General

  • Target

    Batch_6.zip

  • Size

    8.6MB

  • Sample

    241122-dwswastmds

  • MD5

    efd2b474bb13fdb3b8a3159a64a22896

  • SHA1

    48515da815cafb4d990efdd7b67baf86ac949813

  • SHA256

    c41899315b2f3dad512ed1f58746e59fdb2f9717badcf7b2c861c1248d945991

  • SHA512

    05195802d912ff48aac8035a8a061a3d8dc5b312ed936a147a742ad65ab75f982e3b443ebb001dd145086644006bfc361f83fb40799f60e51dd6eb053139f190

  • SSDEEP

    196608:PYpWTGAAWAquK9u/2fpA4kuu0xCDCFvyRyi1GGywTpGRE:PYpWTGAAqub/2y4kudiCFviy88GGi

Malware Config

Extracted

Path

C:\Users\Admin\Music\!HELP_SOS.hta

Ransom Note (the extracted file is an HTML Application, not plain text: its `openlink` helper passes every link to `WScript.Shell.Run`, so the note itself should be handled as executable content when it is collected or opened)
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Decryption Instructions</title> <HTA:APPLICATION ID='App' APPLICATIONNAME="Decryption Instructions" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 12pt; line-height: 16pt; } body, h1 { margin: 0; padding: 0; } h1 { color: #555; text-align: center; padding-bottom: 1.5em; } h2 { color: #555; text-align: center; } ol li { padding-bottom: 13pt; } .container { background-color: #EEE; border: 2pt solid #C7C7C7; margin: 3%; min-width: 600px; padding: 5% 10%; color: #444; } .filecontainer{ padding: 5% 10%; display: none; } .header { border-bottom: 2pt solid #c7c7c7; padding-bottom: 5%; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .key{ background-color: #A1D490; border: 1px solid #506A48; display: block; text-align: center; margin: 0.5em 0; padding: 1em 1.5em; word-wrap: break-word; } .keys{ margin: 3em 0; } .filename{ border: 3px solid #AAA; display: block; text-align: center; margin: 0.5em 0em; padding: 1em 1.5em; background-color: #DCC; } .us{ text-decoration: strong; color: #333; } .info{ background-color: #E4E4E4; padding: 0.5em 3em; margin: 1em 0; } .text{ text-align: justify; } #file{ background-color: #FCC; } .lsb{ display: none; margin: 3%; text-align: center; } .ls{ border: 1px solid #888; border-radius: 3px; padding: 0 0.5em; margin: 1em 0.1em; } .ls:hover{ background-color: #D0D0D0; } .l{ display:none; } </style> <script language="vbscript"> Function GetCmd GetCmd = App.commandLine End Function </script> <script language="javascript"> function openlink(url){ new ActiveXObject("WScript.Shell").Run(url); return false; } function aIndexOf(arr, v){ for(var i = 0; i < arr.length; i++) if(arr[i] == 
v) return i; return -1; } function tweakClass(cl, f){ var els; if(document.getElementByClassName != null){ els = document.getElementsByClassName(cl); } else{ els = []; var tmp = document.getElementsByTagName('*'); for (var i = 0; i < tmp.length; i++){ var c = tmp[i].className; if( (c == cl) || ((c != '') && ((' '+c+' ').indexOf(' '+cl+' ') != -1)) ) els.push(tmp[i]); } } for(var i = 0; i < els.length; i++) f(els[i]); } var langs = ["en","de","it","pt","es","fr","kr","nl","ar","fa","zh"]; function setLang(lang){ if(aIndexOf(langs, lang) == -1) lang = langs[0]; for(var i = 0; i < langs.length; i++){ var clang = langs[i]; tweakClass('l-'+clang, function(el){ el.style.display = (clang == lang) ? 'block' : 'none'; }); tweakClass('ls-'+clang, function(el){ el.style.backgroundColor = (clang == lang) ? '#BBB' : ''; }); } } function onPageLoaded(){ try{ tweakClass('lsb', function(el){ el.style.display = 'block'; }); }catch(e){} try{ setLang(en); }catch(e){} try{ var args = GetCmd().match(/"[^"]+"|[^ ]+/g); if(args.length > 1){ var file = args[args.length-1]; if(file.charAt(0) == '"' && file.charAt(file.length-1) == '"') file = file.substr(1, file.length-2); document.getElementById('filename').innerHTML = file; document.getElementById('file').style.display = 'block'; document.title = 'File is encrypted'; } }catch(e){} } </script> </head> <body onload='javascript:onPageLoaded()'> <div class='lsb'> <span class='ls ls-en' onclick="javascript:return setLang('en')">English</span> <span class='ls ls-de' onclick="javascript:return setLang('de')">Deutsch</span> <span class='ls ls-it' onclick="javascript:return setLang('it')">Italiano</span> <span class='ls ls-pt' onclick="javascript:return setLang('pt')">Português</span> <span class='ls ls-es' onclick="javascript:return setLang('es')">Español</span> <span class='ls ls-fr' onclick="javascript:return setLang('fr')">Français</span> <span class='ls ls-kr' onclick="javascript:return setLang('kr')">한국어</span> <span class='ls ls-nl' 
onclick="javascript:return setLang('nl')">Nederlands</span> <span class='ls ls-ar' onclick="javascript:return setLang('ar')">العربية</span> <span class='ls ls-fa' onclick="javascript:return setLang('fa')">فارسی</span> <span class='ls ls-zh' onclick="javascript:return setLang('zh')">中文</span> </div> <div id='file' class='container filecontainer'> <div class='filename'> <div style='float:left; padding:18px 0'><img src="data:image/png;base64,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" style='padding:0 7.5px'/></div> <div> <h2 class='l l-en' style='display:block'>The file is encrypted but can be restored</h2> <h2 class='l l-de' >Die Datei ist verschlüsselt, aber kann wiederhergestellt werden</h2> <h2 class='l l-it' >Il file è crittografato, ma può essere ripristinato</h2> <h2 class='l l-pt' >O arquivo está criptografado, mas poderá ser descriptografado</h2> <h2 class='l l-es' >El archivo está encriptado pero puede ser restaurado</h2> <h2 class='l l-fr' >Le fichier est crypté mais peut être restauré</h2> <h2 class='l l-kr' >파일은 암호화되었지만 복원 할 수 있습니다</h2> <h2 class='l l-nl' >Het bestand is versleuteld maar kan worden hersteld</h2> <h2 class='l l-ar' > الملف مشفر لكن من الممكن إسترجاعه </h2> <h2 class='l l-fa' >این فایل رمزگذاری شده است اما می تواند بازیابی شود</h2> <h2 class='l l-zh' >文件已被加密,但是可以解密</h2> <p><span id='filename'></span></p> </div> </div> <h2>The file you tried to open and other important files on your computer were encrypted by "SAGE 2.0 Ransomware".</h2> <h2>Action required to restore your files.</h2> </div> <div class='container'> <div class="text l l-en" style='display:block'> <h1>File recovery instructions</h2> <p>You probably noticed that you can not open your files and that some software stopped working correctly.</p> <p>This is expected. 
