General
- Target: Batch_7.zip
- Size: 6.8MB
- Sample: 241122-dz4rzazlal
- MD5: 77e8eab2073a789150dc3eefb0541f1c
- SHA1: e2a21748a32116967087f421e91b1e4afbe38dc5
- SHA256: 17b4d01d32c64a62e36496829da323fe308437048ca87143de7365fabd4194fd
- SHA512: a9e462f5234ac18ef699243383ce3538ae0d1069cf900e5cfae132049a3b13bba783d61ac325348a1aaa2187095896864919916e8daf8c924bd22180974c0f1c
- SSDEEP: 196608:xu+epCgmrd0rEVf4ZxvoFApfzStfGGaPA:4+0mr+EOYApA
Behavioral tasks
- behavioral1: DUMP_00A10000-00A1D000.exe.ViR.exe (resource win7-20241010-en)
- behavioral2: DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe (resource win7-20240708-en)
- behavioral3: Dumped_.exe (resource win7-20240903-en)
- behavioral4: EntrateSetup.exe (resource win7-20240903-en)
- behavioral5: ErrorFileRemover.exe (resource win7-20240903-en)
- behavioral6: ExtraTools.exe (resource win7-20241023-en)
- behavioral7: F45F47EDCED7FAC5A99C45AB4B8C2D54.exe (resource win7-20240903-en)
- behavioral8: decrypt_0000000000000020-000A0000.exe (resource win7-20241010-en)
- behavioral9: dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe (resource win7-20241010-en)
- behavioral10: dircrypt.deobf.exe (resource win7-20240903-en)
- behavioral11: dma locker 4.0.exe (resource win7-20240903-en)
- behavioral12: downloader.js (resource win7-20241023-en)
- behavioral13: dump.mem.exe (resource win7-20240903-en)
- behavioral14: e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe (resource win7-20240903-en)
- behavioral15: e37dc428ec65a38707ad9e247950f3501a94e4abccb737a3562d69032c8505ad.vbs (resource win7-20240708-en)
- behavioral16: e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe (resource win7-20240729-en)
- behavioral17: e6c4ae470977aa78d1005746ae05deea0bf3b4260f88865662a35f99b2559dbc_not_packed_maybe_useless.exe (resource win7-20240903-en)
- behavioral18: e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d.exe (resource win7-20240903-en)
- behavioral19: e8e07496df5370d2e49ecce5a47c1fd2.exe (resource win7-20240903-en)
- behavioral20: ea8292721a34ca2f1831447868bbe91e.exe (resource win7-20241010-en)
- behavioral21: eaa857c95fca38ca08411b757f4ad2a841cfb9782deca8abf64aada445923c0d_Stealer.dll (resource win7-20240903-en)
- behavioral22: ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe (resource win7-20241010-en)
- behavioral23: edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5.js (resource win7-20240903-en)
- behavioral24: encrypter.exe (resource win7-20240729-en)
- behavioral25: encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe (resource win7-20240903-en)
- behavioral26: f002618c01fe652f7f00eabd0e890e4992ccce818dfb2863e82c43f793685635.apk (resource win7-20240708-en)
- behavioral27: f213e54c8520e7458751020edf15a5ea.exe (resource win7-20240903-en)
- behavioral28: f2c8eee2cd88b834e9d4c0eb4930f03f.exe (resource win7-20240903-en)
- behavioral29: f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe (resource win7-20241023-en)
- behavioral30: f6a8d7a4291c55020101d046371a8bda.exe (resource win7-20240903-en)
- behavioral31: f9151107655aaa6db995888a7cb69ada.exe (resource win7-20240903-en)
- behavioral32: fb8823e9494016f59ab25ec6cc0961da_api-ms-win-system-softpub-l1-1-0.dll (resource win7-20241010-en)
Malware Config
- Extracted: C:\Users\Admin\AppData\Local\Temp\360390_readme.txt
- Extracted: C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.html
  http://rktazuzi7hbln7sy.onion/
- Extracted: C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.txt
  http://rktazuzi7hbln7sy.onion/
- Extracted: pony
  http://startwavenow.com/gate.php
  http://hollandfintech.net/api/gate.php
- Extracted: warzonerat
  195.140.213.91:5200
- Extracted: C:\Users\Admin\Documents\READ_THIS_TO_DECRYPT.html
Targets

