General
-
Target
RS.7z
-
Size
20.5MB
-
Sample
250331-apdw1ssjs8
-
MD5
2e40472330409ed96f91e8e0bb796eb4
-
SHA1
8fd90404184de1a627068a93482313449dbbec91
-
SHA256
c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9
-
SHA512
b11720cb8519fc6838161ba8bf696681b242b0789ffd5c442efbb50161d511fd65229ca88a347c856e8ff91501c077f5de7714b09e29d4400f595bfe7829189d
-
SSDEEP
393216:NkDF1XseDcJIrXeSG0b5mKZ1F0gvpdO8GPnqzHLP3iN5M0CptgNpAcklC0CN:GDjXseDcSra45mKt0gvT0PnMbzkNpAc/
Malware Config
Extracted
blackmatter
1.2
512478c08dada2af19e49808fbda5b0b
- Username:
[email protected] - Password:
120Heisler
- Username:
[email protected] - Password:
Tesla2019
- Username:
[email protected] - Password:
iteam8**
https://paymenthacks.com
http://paymenthacks.com
https://mojobiden.com
http://mojobiden.com
-
attempt_auth
true
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
mespinoza
-
ransomnote
Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: [email protected] [email protected] [email protected] Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet. Check out our website, we just posted there new updates for our partners: http://wqmfzni2nvbbpk25.onion/ -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What to tell my boss? A: Protect Your System Amigo.
Extracted
sodinokibi
$2a$10$kmb3nsvQXC.93GYNCGKy/uq9hYHivf0e3HcajFIifr8Hf3fmnofgm
7258
gasbarre.com
all-turtles.com
rksbusiness.com
christ-michael.net
mardenherefordshire-pc.gov.uk
erstatningsadvokaterne.dk
marchand-sloboda.com
unim.su
bauertree.com
faronics.com
moveonnews.com
autopfand24.de
mountsoul.de
beaconhealthsystem.org
cerebralforce.net
aprepol.com
kaotikkustomz.com
dubnew.com
simulatebrain.com
alvinschwartz.wordpress.com
-
net
true
-
pid
$2a$10$kmb3nsvQXC.93GYNCGKy/uq9hYHivf0e3HcajFIifr8Hf3fmnofgm
-
prc
outlook
agntsvc
infopath
sqbcoreservice
steam
firefox
ocomm
ocssd
mydesktopqos
oracle
powerpnt
wordpad
synctime
sql
thebat
onenote
excel
visio
encsvc
winword
mydesktopservice
dbsnmp
isqlplussvc
tbirdconfig
mspub
msaccess
thunderbird
ocautoupds
xfssvccon
dbeng50
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Data leak [+] First of all we have uploaded more then 70 GB archived data from your file server and SQL server Example of data: - Accounting - Finance - Personal Data - Banking data - Confidential files And more other... Our blog: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/ Read what happens to those who do not pay. We are ready: - To provide you the evidence of stolen data - To give you universal decrypting tool for all encrypted files. - To delete all the stolen data. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
7258
-
svc
svc$
vss
sophos
mepocs
backup
sql
memtas
veeam
Extracted
sodinokibi
$2a$10$dfjpLrXuDytfF.kmYtQ1ROgsXjTJEe8EmQT65ftxlTpJtXPZrhsAq
7178
kamahouse.net
bridgeloanslenders.com
abitur-undwieweiter.de
live-your-life.jp
xn--rumung-bua.online
anteniti.com
marcuswhitten.site
ostheimer.at
joseconstela.com
deepsouthclothingcompany.com
dr-seleznev.com
ecpmedia.vn
aunexis.ch
anthonystreetrimming.com
pocket-opera.de
mooreslawngarden.com
osterberg.fi
extraordinaryoutdoors.com
kamienny-dywan24.pl
fitovitaforum.com
-
net
false
-
pid
$2a$10$dfjpLrXuDytfF.kmYtQ1ROgsXjTJEe8EmQT65ftxlTpJtXPZrhsAq
-
prc
avgadmsv
BackupUpdater
ocautoupds
synctime
thebat
excel
isqlplussvc
ccSetMgr
