General

  • Target

    Batch_7.zip

  • Size

    6.8MB

  • Sample

    241122-dz4rzazlal

  • MD5

    77e8eab2073a789150dc3eefb0541f1c

  • SHA1

    e2a21748a32116967087f421e91b1e4afbe38dc5

  • SHA256

    17b4d01d32c64a62e36496829da323fe308437048ca87143de7365fabd4194fd

  • SHA512

    a9e462f5234ac18ef699243383ce3538ae0d1069cf900e5cfae132049a3b13bba783d61ac325348a1aaa2187095896864919916e8daf8c924bd22180974c0f1c

  • SSDEEP

    196608:xu+epCgmrd0rEVf4ZxvoFApfzStfGGaPA:4+0mr+EOYApA

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\360390_readme.txt

Ransom Note
ATTENTION: All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key. To restore your files you have to pay 0.5 BTC (bitcoins). To do this: 1. Create Bitcoin wallet here: https://blockchain.info/wallet/new 2. Buy 0.5 BTC with cash, using search here: https://localbitcoins.com/buy_bitcoins 3. Send 0.5 BTC to this Bitcoin address: oJHR97yvh97wrjvwlkrcnqrp79w9rvqnrvj 4. Send any e-mail to: [email protected] After that you will recieve e-mail with detailed instructions how to restore your files. Remember: nobody can help you except us. It is useless to reinstall Windows, rename files, etc. Your files will be decrypted as quick as you make payment.

Extracted

Path

C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.html

Ransom Note
<html> <head> <meta content="text/html; charset=UTF-8" http-equiv="content-type"> <title>jaff decryptor system</title> </head> <body style="background-color: rgb(102, 204, 204); color: rgb(0, 0, 0);" alink="#ee0000" link="#0000ee" vlink="#551a8b"> <div style="position: absolute; top:0; text-align:center; width:100%" > <h1 style="font-family: System; color: rgb(102, 102, 102);"><big>jaff decryptor system</big></h1> </div> <style> .center { width: 1000px; padding: 10px; margin: auto; background: #fc0; } </style> <div style="position: absolute; top:15%; left: 30%;" > <p style="border: 3px solid rgb(255, 255, 10); padding: 10px; background-color: rgb(223, 213, 209); text-align: left;"><big><big>Files are encrypted!</big></big><br> <br> <big><big>To decrypt flies you need to obtain the private key.<br> The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet<br> <br> </big></big>&#10102;<big><big> You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en<br> <br> </big></big>&#10103;<big><big> After instalation, run the Tor Browser and enter address: http://rktazuzi7hbln7sy.onion/<br> <br> Follow the instruction on the web-site.</big></big><br> </p> <br> <br> <center><h1><big>Your decrypt ID: 3318144683</big></h1></center> </div> </div> </body> </html>
URLs

http-equiv="content-type">

http://rktazuzi7hbln7sy.onion/<br>

Extracted

Path

C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.txt

Ransom Note
jaff decryptor system Files are encrypted! To decrypt flies you need to obtain the private key. The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en After instalation,run the Tor Browser and enter address: http://rktazuzi7hbln7sy.onion/ Follow the instruction on the web-site. Your decrypt ID: 3318144683
URLs

