Resubmissions

22-11-2024 22:54

241122-2vh7gaxmfl 10

22-11-2024 03:27

241122-dzqkcatmht 10

22-11-2024 03:16

241122-dsgc4atlgs 10

General

  • Target

    Batch_5.zip

  • Size

    10.7MB

  • Sample

    241122-dzqkcatmht

  • MD5

    840ef805274a90a6354a0f5d1c6f05f1

  • SHA1

    856f756302fb8559edac0804324c6fec97382d84

  • SHA256

    51b3773145652b5d559396a08e1282a3a1d92d4df473f774d61791386fca0598

  • SHA512

    a1dbedebf1dc9007ea6781116d3b92e052d5110b34bcc83e87d7ba8736d1b9353bfaeb88de6b53f11ea661ef60231ae2280a4a7e54c4c3bd06cbe7f1aa864904

  • SSDEEP

    196608:1iAo5dAtwAQT+rrxa/kHpuI7c/hDU9EPh3VkXI599o9kDD8xCO:1jCAtwAy+rrakDcpDU9uFNgaDQCO

Malware Config

Targets

    • Target

      AES-NI.exe

    • Size

      999KB

    • MD5

      83e824c998f321a9179efc5c2cd0a118

    • SHA1

      16b84004778505afbcc1032d1325c9bed8679b79

    • SHA256

      4142ff4667f5b9986888bdcb2a727db6a767f78fe1d5d4ae3346365a1d70eb76

    • SHA512

      d1c9fdb653d6b028c16a9d82895b7f03b6f96aecc802ab5104d6a762091e71502e407feea3d3d64f19b9f7c2888b1fb2b1dd5f2909b6e29414d4e4a78b56917b

    • SSDEEP

      24576:xMhc8sFdkS6BEeL8xYSCy3vIyzlueaBLxGLJe3:Ghc8sFB6WeIYSPAyUHxGLJe3

    Score
    7/10
    • Deletes itself

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Abrechnung.exe

    • Size

      103KB

    • MD5

      81ff324d2023d8ecb98a127b87d51450

    • SHA1

      acd24c80f6a02f7fe7a388a6779ea49be64674bc

    • SHA256

      7d9fc496bc0ade736bf75e05564e9c93167362ef18450d75222deef0664f9ed5

    • SHA512

      38b17683e835e7259a6972d0f920f9ac7f5823591962c624aa795c39c3213d0735bacd76c72b7255be1cefeb9c298ffc31266513f088684969e5e18ad4e0a139

    • SSDEEP

      1536:o7ZrIoIlP/A765noAXMoiCQ/5NSDy+Ud1IE9vpFARgHsjoCje6fLCy:odIp/A0noAcoiCQ/5NS6ERnECnfLCy

    • Disables RegEdit via registry modification

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Box (2).exe

    • Size

      438KB

    • MD5

      1bb4dd43a8aebc8f3b53acd05e31d5b5

    • SHA1

      54cd1a4a505b301df636903b2293d995d560887e

    • SHA256

      a2380a5f503bc6f5fcfd4c72e5b807df0740a60a298e8686bf6454f92e5d3c02

    • SHA512

      94c70d592e806bb426760f61122b8321e8dc5cff7f793d51f9d5650821c502c43096f41d3e61207ca6989df5bfdbff57bc23328de16e99dd56e85efc90affdce

    • SSDEEP

      3072:rE+rnVvKX8/tmssEDUbPwBIK6xDq3bnBZvG1BpTU41zjhkkxbNWWmZ:ImVa8/tmswUB36G9ZvGZQ49jRF

    Score
    3/10
    • Target

      Box.exe

    • Size

      440KB

    • MD5

      698746928e12831d6982b4e260a9da3a

    • SHA1

      c87945b0f3f19d3fa07f64b5454f588f568a94e7

    • SHA256

      63a6c3864b0a51c790d8d0312137995eb16710178aaaebfe34fa5e57caff9b36

    • SHA512

      8680e690337afa911471680aeb0ea6242e7cf68d83043e83b91bd6ffbe0af1af8aac140ecec8958ac6831a4b9f8401ac086e8322d6638144e5501df949594ea0