SPBBCSvc
Sage.NA.AT_AU.SysTray
lmibackupvssservice
CarboniteUI
powerpnt
BackupMaint
onenote
klnagent
sql
Rtvscan
xfssvccon
Smc
mspub
encsvc
LogmeInBackupService
kavfsscs
ccSvcHst
BackupExtender
NSCTOP
outlook
dbsnmp
mydesktopservice
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Attention!!! [+] Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
7178
-
svc
ssistelemetry
adsync
svc$
msseces
mbamservice
ssastelemetry
altaro
sbamsvc
ds_notifier
ntrtscan
ofcservice
code42service
macmnsvc
memtas
auservice
telemetryserver
tmccsf
psqlwge
sppsvc
viprepplsvc
azurea
ds_monitor
swi_filter
protectedstorage
mfemms
mfevtp
kaseyaagentendpoint
ltservice
dssvc
altiback
Extracted
C:\Users\Admin\805202-readme.html
avaddon
Extracted
C:\Recovery\WindowsRE\README.9a401f55.TXT
darkside
http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW
Extracted
C:\Recovery\README.f063298e.TXT
darkside
http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC
http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68
Extracted
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\readme.txt
dearcry
Extracted
C:\Users\Admin\HOW-TO-DECRYPT-gn9cj.txt
Extracted
C:\Program Files\Restore-My-Files.txt
lockbit
http://lockbit-decryptor.top/?BC76D224712A7481EADA412145DE215D
http://lockbitks2tvnmwk.onion/?BC76D224712A7481EADA412145DE215D
Extracted
sodinokibi
5
367
craftingalegacy.com
g2mediainc.com
brinkdoepke.eu
vipcarrental.ae
autoteamlast.de
hostastay.com
gavelmasters.com
ronaldhendriks.nl
successcolony.com.ng
medicalsupportco.com
kompresory-opravy.com
sveneulberg.de
oththukaruva.com
voetbalhoogeveen.nl
selected-minds.de
log-barn.co.uk
fsbforsale.com
jobkiwi.com.ng
ivancacu.com
11.in.ua
-
net
true
-
pid
5
-
prc
wordpad.exe
outlook.exe
tbirdconfig.exe
agntsvc.exe
thebat.exe
mydesktopservice.exe
sqbcoreservice.exe
thunderbird.exe
ocomm.exe
excel.exe
thebat64.exe
steam.exe
xfssvccon.exe
firefoxconfig.exe
sqlagent.exe
ocssd.exe
mydesktopqos.exe
msaccess.exe
isqlplussvc.exe
mspub.exe
winword.exe
sqlbrowser.exe
dbeng50.exe
sqlservr.exe
oracle.exe
encsvc.exe
powerpnt.exe
dbsnmp.exe
infopath.exe
ocautoupds.exe
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
367
Targets
-
-
Target
RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
-
Size
1.0MB
-
MD5
c9ec0d9ff44f445ce5614cc87398b38d
-
SHA1
591ffe54bac2c50af61737a28749ff8435168182
-
SHA256
05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2
-
SHA512
c340baeb66fc46830b6b77b2583033ade6e10b3de04d82ece7e241107afe741442585bf2ea9d6496af93143c37e9676d4f1e1d301d55632b88b12daadadd43f0
-
SSDEEP
24576:Cs6JmdFn5KLOCgHWcAvcrOcEsKfR9uA7rmFbbbbpccf:Cs6JY5KLOCyWcDUfRAA3mFbbbbpc4
Score10/10-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon family
-
UAC bypass
-
Renames multiple (161) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
RansomwareSamples/Avos_18_07_2021_403KB.exe
-
Size
402KB
-
MD5
de6152b2b3a181509c5d71a332a75043
-
SHA1
d62c0ad2ec132065c5807c0fe7a4cabcba34cf29
-
SHA256
01792043e07a0db52664c5878b253531b293754dc6fd6a8426899c1a66ddd61f
-
SHA512
99df08f8c0d966c1ca866cc414939ee9ff23a044496497edd5c64fb83a7011718183272f9001dec97111a8e8387218632c7ef6a9f00644e01363540002f5b0d4
-
SSDEEP
12288:L5rxhWsTDzB6BybYxl+xX4VpMDEvqXHRAS0uayw4H5qsNI4j:L5rxhW6PB6BybYxlWX/DEv4eZw
Score10/10-
Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
-