http://rktazuzi7hbln7sy.onion/

Extracted

Family

pony

C2

http://startwavenow.com/gate.php

http://hollandfintech.net/api/gate.php

Extracted

Family

warzonerat

C2

195.140.213.91:5200

Extracted

Path

C:\Users\Admin\Documents\READ_THIS_TO_DECRYPT.html

Ransom Note
<html> <head> <title>-</title> <style> html {font-family:Consolas;font-size:20px;background-color:lightgrey;} div{ margin:0 auto 15px auto; border:1px solid; background-color:grey;} p,h3{ text-align:center; color:white; } #R{background-color:darkred;} button{padding:10px 15px; margin:15px;} </style> </head> <body> <div> <h3>YOU PERSONAL FILES HAS BEEN ENCRYPTED</h3> <p>-</p> <p>Your data (photos, documents, databases etc.) have been encrypted with a private and unique key generated for this computer. This means that you will not be able to access your files anymore until they are decrypted. The privete key is stored in our servers and the only way to receive your key to decrypt your files is making a payment.</p> </div> <div> <p>The payment has to be done in Bitcoin to a unique address that we generated for you. Bitcoins are the virtual currency to make online payments. If you don't know how to get Bitcoins, you can click the button "How to buy Bitcoins" below and follow the instructions. If you have problem with this task use internet.</p> <p><abbr style="color:red;background-color:black;">You have only 1 week to submit the payment.</abbr> When this time ends, the unique key will be destroyed and you won't be able to recover your files anymore.</p> </div> <div id="R"><h3>YOUR UNIQUE KEY WILL BE DESTROYED IN 1 WEEK FROM ENCRYPTION!</h3></div> <div> <p>To recover your files, you must send 0.1 Bitcoins ( ~$37 ) to the next Bitcoin address:</p> <p><abbr style="background-color:white;font-size:35px;color:black;">15F5FM7qMhLQ44RDxuozbKRwSbHKmq7N39</abbr></p> <a target="_blank" href="https://bitcoin.org/en/getting-started"><button>How to buy Bitcoins #1</button></a> <a target="_blank" href="https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)"><button>How to buy Bitcoins #2</button></a> </div> </body> </html>

Targets

    • Target

      DUMP_00A10000-00A1D000.exe.ViR.exe

    • Size

      52KB

    • MD5

      6152709e741c4d5a5d793d35817b4c3d

    • SHA1

      05ae9c76f8f85ad2247c06d26a88bbbcfff4d62e

    • SHA256

      2c4c8066a1a7dfdf42c57ff4f9016f1ba05bcb004ff8b0ffc0989165d2ad30e2

    • SHA512

      1e5ebd53ac942b0f06f759f936efebeeb9a74062647cd978d5112720f772f607b12ee20c02ab838104a7a947fef2fde79b0db944286d8daf2e6e6d16e10b9390

    • SSDEEP

      768:UR/FcohAQFBY4JzKNkN3QZ0gGINlVOWcm:U1PhAQztJWNeCVOWc

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe

    • Size

      176KB

    • MD5

      b88fd69b53a6e4587d9e95a0c6061141

    • SHA1

      728281eb2bde83701f379797f1b2e36765429543

    • SHA256

      ebea4a46175b0e9c24e74b774f9ecfb036030f916ec5f2fced34fcb6c1f3ba57

    • SHA512

      5105c000a7d0c2d68feb00e4f7de77b5afe58347b5d0c24f64346ec3bd8f684f1087ef8559c568f19ef47c301c7675cea0bf91d5551aeb38c89e23a114421aba

    • SSDEEP

      3072:OCHM30xGHntNzuOIPEerSoKx1B2vUNc/H7BJ4gKraLKQ5oGqDQuRGBiY50pOwP:tMntdcKoWn2vzbvWm3ADQNwOo

    • Modifies WinLogon for persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Dumped_.exe

    • Size

      72KB

    • MD5

      afc0e1b3c683fcfb276f8e054d733945

    • SHA1

      a1ef6e368f78bc147c2ee70449917f3929d669ed

    • SHA256

      86a4ec02684bfd8a055929b0aa6f687bd54e80da0ed689be4e315adf76edbbcb

    • SHA512

      68adc819478468c55e85d9cb476b94a363f7d90df1697cd1a1814180ca1dfb47cba4f584d6706330c7d7e2b1e26092c780345cb59bdf736daf4616f06fae7ce7

    • SSDEEP

      768:0Nt2Lmmi8euodnS53h1O8jFQ3tuL7EAj+WTbibIKFQnjVPoxPaBF77tiU8r:nLZOQRM8Jg12+q7LnjVP0U

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      EntrateSetup.exe

    • Size

      261KB

    • MD5

      cd6258b33207e85f20fec5f39d9ba09f

    • SHA1

      fc132ed8922a767061abfd372dfb6f23bd8c0b62

    • SHA256

      103bc884dce60ec680dd00bcd2d45721319b526b2f6ae7ebe75c73a5c977dafe

    • SHA512

      2d0f5c0ee81b050fa99dc40fd5ea1864ae68f4d08a7610ea08f8c99e589d90d917a009ff25286d4351b133cf466a408e442c99a8b8cca99d81a81af8e4c6ab49

