr
- Score: 7/10
Signatures:
- Deletes itself
- Drops file in System32 directory

Target: 7dd93123078b383ec179c4c381f9119f4eac4efb287fe8f538a82e7336dfa4ca.exe
- Size: 602KB
- MD5: ae38213715e758e3c296715f1ec25aea
- SHA1: bf0d7b7d8ab11536e25235f7c18901c9be65fae1
- SHA256: 7dd93123078b383ec179c4c381f9119f4eac4efb287fe8f538a82e7336dfa4ca
- SHA512: fd0bbeaff08301f6e26c878ef59d7be964533075f1b1c6f93f3a03bee048f4587f44fef96cffe709f5f0511b81edeb4d64878be7b6852f5a14aa3318c9ed15e7
- SSDEEP: 12288:6oHEHblpWz0jPLhEfgP6WMDoEuY7jVWv:6vZPLWffWMDo+7Jc
- Score: 3/10

Target: 7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
- Size: 161KB
- MD5: 517d709b1b99fa87ddfe61950a93cf5c
- SHA1: 2b6da3641ad3c13be272c7e66c938afd5879d65f
- SHA256: 7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f
- SHA512: e23c60821e71704ab77ed8031b025b6ec9065479b766ca9fce2d4e93f1e4e66f7ed821d161890dfd87306408917c82514aaf96506cfc335e2c0bd1166fd1809f
- SSDEEP: 3072:+dhOdhhyAbz6XdKWf4xEE1ODDl9oz4ilUEPllLBDlWz:+dhw1CZJEQXl9o05EDLBlWz
Signatures:
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2_Dumped_TDS=4F9911B3.exe
- Size: 116KB
- MD5: 5a580ab3f5b3806da853459e9ef7b368
- SHA1: df93c0f0dd694ab49646b539418b67d83eafccb5
- SHA256: 5f60eed8e27867c843387fe7fece3af688586a40c8d3dd2c27647b23cc200fdc
- SHA512: 91ecd8f00f4cd6c7d199eb365cb7cfa414bcab41b144fe7a5f43529e560201a81284cdb3a3d18d252e2eb4429a67f2db5718eacc8bf1eeb072958c0a4be20a3b
- SSDEEP: 1536:tf/YvFSSZtDgN+DrDkDEFtCwbfF89lGL+vpCYC:Z/Yv0SZtDgN+Dr+ErbfF89llpTC
- Score: 7/10
Signatures:
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application

Target: 80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2_TDS=4FAAF59A.exe
- Size: 68KB
- MD5: b1024afccaf9847146e611beab995356
- SHA1: 310a31da48325cea02182158efe0daa2ac6b451d
- SHA256: 80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2
- SHA512: 164d5b81008251a454e0cc18ebbaaa3c1ce9f3dd24d45650359db5e4b30f00bd889f88333b2290e86667aa00296dea57f7b016d85f79ba12ea38eb6bd1342244
- SSDEEP: 1536:h3C4HGFE94jwEG/eO5VEx70AwAWkH+/z13+QDmsrxwSX:hNoESj8p5OeFAWp7p+Qbxr
- Score: 7/10
Signatures:
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application

Target: 845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe
- Size: 246KB
- MD5: 7f61ab7160ccea4f69fed025fbbfdb30
- SHA1: 88d06d4124bca680bf28dde09cc1c3995002eef3
- SHA256: 845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8
- SHA512: 8ff46db7d1bfddef6bab676c1439207a7b755280720bf83406d95a700eac364ef667978a7e538cc3d6e2836487b38ddc34df288100b510e32d16f013ffd07d98
- SSDEEP: 6144:clmE5hV/XRG4FmeAs32AcNhunE+AWTWk6+wv:2/XRG4FdAs32AeOWk
- Score: 9/10
Signatures:
- Renames multiple (140) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: 85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
- Size: 56KB
- MD5: a865cae4f9a553fa100932e8786b80be
- SHA1: 1c691b07fa9c59c1eb6a993723887a9ac08b301c
- SHA256: 85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f
- SHA512: df149155fc97c72f9401826f614dfb16edbf982b64c6fb3d7302526cd9c4ee8368dcfdc666c1c1fe2a522115176042f135723e9390ed4755fb35b4ebddc263e2
- SSDEEP: 768:9Wf9/O9lXRyz4M9XyTm/O94NOYXkGQ40d4Wg/i+Pet+F/O9LiAU3UF3333efYZCz:9EmRyz4gOmxNOYXF+yzTPSwjH33wk
- Score: 6/10
Signatures:
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.