Your files content is still there, but it was encrypted by <span class='us'>"SAGE 2.0 Ransomware"</span>.</p> <p>Your files are not lost, it is possible to revert them back to normal state by decrypting.</p> <p>The only way you can do that is by getting <span class='us'>"SAGE Decrypter"</span> software and your personal decryption key.</p> <div class='info'> <p>Using any other software which claims to be able to restore your files will result in files being damaged or destroyed.</p> </div> <p>You can purchase <span class='us'>"SAGE Decrypter"</span> software and your decryption key at your personal page you can access by following links:</p> <div class='keys'> <div class='key'> <a href="http://7gie6ffnkrjykggd.op7su2.com/login/AelT-PiV3tFi59XTJjDTrctVPZfMa4LFFsh1nm4yOcrGMDCZU__-DAfA" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.op7su2.com/</a> </div> <div class='key'> <a href="http://7gie6ffnkrjykggd.pe6zawc.com/login/AelT-PiV3tFi59XTJjDTrctVPZfMa4LFFsh1nm4yOcrGMDCZU__-DAfA" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.pe6zawc.com/</a> </div> </div> <p>If you are asked for your personal key, copy it to the form on the site. 
This is your personal key:</p> <div class='keys'> <div class='key'> AelT-PiV3tFi59XTJjDTrctVPZfMa4LFFsh1nm4yOcrGMDCZU__-DAfA </div> </div> <p>You will also be able to decrypt one file for free to make sure "SAGE Decrypter" software is able to recover your files</p> <div class='info'> <p>If none of those links work for you for a prolonged period of time or you need your files recovered as fast as possible, you can also access your personal page using "Tor Browser".</p> <p>In order to do that you need to:</p> <ol> <li>open Internet Explorer or any other internet browser;</li> <li>copy the address <a href='https://www.torproject.org/download/download-easy.html.en' onclick='javascript:return openlink(this.href)'>https://www.torproject.org/download/download-easy.html.en</a> into address bar and press "Enter";</li> <li>once the page opens, you will be offered to download Tor Browser, download it and run the installator, follow installation instructions;</li> <li>once installation is finished, open the newly installed Tor Browser and press the "Connect" button (button can be named differently if you installed non-English version);</li> <li>Tor Browser will establish connection and open a normal browser window;</li> <li>copy the address <div class='key'>http://7gie6ffnkrjykggd.onion/login/AelT-PiV3tFi59XTJjDTrctVPZfMa4LFFsh1nm4yOcrGMDCZU__-DAfA</div> into this browser address bar and press "Enter";</li> <li>your personal page should be opened now; if it didn't then wait for a bit and try again.</li> </ol> <p>If you can not perform this steps then check your internet connection and try again. 
If it still doesn't work, try asking some computer guy for help in performing this steps for you or look for some video guides on <a href='https://www.youtube.com/results?search_query=tor+browser+install' onclick='javascript:return openlink(this.href)'>YouTube</a>.</p> </div> <div class='info'> <p>You can find a copy of this instruction in files named "!HELP_SOS" stored next to your encrypted files.</p> </div> </div> <div class="text l l-de" > <h1>Anleitung zur Dateiwiederherstellung</h2> <p>Sie haben sicherlich gemerkt, dass Sie Ihre Daten nicht öffnen können und dass Programme nicht mehr ordnungsgemäß funktionieren.</p> <p>Dies ist zu erwarten. Die Dateiinhalte existieren noch, aber wurden mit {us_enc}} verschlüsselt.</p> <p>Ihre Daten sind nicht verloren. Es ist möglich, sie mit Hilfe von Entschlüsselung in ihren Originalzustand zurückzuversetzen.</p> <p>Die einzige Möglichkeit das zu tun, ist die Verwendung von <span class='us'>"SAGE Decrypter"</span> Software und Ihr persönlicher Entschlüsselungskey.</p> <div class='info'> <p>Das Verwenden von anderer Software, die angeblich ihre Daten wiederherstellen kann, wird dazu führen, dass Ihre Daten beschädigt oder zerstört werden.</p> </div> <p>Sie können die <span class='us'>"SAGE Decrypter"</span> Software und Ihren Entschlüsselungskey auf Ihrer persönlichen Seite erwerben, indem Sie diesen Links folgen:</p> <div class='keys'> <div class='key'> <a href="http://7gie6ffnkrjykggd.op7su2.com/login/AelT-PiV3tFi59XTJjDTrctVPZfMa4LFFsh1nm4yOcrGMDCZU__-DAfA" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.op7su2.com/</a> </div> <div class='key'> <a href="http://7gie6ffnkrjykggd.pe6zawc.com/login/AelT-PiV3tFi59XTJjDTrctVPZfMa4LFFsh1nm4yOcrGMDCZU__-DAfA" onclick='javascript:return openlink(this.href)'>http://7gie6ffnkrjykggd.pe6zawc.com/</a> </div> </div> <p>Falls Sie nach ihrem persönlichen Key gefragt werden, kopieren Sie ihn in das Formular auf dieser Seite. 
Dies ist Ihr persönlicher Key:</p> <div class='keys'> <div class='key'> AelT-PiV3tFi59XTJjDTrctVPZfMa4LFFsh1nm4yOcrGMDCZU__-DAfA </div> </div> <p>Sie können eine Datei gratis entschlüssen, um sicher zu sein, dass die "SAGE Decrypter" Software ihre Daten wiederherstellen kann</p> <div class='info'> <p>Falls keine dieser Links über einen längeren Zeitraum funktionieren sollten oder Sie Ihre Daten so schnell wie möglich wiederherstellen müssen, können Sie Ihre persönliche Seite mit Hilfe des "Tor Browser" aufrufen.</p> <p>Dazu benötigen Sie:</p> <ol> <li>Öffnen Sie den Internet Explorer oder einen anderen Internetbrowser;</li> <li>Kopieren Sie diese Adresse <a href='https://www.torproject.org/download/download-easy.html.en' onclick='javascript:return openlink(this.href)'>https://www.torproject.org/download/download-easy.html.en</a> in die Adressleiste und drücken Sie "Enter";</li> <li>So bald sich die Seite öffnet, wird Ihnen der Download des Tor Browser angeboten. Laden Sie ihn herunter und führen Sie die Installation aus, indem Sie den Installationsanweisungen folgen;</li> <li>Wenn die Installation abgeschlossen ist, öffnen Sie den soeben installierten Tor Browser und drücken Sie den "Connect" Knopf (Der Namen kann abweichen, falls Sie eine nicht-englische Version installiert haben);</li> <li>Tor Browser wird eine Verbindung herstellen und ein normales Browserfenster öffnen;</li> <li>Kopieren Sie die Adresse <div class='key'>http://7gie6ffnkrjykggd.onion/login/AelT-PiV3tFi59XTJjDTrctVPZfMa4LFFsh1nm4yOcrGMDCZU__-DAfA</div> in die Browseradressleiste und drücken Sie "Enter";</li> <li>Ihre persönliche Seite sollte sich nun geöffnet haben; falls nicht: Warten Sie eine Weile und versuchen Sie es erneut.</li> </ol> <p>Falls Sie nicht in der Lage sind, diese Schritte durchzuführen, überprüfen Sie Ihre Internetverbindung. 
Wenn es noch immer nicht funktioniert, fragen Sie jemanden, der sich mit Computern auskennt, um diese Schritte durchzuführen oder schauen Sie sich einige Videoanleitungen auf {a_youtube}} an.</p> </div> <div class='info'> <p>Sie finden eine Kopie dieser Anleitung in einer Datei namens "!HELP_SOS" neben Ihren verschlüsselten Daten.</p> </div> </div> <div class="text l l-it" > <h1>Istruzioni per il recupero dei file</h2> <p>Probabilmente hai notato che non puoi più aprire i tuoi file e alcuni software hanno smesso di funzionare correttamente.</p> <p>Questo era previsto. I tuoi file si trovano ancora al loro posto, ma sono stati crittografati da <span class='us'>"SAGE 2.0 Ransomware"</span>.</p> <p>I tuoi file non sono persi, è possibile farli tornare al loro stato normale eseguendo una decrittazione.</p> <p>L'unico modo in cui è possibile f