Avoslocker family
-
Renames multiple (71) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
-
-
Target
RansomwareSamples/Babik_04_01_2021_31KB.exe
-
Size
30KB
-
MD5
e10713a4a5f635767dcd54d609bed977
-
SHA1
320d799beef673a98481757b2ff7e3463ce67916
-
SHA256
8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9
-
SHA512
fed1cb7e1798ea0d131a0d4962a2b9f6c700ee3e1c9482c7837be930ce5167196ac7b1e715d9c9a5c171c349f3df3dde1a42db8e439459bc742928f9d19b38a7
-
SSDEEP
768:S4DnL4DGrUVvP917yo6Xee7amb26ZghLybmGJ87tHvg7jzTzt:SILd639NdCbXZxbytH6
Score10/10-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Babuk family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (2120) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
RansomwareSamples/Babuk_20_04_2021_79KB.exe
-
Size
79KB
-
MD5
024382eef9abab8edd804548f94b78fc
-
SHA1
b69a5385d880f4d0acd3358df002aba42b12820f
-
SHA256
c4282e9040cdc1df92b722568a8b4c42ce9f6533fed0bd34b7fdbae264947784
-
SHA512
011bd185ef5aef409dbd198f59829d9812d2b1ead69e867e8b9983eb7c742356b074b17383c17fe22f417b61e6aaf7858cbb9e3abd5d25d02f256b69834c42d4
-
SSDEEP
1536:jRS6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:jRMhZ5YesrQLOJgY8Zp8LHD4XWaNH71m
Score10/10-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
Babuk family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (193) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
-
Size
12.2MB
-
MD5
96c2f4acef5807b54ded4e0dae6ed79d
-
SHA1
3e93999954ce080a4dc2875638745a92c539bd50
-
SHA256
c4aa94c73a50b2deca0401f97e4202337e522be3df629b3ef91e706488b64908
-
SHA512
bfb933ce0e68c2d320a49e29eb883c505012895bd04b82f29167cd791e4bd507ee5529a2199a51c6faaf9f70053869b488833766b6dfa1efeab2700c0bcea30c
-
SSDEEP
393216:Rd9c5hlEK/PNKwtN3ZWyp032LOqKT1g8Cy:RXEhxtKwtN3p232LOqKgz
Score10/10-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
-
-
Target
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
-
Size
67KB
-
MD5
598c53bfef81e489375f09792e487f1a
-
SHA1
80a29bd2c349a8588edf42653ed739054f9a10f5
-
SHA256
22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6
-
SHA512
6a82ad5009588d2fa343bef8d9d2a02e2e76eec14979487a929a96a6b6965e82265a69ef8dd29a01927e9713468de3aedd7b5ee5e79839a1a50649855a160c35
-
SSDEEP
1536:RzICS4AT6GxdEe+TOdincJXvKv8Zg3kl:qR7auJXSkZg3C
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Blackmatter family
-
Renames multiple (150) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
RansomwareSamples/Conti_22_12_2020_186KB.exe
-
Size
185KB
-
MD5
7076f9674bc42536d1e0e2ca80d1e4f6
-
SHA1
854485ee63e5a399fffe150f04cd038d6a5490ef
-
SHA256
ebeca2df24a55c629cf0ce0d4b703ed632819d8ac101b1b930ec666760036124
-
SHA512
71c507108cc0c8b5609076672bd0b64a42c015995fe7220aa97e273c1754e63271edb06b284f4fc01b71a4751c1bcac0f572339e94ff0fd538dc0250caa9181a
-
SSDEEP
3072:+qS7gtGIeq8KxrvRp1MImcZeuLaxugfCJsOlq8WkJK0BOog/Tt3onM9kHpOBae4f:zS7gtyuzFxm16axugfqlMw5g5BkOdSlr
Score10/10-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Conti family
-
Renames multiple (8327) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
-
-
Target
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
-
Size
1.1MB
-
MD5
a12e733ddbe6f404b27474fa0e5de61d
-
SHA1
e8d0c95621a19131ef9480e58a8d6dd3d15c9acd
-
SHA256
271ef3c1d022829f0b15f2471d05a28d4786abafd0a9e1e742bde3f6b36872ad
-
SHA512
