Overview

overview

10

Static

static

10

VSNKLGuzoF...2).exe

windows7-x64

3

VSNKLGuzoF...2).exe

windows10-2004-x64

3

VSNKLGuzoF...5w.exe

windows7-x64

3

VSNKLGuzoF...5w.exe

windows10-2004-x64

3

VideoCodeCX.exe

windows7-x64

10

VideoCodeCX.exe

windows10-2004-x64

10

WcsPlugInS...ex.exe

windows7-x64

5

WcsPlugInS...ex.exe

windows10-2004-x64

7

WinLocker Builder.exe

windows7-x64

5

WinLocker Builder.exe

windows10-2004-x64

5

WinLocker_Builder.exe

windows7-x64

5

WinLocker_Builder.exe

windows10-2004-x64

5

_003E0000.exe.vir.exe

windows7-x64

9

_003E0000.exe.vir.exe

windows10-2004-x64

7

vmem02.exe

windows7-x64

3

vmem02.exe

windows10-2004-x64

3

w8i9eHkHOwWwQlX.exe

windows7-x64

3

w8i9eHkHOwWwQlX.exe

windows10-2004-x64

3

wpbt0.exe

windows7-x64

10

wpbt0.exe

windows10-2004-x64

10

xpiofrbtkzhr.exe

windows7-x64

xpiofrbtkzhr.exe

windows10-2004-x64

xxx_video (2).exe

windows7-x64

7

xxx_video (2).exe

windows10-2004-x64

7

xxx_video.exe

windows7-x64

5

xxx_video.exe

windows10-2004-x64

5

xxx_video_...vi.exe

windows7-x64

10

xxx_video_...vi.exe

windows10-2004-x64

5

xxx_video_...ir.exe

windows7-x64

10

xxx_video_...ir.exe

windows10-2004-x64

5

xxx_video_...ir.exe

windows7-x64

10

xxx_video_...ir.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Batch_11.zip

  • Size

    3.9MB

  • Sample

    241122-ecwzaazmbr

  • MD5

    d9efba6b5d8f5cadcb5b72a261364879

  • SHA1

    847e175e807b9f271cfecdf0b451d029bdf73d5a

  • SHA256

    f6a83e6ed8bf92b8ff4da0aba72fe354199ec79a99008b34800e4cfdb92d3a67

  • SHA512

    ed9ae302a89f3aea8f749e804ed6b058f7d4a48e39ac3ef7d5d8e28eebbbe8a35f9ce7b7675ed57c968eade8ec29580cf37ac85f9aee9c56595b1662e6acaa60

  • SSDEEP

    98304:ywQRPA4p9xWgZgAAqLIld4nSUYuNmH6z3rcq/fsQ:yTST47mW7c4

Score
10/10
xoristdefense_evasiondiscoveryexecutionimpactpersistenceransomwareupx

Malware Config

Targets

    • Target

      VSNKLGuzoFJgFHyEI15w (2).exe

    • Size

      357KB

    • MD5

      89e1efdc766e9c7d41305566993ba800

    • SHA1

      be06191ebb3c96fcf5a87a1d3442ddfb3f19edfb

    • SHA256

      c8400b635f1b14bef0135631f05ae408bf551dac45fb23c1b26e20d60ea00f08

    • SHA512

      26f395abc7cb6a6e156f8d91e3b05756e9d98e45f91ad0cce9825404120888d842319b584a3898752fdd126057e511a8f46c37a640dd5fa02aa3d80462fdea63

    • SSDEEP

      6144:H+dE6vqOE9Z8LapTWgK/W9uAExjAhQiM5bQCdf/ORqz9BLp5hjoLxqZ:H+vvbGlpoAExjAYbQCdf/ORqZBdfjoLW

    Score
    3/10
    discovery
    behavioral1behavioral2

    • Target

      VSNKLGuzoFJgFHyEI15w.exe

    • Size

      357KB

    • MD5

      89e1efdc766e9c7d41305566993ba800

    • SHA1

      be06191ebb3c96fcf5a87a1d3442ddfb3f19edfb

    • SHA256

      c8400b635f1b14bef0135631f05ae408bf551dac45fb23c1b26e20d60ea00f08

    • SHA512

      26f395abc7cb6a6e156f8d91e3b05756e9d98e45f91ad0cce9825404120888d842319b584a3898752fdd126057e511a8f46c37a640dd5fa02aa3d80462fdea63

    • SSDEEP

      6144:H+dE6vqOE9Z8LapTWgK/W9uAExjAhQiM5bQCdf/ORqz9BLp5hjoLxqZ:H+vvbGlpoAExjAYbQCdf/ORqZBdfjoLW