    • SSDEEP

      3072:LE+rnVvKX8/tmssEDUbPwBIK6xDq3bnBZvG1BpTU41zjhkkxbNWOc:omVa8/tmswUB36G9ZvGZQ49jR

    Score
    3/10
    • Target

      a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe

    • Size

      212KB

    • MD5

      c697914b3e3c115391e5a32e6d8d3a98

    • SHA1

      b61335cc60ff37680e82c7245ec268d206fc21e2

    • SHA256

      a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43

    • SHA512

      dbdd230a9829eeae3cbb7ba7cead7b378661275ca3a97bef7c4d60a7c8a5a475120bda551c2e2d81e69f9cc4f0dc798f9160d2e94d11f1ed3cc9cdf4752ae35b

    • SSDEEP

      3072:HTS1pU/dvuuCtCxzxXXQu+pbSCu9P+5qd/o1x3wPWnK:HTeu/Zat6gH9un0ePW

    • Target

      a7768f4973ad7cf8217212a4d12dbae0.exe

    • Size

      380KB

    • MD5

      a7768f4973ad7cf8217212a4d12dbae0

    • SHA1

      143c52e5bf3978c7b1a544ccc9405afd17d77f55

    • SHA256

      c8ea293b1ad5343dde79c6e095c134e4100fdaf47c84eac5e3012eae0b0125a2

    • SHA512

      058cc6690f9910ead6441f7128f85cb6669f04a7a949bf0b464b42d7813695cf77f7fff539b742a829464cb1ad41ca0682df120e008095b9739e561f488201d5

    • SSDEEP

      6144:Uzv+kSZBbdH19ex4T02J4fqz22tvymTiB62iKnWKKmDTcNwjreOwIbN8CCg4mnw8:UzcRD02J4Sq2vHGB67KWKKmDzrCg44w8

    • Modifies WinLogon for persistence

    • UAC bypass

    • Drops startup file

    • Checks whether UAC is enabled

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      aa7ff3bc285bcb4ec48bf2f361f0ad0a1d9fc8f17b7323d2f0615ade68973c1e.exe

    • Size

      550KB

    • MD5

      e1e589c2c91ca7563f8fb06cf356bbfc

    • SHA1

      54ac30e96d237ebed232648d8b484579fd7a33d8

    • SHA256

      aa7ff3bc285bcb4ec48bf2f361f0ad0a1d9fc8f17b7323d2f0615ade68973c1e

    • SHA512

      8c440d514c0e0b4587834e40ebe0603f1214a771f680c1a49d69a3dcf2cb799ff4f056faf06402a4f7243b927a296374fe024ecfbb754aa550ef25ceebfc0261

    • SSDEEP

      6144:Nb/thbA20Budh1Bbm20BloOVAIqDAYQ+:ltGcAYp

    • Drops startup file

    • Adds Run key to start application

    • Target

      aace43af8d0932a7b01c5b8fb71c8199.exe

    • Size

      2.7MB

    • MD5

      aace43af8d0932a7b01c5b8fb71c8199

    • SHA1

      56422e5cc2abe198198003d2c5bf009c8652a983

    • SHA256

      3bc78141ff3f742c5e942993adfbef39c2127f9682a303b5e786ed7f9a8d184b

    • SHA512

      c4fdee4e0041a98eba661b41f521ea393e2cf8a2683d7722ba198bbc5d7620600855a773c849b1a24fb0542a6fdaf478b4e66d2ca709663d5665fac1613de2b3

    • SSDEEP

      49152:HyhKEGeEWYQAsQ36mE4OZYYIqCGA02Ul0UFi28CdNT0BtT:HygEGTRQAsQ36mE4O6rqCb2i28CdNoBN