f27605a283e958690eb7ad50aa46110b6d155217ad09d658ad3f9c4368d4c66ab623a0cc3489d695a02db462fec3bcf8ebee13f9da1bd61e2e3db46de2d73ddf
-
SSDEEP
12288:xtwee4XgIijsCMtcTCWVRapiyC9vwic8CPK3EOnA+u+:8efgIiICMtIChp8N2K3EOAK
Score10/10 -
-
-
Target
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
-
Size
30KB
-
MD5
f00aded4c16c0e8c3b5adfc23d19c609
-
SHA1
86ca4973a98072c32db97c9433c16d405e4154ac
-
SHA256
4d9432e8a0ceb64c34b13d550251b8d9478ca784e50105dc0d729490fb861d1a
-
SHA512
a2697c2b008af3c51db771ba130590e40de2b0c7ad6f18b5ba284edffdc7a38623b56bc24939bd3867a55a7d263b236e02d1f0d718a5d3625402f2325cbfbedf
-
SSDEEP
768:lXnIczxCbTRNl71wHpZQgYI1TQPB3aYJEOW:hIMxCXd1+pZQgYIxk3vJE
Score10/10-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Darkside family
-
Renames multiple (155) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Sets desktop wallpaper using registry
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
-
Size
59KB
-
MD5
0ed51a595631e9b4d60896ab5573332f
-
SHA1
7ae73b5e1622049380c9b615ce3b7f636665584b
-
SHA256
243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60
-
SHA512
9bfd6318b120c05d9a42a456511efc59f2be5ad451baa6d19d5de776e2ff74dbee444c85478ee7cfdbf705517cc147cd64c6814965f76c740fe1924594a37cb5
-
SSDEEP
768:vjjmbIax7F3DS4/S9+CuUSbVAdNcxGV1yl3RYY23W58:0x7Fu4/ihrhDTV1ylhZ58
Score10/10-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Darkside family
-
Renames multiple (151) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Sets desktop wallpaper using registry
-
-
-
Target
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
-
Size
17KB
-
MD5
f87a2e1c3d148a67eaeb696b1ab69133
-
SHA1
d1dfe82775c1d698dd7861d6dfa1352a74551d35
-
SHA256
9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297
-
SHA512
e361811b07a66d9a784be37bdace0bdec9e11374083d7ccf7d9830e47a59afa8b9d12d80d4d47ea1932116354ad60bbc8ea6a6a265885d264b35486986415ea3
-
SSDEEP
384:SGyUrEk/yEoQE+yckIYN/pBa3AWK3T2oTboHblKR/:l4klFypIYFpB/x9ngb
Score10/10-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Darkside family
-
Renames multiple (188) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
-
Size
1.3MB
-
MD5
0e55ead3b8fd305d9a54f78c7b56741a
-
SHA1
f7b084e581a8dcea450c2652f8058d93797413c3
-
SHA256
2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
-
SHA512
5c3d58d1001dce6f2d23f33861e9c7fef766b7fe0a86972e9f1eeb70bfad970b02561da6b6d193cf24bc3c1aaf2a42a950fa6e5dff36386653b8aa725c9abaaa
-
SSDEEP
24576:LU5NX2yJOiUXmEICxu2WAP0NIzkQM+KpPRQ9StIUDpl1fpxkHVZgMCS+:L7XP7P9o5QzUtl1fpxkHVZgMC3
Score10/10-
DearCry
DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.
-
Dearcry family
-
Renames multiple (6603) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops desktop.ini file(s)
-
-
-
Target
RansomwareSamples/Hades_29_03_2021_1909KB.exe
-
Size
1.9MB
-
MD5
9fa1ba3e7d6e32f240c790753cdaaf8e
-
SHA1
7bcea3fbfcb4c170c57c9050499e1fae40f5d731
-
SHA256
fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
-
SHA512
8d2fb58cb8776ead15f445671431eae13a00b48921e545c7ecbf91829015d818d663d9369f181de669ebb771b113c2f675c3a156fac5ede019b5fad9cb8c65fe
-
SSDEEP
49152:zHOalx8WJjq64Hv7OHxTAhEu5undVmB9dn5AI7EyP3S:Z/8WJjiPSRRu5undVmDd5VEyvS
Score10/10-
Hades Ransomware
Ransomware family attributed to Evil Corp APT first seen in late 2020.
-
Hades family
-
Hades payload
-
CryptOne packer
Detects CryptOne packer defined in NCC blogpost.