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note (Info.hta is dropped into the all-users Startup folder, so it is re-launched at every interactive logon for every user on the host until it is removed)
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message CE721289 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      D02D012970AA164CAD15C757D7E52994.exe

    • Size

      214KB

    • MD5

      d02d012970aa164cad15c757d7e52994

    • SHA1

      25eef16797a7cf4168938f9d372332d65356b6f7

    • SHA256

      eba685abd63d2c7378f788aa5ca8e4f95f4b82b51347cb8818090ef54e8f7d29

    • SHA512

      640545996e924b5f759ba69f970686e67defc9142a195fb6774dd275e22961fd9b21328b119d42b4032f1cf4eb6363ccce64bf6f423d2bf3ddc1d8d5b1f524ee

    • SSDEEP

      3072:BM+lmsolAIrRuw+mqv9j1MWLQ6xZ4qM+lmsolAIrRuw+mqv9j1MWLQlL:6+lDAArx2+lDAAmL

    Score
    1/10
    • Target

      DBm0yQwt.exe.ViR.exe

    • Size

      216KB

    • MD5

      3cb2c3ce48ac870ab0be9afb7233295f

    • SHA1

      b87ac51e95b85e64bb3fecbbb8f9d2acb5b53895

    • SHA256

      ac3f6f87217e1d4fbcd56289b4c77b1adea3dbbaf4131a84b7b2508d6fadcfaf

    • SHA512

      e41c6ad1f5522dda96e19fdf4b79ebd8b7bc13507c5ed5afc1155e37b1dabf16f11f66b1101124035d3d92a942bcd60122e3751069ebd7da1a36e498845b6900

    • SSDEEP

      3072:UPPdPl/PuW/Yqoeog665R6OKEjzG6hgckhmnl/5aUWTo+Kuv+nAo:UHTnVHv82ZJFgJ+/Hxn

    • Contacts a large (7699) amount of remote hosts

      This may indicate a network scan to discover remotely running services. For a sample that also deletes shadow copies and changes the wallpaper, a connection count this high is equally consistent with enumerating reachable hosts and shares to extend encryption beyond the local disk; the report does not list destination ports, so the purpose cannot be confirmed from this page alone.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services; read it together with the host-count indicator above, since both most likely describe the same burst of outbound connections.