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      VideoCodeCX.exe

    • Size

      2.0MB

    • MD5

      0701e045db5d20c93427b4bb452bc341

    • SHA1

      6be9df576ebfed1b2a0b14f2352dceaa36a10c79

    • SHA256

      22b1af46ce7b3db0ec037026e035b0b09a6c791e5fb5fcb5e6ee3ef8d276abe1

    • SHA512

      40a542dbd44eab6c2f8f6631487be2065692489040632916aaee2d7f24810e4844291b1e6a0e5884362a7ebc534a03a44103465cd1266439107fc5c070c50dfb

    • SSDEEP

      49152:EkAG2QGTC5xvMdgpdb1KRzGepUu2cGbq7oc+tuNAn:EkAjQGTCnvMmpEQqUPn

    Score
    10/10
    discoverypersistence

    • Modifies WinLogon for persistence

      persistence

    • Loads dropped DLL

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral5behavioral6

    • Target

      WcsPlugInService.ex.exe

    • Size

      113KB

    • MD5

      f9a974c8ed6793c226101c10af7542db

    • SHA1

      5719e5b45721af9ac9652332f2001d984e1d9a45

    • SHA256

      8f0c20eab317c9416ad6dd602013528dca8ee1467b111019fe6704ff8da6a241

    • SHA512

      1f00ca5c9fdb1ca8fe6d9b9728da6b3aac57b72e17e528ec37e77cdf6ae1cd52384b0ae8256e2f74f88ba87c9e90c575a0a8ebf729f894590fe71d5e6ce608d3

    • SSDEEP

      3072:pxuZMpyk7A79E6rdAXpRCxv/sqJ5SjTOaiZl7ObWlx+T:pYf79JAXKxHs0S3OaiZ1Oiv

    Score
    7/10
    discoveryupxpersistence

    • Deletes itself

    • Adds Run key to start application

      persistence

    • Blocklisted process makes network request

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral7behavioral8

    • Target

      WinLocker Builder.exe

    • Size

      317KB

    • MD5

      10bc8a66ffe85a5eb04d5dd463204318

    • SHA1

      e0df54485e4fba5af4ff0a61c022f794a5ba25d1

    • SHA256

      3def8e9db50996046391a345099f3f7b023f8e0e26356702f73743e25d5716f8

    • SHA512

      3d833e8083cb4e781b7572eedc89d4c94ea91a04a77f0e7727ff8bb4d16bb8887c19b6a2470e90a2cf714bdf72d26679075f7c7f4127e1c504182955808b99e8

    • SSDEEP

      6144:eUKmfbTAYbMLaOphVx4bu9xJjF1031CP82ooSaYq:eUvfHfMLaOpXKbOjj/sNLoSbq

    Score
    5/10
    discoveryupx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral10behavioral9

    • Target

      WinLocker_Builder.exe

    • Size

      314KB

    • MD5

      d010491f999105e40f8550bd9daa4fa7

    • SHA1

      75f413c324f4b61a524c5330f17cd44019663544

    • SHA256

      cfa91ed5fa38bc5e369b4bf4d59030be432d47b8e2f7e58b9f25c3c034654cc1

    • SHA512

      a01eec4d45c9e27a4e138941851eacaa2c865d27c7d83ce94225a98dd3f80cd4576b5e9738a5d3637084443691a8bb72812c63daddbf098c0d69de92c928c669

    • SSDEEP

      6144:eH7QBEVURAirobeZq26b0FmS3utXig+vQeWXKjkQwLEaoS/V:BBEuR42q26AFmSetX+Qt6LuToS/V

    Score
    5/10
    discoveryupx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral11behavioral12

    • Target

      _003E0000.exe.vir.exe

    • Size

      116KB

    • MD5

      f57d188c4667fab46208396af20badd2

    • SHA1

      367ea268c494d17672ef371adebef0f505c1a804

    • SHA256

      878304de96556ed340f190a9d8b5650dc71512eed4210676560fc41e7ac4857c

    • SHA512

      157615951ccf90c69aaa4e4e1e1f664ffcb6c5817371143ac5bc2dfac04185e57981d50194ad4a1784c29f16211b6a18e9fa085721d05e29ba63377e40dc41a2

    • SSDEEP

      3072:SsB0ura/QOVLLkeyYP1RNDZyuubclhZUnr:Sef7wkey21flyu8+i

    Score
    9/10
    defense_evasiondiscoveryexecutionimpactpersistenceransomware
    behavioral13behavioral14

    • Target

      vmem02.exe

    • Size

      36KB

    • MD5

      ceca6f5828b79d4da88523c4c30d890d

    • SHA1

      3a9197e2105200b5756e3428e7ca4f5dd2b6df23

    • SHA256

      16e42d3e4af4d7de0bc9adfc317a68fffa41feb406e82d870bff657a86ab448e

    • SHA512

      5448036fc6a88d1e6797cb194007327d7f263c8254c0a6463025fc4da1d08fb637ae033aa7da6e6c7f5dfd95aed029ce03c3e0df362f71a0becefe20f58957b2