Target: 86be3831f5d8a975b0924168117fc7fcd1f5067ac5935c657efbb4798cb6a439.exe
- Size: 37KB
- MD5: 406588f62853601a4f0381ad537b51ca
- SHA1: a4a5602c1446a61c653a7bf8ad89558b4761ce71
- SHA256: 86be3831f5d8a975b0924168117fc7fcd1f5067ac5935c657efbb4798cb6a439
- SHA512: 28e019a091c309bb732fa0f3782c763a333ae95e7cfed86424950dac658297e862d707de1328fe50dc8ac2372832c93e6e131db79bf9c9fa91ae58da1fba0bfc
- SSDEEP: 768:hLNLdNY8E+pRqAyQ3ipHbEMsm/IqJRDftP5IM05kHZnJ6zZQufB9wZOKh2h1:Ij+pRqAyQ3ipHbEMsm/IqJR3IP54JhA9
- Score: 6/10
Signatures:
- Adds Run key to start application

Target: 8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f_Dumped_TDS=4F83FCDA.exe
- Size: 116KB
- MD5: 3444e41067c52192e3ee1e5f57ddd393
- SHA1: cccd89e09c2391f7e6bb8cb972c364bc27cad61d
- SHA256: d03d3d4eab25c38eef57493c7494d3a1ffd0147e1fcb2730a97d9b826e15e799
- SHA512: 81a6729a11b5626fc49bbcdc2988a2a1de0fe9b1805d5ac9271666a12b81a40f4ce932b51014a21f262fd677773a010894deae3b7bc13ab85d142647662b281e
- SSDEEP: 1536:MnUfv0+ZXqm3S+DQNn1Bp/GpL7F6iCINF8nqZULCYk:Mn6v0+ZX5S+DQ11Bx67FZNF8nqWLTk
- Score: 7/10
Signatures:
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application

Target: 8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f_TDS=4F84A969.exe
- Size: 72KB
- MD5: 311f6db6e5a4476b03cf973671e8afed
- SHA1: 5831825c55e55e9c4127d0ed72d38df060a00eee
- SHA256: 8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f
- SHA512: 5d9824902cea653ac84667889b22017b444a1d878ee990fd6f3a5dabb1c288afa1268a6bb795f8b6ef4f856c4a114bca10d1db11643329e5805d8d659792a431
- SSDEEP: 1536:xiOtoD7Ja3UAZfd5ycu6vGRbelxbJ3uJ4GjAaH:gJa3UAlPyclv4belP3k9AM
- Score: 7/10
Signatures:
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application

Target: 87a4f3f9f6dc263378f2f01db5f2c988.exe
- Size: 630KB
- MD5: 87a4f3f9f6dc263378f2f01db5f2c988
- SHA1: dab86879e6e423582fedab0cc00c95882d3c3417
- SHA256: 5d196e6481f38fa6657d74288fc51b91e273b62ec00100737d0d0cc8f1e8379b
- SHA512: b2d98312e827c14702befe05c4262718a2e321a7200f1c08ddaa2517157b4fef960ba9508cec43654c77bec060c998d71f7be8e0b84633531e1cb5cd10b903e6
- SSDEEP: 12288:AzBsMGrB6kzTKOeW9dY82G+JTlJR8E4TeOb57BIAwP/wyBmrdTOVf8I6jTBwF2dO:ifGIkzGOeW9dYG0pFf0wP/wyBmrdTOVN
- Score: 7/10
Signatures:
- Deletes itself
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry

