Resubmissions

  • 28/03/2025, 16:52  250328-vdc6kazry9  9

  • 24/03/2025, 22:22  250324-2aphra1jx7  10

General

  • Target

    Batch_2.zip

  • Size

    6.0MB

  • Sample

    250328-vdc6kazry9

  • MD5

    4b0434ee95a7ed21bd35a7824360f6e6

  • SHA1

    595bca71378490bd11db6237735c4ab524b43cc6

  • SHA256

    8b0f9d248e67199bb7f1a778a03e4caee7d267e61d8a7d70fa1c1f6d7944e96a

  • SHA512

    1b35d0d0304a52a13d41e0ed979fee45d1b238df7a0ab6d9ee590cda33da4c4bceb44c2bd567763eb54e893882853b81aff42a2386b8b1c05c7dcfc07173cf4c

  • SSDEEP

    196608:KpdJTVD7+Ts66FiucqX0gJqSrjj56onVjnqK1prd:cdJV7+AKucqEgMwXoshTprd

Malware Config

Targets

    • Target

      30bc4934d7e29c8c4c4c9be0510fc7558fddf8db666a0343784c5cf1587b3af0.exe

    • Size

      184KB

    • MD5

      ee041688d36494fdddf710a3ddb873bd

    • SHA1

      1a93d78c2b2262c02e1fffd54d3f5f4aa8400b76

    • SHA256

      30bc4934d7e29c8c4c4c9be0510fc7558fddf8db666a0343784c5cf1587b3af0

    • SHA512

      c76e2b1bcdc179e358c159c87dde5c185cdec3659e7c33db686f04e3845547ef489ce600a51e99e10b26b0d33fbdca25edf2e1b9dbb81d4ed7f845c9167a17e0

    • SSDEEP

      3072:zsj3FGQtB/fDq/8QJ+mkkk9mADOS0WlbEJV1OaqpEZtBgoh1vErXhcKrWfyB:gj3cQtB/fFQJekHSLbAxpmcKrW

    Score
    6/10
    • Drops desktop.ini file(s)

    • Target

      338fdf3626aa4a48a5972f291aacf3d6172dd920fe16ac4da4dd6c5b999d2f13.exe

    • Size

      6KB

    • MD5

      f297544a20bda66ee6f98e3dc91060c6

    • SHA1

      3e140a5df3161ff5d3935b1139275e07903cfff5

    • SHA256

      338fdf3626aa4a48a5972f291aacf3d6172dd920fe16ac4da4dd6c5b999d2f13

    • SHA512

      3f626ba5a5153a0a0a0d7b09e810689f5c79e9d0d017bb639fbc18b3d0c052ad179bb994b4fb25f0030c06bb8b741819620e65622c6bc47584ca24e2520c78a7

    • SSDEEP

      96:lia+ERqIgNI9X6xIzKSnjeKk/GJi/T9oCN1GzNt:liauIq/SnjC/VpRQ

    Score
    1/10
    • Target

      342933cb4cbb31a2c30ac1733afc318a6e5cd0226160a59197686d635ec71b20.exe

    • Size

      1.2MB

    • MD5

      a393b9536a1caa34914636d3da7378b5

    • SHA1

      5aced706d9f6a0bb6a95c8bdf1e123485219a123

    • SHA256

      342933cb4cbb31a2c30ac1733afc318a6e5cd0226160a59197686d635ec71b20

    • SHA512

      4ac4b2c2f87d305f3073f79136cec44cacca296f75451c6d67653b9de4a2b871409a11631e5ff5d76478c3043e5f47040e72e2f86db1536079f586c12ebd42de

    • SSDEEP

      12288:2CdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsUBgac9Q9bNHTQx:2Cdxte/80jYLT3U1jfsWakQpNHTQx

    • Renames multiple (402) files with added filename extension

      This suggests ransomware activity: the files across the system are being encrypted and renamed.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      343ace5874a5854858e11e6c196007bffc045717ed29db9b03f23d01568e8303.exe

    • Size

      510KB

    • MD5

      565dacda99cc8d28d3e650b4d85e8d24

    • SHA1

      6c5f2ab498ae16332a3863e45d35e47e1aabe001

    • SHA256

      343ace5874a5854858e11e6c196007bffc045717ed29db9b03f23d01568e8303

    • SHA512

      534eeda2e7c99ffef2bf023aa3f68739953ecbdfabcd57ad41af08c8c563fe27f7f8be04e80bdc2904ed0632984968551ddb107917fbe6dfc7a0e704af313946

    • SSDEEP

      12288:M7iBDowvTfS6ublBri5g3D7eJit/mUZ5jI0B57g3l1TV0:/EkStbjfdteUZ+0BQ7TV

    • Disables Task Manager via registry modification

    • Event Triggered Execution: Image File Execution Options Injection

    • Executes dropped EXE

    • Modifies system executable filetype association

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      34818CE171EA150B91429AC1DD6FBE49.exe

    • Size

      170KB

    • MD5

      34818ce171ea150b91429ac1dd6fbe49

    • SHA1

      765f7cea9ae6e126181e5a78b897304913530d4d

    • SHA256

      502386cb2288ce85af522da55916b5a05c71d9a32a80cec396bc4cdd0e0ac665

    • SHA512

      e44b009eef9710787ddf63d5038e15112969ef5ac952520f772b5ab78dfe57c42f7562044642f573c9480c76569ef9a7912cc5cd1b0472e4d61c25e79a03bfb0

    • SSDEEP

      3072:xUiScf7Taa44mVg6zMe4sfPZfE8dreM9aSW3OKojVbc7n4CRWLvSFlp6+qvv1:xUUm4mG6zwQLaM9aKjRg0SLlK1

    • Target

      360390_crypt.exe

    • Size

      2KB

    • MD5

      955fc65f54fa12afaa5199585d749e67

    • SHA1

      b4b401f7ce39cdc1444c7505206f22e2d8177336

    • SHA256

      286f57eb83302eaee7fda4836e4197136f7f9de0b6e4ff3df7649e3bf2f82389

    • SHA512

      d9b35e6e92af712586424228986b9a45dea5ac1b7e54bcaecc6b24d558589d4fb1976c66f11de591be2855b0900bfb0b111bad3b0c1e81f62387f1d3f725245a

    Score
    3/10
    • Target

      360390_tree.cmd

    • Size

      15KB

    • MD5

      49163792f3b8c4f62018670033e9fc82

    • SHA1

      f2d8da51a9371cebc0fd41cb3d86f3768e791fae

    • SHA256

      4637c6b332d640450e7cb3ae6a6b0d7d4451454770699acf364d855e28805267

    • SHA512

      2fd7a02da20ca41c27b30f272bbf3bb186187492fc927a9dc8c7ea36b22c9e8ac6906428cab27eb7f907a21f352a2c7ed6ce60e48e0d9c35238a71ee8be6efad

    • SSDEEP

      192:iJCJ+JGJ6JaJeJWJSJSJeJ2J2bJ6JeJGJiJiJ+JmJ6JaJeJWJSJSJ05:iIU8Ao8Ug4UMcbYM0goUcAIcUg4C5

    Score
    7/10
    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Target

      3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe

    • Size

      516KB

    • MD5

      b2b0e6184b82144f65389d39f1eadd0d

    • SHA1

      17311fb1fb33da5f303ae30ee7b4b60b80985d2e

    • SHA256

      3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db

    • SHA512

      d1abc2c74aa2bad9ac8a59c1552904e6d65717786ed7a193c4fcda23218371bcad0953848f1e1c5b9df50a86e2549c6da35c6e372366826dc25f042107a8babb

    • SSDEEP

      12288:j3nZMhJ+ubNmzdCanVtkEY70mOpFRxd/GAXl0xtiNe96bgRO:j3nZqfbkzkcvElOpPj/DA2+6ERO

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Network Share Discovery

      Attempts to gather information about the host's network shares.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Target

      3a061ee07d87a6bb13e613e000e9f685cbffb96bd7024a9e7b4cb0be9a4af38c.exe

    • Size

      831KB

    • MD5

      093e50c2d493f7300abcbfc4ed40c955

    • SHA1

      8ffa33374b41c1ff4a209de04badac2c51fcd081

    • SHA256

      3a061ee07d87a6bb13e613e000e9f685cbffb96bd7024a9e7b4cb0be9a4af38c

    • SHA512

      2e086b06c64c610971e804365394b6e1607eff7036ae43dca7f49104086c2a57e1a8360959e3ffce6efb034044a3326feb3ffa7331ee5993ceb92f8f1ccf1166

    • SSDEEP

      12288:DWvcsSHPUCdmmBeBCvxg1AcqY+4w5sZLZWp9VR3kb5L+s5ENOeQiV1Li/k6Xm:eummBqaJG7qRGLeYeXV1i/kS

    Score
    3/10
    • Target

      3af4fa2bffaab37fd557ae8146ae0a29ba0faf6d99ad8a1a8d5bf598ac9a23d1.exe

    • Size

      603KB

    • MD5

      1a81ed9b043c7bffb1177a4d13dd8065

    • SHA1

      c47711d08eaa7dea7299bc205b86e99dd3c40fcc

    • SHA256

      3af4fa2bffaab37fd557ae8146ae0a29ba0faf6d99ad8a1a8d5bf598ac9a23d1

    • SHA512

      b5842a22df1c77c49b86e348008b8eeb8f295d6b34f93c0ed8ea1b0edfdaeacb2446cf952de7b2fc7a5943e22495caf3f68f893809919376642e91103cfcd041

    • SSDEEP

      6144:QuML75oIlCGJPY2Z2AlptXbgz0+Q4odCGfTnpbEdd/fudqsa0jucQgBMacCGNoEx:koHEHblpWz0jPLhEfgP6WMDoEOYQwfE

    Score
    3/10
    • Target

      3bb691982de416a7a4e57b91211e80bea82dcca7b4bdbf25c0c80451dc138421.exe

    • Size

      205KB

    • MD5

      458c1cbd0ff849119214e739d8815f37

    • SHA1

      64d26b1614693f15bed6bd4f4d2a6a35b2c4bc9f

    • SHA256

      3bb691982de416a7a4e57b91211e80bea82dcca7b4bdbf25c0c80451dc138421

    • SHA512

      695f17ca034f7c894bb87bf04db20a2387f144ade77188f497870d3711d0871c721b86327769cd393366b162229ad649671e111aa5b5b80d676156f47ededd08

    • SSDEEP

      6144:JJOIZvsEy+fDjKSGXwLfjFU/coiqilMi:JJOIKEy+ffKerjFtoiLMi

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      3e3f980ab668ccde6aafee60ce16e3c35cd91e9b59bff20ce1615d5fb362a458_Dumped_TDS=4FBA3695.exe

    • Size

      72KB

    • MD5

      facdc4646b7f1876349cf72d6490f1d4

    • SHA1

      27bfa893b2f73ed61764a2f2f3bfa0b03b5f76fa

    • SHA256

      fef9c6c514e2ee00b96f6d33026f91080e43ed854d3aff103826d5063c9e7778

    • SHA512

      8a8f08230ced45ed6e06351ee5c2ae5afe2e52a7a0284fbe74474cb9aab848a5e4226d041f4c3d50ab45c855d627e5e581a4fb66c43ace6c4ab092597985aa4a

    • SSDEEP

      768:Fchho/bbYYwktIZwTUtv3h12jG6hdYWnXAjpWTbBbIKP077hPsxPaq77tiy/r:KjoDMYwEINR8j/Yu2pqOd77hPxy

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Target

      3e3f980ab668ccde6aafee60ce16e3c35cd91e9b59bff20ce1615d5fb362a458_TDS=4FBADA26.exe

    • Size

      52KB

    • MD5

      ca61cd4036c218e8197896c5b97515dc

    • SHA1

      26520452eda2e766052d35630e59ecf7ce8de629

    • SHA256

      9118d694540722bf703ae0b0e7fdfd5d04878fc289615bbed9aeea524535ec9c

    • SHA512

      4528291fe2a96ede9a886b579b40923d7d0951b59e6bc51a397db84c413854a213a68e0abe6c0a4aece80101167527f2b1cce0a08c5ba2539de9a0e0c1cb103f

    • SSDEEP

      768:lGUGWHeFkc68dT0Ju3GBZJBATs6lV3jWpG0R5Kb8AD:lBJeKO10JWKCIesPrK8

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Target

      3e75e8238a6bbd8817164658696198af_72889f61171de37d6b4d59016c55ec52__2.exe

    • Size

      244KB

    • MD5

      3e75e8238a6bbd8817164658696198af

    • SHA1

      3c0246b41063f5ea26de9d96301774836270eff3

    • SHA256

      669ae51d73a3fac117ec39195efb969cb41a16fadecfe412ad83b767b25ae2ae

    • SHA512

      7e0ba0eac7395162c071fd21bd9b525de6df25067c01dbda28e1d33072159b9c4c40ec87e52e9abe1b186aaaef36f0de728f1849f566fb4c2d42a620da6d65af

    • SSDEEP

      3072:JrwLB3HRdkT9MyJHT+/PBuZqWq6aIDMVV3dWklykCbZx5:Jrw5HjkT9MyJHeBuZh3DMVNbykgZx

    Score
    6/10
    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      400cad56ff3d210346cf6c4795aeb607e5b211b3dc4a8421b9437621c254239a.exe

    • Size

      1.9MB

    • MD5

      b2db12c684763da2cba50c6346376ef5

    • SHA1

      f186ccba2d7566968b8d14552e7dd3e6898c35f4

    • SHA256

      400cad56ff3d210346cf6c4795aeb607e5b211b3dc4a8421b9437621c254239a

    • SHA512

      db2be27e5bc919bff1f8c58b9d66a9767f15731391cdc1a185755016b17461d8c7c77b62ecace75cc226011537a0dc3de6e9b38fef5a1f2db20d0bebc203abfa

    • SSDEEP

      12288:uNE0rbJMurexwCPEbA0RgxegWWDeNNU1TH1wd6PO:RxSb5REjSNIVwd6W

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Adds Run key to start application

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Target

      40b3cb2a210fafdaabdebefe1430862bd1192a80fcde84f51ceb387136d1410c.exe

    • Size

      268KB

    • MD5

      12666b5054cc0cb62cf758736340c1bc

    • SHA1

      0f9ec608413918adef409e8e97612b6e71fd1bc7

    • SHA256

      40b3cb2a210fafdaabdebefe1430862bd1192a80fcde84f51ceb387136d1410c

    • SHA512

      df49dbcd1f2f0bf0d0129cb4e5dd343fc9fba1b46a7fc24db3e1fd560816ae86e79c360873ac06c62876051f622a9a54a327c3aa3019ecdad4a32f9dc9a68a77

    • SSDEEP

      6144:1AZMCVtysJu4wCZt953XCWSntmb6IEACyoO+:u2wXCBWLEA5n+
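A parser for the target listing above, as an added example (not the sandbox vendor's code): it turns each block into a record, validates the hash fields, and cross-checks hash-named files against their computed hashes. That check separates expected cases (the `_Dumped_` file above is a memory dump whose name carries the original sample's SHA256, so its own SHA256 differs) from genuinely mislabelled uploads. The embedded input is two blocks copied from this page with blank lines dropped; the function names are mine.

```python
import re

# Field names the report uses per sample; any other bulleted line is a signature.
FIELDS = {"Target", "Size", "MD5", "SHA1", "SHA256", "SHA512", "SSDEEP"}
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed input: two target blocks copied from the report (blank lines dropped;
# the parser ignores them anyway).
SAMPLE = """\
• Target
3e3f980ab668ccde6aafee60ce16e3c35cd91e9b59bff20ce1615d5fb362a458_Dumped_TDS=4FBA3695.exe
• Size
72KB
• MD5
facdc4646b7f1876349cf72d6490f1d4
• SHA1
27bfa893b2f73ed61764a2f2f3bfa0b03b5f76fa
• SHA256
fef9c6c514e2ee00b96f6d33026f91080e43ed854d3aff103826d5063c9e7778
• SHA512
8a8f08230ced45ed6e06351ee5c2ae5afe2e52a7a0284fbe74474cb9aab848a5e4226d041f4c3d50ab45c855d627e5e581a4fb66c43ace6c4ab092597985aa4a
• SSDEEP
768:Fchho/bbYYwktIZwTUtv3h12jG6hdYWnXAjpWTbBbIKP077hPsxPaq77tiy/r:KjoDMYwEINR8j/Yu2pqOd77hPxy
Score
7/10
• Checks computer location settings
Looks up country code configured in the registry, likely geofence.
• Target
34818CE171EA150B91429AC1DD6FBE49.exe
• Size
170KB
• MD5
34818ce171ea150b91429ac1dd6fbe49
• SHA1
765f7cea9ae6e126181e5a78b897304913530d4d
• SHA256
502386cb2288ce85af522da55916b5a05c71d9a32a80cec396bc4cdd0e0ac665
• SHA512
e44b009eef9710787ddf63d5038e15112969ef5ac952520f772b5ab78dfe57c42f7562044642f573c9480c76569ef9a7912cc5cd1b0472e4d61c25e79a03bfb0
• SSDEEP
3072:xUiScf7Taa44mVg6zMe4sfPZfE8dreM9aSW3OKojVbc7n4CRWLvSFlp6+qvv1:xUUm4mG6zwQLaM9aKjRg0SLlK1
"""


def parse_targets(text):
    """Parse the flattened Targets listing into one dict per sample.

    A bulleted field name is followed by its value on the next non-empty line;
    'Score' is followed by 'N/10'; any other bulleted line is a behavioural
    signature, optionally followed by one unbulleted description line.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, cur, i = [], None, 0
    while i < len(lines):
        line = lines[i]
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.startswith("• "):
            name = line[2:].strip()
            if name == "Target":
                cur = {"signatures": []}
                records.append(cur)
            if cur is None:  # stray bullet before the first Target block
                i += 1
                continue
            if name in FIELDS:
                cur[name] = nxt
                i += 2
                continue
            desc = None
            if nxt and not nxt.startswith("• ") and nxt != "Score":
                desc = nxt
                i += 1
            cur["signatures"].append((name, desc))
        elif line == "Score" and cur is not None:
            cur["score"] = nxt
            i += 1
        i += 1
    return records


def check_record(rec):
    """Return problems: missing or malformed hash fields, and a hash embedded in the
    filename that disagrees with the computed one (expected for memory dumps,
    suspicious for anything else)."""
    problems = []
    for field, length in HASH_LEN.items():
        v = rec.get(field)
        if v is None:
            problems.append(f"missing {field}")
        elif len(v) != length or not HEX_RE.match(v):
            problems.append(f"malformed {field}")
    m = re.match(r"[0-9a-fA-F]{32,128}", rec.get("Target", ""))
    if m:
        embedded = m.group(0).lower()
        field = {n: f for f, n in HASH_LEN.items()}.get(len(embedded))
        if field and rec.get(field, "").lower() != embedded:
            problems.append(f"filename {field} {embedded[:12]}... != computed {rec.get(field, '')[:12]}...")
    return problems


def iocs(records):
    """Sorted, lower-cased SHA256 list suitable for a blocklist or hunt query."""
    return sorted({r["SHA256"].lower() for r in records if "SHA256" in r})


if __name__ == "__main__":
    for rec in parse_targets(SAMPLE):
        print(rec["Target"], rec.get("score", "-"), check_record(rec) or "ok")
```

The same parser runs unchanged over the full Targets section of this page; feeding it the whole listing is the quickest way to spot blocks with a missing SSDEEP (the 2KB `360390_crypt.exe` above has none) or a hash that was truncated during copy-paste.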

MITRE ATT&CK Enterprise v15

Tasks

static1: upx, macro; Score 8/10
behavioral1: discovery; Score 6/10
behavioral2: discovery; Score 6/10
behavioral3: Score 1/10
behavioral4: Score 1/10
behavioral5: discovery; Score 7/10
behavioral6: discovery, persistence, ransomware, spyware, stealer; Score 9/10
behavioral7: discovery; Score 3/10
behavioral8: defense_evasion, discovery, persistence; Score 8/10
behavioral9: defense_evasion, discovery; Score 8/10
behavioral10: defense_evasion, discovery; Score 8/10
behavioral11: Score 1/10
behavioral12: discovery; Score 3/10
behavioral13: spyware, stealer; Score 7/10
behavioral14: spyware, stealer; Score 7/10
behavioral15: bootkit, discovery, persistence; Score 8/10
behavioral16: bootkit, discovery, persistence; Score 7/10
behavioral17: discovery; Score 3/10
behavioral18: discovery; Score 3/10
behavioral19: discovery; Score 3/10
behavioral20: discovery; Score 3/10
behavioral21: Score 1/10
behavioral22: credential_access, defense_evasion, discovery, execution, impact, persistence, ransomware, spyware, stealer; Score 9/10
behavioral23: Score 7/10
behavioral24: discovery; Score 7/10
behavioral25: discovery; Score 7/10
behavioral26: discovery; Score 3/10
behavioral27: discovery; Score 6/10
behavioral28: discovery; Score 6/10
behavioral29: defense_evasion, discovery, persistence, upx; Score 9/10
behavioral30: defense_evasion, discovery, persistence, upx; Score 9/10
behavioral31: defense_evasion, discovery, trojan; Score 7/10
behavioral32: defense_evasion, discovery, execution, impact, persistence, ransomware, trojan; Score 9/10
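The persistence, defense-evasion and ransomware behaviours reported for the targets above (Run key, Active Setup StubPath, IFEO Debugger, DisableTaskMgr, exefile association, shadow-copy deletion, country-code lookup, mass rename with an appended extension) expressed as detection logic over host events. This is an added example and not the sandbox's own signature engine: the event records are constructed, the event shape is hypothetical, the registry locations are the standard Windows ones, the "location settings" check is assumed to read `HKCU\Control Panel\International\Geo\Nation`, and the rename threshold of 50 is an assumption (the report's sample renamed 402 files).

```python
import re
from collections import Counter

# Constructed events in a minimal Sysmon-like shape (not real telemetry). Types:
# reg_set = registry value written, reg_query = registry value read,
# process = process creation, file_rename = file renamed.
EVENTS = [
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\Users\victim\AppData\Roaming\svc.exe"},
    {"type": "reg_set", "key": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{0A1B2C3D-0000-4000-8000-000000000001}",
     "value": "StubPath", "data": r"C:\Windows\System32\drop.exe"},
    {"type": "reg_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe",
     "value": "Debugger", "data": r"C:\Windows\System32\drop.exe"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "DisableTaskMgr", "data": "1"},
    {"type": "reg_set", "key": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command",
     "value": "(Default)", "data": r'"C:\Windows\System32\drop.exe" "%1" %*'},
    {"type": "reg_query", "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
    {"type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "cmdline": r"C:\Windows\System32\notepad.exe"},                        # benign
    {"type": "reg_set", "key": r"HKCU\Software\Contoso\App", "value": "LastRun", "data": "2025"},  # benign
]
# 60 renames that keep the name and append one extension, as the mass-rename signature describes.
EVENTS += [{"type": "file_rename", "src": rf"C:\Users\victim\Documents\doc{i}.docx",
            "dst": rf"C:\Users\victim\Documents\doc{i}.docx.locked"} for i in range(60)]
EVENTS.append({"type": "file_rename", "src": r"C:\tmp\a.txt", "dst": r"C:\tmp\b.txt"})  # ordinary rename

REG_WRITE_RULES = [
    # (signature name, key pattern, value name or None for any, required data or None)
    ("Adds Run key to start application",
     re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I), None, None),
    ("Boot or Logon Autostart Execution: Active Setup",
     re.compile(r"\\Active Setup\\Installed Components\\", re.I), "StubPath", None),
    ("Event Triggered Execution: Image File Execution Options Injection",
     re.compile(r"\\Image File Execution Options\\", re.I), "Debugger", None),
    ("Disables Task Manager via registry modification",
     re.compile(r"\\Policies\\System$", re.I), "DisableTaskMgr", "1"),
    ("Modifies system executable filetype association",
     re.compile(r"\\Classes\\exefile\\shell\\open\\command$", re.I), None, None),
]
SHADOW_RE = re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo$", re.I)
MASS_RENAME_THRESHOLD = 50  # assumption; tune to the environment


def detect(events):
    """Run the rules over an event list and return (signature, evidence) pairs in event
    order, with the mass-rename verdict appended once every rename has been counted."""
    findings, appended_ext = [], Counter()
    for ev in events:
        if ev["type"] == "reg_set":
            for name, key_re, value_name, data in REG_WRITE_RULES:
                if (key_re.search(ev["key"])
                        and (value_name is None or ev["value"].lower() == value_name.lower())
                        and (data is None or str(ev["data"]) == data)):
                    findings.append((name, f"{ev['key']}\\{ev['value']} = {ev['data']}"))
        elif ev["type"] == "reg_query":
            if GEO_KEY_RE.search(ev["key"]) and ev["value"].lower() == "nation":
                findings.append(("Checks computer location settings", f"{ev['key']}\\Nation"))
        elif ev["type"] == "process":
            if SHADOW_RE.search(ev["cmdline"]):
                findings.append(("Deletes shadow copies", ev["cmdline"]))
        elif ev["type"] == "file_rename":
            # Only renames that keep the original name and append a new extension count.
            src, dst = ev["src"], ev["dst"]
            if dst.startswith(src + "."):
                appended_ext[dst[len(src):]] += 1
    for ext, n in appended_ext.most_common():
        if n >= MASS_RENAME_THRESHOLD:
            findings.append(("Renames multiple files with added filename extension",
                             f"{n} files renamed to *{ext}"))
    return findings


if __name__ == "__main__":
    for name, evidence in detect(EVENTS):
        print(f"[{name}] {evidence}")
```

The registry rules fire on the write itself, so a sample that sets `DisableTaskMgr` to `0` (restoring the default) produces nothing, and the rename census is deferred to the end of the event stream because a single rename is meaningless on its own; only the count per appended extension carries signal.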