    • SSDEEP

      768:FtGLOTlOw4qwau28gJV6eRf130SngnM1RLNen+l3:wO5x7waQPeRt3BngMHU+J

    Score
    3/10
    discovery
    behavioral15behavioral16

    • Target

      w8i9eHkHOwWwQlX.exe

    • Size

      1.3MB

    • MD5

      6ec6069728a91a04407283bc6bf208b7

    • SHA1

      5407241081ab23a29acafe11187bc118abdc15b0

    • SHA256

      7910428acb8eb014340219f413e4fcaab9bd31f9664e644fe91dacda9e65470d

    • SHA512

      bb809949f9305d4eed3becd28a254dc0eda7eea925a10548e6e560826ac22c51508a1ef9c9443e3690f98693b9775d238781392c16a0ca27301b5a1880913487

    • SSDEEP

      24576:q9WQitvyUilzOUxaOWk01G4fbu/F41jen6KXYzkEEknJS7DFN4L3GmPA705sCvsF:q9WDAUozOUxaOyGau6I6WPDvlAAoefk1

    Score
    3/10
    discovery
    behavioral17behavioral18

    • Target

      wpbt0.dll

    • Size

      50KB

    • MD5

      df9188698b078a38b399a8b6f61f9c34

    • SHA1

      b221335078e9e368f07b102fccab2c83c4f90a5f

    • SHA256

      9282cdf4c83b4ca8015b0e450ac68c5bb7effe4503d3d34efa2ad496d37d2d26

    • SHA512

      97242771d5c9f864d6f929c141085c718da9642777778228e3a2b072c2137467c6b80fc8c0d439cc5aac0e434a5e6cef13b22b537ab52812de9ed3d98eb6e37b

    • SSDEEP

      768:it81vCu5ZnWpQgUMq9+12GDuRUP6Ez9Ctwgg/wI2oRPfFSTYJa2U:iqOpQCq9+1VDuSVIhJGe

    Score
    10/10
    defense_evasiondiscoverypersistenceupx

    • Modifies WinLogon for persistence

      persistence

    • Impair Defenses: Safe Mode Boot

      defense_evasion

    • Adds Run key to start application

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral19behavioral20

    • Target

      xpiofrbtkzhr.exe

    • Size

      46KB

    • MD5

      25a11c9dd8d3eb6ecf8544e95d866a98

    • SHA1

      b462e8f5a05dba7328885af7646f9229d09656fb

    • SHA256

      6a298fd7189f63d29fb4c4cc342844a98c10945f8e0700363b0d078111568528

    • SHA512

      2483c4b7dad5bf273c955c70716dcb61a7f61ea1047de6f03ab867e549a3791a1c93291ef9d81e6308eecffb3a05f963b45f8b539ab31f84c5520844cb8a8992

    • SSDEEP

      768:1ySfi5TqmFi4tuXnKtgYr/TOsex9PEMBex6BHmRGBNc1uobW80vOA4N:dK5TbUayYLTOh9PEMEx+O150vOPN

    Score
    7/10
    discoverypersistenceupx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral21behavioral22

    • Target

      xxx_video (2).exe

    • Size

      608KB

    • MD5

      2bcae695288cd75a2d71c0dbb69359fd

    • SHA1

      6a0476b62c069d42a2d8290b7d467d8a136312e7

    • SHA256

      d51d08aef8661780261241ddb5bb2617b1fafa1ac1cdcad77e825c16faf48c79

    • SHA512

      a28d5299addd39b0905745889cc478549c295ba9a19d49b1b0fe723840c298d0793203627ea5852e91ed2efc6684d2cf7362ff2958e52eb30c859cab497b0e96

    • SSDEEP

      12288:ao7VLRpB3hC/K+wAN0PdyT9ElIdq5uMumzu5FEiXqv3RZF8N4E:9P5zZI43

    Score
    7/10
    discoverypersistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral23behavioral24

    • Target

      xxx_video.exe

    • Size

      74KB

    • MD5

      ed6cec1486bd9af8a567604112f786bf

    • SHA1

      147b9b965701a42fb6e8088da0abf4eb3b987d1c

    • SHA256

      2a9e5ded530da46678845fc5f3be1f83819b6a255765174eb4ae06ba4abb5b53

    • SHA512

      e8e1ae480b129a9bff0d98c65d212973be9892f4fa103a78bbb275f3d3be7c68e871888dcb73bcdd35c3958f9d7b889671b9d8aadbdc4623c4b4a81ba182805b