Target: 89fb6d7ff29b0c349c19df2e81028a62a2758c33f2c72b87dc11af4f22d3c6f6.exe
- Size: 276KB
- MD5: 0c997c93bf7aac43e8bc22a9ea2fd9f8
- SHA1: 1c1e46e49c769c48104ee40506c67f738c6978f9
- SHA256: 89fb6d7ff29b0c349c19df2e81028a62a2758c33f2c72b87dc11af4f22d3c6f6
- SHA512: da27770d969800978e3a21a4ff9d887f1cfca8ee33c81cbbd9c61aa5640e1f6535a6189b45f9c498d8e75628714226ff91658ff53855332036124459b34ebffa
- SSDEEP: 6144:1nsJCTa8fC8OrAk2o90sBDuSeJ5zOSP+N4s7:1nWCTa8fC8W/0sBWJ5zvp
Signatures:
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 8c591485357e45a09dad3116496e6f686fa11f445a6bea5ef3cd5ed1ac078821.exe
- Size: 246KB
- MD5: 04742f7774cda5b58d7e5c1ba5a4e941
- SHA1: a8e35ff71e0561268f8c3082bcaa2f314a272005
- SHA256: 8c591485357e45a09dad3116496e6f686fa11f445a6bea5ef3cd5ed1ac078821
- SHA512: 726974f82334c474b363d2232f21db2e04730965147e01f9ac5b8f06a44c873e78e2ee7982147c85dffb1eec40fdb445b18b67d4e25303f1dfc672f63f0b9562
- SSDEEP: 1536:xQqUQQ5fNlzCKxOxwoBg5KE+Y5NpWEibmbkWuEZ8DIPsfie8Sf1wKygNiJK:6NBbOKnoIKE+YpWFCoWk6a1wKyPK
- Score: 9/10
Signatures:
- Renames multiple (177) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: 8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe
- Size: 4.9MB
- MD5: 4313fd0a3d2cbedd4570230931833fe1
- SHA1: 8280f59248747c6901079ac6e52814606ab8cdc4
- SHA256: 8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0
- SHA512: 1fd81fb997cbc2973b66a2f95b848dc5813b44513d21189b73a708e9d26b583bebe6bb429c89ecb7dd687262fa4a35abb791f56db3dc884e281b4d056b05887e
- SSDEEP: 98304:/VKIRQd+TZAJPEoRgWkJgsgv4n/C2QHij4WeoM14s7Oc3b7e6l/R4ze9H:NKo4iAJcoSLi4/C2QHTRh6o/Gy9
Signatures:
- Loads dropped DLL

Target: 900.exe
- Size: 12KB
- MD5: 5a43d2db5c8cc3b8ec273aa470ccc931
- SHA1: dfcc68945b9daf7e9f49be4837a6934560ec635f
- SHA256: 2424a7ce5e885bf460aeb8968ceab48057813430973c5a2e27d846553e79402c
- SHA512: ffae7fe714667cb44d200f87c36a6f60735926d03ce86dd5756b7e91ab1bd04e7b98dccd1dc0b3f652ea50f5d4c74ffa1f66245052b61e00fd0e8273681a99d3
- SSDEEP: 192:LvJ8ZxTFrv7bg1d4/QkODGAoyjwlkp7qQT6yNQ+pJYMq6fdw4RI2P:d8zt+UFxy9p7qk3DfC4RI
Signatures:
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (1113) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
- Drops startup file
- Drops desktop.ini file(s)

Target: 911d5905cbe1dd462f171b7167cd15b9.exe
- Size: 138KB
- MD5: 911d5905cbe1dd462f171b7167cd15b9
- SHA1: bca38ab2f4b461e25e4686cfe523d3b0ed2d1cd0
- SHA256: 8c42a084278ff8e25f7ee765c37da84da02780da725505108f9eb39cfb05c051
- SHA512: c60c274360040b2385fcfbc1f9cbc85cd48c9872d0cadcfbe0343efb16e5401af1b74159ecd29d5adeb519c2818bde022fd21b20c12e4dfb274351733d38b7d1
- SSDEEP: 1536:IhcFu21x8xUoDq88z/1h5jOla6H7uTnkwwZI0qXAREZ+QOS4D0rtJ/lxABC:7DnoDjbin/w1O3D5J/lxABC
- Score: 7/10
Signatures:
- Deletes itself