    • SSDEEP

      6144:oxagl7jMOfUsQgatPpi9SQG7q94Al6HnIpOLoG7SYQ5SFZ:oxagRjM+JQ1Pp2y1Al6HesZ7Sl8Z

    • Target

      ErrorFileRemover.exe

    • Size

      2.4MB

    • MD5

      dbfbf254cfb84d991ac3860105d66fc6

    • SHA1

      893110d8c8451565caa591ddfccf92869f96c242

    • SHA256

      68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c

    • SHA512

      5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d

    • SSDEEP

      49152:6kAG2QGTC5xvMdgpdb1KRHGepUu2cGbqPs9+q2HRPTnFVSLE:6kAjQGTCnvMmpYQqPNRPTnF4Y

    Score
    10/10
    • Modifies WinLogon for persistence

    • Loads dropped DLL

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      ExtraTools.exe

    • Size

      280KB

    • MD5

      0210d88f1a9c5a5a7eff5c44cf4f7fbc

    • SHA1

      83bff855966cf72a2dd85acae7187caeab556abf

    • SHA256

      06c8e0f6fa2616f4fa92c610a1faea23887ac31db8fa78cede49b6b8c80ec22f

    • SHA512

      42445a8d1a3662e16ee1f5129b8792a47c8b17992940e1ba97a96c11d038d0d5088ca00719c6031e204adefbb18672c58113ac5de66b016a63e330b672fde132

    • SSDEEP

      3072:il+Lkqpd5vh6+RDuUZbEl+Lkqpd5vlpcslRnXfFdRIVLdkVz1ZIGWSt8t81U3Uxu:Ppd5vhrDuUZxpd5vbXfNSLdkryGdY

    Score
    7/10
    • Executes dropped EXE

    • Target

      F45F47EDCED7FAC5A99C45AB4B8C2D54.exe

    • Size

      86KB

    • MD5

      f45f47edced7fac5a99c45ab4b8c2d54

    • SHA1

      9060189dd95635c5f75d7f91c9bd345200e83028

    • SHA256

      0529cdbc893fee664d3ac540b1e41e184797e0770808254058fc21de0a10b6c8

    • SHA512

      ecf1ae299d0525f86b8c398d06b429164a10d6552caf08710567680ba670bc0c918bfff1807214b33a177202cbe8eeeeffa1396b91e697aed4da91fe81f523d3

    • SSDEEP

      768:4H5GP9db20gWEF5mx1pOtIWoZzP5N1jydBWGwRYuKlYsVSsVSSVSENVSjYR:Uo760g95mRhZFrWBWvrs1/LNIYR

    • Modifies WinLogon for persistence

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      decrypt_0000000000000020-000A0000.exe

    • Size

      611KB

    • MD5

      c81f5b5e057b4a3c7eee9e4d1c4abd53

    • SHA1

      949af2ac0176ae4bcc4c07a41e26094f8ed301aa

    • SHA256

      94f36b586379137a58862ca46cd1cd6c01c20ea9f56755f7b193f0c97b7a57bd

    • SHA512

      541892f2d23a1d3c3324e721764a62aed8191e4ff47ba681684aa251842337b8a8e78d72eee98c73d70bb917e19724ec9671259022b21faad324734fcf462a92

    • SSDEEP

      12288:LSY9aHA9OWHFzHaqxSjxspvZhsKsh+M7:hiA9OWlz6qmx8hnsh+u

    • Target

      dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe

    • Size

      182KB

    • MD5

      1105f1e5cd13fc30fde877432e27457d

    • SHA1

      108f03f9c98c63506dd8b9f6581f37ae5c18de23

    • SHA256

      dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d

    • SHA512

      49e9e4b02f432b9cc8f36913ce275f1d13672be627119c183713b5d6fb9fe27fd2cea67421560a463aaa16db35feb15df7c45258e2d102b5f70edb02865d9373

    • SSDEEP

      3072:nO2W3zwMGWxLNjglP4cdkYsxSehTr76bJnhL:O2izwWlFuPP2xSehX6Fx

    • CrypVault

      Ransomware family which makes encrypted files look like they have been quarantined by AV.