    • Deletes shadow copies

      Ransomware often deletes Volume Shadow Copies to inhibit system recovery. The command used (commonly vssadmin, wmic shadowcopy or wbadmin) is not shown in this report; those process launches are the usual detection point, and existing snapshots on an affected host should be assumed to be gone.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Sets desktop wallpaper using registry

    • Target

      ca6ec46ee9435a4745fd3a03267f051dc64540dd348f127bb33e9675dadd3d52.exe

    • Size

      1.5MB

    • MD5

      4b4d8abbca536c987fca430af62c9bc8

    • SHA1

      4055b08de4d70cd512e1f10d186d887a2c38c86e

    • SHA256

      ca6ec46ee9435a4745fd3a03267f051dc64540dd348f127bb33e9675dadd3d52

    • SHA512

      1feb88f28eeda10e670761cda1d61039fc51f76e38aaf731cf11d7f4621b5f45ac2816037fbaf5a40ad53f14e221f24dbefc34023329a6b753fb90c35a515736

    • SSDEEP

      24576:C6+MSDnehBCO+whjuFtxY5CMbkQfLenj3eesz07m5zvRquduX85ng7ScD:C6PQe3X+C6Mb1Den5i0MzvRgX85g7ScD

    Score
    3/10
    • Target

      calc.exe

    • Size

      161KB

    • MD5

      df543c8c85a47c41886f644f4ecf66ff

    • SHA1

      460154b09e361829c46efcbd64848bfd1db43f53

    • SHA256

      ef00fed6e97e926bdb3b968030795ef5dd34e8e40dec2b7cf802de97feed6321

    • SHA512

      2a43d36b8db163de66c48d3e1db318d4ffc4aa52f2bb5e3b5074cd597cedd18be5f01b07d1afe7cb53af54c54d4e3e32e0bd0c27d2f8698459c1214b5ebfc17d

    • SSDEEP

      3072:g4eqa10YgyW9nnrS8zut754EmUQqWKcm+cqAdZuRqoDb1Ndgjx9MApVfqF8CHJq:A5WFrbzSeE6qWK+yHuR/DfCt9vpAFrp

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • UPX packed file

      Detects executables packed with UPX or a modified UPX build. UPX is an open-source packer that legitimate software also uses, so on its own this is a weak indicator; it mainly means the static hashes and strings above describe the packed wrapper rather than the unpacked code.

    • Target

      ccc71c83c8d9895ef0b375273f9f185dfac63ecd01775e2dc705afe4d48c95e2_Dumped_TDS=4F9911B3.exe

    • Size

      112KB

    • MD5

      c1fa82712918b9907168593ce4497295

    • SHA1

      dbd20b8fb720fa9735c9b4edce20f819f26f3f15

    • SHA256

      ffdc8e2813a270f45ebd2540e0b0d8730443b6ab444c2d8ac4d1b4dbbd1e7854

    • SHA512

      3ddc30baca3c92566e68d2148912fdd72d470404793edd7448464ec9c5a092e336e0176ea4f55dedabc6f95bd7ad974507324177cb191d26a1f208dfb9b1db4c

    • SSDEEP

      1536:mf/YvFSSZtDgN+DrDkDEFtCofF89lGL+v:Q/Yv0SZtDgN+Dr+EpfF89ll

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence (families that do this often refuse to run, or behave differently, in particular locales). Sandboxes usually run with a default locale, so the behaviour recorded here may not match what the sample does on a host in an excluded region.

    • Adds Run key to start application

    • Target

      ccc71c83c8d9895ef0b375273f9f185dfac63ecd01775e2dc705afe4d48c95e2_TDS=4FAD9768.exe

    • Size

      68KB

    • MD5

      2fbed8e1453f1cf9c9ac43d642df00fc

    • SHA1

      22aa6eeb79e95ff26f0775804152041aeb6df46b

    • SHA256

      ccc71c83c8d9895ef0b375273f9f185dfac63ecd01775e2dc705afe4d48c95e2

    • SHA512

      88043ca993f9fc81ae9a8da8579274796fde3f8bded78e11419fa06cf41466d671b0c50169645f19fa9e683c0b014d24366b31552f561267f03d0f2214578687

    • SSDEEP

      1536:HFxpZTK0l7htEAoWt4EsLGtPx00oipJlzL6oMNbzKl+OJL8LeG:HjpZTKk1te/rLGtPC0NFLnY4R1G

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence (families that do this often refuse to run, or behave differently, in particular locales). Sandboxes usually run with a default locale, so the behaviour recorded here may not match what the sample does on a host in an excluded region.

    • Adds Run key to start application

    • Target

      cd2d085998a289134ffaf27fbdcbc8cb_api-ms-win-system-dispex-l1-1-0.dll

    • Size

      440KB

    • MD5

      cd2d085998a289134ffaf27fbdcbc8cb

    • SHA1

      e22678fe4bd0b209b14d5ed061ae61bb52e79df1

    • SHA256

      0b12584302a5a72f467a08046814593ea505fa397785f1012ab973dd961a6c0e

    • SHA512

      69c3ea1ff6c140ac4b21051bf0c0f3049750c31c0a1622ffa145daa1285b24678cd02d6bc89f85ecc5416b99ee99f42763a2d4e1d214c1d9d9e4acee834adc93

    • SSDEEP

      6144:LDOrPcXOQeRKIawC7duJDaD0A9B5+9MRALsfwT4HZQO2f8etm:LqDQiF/Ad+9YzHZeZ

    • Blocklisted process makes network request

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens; credentials and sessions used from the affected host should be treated as exposed and rotated.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      cdffb7e75b20eeae4db75c9962c17b3be980a719f7597e8b11a747d72c975a36_not_packed_maybe_useless.exe

    • Size

      53KB

    • MD5

      16f3a592d1a19d9873134f8e9c6ebbcc

    • SHA1

      4e1a7a09e393c0d387e4846b4a48bfe273effe43

    • SHA256

      cdffb7e75b20eeae4db75c9962c17b3be980a719f7597e8b11a747d72c975a36

    • SHA512

      2b80c9ee5ba51132ab19059bef46d6db6228bea1d250905795f27ffabfffc20ad785aba42129a1d95b6432ea5a4cab226bf23cc7c2f658f7dc40770af93d492c