Target: 91d24e06572099ba0aa5c20be6b1021fa48e864913fe3676ed05323e6b68fceb.exe
- Size: 282KB
- MD5: f79b517d733de07ee82e5ac8cd9ee192
- SHA1: 050b21190591004cbee3a06019dcb34e766afe47
- SHA256: 91d24e06572099ba0aa5c20be6b1021fa48e864913fe3676ed05323e6b68fceb
- SHA512: 799e55b3a1e04c7c87c7fe6fcb807600975510a7f05fa57f83a9301731a378c1323486343ba880a575aef59faa6e1d1ccc9cea90173b7626228b24ff9d4e685c
- SSDEEP: 6144:QY4mV5gq4DBKkxa2RNJYw8coEdNqAniTw1sbLp7ByJ7NFPjsnH5+qPZOMbM+juE:OmVmb9Kkxa21Yw8QiJdAJTqNbM+/
Signatures:
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 92ac6be4d9215b237d624177ca0543844d0dc8d071660ae4a4cf7c93cc11505b.exe
- Size: 315KB
- MD5: 8434eea972e516a35f4ac59a7f868453
- SHA1: 39eff0a248b7f23ee728396968e9279b241d2378
- SHA256: 92ac6be4d9215b237d624177ca0543844d0dc8d071660ae4a4cf7c93cc11505b
- SHA512: 308160a34f7074f9a8178ce8ba37f155ba096c7448bc5cd0e9861788e158d2eacdbb329f716bc1b6935db9b26c0bcb9aca23966c73e4114c8ea92e6f53d77348
- SSDEEP: 6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXve:BswRSslz0P1OdFXJlJ8buXve
- Score: 10/10
Signatures:
- Modifies WinLogon for persistence
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: 97512f4617019c907cd0f88193039e7c.exe
- Size: 666KB
- MD5: 97512f4617019c907cd0f88193039e7c
- SHA1: 24cfa261ee30f697e7d1e2215eee1c21eebf4579
- SHA256: 438888ef36bad1079af79daf152db443b4472c5715a7b3da0ba24cc757c53499
- SHA512: cfbb8dd91434f917d507cb919aa7e6b16b7b2056d56185f6ad5b6149e05629325cdb3df907f58bb3f634b17a9989bf5b6d6b81f5396a3a556431742ed742ac4a
- SSDEEP: 12288:bB/72HFAQBMiZB7fJJ2qDHKK/K5FJL+xQhrwjeI:bBKqFiT7fJJ2qbKK6F5+xQhrEJ
Signatures:
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (84) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