    • SSDEEP

      1536:Y4adWLt4aPI7ZPItWEK01i+jmcIJID+U5pnouy8NM:C8LGaPI7ZPItFK0zxIC9noutNM

    Score
    5/10
    discoveryupx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral25behavioral26

    • Target

      xxx_video_26726.avi.exe

    • Size

      62KB

    • MD5

      91096e06bc95a718d0b67661764a92b3

    • SHA1

      a05df3707c71b2cedfb94bb81c6c1af3311be235

    • SHA256

      76520b94f15467309d3ca3d8022bb156e8daa811223774b7a74127881ab50fc0

    • SHA512

      67dd71681bbde5dd5c2972f57930b856c68d90b5cf2f0edbbdfcdf2b6fb5898ff2ecfe58be6aa4aa8b0aa88bacee6a58043fa8733b5b911f2c478f30347e715d

    • SSDEEP

      1536:zX9X3D0CmuUFQArTc+OMnlf5JSVeK69mEgey5O:79n7Urc+dnlB4VzLTw

    Score
    10/10
    discoverypersistenceupx

    • Modifies WinLogon for persistence

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral27behavioral28

    • Target

      xxx_video_35942.avi.exe.vir.exe

    • Size

      52KB

    • MD5

      cc279bf22bc5f3348034cc732db279df

    • SHA1

      1df6eceb7417fdca34ec2e351752e62b9e308bf0

    • SHA256

      0a5506d1867dbb76b428b099b2ae6a3ec0c85ec8dc855b66ae822fcc77ba0f12

    • SHA512

      c76c05b996b13815be43c640773b73e1aaaf34b642502098e0ed736e4dc98ee071a89a4d524a7440a3b2a3fd2d571d0396658070268d1e2e04a5a4e4555c6875

    • SSDEEP

      1536:VxpWSs6Ugax7sR5T3qgWXHYccHbs3CJP0YLI:V7WSs7Fx7sR5joHYcmYk8c

    Score
    10/10
    discoverypersistenceupx

    • Modifies WinLogon for persistence

      persistence

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral29behavioral30

    • Target

      xxx_video_35942.avi_unpacked_.exe.vir.exe

    • Size

      74KB

    • MD5

      af5c2e270346cdb9206ab7c09074a13f

    • SHA1

      b20c204a948da5f41b1cc8c047ca4c410b67f60d

    • SHA256

      2c7a6f717702e2789aa4813bbeef2890edfcb216c0af83ac399015853c057c80

    • SHA512

      dffa29aa1a627455a1d04e86238dbbc52f881281c66f3d278f176794a32ce3a5920a101fff8ae85322d962021a8fb6a1c1ac96a2a2fd382f407cb3ce6ae58310

    • SSDEEP

      768:V7B7vOri/ija+1IqhZ9o9nn6vRhwXzqaRMicwVSeRSNRGfbxuuNtpzWLhp4oQsSJ:V7B7vyDo9nadaRuwweBzxJWLv6smf

    Score
    10/10
    discoverypersistence

    • Modifies WinLogon for persistence

      persistence

    • Event Triggered Execution: Image File Execution Options Injection

      persistence
    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Direct Volume Access

1
T1006

Impair Defenses

1
T1562

Safe Mode Boot

1
T1562.009

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

5
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Tasks

static1

upxxorist
Score
10/10

behavioral1

discovery
Score
3/10

behavioral2

discovery
Score
3/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discoverypersistence
Score
10/10

behavioral6

discoverypersistence
Score
10/10

behavioral7

discoveryupx
Score
5/10

behavioral8

discoverypersistenceupx
Score
7/10

behavioral9

discoveryupx
Score
5/10

behavioral10

discoveryupx
Score
5/10

behavioral11

discoveryupx
Score
5/10

behavioral12

discoveryupx
Score
5/10

behavioral13

defense_evasiondiscoveryexecutionimpactpersistenceransomware
Score
9/10

behavioral14

discoverypersistence
Score
7/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
3/10

behavioral17

discovery
Score
3/10

behavioral18

discovery
Score
3/10

behavioral19

defense_evasiondiscoverypersistenceupx
Score
10/10

behavioral20

defense_evasiondiscoverypersistenceupx
Score
10/10

behavioral21

discoverypersistenceupx
Score
7/10

behavioral22

discoverypersistenceupx
Score
7/10

behavioral23

discoverypersistence
Score
7/10

behavioral24

discoverypersistence
Score
7/10

behavioral25

discoveryupx
Score
5/10

behavioral26

discoveryupx
Score
5/10

behavioral27

discoverypersistenceupx
Score
10/10

behavioral28

upx
Score
5/10

behavioral29

discoverypersistenceupx
Score
10/10

behavioral30

upx
Score
5/10

behavioral31

discoverypersistence
Score
10/10

behavioral32

discoverypersistence
Score
10/10