    • SSDEEP

      768:uxX2MKhRw7+am7nx3h1OPG0H+l65Fuj0AjmWTbsbIK9QnjVPCxPao1X7tiJ+r/:uFKIqamtRMPJQoh2mqxTnjVPpJG

    Score
    3/10
    • Target

      cf7382c25a8bf0d904d51063ceb29fb70f630bc9.exe

    • Size

      501KB

    • MD5

      8cef8cf2a22f58a16b12b5b0b05552ba

    • SHA1

      cf7382c25a8bf0d904d51063ceb29fb70f630bc9

    • SHA256

      c95fde4a188dbc361f9eff80e9ba9d082ef40f7a16809b5ef4886903f8fc8698

    • SHA512

      86031b49267669987ee4cbe0e267d953c17032428c4ccaac318c3737c2b9a4c0203fa162f8c83a7f1616b73450118e6e5c0a474008130e1681443b3a51171591

    • SSDEEP

      12288:clxTE2jm56ven1viU+NoAHKor2Bzqbb+0eT9aEZuo:cE2qvGHKorIaK0eMjo

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      cgi19-alptsevs-h555.exe_.exe

    • Size

      569KB

    • MD5

      e9b9c39dd91c7fac1ee0b92e018a21bd

    • SHA1

      1ddcf37b32f90f864b51adba3f4bd3a0f5ea935f

    • SHA256

      388cc8da15d0fbee9bb9fb87715c8f2967b1584a12e30b4ea1ebbc27ff3b557b

    • SHA512

      dee5a5da3fe70e5d15f48ba9e8d9204a2de641b91e22a8e3ddb7dfaa1aafd6d943bb21188985bb8d40836fc6e24ee2df9a9d988f5ea8048d30517cd6bf7e3add

    • SSDEEP

      12288:j3nZMhJ+ubNmz0C4nkspjhPMy7NxkIXGUikyjk0y0xjYfYK4zjibVWidV3BtGN:j3nZqfbkz94h9P1+sbi3j2Bwjifv3BAN

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file protected with ACProtect (1.3x–1.4x). The protector obscures the real code, so the static hashes and signatures for this sample describe the protected wrapper rather than the payload.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens; credentials and sessions used from the affected host should be treated as exposed and rotated.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system. An MBR write can also be destructive (overwriting or locking the boot record) rather than persistent, so image the disk before remediation and confirm the change by reading sector 0 instead of relying on this indicator alone.

    • Drops file in System32 directory

    • Target

      chrst.exe

    • Size

      130KB

    • MD5

      c657daf595b5d535ccc757ad837eebe8

    • SHA1

      894e953e86e54a830a14fac94e57569d184a9c09

    • SHA256

      a02565ec78fa1221433e720bd57b044938345b8c65a73143bd9ff73529767526

    • SHA512

      21a26bc146dd2a915c17b268b13edc565e9a582d11c1714d89741f4156a880dfe35415d4920a6326d164519f4b28b6371ef9c7bfdb5e19080448bd77b4a20a4b

    • SSDEEP

      3072:YpcslRnXfFdRIVLdkVz1ZIGWSt8t81U3Uxi1mVB9kx:4XfNSLdkryGd

    Score
    3/10
    • Target

      ci05l2a.exe

    • Size

      179KB

    • MD5

      27b4d4c481f97f0a90c420fb106be2a1

    • SHA1

      35c8fd7176b2f50caf6af597b07d18074a6c8619

    • SHA256

      94bf77695e893c6c9cd0b69e1081eb00a617ec384c980c127681d010f8aceb71

    • SHA512

      8e6d23ec233308c32dfe4373900132b021856082584c94ddc01c31b74c859cdf73cb3b2816fd51a693848b35d248bcdc76212a3b323ccc045dcfc8df59bb31c5

    • SSDEEP

      3072:Kz23EV9nbulU4sYjoEgwNLu4T4gG1ZJC8VMKsMJ9Bi1YrJ+YPkiKL/vZ6d:o3aJoEgiLuEEJjMaNI1iI6d

    Score
    1/10
    • Target

      cl.exe

    • Size

      236KB

    • MD5

      748ec019c171f22b8384195742967c51

    • SHA1

      e3fefcbd3c432ac85d046a7ab27d2b0114ae658a

    • SHA256

      b082e82311a6e8416b1823122959ea368316a936aa6ca667c032d300f76effaf

    • SHA512

      a2bbef3dacdac5d5cf65f71f97c663b8731e2f2dbd9d923076e3551b68fce33157b961bd4709bfd6ccb1c5c807c453a8bae209538093dfe4c0662fb7e074ddc3

    • SSDEEP

      6144:6741oQa1cxp/UWD9xgYxY68hX7Ph0ht7LRhU/a:v1uOp8J2Y68hLPhZ

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      clean.exe

    • Size

      114KB

    • MD5

      d15cfcd6caabb1cd1ebdc352a6ebb39e

    • SHA1

      e60f23f716f37a7c91ae459fba65e41b4a60f752

    • SHA256

      c926450324f23575ff6e980b70688caa56f584a84f2b447aea78183828099e50

    • SHA512

      c5e3989e8157520036db2937c68bbb603ad58d16217fabbcb4860a7193d43e27d99062f4edcfcf3ab158ed7f0122df8665dd39aa1de53e81b2399aea6de7db57

    • SSDEEP

      768:W+ry2sgHBHn+Kcv+aEtm0aOL9/rxM/UUk9B:I7gpiyri/UUYB

    Score
    3/10
    • Target

      coinvault.exe

    • Size

      544KB

    • MD5

      b3a7fc445abfba3429094542049063c2

    • SHA1

      451d2a60192d5a49c13dd4aed19c15448358969d

    • SHA256

      2a5333438bed6532770f7d34b72439006625a9b38fd91f7659e390530cda18fd

    • SHA512

      711d5a9a0fe539dc9e12092d360b008cc469cd387606e5a76c703e98b7e71863256cea4dbabf41b69b5d6bf0a7cebc01f2acd445c8d0e3a841f8dc46bc532908

