Extracted

• • Target

    HEUR-Trojan-Ransom.Win32.Generic-150200c3b5cd1afd87110cc2ce0002bc3bb1590cf91bbc17e2ade2824e38d0cc.exe

  • Size

    1.3MB

  • MD5

    b5fcddeec6422bec63cbd59d4d0aaeab

  • SHA1

    2fb1cbec471ba7f0859e2a804e4cd51fb6b0be54

  • SHA256

    150200c3b5cd1afd87110cc2ce0002bc3bb1590cf91bbc17e2ade2824e38d0cc

  • SHA512

    825706455bcfcbfe9186f9030229f8d6aa64555803ff2f0ff8723f05b50511e9d889e4a8ebc2bbffff573930b07fe6b41b577d43262490032646d01d47918c55

  • SSDEEP

    24576:XN4EfsPHd9VbyiKSnKMnsNneRWrN2jHwTxbMmgCyq3eca44zpRPtHS:9z0/0iKSnKYsNn4WZ2LwQNGeca4aPl

  Score

  10^/10

  ouroboroscredential_accessdefense_evasiondiscoverypersistenceprivilege_escalationransomwarespywarestealerupx

  • Ouroboros family

    ouroboros

  • Ouroboros/Zeropadypt

    Ransomware family based on open-source CryptoWire.

    ransomwareouroboros

  • Renames multiple (651) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Drops file in Drivers directory

  • Manipulates Digital Signatures

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Modifies Windows Firewall

    defense_evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops desktop.ini file(s)

  • Drops autorun.inf file

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2