    • Crypvault family

    • Pony family

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Adds policy Run key to start application

    • Deletes itself

    • Drops startup file

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Suspicious use of SetThreadContext

    • Target

      dircrypt.deobf.exe

    • Size

      321KB

    • MD5

      d224637a6b6e3001753d9922e749d00d

    • SHA1

      bacb2313289e00a1933b7984dd1cbef01c8019ee

    • SHA256

      9c67320f0a29796abfb5b53ef2fa2fbcb56b33cff6cdb3f96a8d303685e17263

    • SHA512

      08eb7f64f852bbb3403d26a6cbcaa28a5747070b499464bed45b3578fd8ebb31ee97fc15f99a14fab9c01585ba5abeded3bd95aa80c73ce76c5af19bf587c4b0

    • SSDEEP

      6144:rHpp6ZEmJSr/49JSpIGOGsX5HWY7ydvxHlcaAy0iWYOcG4BDhnxD28ixv7uDphY+:zuYQJUaGsX7/Qwgylf

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • UAC bypass

    • Windows security bypass

    • Disables Task Manager via registry modification

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      dma locker 4.0.exe

    • Size

      315KB

    • MD5

      18ef6bc988d99b2ec1e91daec2619f72

    • SHA1

      ddb7bce5fd44d1b3a1d38dfccb8d5b23ae5ed73b

    • SHA256

      53a0dc85e447c58cb8d7c7e00381c8548878390c7a1443326625faa2b461ebe8

    • SHA512

      02d30a6ac6a9fddc9fe542d19284e0398e1b6b329eff0c0d1410a5568cf87fb7b3c2e7d548c111b7e0fb41e4a5aee2d14678b3be11e11bd33c39477840d1ee6a

    • SSDEEP

      3072:uon0fbxl3q7UWEj8FBqLXtCovWZ9crTb2aa1ppUPZCvW2Zg5JpdNCympz/CpUERj:1wl3eB6XtCMWZerWDvUhCvWl5NF

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      downloader.js

    • Size

      8KB

    • MD5

      2fabecc77b10b39ff03f221f39f50c6c

    • SHA1

      e66ab4015c360a0f0866ea840dbeb2ef4953c86d

    • SHA256

      f6e2c1b42ce68165fd2cd8580daf47d594c4960fc8fb5cdbf1ec210e3ffae87f

    • SHA512

      9c8bcaee59eaa6d9738caf9a61214e098438e5ecc352e8faaa7972625c3bce3f00eece4bd7b43587b09a5ef66c93778b42d0b39a7ef46aeca5d3f7da2a43384a

    • SSDEEP

      192:E4/wMMuUYDKe5enZr2CU0eC+To2fOO0spxetRut64pB6BS:bMufcnZr2CU0etTaO7GtRut6UMQ

    • Blocklisted process makes network request

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      dump.mem.exe

    • Size

      53KB

    • MD5

      22c7f529c6da6da1d063daeeaea41d71

    • SHA1

      e24872be78361eb23ab5797aff421a6c7561e235

    • SHA256

      ea3745e02a69f4123e06115b3abeb8dc6930000ed97d8a55351641b76b4d5e1a

    • SHA512

      d93e581d158bb7d23d42cca59704ae1c1a1ba3846833dc76bece113360b319381a97d8a50d3d9cf02ac0f710e763057699e95c1843c00a5971dc1feec42386ae

    • SSDEEP

      384:v3Arp7pMcV+D7xMkycTUFkY7XnxO/hH+mbtv/f5E8mGfF2A/:vSpdkyF57XabtHf5EEdp

    • Target

      e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe

    • Size

      89KB

    • MD5

      276e5289101e0536abf03736217f9fbd

    • SHA1

      2631f18ca5631d265c6e4ffc8eb1fcfbcf1c68bd

    • SHA256

      e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32

    • SHA512

      fa7f39599f9aa689f7944930704106a6c294715a9d0984cc0624aa666da87cdfc4315b865d07874674ba14cf91df43dd54f15fc4ed2f18c3acb9ed0a5119765a

