Overview
Tab / sample                     Platform              Score
Overview                         -                     10
Static                           -                     6
AES-NI.exe                       windows7-x64          7
AES-NI.exe                       windows10-2004-x64    7
Abrechnung.exe                   windows7-x64          8
Abrechnung.exe                   windows10-2004-x64    8
Box (2).exe                      windows7-x64          3
Box (2).exe                      windows10-2004-x64    3
Box.exe                          windows7-x64          3
Box.exe                          windows10-2004-x64    3
a66dde2298...43.exe              windows7-x64          9
a66dde2298...43.exe              windows10-2004-x64    9
a7768f4973...e0.exe              windows7-x64          10
a7768f4973...e0.exe              windows10-2004-x64    10
aa7ff3bc28...1e.exe              windows7-x64          7
aa7ff3bc28...1e.exe              windows10-2004-x64    7
aace43af8d...99.exe              windows7-x64          8
aace43af8d...99.exe              windows10-2004-x64    8
ad3cc219a8...ws.dll              windows7-x64          10
ad3cc219a8...ws.dll              windows10-2004-x64    10
aee03626b8...b1.exe              windows7-x64          6
aee03626b8...b1.exe              windows10-2004-x64    6
afd3b729cf...2e.exe              windows7-x64          10
afd3b729cf...2e.exe              windows10-2004-x64    10
b56c4569d6...ss.exe              windows7-x64          3
b56c4569d6...ss.exe              windows10-2004-x64    3
0.84762379...67.exe              windows7-x64          7
0.84762379...67.exe              windows10-2004-x64    3
zsgblrbrum...ke.exe              windows7-x64          7
zsgblrbrum...ke.exe              windows10-2004-x64    3
b7d9f11c16...b0.exe              windows7-x64          5
b7d9f11c16...b0.exe              windows10-2004-x64    5
b8f60c64c7...af.exe              windows7-x64          10
b8f60c64c7...af.exe              windows10-2004-x64    10
General
Target:  Batch_5.zip
Size:    10.7MB
Sample:  241122-dzqkcatmht
MD5:     840ef805274a90a6354a0f5d1c6f05f1
SHA1:    856f756302fb8559edac0804324c6fec97382d84
SHA256:  51b3773145652b5d559396a08e1282a3a1d92d4df473f774d61791386fca0598
SHA512:  a1dbedebf1dc9007ea6781116d3b92e052d5110b34bcc83e87d7ba8736d1b9353bfaeb88de6b53f11ea661ef60231ae2280a4a7e54c4c3bd06cbe7f1aa864904
SSDEEP:  196608:1iAo5dAtwAQT+rrxa/kHpuI7c/hDU9EPh3VkXI599o9kDD8xCO:1jCAtwAy+rrakDcpDU9uFNgaDQCO
Behavioral tasks
Task           Sample                                                                                              Resource
behavioral1    AES-NI.exe                                                                                          win7-20241023-en
behavioral2    AES-NI.exe                                                                                          win10v2004-20241007-en
behavioral3    Abrechnung.exe                                                                                      win7-20240903-en
behavioral4    Abrechnung.exe                                                                                      win10v2004-20241007-en
behavioral5    Box (2).exe                                                                                         win7-20240903-en
behavioral6    Box (2).exe                                                                                         win10v2004-20241007-en
behavioral7    Box.exe                                                                                             win7-20241023-en
behavioral8    Box.exe                                                                                             win10v2004-20241007-en
behavioral9    a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe                                win7-20240708-en
behavioral10   a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe                                win10v2004-20241007-en
behavioral11   a7768f4973ad7cf8217212a4d12dbae0.exe                                                                win7-20241010-en
behavioral12   a7768f4973ad7cf8217212a4d12dbae0.exe                                                                win10v2004-20241007-en
behavioral13   aa7ff3bc285bcb4ec48bf2f361f0ad0a1d9fc8f17b7323d2f0615ade68973c1e.exe                                win7-20240903-en
behavioral14   aa7ff3bc285bcb4ec48bf2f361f0ad0a1d9fc8f17b7323d2f0615ade68973c1e.exe                                win10v2004-20241007-en
behavioral15   aace43af8d0932a7b01c5b8fb71c8199.exe                                                                win7-20240708-en
behavioral16   aace43af8d0932a7b01c5b8fb71c8199.exe                                                                win10v2004-20241007-en
behavioral17   ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de_PonyNews.dll                       win7-20240729-en
behavioral18   ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de_PonyNews.dll                       win10v2004-20241007-en
behavioral19   aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1.exe                                win7-20241010-en
behavioral20   aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1.exe                                win10v2004-20241007-en
behavioral21   afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe                                win7-20240903-en
behavioral22   afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe                                win10v2004-20241007-en
behavioral23   b56c4569d639e8ce104d9e52dffeba6d18813c058887a3404350904811f32d54_not_packed_maybe_useless.exe       win7-20241010-en
behavioral24   b56c4569d639e8ce104d9e52dffeba6d18813c058887a3404350904811f32d54_not_packed_maybe_useless.exe       win10v2004-20241007-en
behavioral25   0.8476237917779167.exe                                                                              win7-20241010-en
behavioral26   0.8476237917779167.exe                                                                              win10v2004-20241007-en
behavioral27   zsgblrbrumorwxfizuke.exe                                                                            win7-20241023-en
behavioral28   zsgblrbrumorwxfizuke.exe                                                                            win10v2004-20241007-en
behavioral29   b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0.exe                                win7-20240903-en
behavioral30   b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0.exe                                win10v2004-20241007-en
behavioral31   b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe                                                        win7-20240708-en
behavioral32   b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe                                                        win10v2004-20241007-en
Malware Config
Targets

Target:  AES-NI.exe
Size:    999KB
MD5:     83e824c998f321a9179efc5c2cd0a118
SHA1:    16b84004778505afbcc1032d1325c9bed8679b79
SHA256:  4142ff4667f5b9986888bdcb2a727db6a767f78fe1d5d4ae3346365a1d70eb76
SHA512:  d1c9fdb653d6b028c16a9d82895b7f03b6f96aecc802ab5104d6a762091e71502e407feea3d3d64f19b9f7c2888b1fb2b1dd5f2909b6e29414d4e4a78b56917b
SSDEEP:  24576:xMhc8sFdkS6BEeL8xYSCy3vIyzlueaBLxGLJe3:Ghc8sFB6WeIYSPAyUHxGLJe3
Signatures:
  - Deletes itself
  - Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
  - Drops file in System32 directory

Target:  Abrechnung.exe
Size:    103KB
MD5:     81ff324d2023d8ecb98a127b87d51450
SHA1:    acd24c80f6a02f7fe7a388a6779ea49be64674bc
SHA256:  7d9fc496bc0ade736bf75e05564e9c93167362ef18450d75222deef0664f9ed5
SHA512:  38b17683e835e7259a6972d0f920f9ac7f5823591962c624aa795c39c3213d0735bacd76c72b7255be1cefeb9c298ffc31266513f088684969e5e18ad4e0a139
SSDEEP:  1536:o7ZrIoIlP/A765noAXMoiCQ/5NSDy+Ud1IE9vpFARgHsjoCje6fLCy:odIp/A0noAcoiCQ/5NS6ERnECnfLCy
Score:   8/10
Signatures:
  - Disables RegEdit via registry modification
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext

Target:  Box (2).exe
Size:    438KB
MD5:     1bb4dd43a8aebc8f3b53acd05e31d5b5
SHA1:    54cd1a4a505b301df636903b2293d995d560887e
SHA256:  a2380a5f503bc6f5fcfd4c72e5b807df0740a60a298e8686bf6454f92e5d3c02
SHA512:  94c70d592e806bb426760f61122b8321e8dc5cff7f793d51f9d5650821c502c43096f41d3e61207ca6989df5bfdbff57bc23328de16e99dd56e85efc90affdce
SSDEEP:  3072:rE+rnVvKX8/tmssEDUbPwBIK6xDq3bnBZvG1BpTU41zjhkkxbNWWmZ:ImVa8/tmswUB36G9ZvGZQ49jRF
Score:   3/10
Signatures: none listed

Target:  Box.exe
Size:    440KB
MD5:     698746928e12831d6982b4e260a9da3a
SHA1:    c87945b0f3f19d3fa07f64b5454f588f568a94e7
SHA256:  63a6c3864b0a51c790d8d0312137995eb16710178aaaebfe34fa5e57caff9b36
SHA512:  8680e690337afa911471680aeb0ea6242e7cf68d83043e83b91bd6ffbe0af1af8aac140ecec8958ac6831a4b9f8401ac086e8322d6638144e5501df949594ea0
SSDEEP:  3072:LE+rnVvKX8/tmssEDUbPwBIK6xDq3bnBZvG1BpTU41zjhkkxbNWOc:omVa8/tmswUB36G9ZvGZQ49jR
Score:   3/10
Signatures: none listed

Target:  a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe
Size:    212KB
MD5:     c697914b3e3c115391e5a32e6d8d3a98
SHA1:    b61335cc60ff37680e82c7245ec268d206fc21e2
SHA256:  a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43
SHA512:  dbdd230a9829eeae3cbb7ba7cead7b378661275ca3a97bef7c4d60a7c8a5a475120bda551c2e2d81e69f9cc4f0dc798f9160d2e94d11f1ed3cc9cdf4752ae35b
SSDEEP:  3072:HTS1pU/dvuuCtCxzxXXQu+pbSCu9P+5qd/o1x3wPWnK:HTeu/Zat6gH9un0ePW
Signatures:
  - Deletes shadow copies: ransomware often targets backup files to inhibit system recovery.
  - Adds Run key to start application
  - Suspicious use of SetThreadContext

Target:  a7768f4973ad7cf8217212a4d12dbae0.exe
Size:    380KB
MD5:     a7768f4973ad7cf8217212a4d12dbae0
SHA1:    143c52e5bf3978c7b1a544ccc9405afd17d77f55
SHA256:  c8ea293b1ad5343dde79c6e095c134e4100fdaf47c84eac5e3012eae0b0125a2
SHA512:  058cc6690f9910ead6441f7128f85cb6669f04a7a949bf0b464b42d7813695cf77f7fff539b742a829464cb1ad41ca0682df120e008095b9739e561f488201d5
SSDEEP:  6144:Uzv+kSZBbdH19ex4T02J4fqz22tvymTiB62iKnWKKmDTcNwjreOwIbN8CCg4mnw8:UzcRD02J4Sq2vHGB67KWKKmDzrCg44w8
Score:   10/10
Signatures:
  - Modifies WinLogon for persistence
  - Drops startup file
  - AutoIT Executable: an AutoIT script compiled into a PE executable.

Target:  aa7ff3bc285bcb4ec48bf2f361f0ad0a1d9fc8f17b7323d2f0615ade68973c1e.exe
Size:    550KB
MD5:     e1e589c2c91ca7563f8fb06cf356bbfc
SHA1:    54ac30e96d237ebed232648d8b484579fd7a33d8
SHA256:  aa7ff3bc285bcb4ec48bf2f361f0ad0a1d9fc8f17b7323d2f0615ade68973c1e
SHA512:  8c440d514c0e0b4587834e40ebe0603f1214a771f680c1a49d69a3dcf2cb799ff4f056faf06402a4f7243b927a296374fe024ecfbb754aa550ef25ceebfc0261
SSDEEP:  6144:Nb/thbA20Budh1Bbm20BloOVAIqDAYQ+:ltGcAYp
Score:   7/10
Signatures:
  - Drops startup file
  - Adds Run key to start application

Target:  aace43af8d0932a7b01c5b8fb71c8199.exe
Size:    2.7MB
MD5:     aace43af8d0932a7b01c5b8fb71c8199
SHA1:    56422e5cc2abe198198003d2c5bf009c8652a983
SHA256:  3bc78141ff3f742c5e942993adfbef39c2127f9682a303b5e786ed7f9a8d184b
SHA512:  c4fdee4e0041a98eba661b41f521ea393e2cf8a2683d7722ba198bbc5d7620600855a773c849b1a24fb0542a6fdaf478b4e66d2ca709663d5665fac1613de2b3
SSDEEP:  49152:HyhKEGeEWYQAsQ36mE4OZYYIqCGA02Ul0UFi28CdNT0BtT:HygEGTRQAsQ36mE4O6rqCb2i28CdNoBN
Score:   8/10
Signatures:
  - Indicator Removal: Network Share Connection Removal. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

Target:  ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de_PonyNews.exe
Size:    216KB
MD5:     70a377690917a98e6ee682f7941eb565
SHA1:    246b1e0d01772a47a5f2032c8642d33d47a11c57
SHA256:  ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de
SHA512:  c384afb2230222115bffeeb951e6e204e99c44ff8d27af58b5660aa084405b1da3ad25ee75179b9f5db0f1ca7ceab070457d314b001c53cc0faa71dd7dfe9709
SSDEEP:  3072:eowSng9e1zcHHgttb9a1XchykGt8N3mff:1IehkAttb9aFchy3um
Signatures:
  - Pony family
  - Unsecured Credentials: Credentials In Files. Steals credentials from unsecured files.
  - Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.

Target:  aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1.exe
Size:    218KB
MD5:     35f68acc0c3d5761a61975ec77b49cbc
SHA1:    f6d03e713bc9b47265141d9f9b83ae634d43d204
SHA256:  aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1
SHA512:  6a9d131e7c4f310ec77cf3c9c07c75dca279b7ffd6c46b252c559947900f1d754400fc51ce12b8afde86a0fd758e1b68d00a2e5f9144ad019d51bff5c67a4656
SSDEEP:  3072:HfVD9B1hzRAjEdJNCQ4woDZD57Wr3FKajQNR9MiYbuWjqgdcnfKvdHmN5b3SM:/jlVEEbNtoPajxu85cfAG3
Score:   6/10
Signatures:
  - Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.

Target:  afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Size:    164KB
MD5:     08b304d01220f9de63244b4666621bba
SHA1:    b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6
SHA256:  afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
SHA512:  162cc0fb48615c67ce6e104ca462c41aba79bad0d5409e837b300cffc34a1c9bed63f603eee7091b93edfcd772d8ab1e180fcb3aae6b07fe24413b8505815ae9
SSDEEP:  3072:fHynAdzu0t5GtE13lkAB9z3KJZ3fCI1AjZ7yXgpiqQp:fHKautY3TzaJZarjZeXgpn
Signatures:
  - HydraCrypt: relatively unsophisticated ransomware family based on leaked CrypBoss source code.
  - Hydracrypt family
  - Deletes shadow copies: ransomware often targets backup files to inhibit system recovery.
  - Renames multiple (471) files with added filename extension: consistent with ransomware encrypting files across the system.
  - Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
  - Suspicious use of SetThreadContext

Target:  b56c4569d639e8ce104d9e52dffeba6d18813c058887a3404350904811f32d54_not_packed_maybe_useless.exe
Size:    53KB
MD5:     93de5300dabf0711c57cbe31b4c9ef04
SHA1:    4cad182a0cf72c2aff7c1a5b23eb26b352366f63
SHA256:  b56c4569d639e8ce104d9e52dffeba6d18813c058887a3404350904811f32d54
SHA512:  52c3e7a2721dac4b65d1b0ca78bd594f96f7adc36dcb9a69515665a039d644b4ce130f73f5eddd452911cac7f60c0af19688cdba57339fdec88c0ddfc574cc00
SSDEEP:  768:4chho/bbYYwktIZwTUtv3h12jG6hdYWnXAjpWTbBbIKP077hPdxPaq77tio/rM:PjoDMYwEINR8j/Yu2pqOd77hPQoQ
Score:   3/10
Signatures: none listed

Target:  0.8476237917779167.exe
Size:    80KB
MD5:     0a2284067bd109885b0597c3a858a88a
SHA1:    7634b3d0ede547c81f93fe570ef3102bf0e0ed14
SHA256:  19ec0d0e5143940492a1c79c06eb8f18aa9feb356e41b8b79fdc6a16a3bcd7bf
SHA512:  6405bee390d0c1f38ad434116de512cb67171b66ec6e4efbb43f08577597da51ab37fae899a6f8231fa17fa60654572e5141c2dbcebe520124db61e7393f9eea
SSDEEP:  1536:QF7P2btiVYiZ+TX2tbOH3UqCXOOlIoj6Q849X:U7ktiPCH3UqZAhR
Score:   7/10
Signatures:
  - Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
  - Adds Run key to start application

Target:  zsgblrbrumorwxfizuke.exe
Size:    80KB
MD5:     0a2284067bd109885b0597c3a858a88a
SHA1:    7634b3d0ede547c81f93fe570ef3102bf0e0ed14
SHA256:  19ec0d0e5143940492a1c79c06eb8f18aa9feb356e41b8b79fdc6a16a3bcd7bf
SHA512:  6405bee390d0c1f38ad434116de512cb67171b66ec6e4efbb43f08577597da51ab37fae899a6f8231fa17fa60654572e5141c2dbcebe520124db61e7393f9eea
SSDEEP:  1536:QF7P2btiVYiZ+TX2tbOH3UqCXOOlIoj6Q849X:U7ktiPCH3UqZAhR
Score:   7/10
Note:    every hash matches 0.8476237917779167.exe, so this is the same file under a second name.
Signatures:
  - Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
  - Adds Run key to start application

Target:  b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0.exe
Size:    518KB
MD5:     4523ccfd191dcceeae8e884f82f5c7ad
SHA1:    00107a6bdc9886e69425b7b0b761dcc8324946d3
SHA256:  b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0
SHA512:  79df12b1abb0d2ddab35e898aa01baaf7ea737fa37331c926b07d0ca478aa9c1c3d14795241e11d7dcff06ec3c5de93b2819cfbc0fd6db5bf6e752c52cfad5a5
SSDEEP:  12288:uPenEoSpi011oQSnRxhmVacKcMxS8JWwEHD1T6hX5IGC2C:SJomi0GnbPcKcNcWwEj1T6hqm
Signatures:
  - Drops file in System32 directory

Target:  b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe
Size:    33KB
MD5:     d9789bfbc54d5cb6d52c385fd8f5d288
SHA1:    b8f60c64c70f03c263bf9e9261aa157a73864aaf
SHA256:  c0fcf3ac6b125e985c6574ed7ef1a7929f3be8f6487b68e4d58a48a3b1517b5d
SHA512:  21e81d64136897e86362304666cb0a8510ae2280c432c8b768875d5459b527e2cdafe9a61107433d3ff7ccf8092f3bbc226f9366623c1d39f76445fc490dc4c8
SSDEEP:  768:IPXirrjYZp0Tf6yFz5Om5jPwxgjAqJTKV/Z:I/iTYHQCm5DpjhJTKVR
Signatures:
  - Detected Xorist Ransomware
  - Xorist family
  - Renames multiple (2158) files with added filename extension: consistent with ransomware encrypting files across the system.
  - Drops file in Drivers directory
  - Drops startup file
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
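The signatures in the target blocks above are each a small rule over the sandbox's event trace: a registry write under a Run key, a read of the Geo\Nation value, a vssadmin command line, an HTTP request to an IP-echo host, or a count of files that kept their name and gained a suffix. The following is an added example, not code from the sandbox or from any of the samples: a minimal Python re-implementation of those rules run over a constructed event trace, followed by a roll-up into per-technique counts of the kind shown in the ATT&CK matrix that follows (a technique's count is the sum of its sub-techniques). The event shape, the regexes, the IP-lookup host list, the rename threshold and the signature-to-technique mapping are all assumptions for illustration, not the sandbox's own rules.

```python
"""Minimal behavioural-signature engine in the style of a sandbox report.

Added example, not code from the sandbox. Event shape, regexes, host list,
rename threshold and ATT&CK mapping are assumptions for illustration.
"""
import re
from collections import Counter

# Constructed sandbox trace: (event_kind, detail). Not taken from the report.
SAMPLE_EVENTS = [
    ("regkey_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"),
    ("regkey_write", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"),
    ("regkey_read", r"HKCU\Control Panel\International\Geo\Nation"),
    ("regkey_read", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"),
    ("process_create", "vssadmin.exe delete shadows /all /quiet"),
    ("http_request", "http://api.ipify.org/"),
    ("file_rename", (r"C:\Users\u\Documents\a.docx", r"C:\Users\u\Documents\a.docx.crypt")),
    ("file_rename", (r"C:\Users\u\Documents\b.xlsx", r"C:\Users\u\Documents\b.xlsx.crypt")),
    ("file_rename", (r"C:\Users\u\Pictures\c.jpg", r"C:\Users\u\Pictures\c.jpg.crypt")),
    ("file_rename", (r"C:\Users\u\tmp\old.log", r"C:\Users\u\tmp\new.log")),  # ordinary rename
]

# Registry paths and command lines each signature keys on (assumed patterns).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
WINLOGON_RE = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit|Notify)", re.I)
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\", re.I)
UNINSTALL_RE = re.compile(r"\\CurrentVersion\\Uninstall\\", re.I)
SHADOW_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "checkip.dyndns.org"}  # assumed list
RENAME_THRESHOLD = 3  # assumed; the report prints the count it observed, e.g. "(471)"


def added_extension(old: str, new: str) -> bool:
    """True when the file kept its full name and only gained a suffix (a.docx -> a.docx.crypt)."""
    return new.startswith(old + ".") and len(new) > len(old) + 1


def host_of(url: str) -> str:
    """Extract the lower-cased host from a URL; empty string if it does not parse."""
    m = re.match(r"[a-z]+://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else ""


def evaluate(events):
    """Return {signature_name: evidence} for every signature the trace triggers."""
    hits = {}
    renamed = 0
    for kind, detail in events:
        if kind == "regkey_write" and RUN_KEY_RE.search(detail):
            hits["Adds Run key to start application"] = detail
        elif kind == "regkey_write" and WINLOGON_RE.search(detail):
            hits["Modifies WinLogon for persistence"] = detail
        elif kind == "regkey_read" and GEO_RE.search(detail):
            hits["Checks computer location settings"] = detail
        elif kind == "regkey_read" and UNINSTALL_RE.search(detail):
            hits["Checks installed software on the system"] = detail
        elif kind == "process_create" and SHADOW_RE.search(detail):
            hits["Deletes shadow copies"] = detail
        elif kind == "http_request" and host_of(detail) in IP_LOOKUP_HOSTS:
            hits["Looks up external IP address via web service"] = detail
        elif kind == "file_rename" and added_extension(*detail):
            renamed += 1
    # Mass rename is a counting signature: one event is noise, hundreds is encryption.
    if renamed >= RENAME_THRESHOLD:
        hits["Renames multiple files with added filename extension"] = renamed
    return hits


# Assumed signature -> (tactic, technique, sub-technique or None) mapping.
ATTACK_MAP = {
    "Adds Run key to start application":
        ("Persistence", "Boot or Logon Autostart Execution", "Registry Run Keys / Startup Folder"),
    "Modifies WinLogon for persistence":
        ("Persistence", "Boot or Logon Autostart Execution", "Winlogon Helper DLL"),
    "Checks computer location settings": ("Discovery", "System Location Discovery", None),
    "Checks installed software on the system": ("Discovery", "Software Discovery", None),
    "Looks up external IP address via web service":
        ("Discovery", "System Network Configuration Discovery", "Internet Connection Discovery"),
    "Deletes shadow copies": ("Impact", "Inhibit System Recovery", None),
    "Renames multiple files with added filename extension": ("Impact", "Data Encrypted for Impact", None),
}


def rollup(hits):
    """Count hits per (tactic, technique) and (tactic, technique, sub); a technique's
    count is the sum of its children, which is how the matrix totals arise."""
    counts = Counter()
    for sig in hits:
        tactic, tech, sub = ATTACK_MAP[sig]  # KeyError on purpose: every signature must be mapped
        counts[(tactic, tech)] += 1
        if sub:
            counts[(tactic, tech, sub)] += 1
    return counts


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for name, evidence in found.items():
        print(f"{name}: {evidence}")
    for key, n in sorted(rollup(found).items()):
        print("  " * (len(key) - 2) + f"{key[-1]} ({n})")
```

The rename rule is the one to tune with care: a threshold of three is fine for a demonstration, but on a real trace installers and build tools also rename files in bulk, so a production rule would additionally require that the added suffix be the same across the renamed files and that the files live under user document directories.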
MITRE ATT&CK Enterprise v15 (count of matched signatures in parentheses; a technique's count is the sum of its sub-techniques)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Direct Volume Access (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Indicator Removal (3)
    File Deletion (2)
    Network Share Connection Removal (1)
  Modify Registry (6)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)