Target: DUMP_00A10000-00A1D000.exe.ViR.exe
- Size: 52KB
- MD5: 6152709e741c4d5a5d793d35817b4c3d
- SHA1: 05ae9c76f8f85ad2247c06d26a88bbbcfff4d62e
- SHA256: 2c4c8066a1a7dfdf42c57ff4f9016f1ba05bcb004ff8b0ffc0989165d2ad30e2
- SHA512: 1e5ebd53ac942b0f06f759f936efebeeb9a74062647cd978d5112720f772f607b12ee20c02ab838104a7a947fef2fde79b0db944286d8daf2e6e6d16e10b9390
- SSDEEP: 768:UR/FcohAQFBY4JzKNkN3QZ0gGINlVOWcm:U1PhAQztJWNeCVOWc
- Score: 7/10

- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.

Target: DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
- Size: 176KB
- MD5: b88fd69b53a6e4587d9e95a0c6061141
- SHA1: 728281eb2bde83701f379797f1b2e36765429543
- SHA256: ebea4a46175b0e9c24e74b774f9ecfb036030f916ec5f2fced34fcb6c1f3ba57
- SHA512: 5105c000a7d0c2d68feb00e4f7de77b5afe58347b5d0c24f64346ec3bd8f684f1087ef8559c568f19ef47c301c7675cea0bf91d5551aeb38c89e23a114421aba
- SSDEEP: 3072:OCHM30xGHntNzuOIPEerSoKx1B2vUNc/H7BJ4gKraLKQ5oGqDQuRGBiY50pOwP:tMntdcKoWn2vzbvWm3ADQNwOo
- Score: 10/10

- Modifies WinLogon for persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext

Target: Dumped_.exe
- Size: 72KB
- MD5: afc0e1b3c683fcfb276f8e054d733945
- SHA1: a1ef6e368f78bc147c2ee70449917f3929d669ed
- SHA256: 86a4ec02684bfd8a055929b0aa6f687bd54e80da0ed689be4e315adf76edbbcb
- SHA512: 68adc819478468c55e85d9cb476b94a363f7d90df1697cd1a1814180ca1dfb47cba4f584d6706330c7d7e2b1e26092c780345cb59bdf736daf4616f06fae7ce7
- SSDEEP: 768:0Nt2Lmmi8euodnS53h1O8jFQ3tuL7EAj+WTbibIKFQnjVPoxPaBF77tiU8r:nLZOQRM8Jg12+q7LnjVP0U
- Score: 7/10

- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.

Target: EntrateSetup.exe
- Size: 261KB
- MD5: cd6258b33207e85f20fec5f39d9ba09f
- SHA1: fc132ed8922a767061abfd372dfb6f23bd8c0b62
- SHA256: 103bc884dce60ec680dd00bcd2d45721319b526b2f6ae7ebe75c73a5c977dafe
- SHA512: 2d0f5c0ee81b050fa99dc40fd5ea1864ae68f4d08a7610ea08f8c99e589d90d917a009ff25286d4351b133cf466a408e442c99a8b8cca99d81a81af8e4c6ab49
- SSDEEP: 6144:oxagl7jMOfUsQgatPpi9SQG7q94Al6HnIpOLoG7SYQ5SFZ:oxagRjM+JQ1Pp2y1Al6HesZ7Sl8Z

- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: ErrorFileRemover.exe
- Size: 2.4MB
- MD5: dbfbf254cfb84d991ac3860105d66fc6
- SHA1: 893110d8c8451565caa591ddfccf92869f96c242
- SHA256: 68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c
- SHA512: 5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d
- SSDEEP: 49152:6kAG2QGTC5xvMdgpdb1KRHGepUu2cGbqPs9+q2HRPTnFVSLE:6kAjQGTCnvMmpYQqPNRPTnF4Y
- Score: 10/10

- Modifies WinLogon for persistence
- Loads dropped DLL
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.