-
Renames multiple (146) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
-
-
Target
RansomwareSamples/Hive_17_07_2021_808KB.exe
-
Size
808KB
-
MD5
504bd1695de326bc533fde29b8a69319
-
SHA1
67f0c8d81aefcfc5943b31d695972194ac15e9f2
-
SHA256
a0b4e3d7e4cd20d25ad2f92be954b95eea44f8f1944118a3194295c5677db749
-
SHA512
18c5b28bafb13edf47f6a2b803d9d9a914945f037b266a765f2a324842c5ef04ebda27eba31851d2d63e00779a42900e0edfe4ad5bd817eb4f43fa4d4e3a4767
-
SSDEEP
24576:lafTGwLNdRk4RBtr/ioF4/I+CMx3cMt3/4KFG8Qz4YwY:IT7dRFr/ioFjicMtvV4z
Score10/10-
Detects Go variant of Hive Ransomware
-
Hive
A ransomware written in Golang first seen in June 2021.
-
Hive family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
RansomwareSamples/LockBit_14_02_2021_146KB.exe
-
Size
146KB
-
MD5
69bec32d50744293e85606a5e8f80425
-
SHA1
101b90ac7e0c2a8b570686c13dfa0e161ddd00e0
-
SHA256
95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf
-
SHA512
e01f976fcbfa67cfd6e97855d07350a27b67fcc825d4e813ac9d2f4e8f464bb4f8bbbbe58a26bc27e78fa15db0ee5271e8f041dd72f036c11964eb1c591b438f
-
SSDEEP
3072:V6ZkRGjkBrmKmY99UpkD1/34bIpVSrtLmqc2LVMMqqD/h2LuTeONA5tIHVcH:IS9rLPPUpa3VVEtLXcCqqD/hOQnaMcH
Score10/10-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
Clears Windows event logs
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (6003) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes System State backups
Uses wbadmin.exe to inhibit system recovery.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
-
Size
114KB
-
MD5
b33e8ce6a7035bee5c5472d5b870b68a
-
SHA1
783d08fe374f287a4e0412ed8b7f5446c6e65687
-
SHA256
2b5a3934d3e81fee4654bb1a7288c81af158a6d48a666cf8e379b0492551188f
-
SHA512
78c36e1f8ba968d55e8b469fba9623bd20f9d7216b4f5983388c32be564484caab228935f96fd8bff82bc8bb8732f7beb9ccede50385b6b6ba7e23b5cc60679f
-
SSDEEP
3072:Rf1BDZ0kVB67Duw9AMcUTeQnbZ7pgHzL8O1oc8rEUvZfqv8dOWVIc:R9X0GGZpYzL8VcFUvZyUdb
Score7/10-
Loads dropped DLL
-
-
-
Target
RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe
-
Size
661KB
-
MD5
19ddac9782acd73f66c5fe040e86ddee
-
SHA1
24ceba1e2951cde8e41939da21c6ba3030fc531d
-
SHA256
dde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95
-
SHA512
e7be7472241fdd26db48dbd0311afe821905f6d59dfb56e3dc035944b7346b0767a8af76d110c5f60c0ba0183ca3791e56d9b3c8b9ba887afa111aafc949c1d4
-
SSDEEP
12288:vN3K5e8nbwFigzk6VVMqX8aQNRMcauV9B/rtiPnA40Q8:hCXbwFigzkQVdXvlcayDh49
Score10/10-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload
-
Medusalocker family
-
UAC bypass
-
Renames multiple (181) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
RansomwareSamples/MountLocker_20_11_2020_200KB.exe
-
Size
200KB
-
MD5
c2671bf5b5dedbfd3cfe3f0f944fbe01
-
SHA1
da3e830011e6f9d41dd6c93fdb48c47c1c6e35e1
-
SHA256
226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2
-
SHA512
256bc8582cc9b53b3cf9307a2882117476648ab9df540d501fc5f46a4030beacab9df2019f2d83b0a63d510803cbf6cbae01dc1325588f93a1a74521a07fe4d9
-
SSDEEP
1536:ssBoz9GFuIdclwKfVPoawSL20mRbg2DrE1mHkrY0f3r6fR0ZzDWR+3itGSh6ZVvg:ssS3oifBoaXhDWA4G3eeJaeIbmC00
Score10/10-
MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
-
Mountlocker family