    • Indicator Removal: Network Share Connection Removal

      Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

    • Target

      ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de_PonyNews.exe

    • Size

      216KB

    • MD5

      70a377690917a98e6ee682f7941eb565

    • SHA1

      246b1e0d01772a47a5f2032c8642d33d47a11c57

    • SHA256

      ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de

    • SHA512

      c384afb2230222115bffeeb951e6e204e99c44ff8d27af58b5660aa084405b1da3ad25ee75179b9f5db0f1ca7ceab070457d314b001c53cc0faa71dd7dfe9709

    • SSDEEP

      3072:eowSng9e1zcHHgttb9a1XchykGt8N3mff:1IehkAttb9aFchy3um

    • Pony family

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1.exe

    • Size

      218KB

    • MD5

      35f68acc0c3d5761a61975ec77b49cbc

    • SHA1

      f6d03e713bc9b47265141d9f9b83ae634d43d204

    • SHA256

      aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1

    • SHA512

      6a9d131e7c4f310ec77cf3c9c07c75dca279b7ffd6c46b252c559947900f1d754400fc51ce12b8afde86a0fd758e1b68d00a2e5f9144ad019d51bff5c67a4656

    • SSDEEP

      3072:HfVD9B1hzRAjEdJNCQ4woDZD57Wr3FKajQNR9MiYbuWjqgdcnfKvdHmN5b3SM:/jlVEEbNtoPajxu85cfAG3

    Score
    6/10
    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

    • Size

      164KB

    • MD5

      08b304d01220f9de63244b4666621bba

    • SHA1

      b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6

    • SHA256

      afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e

    • SHA512

      162cc0fb48615c67ce6e104ca462c41aba79bad0d5409e837b300cffc34a1c9bed63f603eee7091b93edfcd772d8ab1e180fcb3aae6b07fe24413b8505815ae9

    • SSDEEP

      3072:fHynAdzu0t5GtE13lkAB9z3KJZ3fCI1AjZ7yXgpiqQp:fHKautY3TzaJZarjZeXgpn

    • HydraCrypt

      Relatively unsophisticated ransomware family based on leaked CrypBoss source code.

    • Hydracrypt family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (471) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    • Target

      b56c4569d639e8ce104d9e52dffeba6d18813c058887a3404350904811f32d54_not_packed_maybe_useless.exe

    • Size

      53KB

    • MD5

      93de5300dabf0711c57cbe31b4c9ef04

    • SHA1

      4cad182a0cf72c2aff7c1a5b23eb26b352366f63

    • SHA256

      b56c4569d639e8ce104d9e52dffeba6d18813c058887a3404350904811f32d54

    • SHA512

      52c3e7a2721dac4b65d1b0ca78bd594f96f7adc36dcb9a69515665a039d644b4ce130f73f5eddd452911cac7f60c0af19688cdba57339fdec88c0ddfc574cc00

    • SSDEEP

      768:4chho/bbYYwktIZwTUtv3h12jG6hdYWnXAjpWTbBbIKP077hPdxPaq77tio/rM:PjoDMYwEINR8j/Yu2pqOd77hPQoQ

    Score
    3/10
    • Target

      0.8476237917779167.exe

    • Size

      80KB

    • MD5

      0a2284067bd109885b0597c3a858a88a

    • SHA1

      7634b3d0ede547c81f93fe570ef3102bf0e0ed14

    • SHA256

      19ec0d0e5143940492a1c79c06eb8f18aa9feb356e41b8b79fdc6a16a3bcd7bf

    • SHA512

      6405bee390d0c1f38ad434116de512cb67171b66ec6e4efbb43f08577597da51ab37fae899a6f8231fa17fa60654572e5141c2dbcebe520124db61e7393f9eea

    • SSDEEP

      1536:QF7P2btiVYiZ+TX2tbOH3UqCXOOlIoj6Q849X:U7ktiPCH3UqZAhR

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target

      zsgblrbrumorwxfizuke.exe

    • Size

      80KB

    • MD5

      0a2284067bd109885b0597c3a858a88a

    • SHA1

      7634b3d0ede547c81f93fe570ef3102bf0e0ed14

    • SHA256

      19ec0d0e5143940492a1c79c06eb8f18aa9feb356e41b8b79fdc6a16a3bcd7bf

    • SHA512

      6405bee390d0c1f38ad434116de512cb67171b66ec6e4efbb43f08577597da51ab37fae899a6f8231fa17fa60654572e5141c2dbcebe520124db61e7393f9eea