Target: ExtraTools.exe
- Size: 280KB
- MD5: 0210d88f1a9c5a5a7eff5c44cf4f7fbc
- SHA1: 83bff855966cf72a2dd85acae7187caeab556abf
- SHA256: 06c8e0f6fa2616f4fa92c610a1faea23887ac31db8fa78cede49b6b8c80ec22f
- SHA512: 42445a8d1a3662e16ee1f5129b8792a47c8b17992940e1ba97a96c11d038d0d5088ca00719c6031e204adefbb18672c58113ac5de66b016a63e330b672fde132
- SSDEEP: 3072:il+Lkqpd5vh6+RDuUZbEl+Lkqpd5vlpcslRnXfFdRIVLdkVz1ZIGWSt8t81U3Uxu:Ppd5vhrDuUZxpd5vbXfNSLdkryGdY
- Score: 7/10

- Executes dropped EXE

Target: F45F47EDCED7FAC5A99C45AB4B8C2D54.exe
- Size: 86KB
- MD5: f45f47edced7fac5a99c45ab4b8c2d54
- SHA1: 9060189dd95635c5f75d7f91c9bd345200e83028
- SHA256: 0529cdbc893fee664d3ac540b1e41e184797e0770808254058fc21de0a10b6c8
- SHA512: ecf1ae299d0525f86b8c398d06b429164a10d6552caf08710567680ba670bc0c918bfff1807214b33a177202cbe8eeeeffa1396b91e697aed4da91fe81f523d3
- SSDEEP: 768:4H5GP9db20gWEF5mx1pOtIWoZzP5N1jydBWGwRYuKlYsVSsVSSVSENVSjYR:Uo760g95mRhZFrWBWvrs1/LNIYR
- Score: 10/10

- Modifies WinLogon for persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL

Target: decrypt_0000000000000020-000A0000.exe
- Size: 611KB
- MD5: c81f5b5e057b4a3c7eee9e4d1c4abd53
- SHA1: 949af2ac0176ae4bcc4c07a41e26094f8ed301aa
- SHA256: 94f36b586379137a58862ca46cd1cd6c01c20ea9f56755f7b193f0c97b7a57bd
- SHA512: 541892f2d23a1d3c3324e721764a62aed8191e4ff47ba681684aa251842337b8a8e78d72eee98c73d70bb917e19724ec9671259022b21faad324734fcf462a92
- SSDEEP: 12288:LSY9aHA9OWHFzHaqxSjxspvZhsKsh+M7:hiA9OWlz6qmx8hnsh+u
- Score: 6/10

- Adds Run key to start application

Target: dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
- Size: 182KB
- MD5: 1105f1e5cd13fc30fde877432e27457d
- SHA1: 108f03f9c98c63506dd8b9f6581f37ae5c18de23
- SHA256: dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d
- SHA512: 49e9e4b02f432b9cc8f36913ce275f1d13672be627119c183713b5d6fb9fe27fd2cea67421560a463aaa16db35feb15df7c45258e2d102b5f70edb02865d9373
- SSDEEP: 3072:nO2W3zwMGWxLNjglP4cdkYsxSehTr76bJnhL:O2izwWlFuPP2xSehX6Fx

- CrypVault
  Ransomware family which makes encrypted files look like they have been quarantined by AV.
- Crypvault family
- Pony family
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Adds policy Run key to start application
- Deletes itself
- Drops startup file
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Enumerates processes with tasklist
- Suspicious use of SetThreadContext

-
Target
dircrypt.deobf.exe
-
Size
321KB
-
MD5
d224637a6b6e3001753d9922e749d00d
-
SHA1
bacb2313289e00a1933b7984dd1cbef01c8019ee
-
SHA256
9c67320f0a29796abfb5b53ef2fa2fbcb56b33cff6cdb3f96a8d303685e17263
-
SHA512
08eb7f64f852bbb3403d26a6cbcaa28a5747070b499464bed45b3578fd8ebb31ee97fc15f99a14fab9c01585ba5abeded3bd95aa80c73ce76c5af19bf587c4b0
-
SSDEEP
6144:rHpp6ZEmJSr/49JSpIGOGsX5HWY7ydvxHlcaAy0iWYOcG4BDhnxD28ixv7uDphY+:zuYQJUaGsX7/Qwgylf
Score10/10-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Modifies security service
-
Disables Task Manager via registry modification
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target: dma locker 4.0.exe
- Size: 315KB
- MD5: 18ef6bc988d99b2ec1e91daec2619f72
- SHA1: ddb7bce5fd44d1b3a1d38dfccb8d5b23ae5ed73b
- SHA256: 53a0dc85e447c58cb8d7c7e00381c8548878390c7a1443326625faa2b461ebe8
- SHA512: 02d30a6ac6a9fddc9fe542d19284e0398e1b6b329eff0c0d1410a5568cf87fb7b3c2e7d548c111b7e0fb41e4a5aee2d14678b3be11e11bd33c39477840d1ee6a
- SSDEEP: 3072:uon0fbxl3q7UWEj8FBqLXtCovWZ9crTb2aa1ppUPZCvW2Zg5JpdNCympz/CpUERj:1wl3eB6XtCMWZerWDvUhCvWl5NF

- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.