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
RansomwareSamples/Nefilim_31_08_2020_3061KB.exe
-
Size
3.0MB
-
MD5
cd7b5d2391af7cc10f5ab11f2baef503
-
SHA1
c735ff582ab489f13cfc76ee744e52b868012e2e
-
SHA256
0bafde9b22d7147de8fdb852bcd529b1730acddc9eb71316b66c180106f777f5
-
SHA512
b01c843c9a7c154ab592b667fe66b49123bfc2218904391600c1d17623b91c4e83eb6049aba01813586251596d999cce953ca689957390e658ee306a9859adca
-
SSDEEP
24576:YOXKA8qDbjm8N3CNWYqdQCVzCYXjG9xLAW0bUXo2xdQS3aVOqL1UrSlcbHLWcR4+:tXKOm8mkdHJC0jG9xE9gdQS3aLibLw
Score9/10-
Renames multiple (168) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
-
-
Target
RansomwareSamples/Nemty_03_02_2021_124KB.exe
-
Size
123KB
-
MD5
78c3c27df6232caa15679c6b72406799
-
SHA1
e439d28b6bb6fd449bddad9cf36c97433a363aed
-
SHA256
a2fe2942436546be34c1f83639f1624cae786ab2a57a29a75f27520792cbf3da
-
SHA512
36dcdaffaef3ea2136cca3386f18ee3f6462aa66c82ef64660e3c300f3d58720a9c742930e2ee8e94c2379fbc7b3e6932dda20b5caa30b1c1f1ef38095aac6f6
-
SSDEEP
3072:xlwfdbiGnmYcAbwc7HNXG8/IEjkeOBeFtEv9VTYnH5upMocGMn7qxR1tMkTJNzn:DwfY2sA0kHFkktN5upMocGMns/lNzn
Score9/10-
Renames multiple (148) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
RansomwareSamples/NetWalker_19_10_2020_903KB.ps1
-
Size
902KB
-
MD5
7770c598848339cf3562b7480856d584
-
SHA1
b3d39042aab832b7d2bed732c8b8e600a4cf5197
-
SHA256
ee3b0468a16789da8706d46aa361049ec51586c36899646a596b630d913e7304
-
SHA512
02af6d5910f0627074fbea72901b2f2b491f7dba58f53ae1fad1dc47230e000a7b459c8475a76aaf006629bb5822d89d4672d32fb64d073464ca41140cb134d2
-
SSDEEP
6144:KxYcCQ2x63Ib0NQrqxpPbI1ZVedvUhwDNGjG+zBumDKemdglhykA:KCQ2x6TdvUqDUjG+zBumDKemdgy9
Score10/10-
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Netwalker family
-
Renames multiple (926) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
-
-
Target
RansomwareSamples/Phoenix_29_03_2021_1930KB.exe
-
Size
1.9MB
-
MD5
d86f451bbff804e59a549f9fb33d6e3f
-
SHA1
3cb0cb07cc2542f1d98060adccda726ea865db98
-
SHA256
008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549
-
SHA512
c86ad7e1d5c445d4de9866faab578b2eb04f72ffef4fac380b7164003471b4b48b09772e735ea15205e2ab4a1f4d194d188cdeb12c7199d0824ddaba393dcaa2
-
SSDEEP
49152:olyGDEemRoq2KKpgL5lWKDFcmjkf8cudB/8WjM:UYerFq/FgUcuf/85
Score10/10-
Hades Ransomware
Ransomware family attributed to Evil Corp APT first seen in late 2020.
-
Hades family
-
Hades payload
-
CryptOne packer
Detects CryptOne packer defined in NCC blogpost.
-
Renames multiple (176) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
-
-
Target
RansomwareSamples/PwndLocker_04_03_2020_17KB.exe
-
Size
17KB
-
MD5
16a29314e8563135b18668036a6f63c8
-
SHA1
90cf5ca4df9d78cf92bb865b5b399a4d2752e55b
-
SHA256
4e6c191325b37da546e72f4a7334d820995d744bf7bb1a03605adb3ad30ce9ca
-
SHA512
45c023e6dd4202079e913b8946825b47fab30b584bbd79b0416152cc4a54975b12205393827289c1f03feb71b54d3b6b34490be3001e9b565c1f89e13e752032
-
SSDEEP
384:RJueT9Jtx33bRsoOjhveu+q7hPOx58Zbxe:RJueJx33bDO1uMbc
Score10/10-
Renames multiple (5967) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Network Share Discovery
Attempt to gather information on host network.
