Overview
overview
10Static
static
3cerber.exe
windows7-x64
10cerber.exe
windows10-2004-x64
10cryptowall.exe
windows7-x64
9cryptowall.exe
windows10-2004-x64
3jigsaw.exe
windows7-x64
10jigsaw.exe
windows10-2004-x64
10Locky.exe
windows7-x64
10Locky.exe
windows10-2004-x64
10131.exe
windows7-x64
1131.exe
windows10-2004-x64
3Matsnu-MBR...3 .exe
windows7-x64
7Matsnu-MBR...3 .exe
windows10-2004-x64
3027cc450ef...d9.dll
windows7-x64
10027cc450ef...d9.dll
windows10-2004-x64
10027cc450ef...ju.dll
windows7-x64
10027cc450ef...ju.dll
windows10-2004-x64
10myguy.hta
windows7-x64
10myguy.hta
windows10-2004-x64
10svchost.exe
windows7-x64
7svchost.exe
windows10-2004-x64
7Ransomware...oad.sh
windows7-x64
3Ransomware...oad.sh
windows10-2004-x64
3Ransomware...est.py
windows7-x64
3Ransomware...est.py
windows10-2004-x64
3Ransomware...st2.py
windows7-x64
3Ransomware...st2.py
windows10-2004-x64
3Ransomware...rna.py
windows7-x64
3Ransomware...rna.py
windows10-2004-x64
3General
-
Target
Ransomware-master.zip
-
Size
12.9MB
-
Sample
241128-2gc4astjdt
-
MD5
255ffabf0788a28c52889e9f9675c9dc
-
SHA1
4c61f9e16df1705db48ee91ec1a2ab3d84e2f107
-
SHA256
3e2ba9a25e9891c6dcb75ad73c1262d523e09f0eb3d095ede9ea9d11f42ebc28
-
SHA512
ccfbf169a47f7bcb653fa04b0b0b10762a594a703eae14f56bb6e0bb2e3ab0b7ee4b3a2c14ade7ee6509fcabfed1a5a4da2e7bf035295e797eba8140079eef3d
-
SSDEEP
393216:CMa/Yi2nfFSrjISVemu/GyBSFb+JYSWTmZ:CMaUnnlmk+bDSWs
Static task
static1
Behavioral task
behavioral1
Sample
cerber.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
cerber.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
cryptowall.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
cryptowall.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
jigsaw.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
jigsaw.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Locky.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
Locky.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
131.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
131.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
myguy.hta
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
myguy.hta
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
svchost.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
svchost.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
Ransomware-master/etc/load.sh
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
Ransomware-master/etc/load.sh
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
Ransomware-master/test.py
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
Ransomware-master/test.py
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
Ransomware-master/test2.py
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
Ransomware-master/test2.py
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
Ransomware-master/warna.py
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
Ransomware-master/warna.py
Resource
win10v2004-20241007-en
Malware Config
Extracted
C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___MMBXD_.txt
cerber
http://p27dokhpz2n7nvgr.onion/A1E8-9D40-2CDD-0446-9DB6
http://p27dokhpz2n7nvgr.12hygy.top/A1E8-9D40-2CDD-0446-9DB6
http://p27dokhpz2n7nvgr.14ewqv.top/A1E8-9D40-2CDD-0446-9DB6
http://p27dokhpz2n7nvgr.14vvrc.top/A1E8-9D40-2CDD-0446-9DB6
http://p27dokhpz2n7nvgr.129p1t.top/A1E8-9D40-2CDD-0446-9DB6
http://p27dokhpz2n7nvgr.1apgrn.top/A1E8-9D40-2CDD-0446-9DB6
Extracted