    • SSDEEP

      12288:xtMW53Bkb5nG7KC/MIkf74f6Z0PvB5V/EXF:xtJ53m5G7fP+Mi

    • Target

      com_loader.exe

    • Size

      64KB

    • MD5

      7bb58c27b807d0de43de40178ca30154

    • SHA1

      d3a69a5aa1f49a55eaed6de0686b45dede103b31

    • SHA256

      eb72bef17b4f62a3cef6e36385cbdd65cf916f36b28d86b37b2990e2fc9e5330

    • SHA512

      538527ca1c5037f4325ceca26b66ee0ef2d293eb29566b6bffa521593fa52e13450a01ba194ca5f574b2fa2d3335f3ab14ce759bf2d3421f746ffee5617a9d32

    • SSDEEP

      768:TDYGaFFIR9v3PHchAps29+PP+ZkY1DjSzT2MxeRzL3MJV:HdJIAps29uujJjSH25

    Score
    3/10
    • Target

      csrss.ex_.exe

    • Size

      892KB

    • MD5

      d1217c81cca33f5fcc4bed6cd948a36b

    • SHA1

      b1a299b2e29141618fd8ee1eba33f46dcbaa3f0a

    • SHA256

      d460e5870a252c2827b88fdfc651a033a5d5875770f21a23b476a36e56ad5a8e

    • SHA512

      bd63a2a187e5fba3691933b3eef02e86a09efd07d18c68dc1e372f9f848655ef4fffd930c5df6cc1f1ec10f66d424595c22866b74aa4d3688998c6c7013b897b

    • SSDEEP

      24576:zdRpOBhPImfR23aAHRdY2Eq2htqgQdsmGDs2SZ:5R0BtoqAHnvEvhcVGDs

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX or a modified UPX build. UPX is an open-source packer that legitimate software also uses, so on its own this is a weak indicator; it mainly means the static hashes and strings above describe the packed wrapper rather than the unpacked code.

    • Target

      d.exe

    • Size

      130KB

    • MD5

      1e592556901445106d9b1e779bbe062d

    • SHA1

      6999e59bd935faf42a977b25a078ce8adfe08dd2

    • SHA256

      c2f7af050697d7b0140f4ee1ce6c87225e958e6ff4f18867afd842aecbfe87ad

    • SHA512

      d6f24ac2034a1d876e910b15c97a324468ab2ca70799fd9fc72ade39daac76d4853ca8d1acba89d48525ce2ec5a7d018a9bf3383c6836633b81c32ef8ae331e2

    • SSDEEP

      3072:CfAHvg0rsef7WSkYvnW4iq9jAfDkt31bkaQaY76E:KWr97WSBW4iq9jArk31Wf76E

    Score
    3/10
    • Target

      d0a5cfec8e80622b3e194b5ee03e93d78c7ef3478bead6a039d213caaaa58523_Dumped_TDS=4F9911B3.exe

    • Size

      116KB

    • MD5

      5a580ab3f5b3806da853459e9ef7b368

    • SHA1

      df93c0f0dd694ab49646b539418b67d83eafccb5

    • SHA256

      5f60eed8e27867c843387fe7fece3af688586a40c8d3dd2c27647b23cc200fdc

    • SHA512

      91ecd8f00f4cd6c7d199eb365cb7cfa414bcab41b144fe7a5f43529e560201a81284cdb3a3d18d252e2eb4429a67f2db5718eacc8bf1eeb072958c0a4be20a3b

    • SSDEEP

      1536:tf/YvFSSZtDgN+DrDkDEFtCwbfF89lGL+vpCYC:Z/Yv0SZtDgN+Dr+ErbfF89llpTC

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence (families that do this often refuse to run, or behave differently, in particular locales). Sandboxes usually run with a default locale, so the behaviour recorded here may not match what the sample does on a host in an excluded region.

    • Adds Run key to start application

    • Target

      d0a5cfec8e80622b3e194b5ee03e93d78c7ef3478bead6a039d213caaaa58523_TDS=4FA478A6.exe

    • Size

      68KB

    • MD5

      c4c129fa72b3c0a6364635e33ee3d9b7

    • SHA1

      50f622bc092397885d032a26e872c6983c89a4b1

    • SHA256

      d0a5cfec8e80622b3e194b5ee03e93d78c7ef3478bead6a039d213caaaa58523

    • SHA512

      5c17a3c8c3344254858d1401c0309af8ebb23e51717542493b2bf87184e30a914aab6c057a24882a2f376449d36da72c7b6542af475dbb4698c65ea739b41917

    • SSDEEP

      768:cYC0MRRsJMuQrfJ6J7IIxDcSr1wif7SvK73qUzBA/mbLWpXcjMqJ8ocoNV3T9:cYLMRGMulJxf7EKbqaAqWp0MqJD3T9

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence (families that do this often refuse to run, or behave differently, in particular locales). Sandboxes usually run with a default locale, so the behaviour recorded here may not match what the sample does on a host in an excluded region.

    • Adds Run key to start application

    • Target

      d2164cdbc9c78db0115f382a139ccd758f8a25ebfc5ab3e0034e7aef0fe0b6b4_Dumped_TDS=4FB252FB.exe

    • Size

      53KB

    • MD5

      16f3a592d1a19d9873134f8e9c6ebbcc

    • SHA1

      4e1a7a09e393c0d387e4846b4a48bfe273effe43

    • SHA256

      cdffb7e75b20eeae4db75c9962c17b3be980a719f7597e8b11a747d72c975a36

    • SHA512

      2b80c9ee5ba51132ab19059bef46d6db6228bea1d250905795f27ffabfffc20ad785aba42129a1d95b6432ea5a4cab226bf23cc7c2f658f7dc40770af93d492c

    • SSDEEP

      768:uxX2MKhRw7+am7nx3h1OPG0H+l65Fuj0AjmWTbsbIK9QnjVPCxPao1X7tiJ+r/:uFKIqamtRMPJQoh2mqxTnjVPpJG