-
-
-
Target
RansomwareSamples/Pysa_08_04_2021_500KB.exe
-
Size
500KB
-
MD5
d751f54365181f544f908cc9ae3c91c5
-
SHA1
51cbc9455b7781cf0529f299631e59016fe52e95
-
SHA256
af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8
-
SHA512
04497dcac535c18247b13634db35a3a53369719696e700ff2c45637c616f6932ba22ddad2e3925055c92e5922f38c34f09ce8d87106f894a7a586ad0d41e6d33
-
SSDEEP
12288:oDMUibBYoo+OeO+OeNhBBhhBB7TRU+FR+q1mITXimIscFa:KMUiFTTRU+3+qAILfo
Score10/10-
Mespinoza Ransomware
Also known as Pysa. Ransomware-as-a-servoce which first appeared in 2020.
-
Mespinoza family
-
Renames multiple (3455) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
-
-
Target
RansomwareSamples/REvil_07_04_2021_121KB.exe
-
Size
120KB
-
MD5
726d948d365cb9db1dfd84a30203a642
-
SHA1
78ed4bcf9c0aca8d14b25da2e679a91c48dd6797
-
SHA256
d74f04f0b948d9586629e06e2a2a21bdf20d678e47058afb637414eb3701c1f6
-
SHA512
bd17f2b265c30f0d9ddc60e01026f21ad6b6355f68b762b14b3e8882a90de0a20970f77105a2515a7cb4a0d1429f3a70cdf40d4247384592d36da6f2907a690a
-
SSDEEP
1536:bjxXC9jVwbhEW8z3w1R+KjJLRiOQJo0SoLCdpuOk2ICS4Ang6lUkdq0tK3CmZ6+n:mmV1wKdLoLC/OemUkdq4WCmA0qG9
Score10/10-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Sodinokibi family
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
-
-
Target
RansomwareSamples/REvil_08_04_2021_121KB.exe
-
Size
120KB
-
MD5
2075566e7855679d66705741dabe82b4
-
SHA1
136443e2746558b403ae6fc9d9b40bfa92b23420
-
SHA256
12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39
-
SHA512
312dcb3d83a5201ef16c5027aabd8d7baebfd9761bf9514cafecc8a6936970b897b18b993e056d0f7aec81e6f0ab5756aa5efd3165e43f64692d5dbdb7423129
-
SSDEEP
1536:bjxXC9jVwbhEW8z3w1R+KjJLRiOQJo0SoLCdpuOk2ICS4Ang6lUgvfYiFyRFywX/:mmV1wKdLoLC/OemUWYjfywpbPa
Score10/10-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Sodinokibi family
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
-
-
Target
RansomwareSamples/Ragnar_11_02_2020_40KB.exe
-
Size
39KB
-
MD5
6171000983cf3896d167e0d8aa9b94ba
-
SHA1
b155264bbfbad7226b5eb3be2ab38c3ecd9f3e18
-
SHA256
9bdd7f965d1c67396afb0a84c78b4d12118ff377db7efdca4a1340933120f376
-
SHA512
1b10008d5eaeb3755c899334d416e8d0a30695e093dc597b21e630fd8bde4b9c5d808fd2663f1acd7489e33b947660dacdb80f7f3aa4911cd24d605cfc44e73a
-
SSDEEP
768:spCmKJILjsoq65corBjd/3oqab0k3RLKul1FX8xUtE:splco4aFoqaXpTX8xa
Score10/10-
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
-
Ragnarlocker family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (8811) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
RansomwareSamples/RansomEXX_14_12_2020_156KB.exe
-
Size
156KB
-
MD5
fcd21c6fca3b9378961aa1865bee7ecb
-
SHA1
0abaa05da2a05977e0baf68838cff1712f1789e0
-
SHA256
4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458
-
SHA512
e39c1f965f6faeaa33dfec6eba23fbfff14b287f4777797ea79480bb037d6d806516bda7046315e051961fce12e935ac546819c1e0bef5c33568d68955a9792a
-
SSDEEP
1536:7ZLTzASUIG0TOOYTufIaSWvRYkekdvizSBXxNe9VPw6s6aUCT7Q7qn:OBI9HYyfNBdviGBBQsrhPk4
Score10/10-
Deletes NTFS Change Journal
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
-
RansomEXX Ransomware
Targeted ransomware with variants which affect Windows and Linux systems.