Target: 98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe
- Size: 151KB
- MD5: 993135dacbff2607839ee5a76ca06c61
- SHA1: c1a9a8cdad293887214605ca0e47f3ddfa4e1a52
- SHA256: 98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7
- SHA512: 69472dc86d5d3c44742b209fb0a57ab3afd8f93d0c5adfdcd48c2e4828828309101fcb9500813044712b1bc3e85e6a2ad3e5dde5f3818fb8772f0ff5d0b873ea
- SSDEEP: 3072:aMAr2Q8LH/r1GgDwheOj9Pm4uX2QZJiU8ypfoAWe:aMAaQ0D1VDwheuhJmJiU8y90
- Score: 10/10
Signatures:
- Renames multiple (1038) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: 9943256.exe
- Size: 134KB
- MD5: 25e54dfbce20546da0e8cd8152ee2b8e
- SHA1: 3f0b80ef090c0b14821309b6110839cbd2312afe
- SHA256: 4725414537a3605ee6cdd226d189419cc5d3a7df1b092b526b61b8c5e2a59386
- SHA512: 215f4d5d35153622f159970e0097cde6e00d387f5636a1c28d3de6c0f5f84b61dfcaf4d390464eb888738786a0028d7d6f6ce13a29e07116ad032027428215a2
- SSDEEP: 3072:r+qf9FUiVdubWibOQNi3MWL4FksNYFfPK:r+iLUwAbpi3MDEK
- Score: 10/10
Signatures:
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: 9B9517FA1515F47A502FE56536236A20BE5BBADF.exe
- Size: 119KB
- MD5: b80a2daca4b5000fae089e655f2fa4b0
- SHA1: 9b9517fa1515f47a502fe56536236a20be5bbadf
- SHA256: e58e7b91af952f56d32d3cb11e82d366f256f40d2e4c846f3aa8cda886bfb49f
- SHA512: 9e5a24fd11bf542608ca8762ad735de749cfcfdc2bd750ca3f7de20dbc19a2ccda0cc88544261314c8dfa77c5ad2fd6e97af51ceee344794fba1efa49d32964f
- SSDEEP: 3072:VAsj8MBX8s0oXJE455Vdcws635oUIFNTNC1f3U:VAsBZW+VdK6iUcIfU
- Score: 7/10
Signatures:
- Loads dropped DLL
- Suspicious use of SetThreadContext

Target: 9b7eaffe4dffcbd06445d0b32785cdc8.exe
- Size: 39KB
- MD5: 9b7eaffe4dffcbd06445d0b32785cdc8
- SHA1: af992e2e6c045137b8220c60f534f80da968dd38
- SHA256: 4137f8c196fdd99a5cd64c518ed27c466953e37b78887954ea192b5595a0a076
- SHA512: 3639fc1b3ccd57b6a61acecfce8030a7c2c634deb44b75345b5c69eb5cad03a8aecae781b950c254e35f4db248b5e9113fd06412f14ca7a90596985a282e123f
- SSDEEP: 768:BPXsWRbrIA8vxG/VZ0xcv+n9DfUEGC4ZC:B/s+HUxSZOcvI9DsE4ZC
Signatures:
- Detected Xorist Ransomware
- Xorist family
- Renames multiple (2217) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops file in Drivers directory
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
- Size: 322KB
- MD5: 4a6bcd14aee9be6ccd5fd4939f8350ef
- SHA1: 10a7e4377fdbab12ee66151d3c5af9096bc47b59
- SHA256: a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244
- SHA512: 336c05288cae08c966659b5ca528994ccdb0be55cc2197ee810067242995a3448321a9c1b2355a16c5f4cbdcc4131f2707839e055dec4df2bd8dbb6c5090b7f2
- SSDEEP: 6144:lf0H8b57WZ87m4eEictcjk76F3OpRsmC:lf/b57WZ8K1ZcenF3OpRs
Signatures:
- Blackmoon family
- Detect Blackmoon payload
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
- Drops startup file
- Drops desktop.ini file(s)
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Sets desktop wallpaper using registry

Target: a42252e674a09a0b689e71c88f59969f538a473da647cc4eb5457a5d5e03a234.exe
- Size: 246KB
- MD5: 7ec4fb3737e96c0aef2f98d20013dc5a
- SHA1: 4e8a042292c4ef20556d4aedf5b3ea0a29d2fbe7
- SHA256: a42252e674a09a0b689e71c88f59969f538a473da647cc4eb5457a5d5e03a234
- SHA512: 849ab6bfd9f61a10d29b727e0bfcc7804653764e2d4a9a01515a48b6ff52e37fd1954715d8decb7bde819bf490563924c3d8e51dcaf8218c40852ffdf9d65eb8
- SSDEEP: 3072:6NBbOKnoIKE+Ypjf+MGtmhoWk6a1wKyPK:clmE5jfwWk6+wv
- Score: 9/10
Signatures:
- Renames multiple (154) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

MITRE ATT&CK Enterprise v15

Execution
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- Windows Management Instrumentation (1)

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Direct Volume Access (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (6)
- Subvert Trust Controls (1)
  - SIP and Trust Provider Hijacking (1)

Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)