    • SSDEEP

      1536:Af/YvFSSZtDgN+DrDkDEFtClfF89lGL+v:m/Yv0SZtDgN+Dr+EcfF89ll

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target

      e37dc428ec65a38707ad9e247950f3501a94e4abccb737a3562d69032c8505ad.exe

    • Size

      54KB

    • MD5

      4b24f2c99d93b86bd0d8a1445d976092

    • SHA1

      6ea9246fd85cf2663ca6fc7e97b7bcd11d25551b

    • SHA256

      e37dc428ec65a38707ad9e247950f3501a94e4abccb737a3562d69032c8505ad

    • SHA512

      43c9bc692edbc5151518626008eb33e14b7d6b80ff9b457a0d0702ef2d5b86b33cab0df8a22005182a56aa6a4275458b5a0edb18af4aa759e60be75b88ac792a

    • SSDEEP

      768:1YQW5/spNck0lUzPrU23Wsq91si1QGb6LNyF2kbWsiPfNa133CiMRKeFyZR:1YQW57kCUzbFqvyyFhl2gpyVcrR

    Score
    1/10
    • Target

      e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

    • Size

      33KB

    • MD5

      0d2c400c967b3df9f1c5e193e9ffe482

    • SHA1

      2b09bd6fb74d067e107727a7494ddd33eba47338

    • SHA256

      e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a

    • SHA512

      55366092f2c6d036ac23b7832a59eabb78e31c9dec1a390fadc2173e3cbccf064ec657f0df7303769ed6769437c193c2d589f2760d82dda45b6b274e805f35b4

    • SSDEEP

      384:XKrBEMQmrwynWHmetF/2zmb/yzU0JBECvQgdxyllliReMGm4hEEZGIG5YBg49YZT:FMpBWH3HdbOygUhobYBraZs2SM6Q

    • Renames multiple (4076) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops file in Drivers directory

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      e6c4ae470977aa78d1005746ae05deea0bf3b4260f88865662a35f99b2559dbc_not_packed_maybe_useless.exe

    • Size

      54KB

    • MD5

      bc6a67d5665ccfba24c093da2a606d9d

    • SHA1

      5bca38d447165307087df43912f4b15b43c934a2

    • SHA256

      e6c4ae470977aa78d1005746ae05deea0bf3b4260f88865662a35f99b2559dbc

    • SHA512

      5b25e0b84414cfe3ea35948d82274b73f1d993c2403503572fc6fb4520bfeae64ee55d014887db1667419f6847720e4b12bfc6c227f68e22d2d42f193d2ad820

    • SSDEEP

      768:emX2MKhRw7+am7nx3h1OPG0H+l65Fuj0AjmWTbsbIK9QnjVPO1xPao1X7tiHC:egKIqamtRMPJQoh2mqxTnjVPti

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d.exe

    • Size

      196KB

    • MD5

      c82617e2ea031d93d5c2ea8165656753

    • SHA1

      62e495b8e7bf597cb5fac48828f808d46f064930

    • SHA256

      e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d

    • SHA512

      36766d8d98348926ed49e40a88e3ac928de8f2bd415bbe955aa73edb0db943f20c0d2e92b955bbd1d93ca2db316c6a421066993c3ce675d4597bc397110fd563

    • SSDEEP

      768:JQ092dvBhHL+Txzm9xrHefCQ+LKSYTPlSfDj017JaS8+LvH5:C092ZjHezmTrHUoYzNT8yh

    Score
    7/10
    • Uses the VBS compiler for execution

    • Target

      e8e07496df5370d2e49ecce5a47c1fd2.exe

    • Size

      181KB

    • MD5

      e8e07496df5370d2e49ecce5a47c1fd2

    • SHA1

      caa07048b079f148d704a49a0d44cd299a3db380

    • SHA256

      63b541a11d8389b13c634665ba72437270cd8bbbbc3df7dc43acfe201a5a67e5

    • SHA512

      8734843f2c9b1ed9afb5304806ce5adfffba8f8a93d6a1e1f0e9a1e2ec6c87df7435b54b3231aa583e5f08435ff470e2650c953fdfe4cde0461e5c00fa1bac94

    • SSDEEP

      3072:Sed1DM5u4n7pV1HiBDqSe/01R+8UQrbUQrYc1rIzDu:3fDM5u41HiBK/s+4rXrYc1

    • Detected Xorist Ransomware

    • Xorist Ransomware

      Xorist is a ransomware first seen in 2020.

