Resubmissions

  • 25-01-2025 02:46  250125-c9q37atjcn  9

  • 24-01-2025 23:20  250124-3bhbhavpfp  9

General

  • Target

    file.zip

  • Size

    86.1MB

  • Sample

    250125-c9q37atjcn

  • MD5

    014581b072212dbe584d2ce1ebc1dbf6

  • SHA1

    fd83107d694b8ee625f0b246e3d66b4b4ceb60f5

  • SHA256

    467f66d64ac576529234ed7cc6048515a5c7cfe476537949422141286a47730c

  • SHA512

    df087e238e9ef346051e7fc9a642493d3b117322a8393fa797d97b350e9098224a8046691d317dacf3ab9b86753b2f8beeb2a0d3370bd006dc48982dacfef339

  • SSDEEP

    1572864:qTvIYVPtGwMT98edQb4NboUhlPklxGjHzIYyjRkpGfXYPpxLT:azKy8Q+ogklxQrytrQ7T

Malware Config

Targets

    • Target

      DECRYPT.exe

    • Size

      21.8MB

    • MD5

      841e54e543dfdaba4f4e8b4e38942d1e

    • SHA1

      f87b4f5ce54bf446e3c7e4beb32870641f30cefa

    • SHA256

      17b697a8b157e4c40c5e970cf895528784732c8a2e48dbc71c8fa174b4aacd1c

    • SHA512

      a2d968ec4f33fa4a27984b9c92b9e05b128409ca8d89a75525afc57710534fadb70223d52ef1eeb8dd3e891392c58c385901a5260a5d2baca1413fac291fd0ac

    • SSDEEP

      393216:xFaSF52WFt4BV/TbyG7QZDB9jezK0feetyKyBZcbwEskKNW+GJW2a6C:xFtfF2NPyV17uK0fxtyC3KN+JWrj

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      ENCRYPT.exe

    • Size

      64.5MB

    • MD5

      2c94c25286ed06ec9a5cacdb11013cf6

    • SHA1

      bd8a5e8d64bf79e0519c3bbba9ba40f203a15179

    • SHA256

      65731c5e9dd98ef1556457d9af51d37aae22658a45c1b7add4590f6aa3bd6a96

    • SHA512

      dc7bdfa7c9fdd1689697fcbe19bac822cf5c86ff0b2cff37465b6be5b535db59cf670d679075d1b0aee01776d8f5311a513f3b3c6f61bb40aab7b1da790175d0

    • SSDEEP

      1572864:cvIuV4GPk86ImGUDI4arnlGFO6VL3MegFfI1F:mhV4GWIqI4acOdtM

    • Renames multiple (13573) files with added filename extension

      Mass renaming with a new extension appended is consistent with ransomware encrypting files across the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser profile data, which can include saved credentials, cookies and session tokens.
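The "Renames multiple files with added filename extension" signature above is a behavioural heuristic: one process appends the same extension to a large number of files in a short window. The following is an added example of that heuristic, written for this page and not part of the Triage report or of the samples it describes. The event shape (pid, image, old path, new path), the `.enc` extension, the threshold of 50 renames and the input events are all constructed assumptions; the report itself only states that 13573 files were renamed and does not name the extension.

```python
"""Flag processes that rename many files by appending one extra extension.

Added example for the sandbox signature 'Renames multiple files with added
filename extension'. The event fields, the extension '.enc' and the sample
events below are constructed for illustration; nothing here is taken from
the analysed binaries.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple
import ntpath


@dataclass(frozen=True)
class RenameEvent:
    """One file-rename event (shape modelled on Sysmon-style telemetry; assumed)."""
    pid: int
    image: str
    old_path: str
    new_path: str


def appended_extension(old_path: str, new_path: str) -> Optional[str]:
    """Return the appended suffix (including its dot) when new_path is
    old_path with exactly one extra extension in the same directory,
    e.g. report.docx -> report.docx.enc. Otherwise return None."""
    old_dir, old_name = ntpath.split(old_path)
    new_dir, new_name = ntpath.split(new_path)
    if old_dir.lower() != new_dir.lower():
        return None  # moved elsewhere: not the pattern we are looking for
    if not new_name.lower().startswith(old_name.lower() + "."):
        return None  # renamed to something else, or extension removed
    suffix = new_name[len(old_name):]
    # Exactly one new segment: '.enc' matches, '.' or '.a.b' do not.
    if len(suffix) < 2 or suffix.count(".") != 1:
        return None
    return suffix


def detect_mass_rename(events: Iterable[RenameEvent], threshold: int = 50,
                       min_extension_share: float = 0.9) -> Dict[int, Tuple[str, int, str]]:
    """Return {pid: (image, rename_count, dominant_extension)} for every
    process whose appended-extension renames reach `threshold` and where a
    single extension accounts for at least `min_extension_share` of them.
    The threshold and share are tuning assumptions, not report values."""
    per_pid: Dict[int, Counter] = defaultdict(Counter)
    images: Dict[int, str] = {}
    for ev in events:
        ext = appended_extension(ev.old_path, ev.new_path)
        if ext is None:
            continue
        per_pid[ev.pid][ext.lower()] += 1
        images[ev.pid] = ev.image

    hits: Dict[int, Tuple[str, int, str]] = {}
    for pid, counter in per_pid.items():
        total = sum(counter.values())
        ext, top = counter.most_common(1)[0]
        if total >= threshold and top / total >= min_extension_share:
            hits[pid] = (images[pid], total, ext)
    return hits


# Constructed sample telemetry: one process appends '.enc' to 120 documents,
# while other processes perform ordinary, low-volume renames.
SAMPLE_EVENTS = [
    *(RenameEvent(4120, r"C:\Users\victim\Desktop\ENCRYPT.exe",
                  rf"C:\Users\victim\Documents\report_{i:03d}.docx",
                  rf"C:\Users\victim\Documents\report_{i:03d}.docx.enc")
      for i in range(120)),
    RenameEvent(2200, r"C:\Windows\explorer.exe",
                r"C:\Users\victim\Desktop\New Text Document.txt",
                r"C:\Users\victim\Desktop\notes.txt"),
    RenameEvent(3300, r"C:\Program Files\Editor\editor.exe",
                r"C:\Users\victim\Documents\budget.xlsx",
                r"C:\Users\victim\Documents\budget.xlsx.bak"),
    RenameEvent(3300, r"C:\Program Files\Editor\editor.exe",
                r"C:\Users\victim\Documents\plan.docx",
                r"C:\Users\victim\Documents\plan.docx.bak"),
    RenameEvent(5100, r"C:\Program Files\Browser\browser.exe",
                r"C:\Users\victim\Downloads\setup.exe.part",
                r"C:\Users\victim\Downloads\setup.exe"),
]

if __name__ == "__main__":
    for pid, (image, count, ext) in detect_mass_rename(SAMPLE_EVENTS).items():
        print(f"pid {pid} ({image}) appended '{ext}' to {count} files")
```

The share check keeps a process that appends one consistent extension (the ransomware pattern) apart from a backup or build tool that adds varied suffixes. The heuristic does not catch families that overwrite files in place without renaming them, so in production it belongs alongside entropy or write-volume checks rather than on its own.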

MITRE ATT&CK Enterprise v15

Tasks