Target: downloader.js
- Size: 8KB
- MD5: 2fabecc77b10b39ff03f221f39f50c6c
- SHA1: e66ab4015c360a0f0866ea840dbeb2ef4953c86d
- SHA256: f6e2c1b42ce68165fd2cd8580daf47d594c4960fc8fb5cdbf1ec210e3ffae87f
- SHA512: 9c8bcaee59eaa6d9738caf9a61214e098438e5ecc352e8faaa7972625c3bce3f00eece4bd7b43587b09a5ef66c93778b42d0b39a7ef46aeca5d3f7da2a43384a
- SSDEEP: 192:E4/wMMuUYDKe5enZr2CU0eC+To2fOO0spxetRut64pB6BS:bMufcnZr2CU0etTaO7GtRut6UMQ
- Score: 10/10

- Blocklisted process makes network request

Target: dump.mem.exe
- Size: 53KB
- MD5: 22c7f529c6da6da1d063daeeaea41d71
- SHA1: e24872be78361eb23ab5797aff421a6c7561e235
- SHA256: ea3745e02a69f4123e06115b3abeb8dc6930000ed97d8a55351641b76b4d5e1a
- SHA512: d93e581d158bb7d23d42cca59704ae1c1a1ba3846833dc76bece113360b319381a97d8a50d3d9cf02ac0f710e763057699e95c1843c00a5971dc1feec42386ae
- SSDEEP: 384:v3Arp7pMcV+D7xMkycTUFkY7XnxO/hH+mbtv/f5E8mGfF2A/:vSpdkyF57XabtHf5EEdp
- Score: 6/10

- Adds Run key to start application

Target: e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe
- Size: 89KB
- MD5: 276e5289101e0536abf03736217f9fbd
- SHA1: 2631f18ca5631d265c6e4ffc8eb1fcfbcf1c68bd
- SHA256: e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32
- SHA512: fa7f39599f9aa689f7944930704106a6c294715a9d0984cc0624aa666da87cdfc4315b865d07874674ba14cf91df43dd54f15fc4ed2f18c3acb9ed0a5119765a
- SSDEEP: 1536:Af/YvFSSZtDgN+DrDkDEFtClfF89lGL+v:m/Yv0SZtDgN+Dr+EcfF89ll
- Score: 7/10

- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application

Target: e37dc428ec65a38707ad9e247950f3501a94e4abccb737a3562d69032c8505ad.exe
- Size: 54KB
- MD5: 4b24f2c99d93b86bd0d8a1445d976092
- SHA1: 6ea9246fd85cf2663ca6fc7e97b7bcd11d25551b
- SHA256: e37dc428ec65a38707ad9e247950f3501a94e4abccb737a3562d69032c8505ad
- SHA512: 43c9bc692edbc5151518626008eb33e14b7d6b80ff9b457a0d0702ef2d5b86b33cab0df8a22005182a56aa6a4275458b5a0edb18af4aa759e60be75b88ac792a
- SSDEEP: 768:1YQW5/spNck0lUzPrU23Wsq91si1QGb6LNyF2kbWsiPfNa133CiMRKeFyZR:1YQW57kCUzbFqvyyFhl2gpyVcrR
- Score: 1/10

Target: e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
- Size: 33KB
- MD5: 0d2c400c967b3df9f1c5e193e9ffe482
- SHA1: 2b09bd6fb74d067e107727a7494ddd33eba47338
- SHA256: e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a
- SHA512: 55366092f2c6d036ac23b7832a59eabb78e31c9dec1a390fadc2173e3cbccf064ec657f0df7303769ed6769437c193c2d589f2760d82dda45b6b274e805f35b4
- SSDEEP: 384:XKrBEMQmrwynWHmetF/2zmb/yzU0JBECvQgdxyllliReMGm4hEEZGIG5YBg49YZT:FMpBWH3HdbOygUhobYBraZs2SM6Q
- Score: 10/10

- Renames multiple (4076) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops file in Drivers directory
- Deletes itself
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory
- Sets desktop wallpaper using registry