    • Xorist family

    • Renames multiple (2565) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops file in Drivers directory

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      ea8292721a34ca2f1831447868bbe91e.exe

    • Size

      52KB

    • MD5

      ea8292721a34ca2f1831447868bbe91e

    • SHA1

      2ea7bf7b43ca83102d74f57edb5e783c02c40c6f

    • SHA256

      21c0601f225087fa6d36ed951e0328bcbd2138bcea6a413162d1a8e17b0cb179

    • SHA512

      8d2357cd8c216f67765a3c1c9f222f9fb258c9bb83642cd89fc0feb46ee6ca31b46c1bc7c459f483858b6348a14ed74a930a97607e817ec5bba31505d55ffb8e

    • SSDEEP

      1536:BfLvzQzLRYhvpipuhVzwkZz3gaPOi4YYCcPzQOq4O:BDvVzwkFvd4YYDzq

    Score
    5/10
    • Suspicious use of SetThreadContext

    • Target

      eaa857c95fca38ca08411b757f4ad2a841cfb9782deca8abf64aada445923c0d_Stealer.exe

    • Size

      949KB

    • MD5

      d65f155381d26f8ddfa304c83b1ad95a

    • SHA1

      87d7a85b4ea7d4041ade140576b4d6fd2c5aa403

    • SHA256

      eaa857c95fca38ca08411b757f4ad2a841cfb9782deca8abf64aada445923c0d

    • SHA512

      a37f7eab52a486c947313d67c1b06dfd923f6ed5804fd74fa9cd2b30b9dac931bcb0c5827b3dfbf6ad784879e9b77ef7d0e92032b02855c35d83fba3d27fe7f0

    • SSDEEP

      24576:qqHcFnufDotGNFfZptfvB2heOGmyC4//Ptn+O:qsDotivvWGmyC4//F

    Score
    1/10
    • Target

      ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe

    • Size

      1.2MB

    • MD5

      0ced87772881b63caf95f1d828ba40c5

    • SHA1

      6e5fca51a018272d1b1003b16dce6ee9e836908c

    • SHA256

      ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791

    • SHA512

      65f3a52930dd560cf27a9a6e7386ae1bba22d663a1112b44fa1db043bd0b980f7dcb1d5fe21b873bb93db69c5c4d0b3c7dcf13ea110836970454b56dc16e57bb

    • SSDEEP

      24576:DxIWmj1GwuqWt6GoXrxv7EJoD7p1YQzA+GdctrOvpk5P4TB5tP9P6F:Dnqqo5PzA+Gda4TB5tFP6F

    • Target

      edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5.exe

    • Size

      559KB

    • MD5

      535494aa6ce3ccef7346b548da5061a9

    • SHA1

      2c0b5637701c83b7b2aeabdf3120a89db1dbaad7

    • SHA256

      edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5

    • SHA512

      f02464b3563b4552246b86e2c6ec377b8b0734576647bbc69ca8f4dd775d59f54ffbf3dd7f6433990ec187f1116891426f0e70a7524c9b793df9bc78e087f6dc

    • SSDEEP

      12288:ZVJ/hB+eGkeURqNvA0msxNxgnr/V4ZhiKjUkE6PofKhs:R/r47iKjUBIs

    • Pony family

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      encrypter.exe

    • Size

      40KB

    • MD5

      3ab401abcc5394e06c5e81fb08a5a451

    • SHA1

      ad4fd5e28586ce50d1db6647e2490145a9dbe172

    • SHA256

      3251403ff9848ed520230a0fb8979ea4b5c8a4aa4e4a392da4c4458390f040db

    • SHA512

      fdfb6d16e007bac6b8aa5e376fada1f155a261ca63d272c4e5ea0a2e1b7f7970371275a43b7f48aac186c718ea90f1a9115a6eb97dcbbeca4c2ea4ac7d7c1104

    • SSDEEP

      384:WAqJTdAAZpZd269D26KNLL15FFWjeiBTwohMMIPqUQXjSQ5Yhy:1c7d269D26at2TwomMrRXWGYhy