    • SSDEEP

      1536:QF7P2btiVYiZ+TX2tbOH3UqCXOOlIoj6Q849X:U7ktiPCH3UqZAhR

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target

      b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0.exe

    • Size

      518KB

    • MD5

      4523ccfd191dcceeae8e884f82f5c7ad

    • SHA1

      00107a6bdc9886e69425b7b0b761dcc8324946d3

    • SHA256

      b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0

    • SHA512

      79df12b1abb0d2ddab35e898aa01baaf7ea737fa37331c926b07d0ca478aa9c1c3d14795241e11d7dcff06ec3c5de93b2819cfbc0fd6db5bf6e752c52cfad5a5

    • SSDEEP

      12288:uPenEoSpi011oQSnRxhmVacKcMxS8JWwEHD1T6hX5IGC2C:SJomi0GnbPcKcNcWwEj1T6hqm

    Score
    5/10
    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe

    • Size

      33KB

    • MD5

      d9789bfbc54d5cb6d52c385fd8f5d288

    • SHA1

      b8f60c64c70f03c263bf9e9261aa157a73864aaf

    • SHA256

      c0fcf3ac6b125e985c6574ed7ef1a7929f3be8f6487b68e4d58a48a3b1517b5d

    • SHA512

      21e81d64136897e86362304666cb0a8510ae2280c432c8b768875d5459b527e2cdafe9a61107433d3ff7ccf8092f3bbc226f9366623c1d39f76445fc490dc4c8

    • SSDEEP

      768:IPXirrjYZp0Tf6yFz5Om5jPwxgjAqJTKV/Z:I/iTYHQCm5DpjhJTKVR

    • Detected Xorist Ransomware

    • Xorist Ransomware

      Xorist is a ransomware first seen in 2020.

    • Xorist family

    • Renames multiple (2158) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops file in Drivers directory

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks

static1

upx
Score
6/10

behavioral1

discoveryupx
Score
7/10

behavioral2

discoveryupx
Score
7/10

behavioral3

discoveryevasionpersistenceupx
Score
8/10

behavioral4

discoveryevasionpersistenceupx
Score
8/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

defense_evasiondiscoveryevasionexecutionimpactpersistenceransomwaretrojan
Score
9/10

behavioral10

defense_evasiondiscoveryevasionexecutionimpactpersistenceransomwaretrojan
Score
9/10

behavioral11

discoveryevasionpersistencetrojanupx
Score
10/10

behavioral12

discoveryevasionpersistencetrojanupx
Score
10/10

behavioral13

discoverypersistence
Score
7/10

behavioral14

discoverypersistence
Score
7/10

behavioral15

defense_evasiondiscovery
Score
8/10

behavioral16

defense_evasiondiscovery
Score
8/10

behavioral17

ponycredential_accessdiscoveryratspywarestealer
Score
10/10

behavioral18

ponycredential_accessdiscoveryratspywarestealer
Score
10/10

behavioral19

discovery
Score
6/10

behavioral20

discovery
Score
6/10

behavioral21

hydracryptdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer
Score
10/10

behavioral22

hydracryptdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer
Score
10/10

behavioral23

discovery
Score
3/10

behavioral24

discovery
Score
3/10

behavioral25

discoverypersistence
Score
7/10

behavioral26

discovery
Score
3/10

behavioral27

discoverypersistence
Score
7/10

behavioral28

discovery
Score
3/10

behavioral29

discoveryupx
Score
5/10

behavioral30

discoveryupx
Score
5/10

behavioral31

xoristdiscoverypersistenceransomwarespywarestealerupx
Score
10/10

behavioral32

xoristdiscoverypersistenceransomwarespywarestealerupx
Score
10/10