-
Ransomexx_win family
-
Clears Windows event logs
-
Modifies boot configuration data using bcdedit
-
Renames multiple (181) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Disables use of System Restore points
-
Overwrites deleted data with Cipher tool
Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
RansomwareSamples/Ranzy_20_11_2020_138KB.exe
-
Size
138KB
-
MD5
954479f95ce67fcb855c5b882d68e74b
-
SHA1
43ccf398999f70b613e1353cfb6845ee09b393ca
-
SHA256
c4f72b292750e9332b1f1b9761d5aefc07301bc15edf31adeaf2e608000ec1c9
-
SHA512
515e675401ec67d2d06f06264cb33808ad7d214a0609492ddf73f40a3b829358d75f79fff04b29c6953fc3f450c0d55207d5a6fd3b571f60ae05e25327c41a5f
-
SSDEEP
3072:WNnBEPCZ788hExMfHg/50iIETyyCDRk8gE9QIluYEh0VZvcWrMFh:WPEa586nHg/50/ET3CoE7uYEau
Score10/10-
Renames multiple (180) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
RansomwareSamples/Ryuk_21_03_2021_274KB.exe
-
Size
273KB
-
MD5
0eed6a270c65ab473f149b8b13c46c68
-
SHA1
bffb380ef3952770464823d55d0f4dfa6ab0b8df
-
SHA256
7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed
-
SHA512
1edc5af819e0a604bef31bca55efeea4d50f089aa6bdd67afee00a10132b00172a82cda214ea0ca8164b8d7444d648984c27c45f27acc69e227188ec25064aff
-
SSDEEP
3072:n/YRw64GUbH9dpWYEFq5hY9e1Z36NS31gs03ApyCb6DnE/PdrfS6sOK5hI+z7XI:Qa6owYEFq5hY9aqNS1y4/PdzS+s64I
Score10/10-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Ryuk family
-
Renames multiple (7578) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Executes dropped EXE
-
Modifies file permissions
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
-
-
Target
RansomwareSamples/Sekhmet_30_03_2020_364KB.msi
-
Size
364KB
-
MD5
15fc8a15e86c367586e3661b03bcab44
-
SHA1
a6a6f2dc244d75cac1509e46c7de88ff479b9ee6
-
SHA256
b2945f293ee3f68a97cc493774ff1e8818f104fb92ef9dbeead05a32fc7006ff
-
SHA512
cad4c868065a4715126a6e644c1fc1c5d9832e027f62f2f9370172e523fe7db63119871ba64977fc2f25959197a20f0e0e98bd66b2539eae7d46ded9d571436b
-
SSDEEP
6144:nj+vyxz9WYWqpkGbOAqMK/oVZUlz/F8GO53OuzZOJM7CQ5g//s4Y:j+wpWYkGA/WGUGO53OIZkh/Y
Score10/10-
Detected Egregor ransomware
-
Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
-
Egregor family
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Locky family
-
Sekhmet Ransomware
Ransomware family active in the wild since early 2020.
-
Sekhmet family
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Blocklisted process makes network request
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
RansomwareSamples/Sodinokibi_04_07_2019_253KB.exe
-
Size
252KB
-
MD5
1ce1ca85bff4517a1ef7e8f9a7c22b16
-
SHA1
f35f0cd23692e5f5d0a3be7aefc8b01dfdd4e614
-
SHA256
06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851
-
SHA512
6e67fa01a8792453b148074fe027def90e1d3f6042037216986ee9e3d0c436c177764bc5e5900dbbab91e10d8a3c86a2ea04ef547149bfc92a33ec0236759949
-
SSDEEP
6144:Rb8oNGxoFlv2ynsDJv++C3uGsKTYZH7nJHVyjG7q9J4:RTvnOdtC+GENnvyjGN
Score10/10-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Sodinokibi family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
4PowerShell
3Scheduled Task/Job
1Scheduled Task
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Installer Packages
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Installer Packages
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
5Clear Windows Event Logs
1File Deletion
4Modify Registry
5Pre-OS Boot
1Bootkit
1System Binary Proxy Execution
1Msiexec
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1