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe

    • Size

      111KB

    • MD5

      2ce82b2c3e43a6090685bf7e3ec36d0f

    • SHA1

      112a99938d60abd821e345538b0b1446cd9113a5

    • SHA256

      d4410c277e4120169a546d613d06b6f1ca1c09ea94494baeb0af796bfaefeefa

    • SHA512

      9f0fc8a81da4977d683e4051169b5ca0f3fcd592a6946da8a4da962c2519c1fd0044baa0c950332334d9bb6e56a43aceb174bd18166cd183921d5d4213c01ece

    • SSDEEP

      1536:Nynce2jUA5AaPcHbh7g9WKBvwAYbwdlR3zkWOSgiC81rZ8R9YgAic2i:RrjxwHbhgNwAp/R7pgi7rWv

    • Target

      f002618c01fe652f7f00eabd0e890e4992ccce818dfb2863e82c43f793685635.exe

    • Size

      1.0MB

    • MD5

      f65657f31da966e1a4f52488f91d9e90

    • SHA1

      86c197ac4d89c2a3d5425eb3e8625970dbd317b0

    • SHA256

      f002618c01fe652f7f00eabd0e890e4992ccce818dfb2863e82c43f793685635

    • SHA512

      49c95e774d82668cba1527d6d72783d973f1b2a28146cda9e2da4e4bcf65d0d4414b822dbeb408f185ee00200ea0e051ddf50ea3663896d26296bfef7c65be2e

    • SSDEEP

      24576:WgtpsYed+8uF2RypfI1aNGKwCik8oNelkzTbkGf9ee/1lL:ptOYeM8vIw1swCik8oNelKbPVeen

    Score
    3/10
    • Target

      f213e54c8520e7458751020edf15a5ea.exe

    • Size

      208KB

    • MD5

      f213e54c8520e7458751020edf15a5ea

    • SHA1

      9ff0b2f8c83d6efea0dad136179a83d33cc141eb

    • SHA256

      2cd85dc5040ecbc052bb243575c8f9924afafdbf774a21afe03d2d4896e5d0e1

    • SHA512

      70e3b96da403d6d5be5a00022e4b0cd30eeaecbcb3b3f3e462695c2b0400db1fcefaaecffc9ffc40528b255dd34a126613bcf99764abe7c007b5e22c39655622

    • SSDEEP

      3072:RM+lmsolAIrRuw+mqv9j1MWLQkMTmmsolNIrRuw+mqv9j1MWLQa:K+lDAAqTmDAN

    Score
    1/10
    • Target

      f2c8eee2cd88b834e9d4c0eb4930f03f.exe

    • Size

      809KB

    • MD5

      f2c8eee2cd88b834e9d4c0eb4930f03f

    • SHA1

      a47b40f642bb78757b2de40344f555dc48a5a12f

    • SHA256

      0cc95d376267ae78c309fd5f60f3083670b1c2616b6e3e2eec8810fa273c24be

    • SHA512

      3be3760ff7b308017d820307af224bff1c5d49ae3ea71062792816477b071af9cb106e5f2ec970da022b7a055010b91b47d57e571e18643f808787538386831d

    • SSDEEP

      12288:hmnc1DmxioiLAJmR+1IfFHmqgCqwwNgJV1TGBEXgyJ:hmnc1KioiLAcRHgCiNS1TGB

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzonerat family

    • Warzone RAT payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe

    • Size

      689KB

    • MD5

      0aa0397edc45cc08dd005a73f707fec5

    • SHA1

      7c1319364fe39580d9f0a928a6f6dc593f425528

    • SHA256

      f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7

    • SHA512

      5766cd40e76bb48233649ecdebf31449020b65146a6e90cc9fa97651f73a3bbd13be2791fcf47c9bba8e158f21d304fa087c8d6dc5c1d53be96c107fa84e6e32

    • SSDEEP

      12288:yHesdPT6mID+Nscf3SDEmaBY2sWevYKrQaUeSSU8g+HnCPMmq8:o4DbcvqEmay2sIaUJig/T

    • Renames multiple (51) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      f6a8d7a4291c55020101d046371a8bda.exe