Target: e6c4ae470977aa78d1005746ae05deea0bf3b4260f88865662a35f99b2559dbc_not_packed_maybe_useless.exe
- Size: 54KB
- MD5: bc6a67d5665ccfba24c093da2a606d9d
- SHA1: 5bca38d447165307087df43912f4b15b43c934a2
- SHA256: e6c4ae470977aa78d1005746ae05deea0bf3b4260f88865662a35f99b2559dbc
- SHA512: 5b25e0b84414cfe3ea35948d82274b73f1d993c2403503572fc6fb4520bfeae64ee55d014887db1667419f6847720e4b12bfc6c227f68e22d2d42f193d2ad820
- SSDEEP: 768:emX2MKhRw7+am7nx3h1OPG0H+l65Fuj0AjmWTbsbIK9QnjVPO1xPao1X7tiHC:egKIqamtRMPJQoh2mqxTnjVPti
- Score: 7/10

- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.

Target: e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d.exe
- Size: 196KB
- MD5: c82617e2ea031d93d5c2ea8165656753
- SHA1: 62e495b8e7bf597cb5fac48828f808d46f064930
- SHA256: e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d
- SHA512: 36766d8d98348926ed49e40a88e3ac928de8f2bd415bbe955aa73edb0db943f20c0d2e92b955bbd1d93ca2db316c6a421066993c3ce675d4597bc397110fd563
- SSDEEP: 768:JQ092dvBhHL+Txzm9xrHefCQ+LKSYTPlSfDj017JaS8+LvH5:C092ZjHezmTrHUoYzNT8yh
- Score: 7/10

- Uses the VBS compiler for execution

Target: e8e07496df5370d2e49ecce5a47c1fd2.exe
- Size: 181KB
- MD5: e8e07496df5370d2e49ecce5a47c1fd2
- SHA1: caa07048b079f148d704a49a0d44cd299a3db380
- SHA256: 63b541a11d8389b13c634665ba72437270cd8bbbbc3df7dc43acfe201a5a67e5
- SHA512: 8734843f2c9b1ed9afb5304806ce5adfffba8f8a93d6a1e1f0e9a1e2ec6c87df7435b54b3231aa583e5f08435ff470e2650c953fdfe4cde0461e5c00fa1bac94
- SSDEEP: 3072:Sed1DM5u4n7pV1HiBDqSe/01R+8UQrbUQrYc1rIzDu:3fDM5u41HiBK/s+4rXrYc1

- Detected Xorist Ransomware
- Xorist family
- Renames multiple (2565) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops file in Drivers directory
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry

Target: ea8292721a34ca2f1831447868bbe91e.exe
- Size: 52KB
- MD5: ea8292721a34ca2f1831447868bbe91e
- SHA1: 2ea7bf7b43ca83102d74f57edb5e783c02c40c6f
- SHA256: 21c0601f225087fa6d36ed951e0328bcbd2138bcea6a413162d1a8e17b0cb179
- SHA512: 8d2357cd8c216f67765a3c1c9f222f9fb258c9bb83642cd89fc0feb46ee6ca31b46c1bc7c459f483858b6348a14ed74a930a97607e817ec5bba31505d55ffb8e
- SSDEEP: 1536:BfLvzQzLRYhvpipuhVzwkZz3gaPOi4YYCcPzQOq4O:BDvVzwkFvd4YYDzq
- Score: 5/10

- Suspicious use of SetThreadContext

Target: eaa857c95fca38ca08411b757f4ad2a841cfb9782deca8abf64aada445923c0d_Stealer.exe
- Size: 949KB
- MD5: d65f155381d26f8ddfa304c83b1ad95a
- SHA1: 87d7a85b4ea7d4041ade140576b4d6fd2c5aa403
- SHA256: eaa857c95fca38ca08411b757f4ad2a841cfb9782deca8abf64aada445923c0d
- SHA512: a37f7eab52a486c947313d67c1b06dfd923f6ed5804fd74fa9cd2b30b9dac931bcb0c5827b3dfbf6ad784879e9b77ef7d0e92032b02855c35d83fba3d27fe7f0
- SSDEEP: 24576:qqHcFnufDotGNFfZptfvB2heOGmyC4//Ptn+O:qsDotivvWGmyC4//F
- Score: 1/10

Target: ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe
- Size: 1.2MB
- MD5: 0ced87772881b63caf95f1d828ba40c5
- SHA1: 6e5fca51a018272d1b1003b16dce6ee9e836908c
- SHA256: ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791
- SHA512: 65f3a52930dd560cf27a9a6e7386ae1bba22d663a1112b44fa1db043bd0b980f7dcb1d5fe21b873bb93db69c5c4d0b3c7dcf13ea110836970454b56dc16e57bb
- SSDEEP: 24576:DxIWmj1GwuqWt6GoXrxv7EJoD7p1YQzA+GdctrOvpk5P4TB5tP9P6F:Dnqqo5PzA+Gda4TB5tFP6F

- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.