http://french-cooking.com/myguy.exe
Extracted
http://french-cooking.com/myguy.exe
Extracted
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___OO7EZK42_.txt
cerber
http://p27dokhpz2n7nvgr.onion/F88E-BF91-A8BD-0446-95E7
http://p27dokhpz2n7nvgr.12hygy.top/F88E-BF91-A8BD-0446-95E7
http://p27dokhpz2n7nvgr.14ewqv.top/F88E-BF91-A8BD-0446-95E7
http://p27dokhpz2n7nvgr.14vvrc.top/F88E-BF91-A8BD-0446-95E7
http://p27dokhpz2n7nvgr.129p1t.top/F88E-BF91-A8BD-0446-95E7
http://p27dokhpz2n7nvgr.1apgrn.top/F88E-BF91-A8BD-0446-95E7
Extracted
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___6T95GWH_.hta
cerber
Targets
-
-
Target
cerber.exe
-
Size
604KB
-
MD5
8b6bc16fd137c09a08b02bbe1bb7d670
-
SHA1
c69a0f6c6f809c01db92ca658fcf1b643391a2b7
-
SHA256
e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678
-
SHA512
b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24
-
SSDEEP
6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01
-
Cerber family
-
Blocklisted process makes network request
-
Contacts a large (1097) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Drops startup file
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
-
-
Target
cryptowall.bin
-
Size
240KB
-
MD5
47363b94cee907e2b8926c1be61150c7
-
SHA1
ca963033b9a285b8cd0044df38146a932c838071
-
SHA256
45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d
-
SHA512
93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068
-
SSDEEP
3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
jigsaw
-
Size
283KB
-
MD5
2773e3dc59472296cb0024ba7715a64e
-
SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859
-
SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
-
SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262
-
SSDEEP
6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX
Score10/10-
Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
-
Jigsaw family
-
Renames multiple (2029) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
Locky
-
Size
180KB
-
MD5
b06d9dd17c69ed2ae75d9e40b2631b42
-
SHA1
b606aaa402bfe4a15ef80165e964d384f25564e4
-
SHA256
bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3
-
SHA512
8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c
-
SSDEEP
3072:gzWgfLlUc7CIJ1tkZaQyjhOosc8MKi6KDXnLCtyAR0u1cZ86:gdLl4wkZa/UDiD7ukst1H6
Score10/10-
Locky family
-
-
-
Target
131.exe
-
Size
2.3MB
-
MD5
409d80bb94645fbc4a1fa61c07806883
-
SHA1
4080bb3a28c2946fd9b72f6b51fe15de74cbb1e1
-
SHA256
2ecc525177ed52c74ddaaacd47ad513450e85c01f2616bf179be5b576164bf63
-
SHA512
a99a2f17d9fbb1da9fb993b976df63afa74317666eca46d1f04e7e6e24149547d1ac7210f673caeae9b23a900528ad6ad0a7b98780eff458d3d505029a06e9ba
-
SSDEEP
49152:XM16E7qUoM5NWX7DP+1egOhcraQzK6j97V:c16/rM5oW1ZrRz
Score3/10 -
-
-
Target
Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_
-
Size
102KB
-
MD5
1b2d2a4b97c7c2727d571bbf9376f54f
-
SHA1
1fc29938ec5c209ba900247d2919069b320d33b0
-
SHA256
7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e
-
SHA512
506fc96423e5e2e38078806591e09a6eb3cf924eb748af528f7315aa0b929890823798a3ef2a5809c14023c3ff8a3db36277bc90c7b099218422aafa4e0c2ee0
-
SSDEEP
1536:jj+Rj1lGIXKSmE17v97yiqHGMRPtbsLW8/V2k12v1/BDxVyCfCrCAc:jjw6Sf0iqmMnb2W02v3mCf4Nc
Score7/10-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
027cc450ef5f8c5f653329641ec1fed9.exe
-
Size
353KB
-
MD5
71b6a493388e7d0b40c83ce903bc6b04
-
SHA1
34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
-
SHA256
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