    Score
    3/10
    • Target

      d2164cdbc9c78db0115f382a139ccd758f8a25ebfc5ab3e0034e7aef0fe0b6b4_TDS=4FB30D08.exe

    • Size

      56KB

    • MD5

      327cea8d93ff1094fe1ba9008e8c5657

    • SHA1

      97574533c1260e6e3bd3008359e38055aba0d203

    • SHA256

      d2164cdbc9c78db0115f382a139ccd758f8a25ebfc5ab3e0034e7aef0fe0b6b4

    • SHA512

      7904652fa2c81296be80efec5617dd86059a940ef0ee10c45a9673d6d85cf845afaa188385d4dd7643ff37ad61a25c33c14486448c5eb51b55d9ba59158c6357

    • SSDEEP

      768:mbLjRB9o7troDVMOXsgRha8ZwByuiiCKR0YFeIupRXnzUpiPqDOyktPxEY:k/L9stroDzRhD6yuDR0lIupRnXTboY

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence (families that do this often refuse to run, or behave differently, in particular locales). Sandboxes usually run with a default locale, so the behaviour recorded here may not match what the sample does on a host in an excluded region.

    • Target

      d4439055d2d63e52ffc23c6d24d89194_86e510605f1ee068bdc1ae306312652a__1.dll

    • Size

      160KB

    • MD5

      d4439055d2d63e52ffc23c6d24d89194

    • SHA1

      92a35105a3cf19a183ef9ca9e66cb9063fffecf1

    • SHA256

      1036c84a003378907560356642bb065caef961f9dbc5c3b2a4954d5cbe7100df

    • SHA512

      f9d77411522444d7924baf6c0933cb3f4ae856c4e5b73990e81b6e2e4e372b309aececc585df3b3306db037612b1fb09516adc0403c28306f37cf3bb2b9f9499

    • SSDEEP

      3072:OcT8OeFXkldH+kqGq+WZO1Vdeuo5punOreYt2HxOMrR7:/T1Cklt+kqGq+WI1VdeaEefUM

    Score
    3/10
    • Target

      d54d2a216e637bcd36e5217cfba98896.exe

    • Size

      285KB

    • MD5

      d54d2a216e637bcd36e5217cfba98896

    • SHA1

      41e846d00379083a988db6028890233b4d74e8f4

    • SHA256

      d620778dbbcf11e3a293aeaaebac7b6a9a02e7d8790ca5ffa59bda1e9b9632f4

    • SHA512

      b92fdfd0ec1cbbfc4145465b88efe75223fb4df2df1d77122527175d211db0d572449726dd9ea8579f7cb4c5dc9df467f5980cb7344b7e931e85a34207f500b3

    • SSDEEP

      6144:XZABbWqsE/Ao+mv8Qv0LVmwq4FU0fNoy6x2UjYe0yIJA94agq/L9j:pANwRo+mv8QD4+0V16x2Y0yIu4agq/Lt

    Score
    7/10
    • Drops startup file

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      d5f29750a8cb158d9b89a1e02e8addc5e410d1ddc48e660589144ade47f794c5.exe

    • Size

      1.7MB

    • MD5

      187f7d5ae06b386581f5f177340ca2b7

    • SHA1

      0f25cefa85a0822a08ad23caca24a622fbf4aef0

    • SHA256

      d5f29750a8cb158d9b89a1e02e8addc5e410d1ddc48e660589144ade47f794c5

    • SHA512

      682d127bf1ffc42cc475f119a010eeb12460ca2e9a8fbc8a0207e3ee8912ed0c8a0fcea374c83e91f494cba2bc378173f1833b3b4f5913b622279da2c0f62248

    • SSDEEP

      49152:BATnMeAX+Iexb7peltHmeOCbJOIOUCZKw:BeMtU7pMHVZJOzTB

    Score
    3/10
    • Target

      d6c32b0146f219bdcb5cf524ea9e0047d9b9bd0fd7c395d5b11cbc4c3298824d.exe

    • Size

      284KB

    • MD5

      3751a4a1f68718405518d107a8bcc563

    • SHA1

      c58fe7477c0a639e64bcf1a49df79dee58961a34

    • SHA256

      d6c32b0146f219bdcb5cf524ea9e0047d9b9bd0fd7c395d5b11cbc4c3298824d

    • SHA512

      8fa33e5682069baf48c0e85375a4151356e5917d63fbe62642c1dc9f33ce77881a359c2300e2d221bce297fbe7349a66b55cc47ff8502125b2a44c23d59e8dfd

    • SSDEEP

      6144:ZcQu7L20QOPNMNYKEdf7Q0chT7WbK1xb5a:S20Q1YKMfE06ja

    • Target

      d889734783273b7158deeae6cf804a6be99c3a5353d94225a4dbe92caf3a3d48.exe

    • Size

      419KB

    • MD5

      71375aa4ad00f0fb209c8f22e0090715

    • SHA1

      d7b0255d7d98c33a30fe71543ec98d802c2a2dd7

    • SHA256

      d889734783273b7158deeae6cf804a6be99c3a5353d94225a4dbe92caf3a3d48

    • SHA512

      82281ebc86c9cb70f56bf1f6da625397e8d74f504c38f893a82b780b690796b0c107ba15854b0650d71546a45e98cb9b1b85ff50ec8e34dd0d1658babb310c1e

    • SSDEEP

      6144:hUACNIqeT/ibcxeejQB/VlTpMf5wh4rNJPAyPmzwl+jJJxV0N9XN/:h/CyToGgjEwh+DPAKBgCNhN/