    • Size

      799KB

    • MD5

      f6a8d7a4291c55020101d046371a8bda

    • SHA1

      09b08e04ee85b26ba5297cf3156653909671da90

    • SHA256

      082060e3320870d1d576083e0ee65c06a1104913ae866137f8ca45891c059a76

    • SHA512

      547ad8ac404e494cce474209ebfbe33a40b69feb59f564215622f479e98dd93699794f4950b05d21225af271c55987da24c68d7c4c172f1d99ba7050b7063888

    • SSDEEP

      24576:Fpfzmg0hsVxPJHnhxqj/jELyOpQR2dnCy:FpfCHKrPFnh4jEWOpQEdnCy

    Score
    10/10
    • Drops startup file

    • Target

      f9151107655aaa6db995888a7cb69ada.exe

    • Size

      360KB

    • MD5

      f9151107655aaa6db995888a7cb69ada

    • SHA1

      854755b232ef00fffdafe68ed624cf91fe0fe92b

    • SHA256

      b70c528731e7fa31c6038f26a07f48a0436741162961922d9bba468f77b3ce0f

    • SHA512

      0b600b60a6fae79d0a815b8c2f43e6843941205b0560858e4274cd105e2124e87c91b0b73baa8ef58a357b5e9b3b5af73597dd96a815f559d4cc3ac7d5b8d894

    • SSDEEP

      6144:iBDWtg/7YsXUmTXgEXrMzp14WaumddWFlhdYBb+faDvLPoJgQ1GqXOFK:iEtu/3XgsdumdIlnYZPyv1LZ

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      fb8823e9494016f59ab25ec6cc0961da_api-ms-win-system-softpub-l1-1-0.dll

    • Size

      261KB

    • MD5

      fb8823e9494016f59ab25ec6cc0961da

    • SHA1

      e8468fafaea37696af5ed86396d3f40a20d35a99

    • SHA256

      3b6cdb0d03f07af774ea34a964a6e2fb6ce321d7adc487af0486f13e5aed0304

    • SHA512

      4cd273d95b561e2424a8a09aaa5032d8c879d044f434e39c8897315863cdb0c49c9f27be29a541c179f7595d0e3c4682cc0a0d4dd8da9e5bbc5d0d7d7001740b

    • SSDEEP

      3::

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks

static1

upx
Score
6/10

behavioral1

discoverypersistenceupx
Score
7/10

behavioral2

discoverypersistenceupx
Score
10/10

behavioral3

Score
7/10

behavioral4

defense_evasiondiscoveryevasionexecutionimpactpersistenceransomwaretrojan
Score
9/10

behavioral5

discoverypersistence
Score
10/10

behavioral6

discovery
Score
7/10

behavioral7

discoveryevasionpersistenceupx
Score
10/10

behavioral8

discoverypersistence
Score
6/10

behavioral9

crypvaultponycollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwareratspywarestealertrojan
Score
10/10

behavioral10

discoveryevasionpersistencetrojanupx
Score
10/10

behavioral11

defense_evasiondiscoveryexecutionimpactpersistenceransomware
Score
9/10

behavioral12

executionransomwarespywarestealer
Score
10/10

behavioral13

discoverypersistence
Score
6/10

behavioral14

persistence
Score
7/10

behavioral15

Score
1/10

behavioral16

defense_evasiondiscoveryransomwarespywarestealer
Score
10/10

behavioral17

Score
7/10

behavioral18

Score
7/10

behavioral19

xoristdiscoverypersistenceransomwarespywarestealerupx
Score
10/10

behavioral20

discovery
Score
5/10

behavioral21

Score
1/10

behavioral22

defense_evasiondiscoveryexecutionimpactransomwarespywarestealer
Score
9/10

behavioral23

ponycollectioncredential_accessdiscoveryexecutionpersistenceratspywarestealer
Score
10/10

behavioral24

defense_evasiondiscoveryevasionexecutionimpactransomwarespywarestealer
Score
10/10

behavioral25

defense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer
Score
9/10

behavioral26

discovery
Score
3/10

behavioral27

Score
1/10

behavioral28

warzoneratdiscoveryinfostealerpersistencerat
Score
10/10

behavioral29

discoverypersistenceransomware
Score
9/10

behavioral30

discoveryransomware
Score
10/10

behavioral31

discoveryspywarestealer
Score
7/10

behavioral32

Score
1/10