Target: edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5.exe
- Size: 559KB
- MD5: 535494aa6ce3ccef7346b548da5061a9
- SHA1: 2c0b5637701c83b7b2aeabdf3120a89db1dbaad7
- SHA256: edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5
- SHA512: f02464b3563b4552246b86e2c6ec377b8b0734576647bbc69ca8f4dd775d59f54ffbf3dd7f6433990ec187f1116891426f0e70a7524c9b793df9bc78e087f6dc
- SSDEEP: 12288:ZVJ/hB+eGkeURqNvA0msxNxgnr/V4ZhiKjUkE6PofKhs:R/r47iKjUBIs

- Pony family
- Executes dropped EXE
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Target: encrypter.exe
- Size: 40KB
- MD5: 3ab401abcc5394e06c5e81fb08a5a451
- SHA1: ad4fd5e28586ce50d1db6647e2490145a9dbe172
- SHA256: 3251403ff9848ed520230a0fb8979ea4b5c8a4aa4e4a392da4c4458390f040db
- SHA512: fdfb6d16e007bac6b8aa5e376fada1f155a261ca63d272c4e5ea0a2e1b7f7970371275a43b7f48aac186c718ea90f1a9115a6eb97dcbbeca4c2ea4ac7d7c1104
- SSDEEP: 384:WAqJTdAAZpZd269D26KNLL15FFWjeiBTwohMMIPqUQXjSQ5Yhy:1c7d269D26at2TwomMrRXWGYhy

- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit

Target: encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
- Size: 111KB
- MD5: 2ce82b2c3e43a6090685bf7e3ec36d0f
- SHA1: 112a99938d60abd821e345538b0b1446cd9113a5
- SHA256: d4410c277e4120169a546d613d06b6f1ca1c09ea94494baeb0af796bfaefeefa
- SHA512: 9f0fc8a81da4977d683e4051169b5ca0f3fcd592a6946da8a4da962c2519c1fd0044baa0c950332334d9bb6e56a43aceb174bd18166cd183921d5d4213c01ece
- SSDEEP: 1536:Nynce2jUA5AaPcHbh7g9WKBvwAYbwdlR3zkWOSgiC81rZ8R9YgAic2i:RrjxwHbhgNwAp/R7pgi7rWv

- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory

Target: f002618c01fe652f7f00eabd0e890e4992ccce818dfb2863e82c43f793685635.exe
- Size: 1.0MB
- MD5: f65657f31da966e1a4f52488f91d9e90
- SHA1: 86c197ac4d89c2a3d5425eb3e8625970dbd317b0
- SHA256: f002618c01fe652f7f00eabd0e890e4992ccce818dfb2863e82c43f793685635
- SHA512: 49c95e774d82668cba1527d6d72783d973f1b2a28146cda9e2da4e4bcf65d0d4414b822dbeb408f185ee00200ea0e051ddf50ea3663896d26296bfef7c65be2e
- SSDEEP: 24576:WgtpsYed+8uF2RypfI1aNGKwCik8oNelkzTbkGf9ee/1lL:ptOYeM8vIw1swCik8oNelKbPVeen
- Score: 3/10

Target: f213e54c8520e7458751020edf15a5ea.exe
- Size: 208KB
- MD5: f213e54c8520e7458751020edf15a5ea
- SHA1: 9ff0b2f8c83d6efea0dad136179a83d33cc141eb
- SHA256: 2cd85dc5040ecbc052bb243575c8f9924afafdbf774a21afe03d2d4896e5d0e1
- SHA512: 70e3b96da403d6d5be5a00022e4b0cd30eeaecbcb3b3f3e462695c2b0400db1fcefaaecffc9ffc40528b255dd34a126613bcf99764abe7c007b5e22c39655622
- SSDEEP: 3072:RM+lmsolAIrRuw+mqv9j1MWLQkMTmmsolNIrRuw+mqv9j1MWLQa:K+lDAAqTmDAN
- Score: 1/10