    Score
    1/10
    • Target

      daaa72f48bea498c5ac7ce9bc315e585ff11dad04d1eeb0d1b0ce33a28bedf2d.exe

    • Size

      823KB

    • MD5

      82cdd59192afa50e4dbe1b16d6254ad7

    • SHA1

      7392f0d93fd8e604431adedf00b237ebbf6a3881

    • SHA256

      daaa72f48bea498c5ac7ce9bc315e585ff11dad04d1eeb0d1b0ce33a28bedf2d

    • SHA512

      a5e2e99b3725c4e860caee27ed2a2dcb35a3f3fe3abc06b9412b209e950cd518049e53831ec3c9adf74b0d4815e271dbf0832db70f9a9435ff7a6ad61121cb2a

    • SSDEEP

      6144:PrjxuKuDjTlGWu5kOqaJ049Od6bKaZ3GS4Ur3jC/ZdXtrOsEJDQqEGQLzXQ4T:ZyDjxGWerJ0eWQ443u/tabE

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      ddbf1840bf626da19d8f3467fe9e20e2.exe

    • Size

      173KB

    • MD5

      ddbf1840bf626da19d8f3467fe9e20e2

    • SHA1

      e56e267b688418c372ce088d09c027338bcede3e

    • SHA256

      85113774d887cf194b7bfbcc8b44f0904a49a19b9c4cf304d11a4b73944996a7

    • SHA512

      5fa35c8e132ae631a280e5ab3a3fae79e6bd5327e969f52ebd5cd57acd244b72860221c70099f7f824dcb5c63d287f1fac1e31525c090bf10bcc3bb26b5d50a2

    • SSDEEP

      3072:MtmG0J6qaFw9mIxlCxkwCQ5fdWw8DKCegdMf0x+bwAv7M87T0M5g9S3Y:Smd0qqaAxlN8D9egmFbwAV7T0Mo

    • Dharma

      Dharma is a ransomware family that uses security-software installation to hide its malicious activities.

    • Dharma family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (327) files with an added filename extension

      This suggests ransomware activity, i.e. encryption of all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Target

      de882c049be133a950b6917562bb2313_583a76e23c1998307d702709dadbe103__3.dll

    • Size

      659KB

    • MD5

      de882c049be133a950b6917562bb2313

    • SHA1

      93e9e42eba18e83811b4e9858be5cd09b9c50e5d

    • SHA256

      e53610a977b65c01b275e37aefad7884368dfe00b50750e35b6c8c87556a2c06

    • SHA512

      a5915f0247627f3556acea9743d2bfa7f9b4c6d047f4fa754684bd973f8926fdd50d52572d8c24cf33bc771870b84950c27ee0ba9dc9eec2f2738f4f3374e271

    • SSDEEP

      12288:amxpNJkdqblBAEBJ05jP5Fspq7EuVvCxcgOmKVEPILAJtARBvq8IqpwNBcLRm8QL:zxrJkdqblBAEBQP5qQbVvCNOmKVE5/A8

    Score
    3/10
    • Target

      decrypt.exe

    • Size

      75KB

    • MD5

      cde1a96c7d1fc4fd04d4f076b936e9a0

    • SHA1

      76cab15be34a942de6f878ec11ce5100f10e6855

    • SHA256

      491333504219247276258b0691a79e4ccfbc4162999f9f372512c337418e757e

    • SHA512

      782d4e602422a67539116d57e82a2362540aa52f28e1e2ce5ab238b3733b60926d9e540888bee9b558c76f7f53b9ba6f98d0dd6d7c5c8dc47354fe07a17da615

    • SSDEEP

      1536:v5gwm1brk4bXgdDMyR6u7YHwpv7EBFG36CBIvRo28aPduysjCPaAmy:nww9Mg7YHGvKG36

    Score
    3/10
    • Target

      decrypted.ex_.exe

    • Size

      507KB

    • MD5

      b374304c7603f7ea36112909fb3b8991

    • SHA1

      222e85c995558ab0bd14e4a840a3788fe63d380f

    • SHA256

      ea407f99a8e150b84bbfb47f1c22e2ef804333fbe4315ada0aab919ae2d2ec7e

    • SHA512

      42ab474f6bc309bf3d2c2fb636804c293f3fc384304d7dfbdfd4e388cba6dbac0934295030e09c6656b69b1c8a9aac3c3d70e7c2e2c2cdc9eb2c0bfc0ede2700

    • SSDEEP

      12288:njQfF4Ibclmp6S44rgpEEt5p69QFCkohJW:nsuRlmpl440ttGi8hE

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks

static1

upx
Score
6/10

behavioral1

Score
1/10

behavioral2

defense_evasion, discovery, execution, impact, ransomware
Score
10/10

behavioral3

discovery
Score
3/10

behavioral4

discovery, persistence, upx
Score
7/10

behavioral5

persistence
Score
7/10

behavioral6

discovery, persistence
Score
7/10

behavioral7

discovery, spyware, stealer
Score
8/10

behavioral8

discovery
Score
3/10

behavioral9

discovery, persistence
Score
6/10

behavioral10

bootkit, discovery, persistence, spyware, stealer
Score
7/10

behavioral11

discovery
Score
3/10

behavioral12

Score
1/10

behavioral13

discovery, persistence
Score
7/10

behavioral14

discovery
Score
3/10

behavioral15

defense_evasion, discovery, execution, impact, persistence, ransomware
Score
9/10

behavioral16

discovery
Score
3/10

behavioral17

discovery, persistence, upx
Score
6/10

behavioral18

discovery
Score
3/10

behavioral19

persistence
Score
7/10

behavioral20

discovery, persistence
Score
7/10

behavioral21

discovery
Score
3/10

behavioral22

discovery
Score
7/10

behavioral23

discovery
Score
3/10

behavioral24

discovery
Score
7/10

behavioral25

discovery
Score
3/10

behavioral26

collection, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, trojan
Score
9/10

behavioral27

Score
1/10

behavioral28

collection, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, trojan
Score
9/10

behavioral29

dharma, credential_access, defense_evasion, discovery, execution, impact, persistence, ransomware, spyware, stealer
Score
10/10

behavioral30

discovery
Score
3/10

behavioral31

discovery
Score
3/10

behavioral32

discovery, persistence
Score
6/10