-
SHA512
072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
-
SSDEEP
6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG
-
Mimikatz family
-
mimikatz is an open source tool to dump credentials on Windows
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.bin
-
Size
353KB
-
MD5
71b6a493388e7d0b40c83ce903bc6b04
-
SHA1
34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
-
SHA256
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
-
SHA512
072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
-
SSDEEP
6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG
-
Mimikatz family
-
mimikatz is an open source tool to dump credentials on Windows
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
myguy.hta
-
Size
13KB
-
MD5
0487382a4daf8eb9660f1c67e30f8b25
-
SHA1
736752744122a0b5ee4b95ddad634dd225dc0f73
-
SHA256
ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6
-
SHA512
e1e7d81d54efd526139ea8ac792ed2035c8e70f040319c0b65f723431d31077c7a6927553890c99151f2354f51c4020ed94e0e2e5d56386c2fc4828e95869106
-
SSDEEP
192:ScIsmNvaHz65bP/U/njs3NH0Z0UvDVE6Az6XVHBycT6iLMUpJ2seCYHlfeb:SPXTmnjs3BU9A27BNLMUTb
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
svchost.exe
-
Size
704KB
-
MD5
d2ec63b63e88ece47fbaab1ca22da1ef
-
SHA1
dd52fcc042a44a2af9e43c15a8e520b54128cdc8
-
SHA256
e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5
-
SHA512
89d9e63d5f3b34be3d25317933031815a42c039fbee30ce8c86f8b1b7c6ca9ccfc8731da99b9246381a2c05a95ada423f4944ff72111eb0451a44e9dcb3e053e
-
SSDEEP
12288:rue4X2Uz0DsetgxLdsCHvX8XYJWs6XS1bFLDw1P86jZpMV7uikFg:v+2UzSgxLdsCHmQb6XSbFLDs06jZulus
Score7/10-
Drops startup file
-
Drops desktop.ini file(s)
-
-
-
Target
Ransomware-master/etc/load.sh
-
Size
4KB
-
MD5
8f14e34971812277edeb8a31376cb27a
-
SHA1
5a96858d0d97ca1e229a1270d1a34a09c3c677ea
-
SHA256
1a275cbf23a5a5620d40cda6bd3f621a48d7b2119b2c8bf97b87a97f83933e85
-
SHA512
a63a692e0d63944ee9824578b52f7eb41fd9d9f7e3414d22cb3b81f337571f0c8720672866f4f534eb1c7f3c87662b120addff038806363f3ccaf86a69949ca4
-
SSDEEP
96:v7fGWJIKNsm/kgrkSYpJhc0P+Z6psE8Gkh+mKuc3nWX5neEpT2:vbdp1fY3hlaG1kh+mjcm4EU
Score3/10 -
-
-
Target
Ransomware-master/test.py
-
Size
186B
-
MD5
f5c90d7b70869e8de04c7d7e3051dea9
-
SHA1
93cf6fd3b58cfa7e9ccb7c88bd2cccd65a4d4be7
-
SHA256
4bfe4b8e987cae3539dddec1fc0732a7b1195768f0c8ff3352dccd4fa76bc249
-
SHA512
64d5aaaa1bcbb17eff100bc83d1020660b6e4b6734f99bd5017e0d895753b70619bafd63809b72768815ce1ad1cc80fecd41e8414b1498201bd310dfed213d25
Score3/10 -
-
-
Target
Ransomware-master/test2.py
-
Size
554B
-
MD5
dc42f74575c40fc6c90d73b747df6803
-
SHA1
ff5d98b1f959810719299c5fb0042436634b1999
-
SHA256
d1f9f5e30ac4d8d5771af930b15a51fb040cb1a2b84c7b7feeebb7e4d5fdc1bb
-
SHA512
d4a311676aa16d11f678eaf32e5ee4c18ba2f3beab0d494e09ae6a8214575d5178b9de7126131ad0d5da909594a4e0dbbb791ebed62550b9080cf2a8fb78bb9e
Score3/10 -
-
-
Target
Ransomware-master/warna.py
-
Size
650B
-
MD5
19522678240a7e6d1e5531ed275b6a64
-
SHA1
01653b2ca19505c7e9a7972df2e7d6784cc627b6
-
SHA256
6986bfb870797a56611749719d8aabfdfcf272392765692a15c065c42f88c3cf
-
SHA512
8f2d1efd81a4bafa8d3a50fce740514469a7ccdb2d68f908b9e86d1714ca605525e75a5f0f5ac9dd798299db75810bdf0d06f88e0103609b4d0843ff12d24292
Score3/10 -
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Direct Volume Access
1Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
2File Deletion
2Modify Registry
3Pre-OS Boot
1Bootkit
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1