Target: f2c8eee2cd88b834e9d4c0eb4930f03f.exe
- Size: 809KB
- MD5: f2c8eee2cd88b834e9d4c0eb4930f03f
- SHA1: a47b40f642bb78757b2de40344f555dc48a5a12f
- SHA256: 0cc95d376267ae78c309fd5f60f3083670b1c2616b6e3e2eec8810fa273c24be
- SHA512: 3be3760ff7b308017d820307af224bff1c5d49ae3ea71062792816477b071af9cb106e5f2ec970da022b7a055010b91b47d57e571e18643f808787538386831d
- SSDEEP: 12288:hmnc1DmxioiLAJmR+1IfFHmqgCqwwNgJV1TGBEXgyJ:hmnc1KioiLAcRHgCiNS1TGB
- Score: 10/10

- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzonerat family
- Warzone RAT payload
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe
- Size: 689KB
- MD5: 0aa0397edc45cc08dd005a73f707fec5
- SHA1: 7c1319364fe39580d9f0a928a6f6dc593f425528
- SHA256: f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7
- SHA512: 5766cd40e76bb48233649ecdebf31449020b65146a6e90cc9fa97651f73a3bbd13be2791fcf47c9bba8e158f21d304fa087c8d6dc5c1d53be96c107fa84e6e32
- SSDEEP: 12288:yHesdPT6mID+Nscf3SDEmaBY2sWevYKrQaUeSSU8g+HnCPMmq8:o4DbcvqEmay2sIaUJig/T
- Score: 9/10

- Renames multiple (51) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: f6a8d7a4291c55020101d046371a8bda.exe
- Size: 799KB
- MD5: f6a8d7a4291c55020101d046371a8bda
- SHA1: 09b08e04ee85b26ba5297cf3156653909671da90
- SHA256: 082060e3320870d1d576083e0ee65c06a1104913ae866137f8ca45891c059a76
- SHA512: 547ad8ac404e494cce474209ebfbe33a40b69feb59f564215622f479e98dd93699794f4950b05d21225af271c55987da24c68d7c4c172f1d99ba7050b7063888
- SSDEEP: 24576:Fpfzmg0hsVxPJHnhxqj/jELyOpQR2dnCy:FpfCHKrPFnh4jEWOpQEdnCy
- Score: 10/10

- Drops startup file

Target: f9151107655aaa6db995888a7cb69ada.exe
- Size: 360KB
- MD5: f9151107655aaa6db995888a7cb69ada
- SHA1: 854755b232ef00fffdafe68ed624cf91fe0fe92b
- SHA256: b70c528731e7fa31c6038f26a07f48a0436741162961922d9bba468f77b3ce0f
- SHA512: 0b600b60a6fae79d0a815b8c2f43e6843941205b0560858e4274cd105e2124e87c91b0b73baa8ef58a357b5e9b3b5af73597dd96a815f559d4cc3ac7d5b8d894
- SSDEEP: 6144:iBDWtg/7YsXUmTXgEXrMzp14WaumddWFlhdYBb+faDvLPoJgQ1GqXOFK:iEtu/3XgsdumdIlnYZPyv1LZ

- Deletes itself

Target: fb8823e9494016f59ab25ec6cc0961da_api-ms-win-system-softpub-l1-1-0.dll
- Size: 261KB
- MD5: fb8823e9494016f59ab25ec6cc0961da
- SHA1: e8468fafaea37696af5ed86396d3f40a20d35a99
- SHA256: 3b6cdb0d03f07af774ea34a964a6e2fb6ce321d7adc487af0486f13e5aed0304
- SHA512: 4cd273d95b561e2424a8a09aaa5032d8c879d044f434e39c8897315863cdb0c49c9f27be29a541c179f7595d0e3c4682cc0a0d4dd8da9e5bbc5d0d7d7001740b
- SSDEEP: 3::
- Score: 1/10

MITRE ATT&CK Enterprise v15 (technique, with the number of matching signatures in parentheses)

Execution
- Command and Scripting Interpreter (2)
  - JavaScript (1)
- Windows Management Instrumentation (1)

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Direct Volume Access (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (12)
- Virtualization/Sandbox Evasion (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (4)
  - Credentials In Files (4)