Overview
overview
10Static
static
7Documents/...er.exe
windows7-x64
Documents/...er.exe
windows10-2004-x64
10Documents/...ll.exe
windows7-x64
9Documents/...ll.exe
windows10-2004-x64
3Documents/...aw.exe
windows7-x64
10Documents/...aw.exe
windows10-2004-x64
10Documents/...ky.exe
windows7-x64
10Documents/...ky.exe
windows10-2004-x64
10Documents/...31.exe
windows7-x64
1Documents/...31.exe
windows10-2004-x64
1Documents/...3 .exe
windows7-x64
7Documents/...3 .exe
windows10-2004-x64
3Documents/...d9.dll
windows7-x64
10Documents/...d9.dll
windows10-2004-x64
10027cc450ef...ju.dll
windows7-x64
10027cc450ef...ju.dll
windows10-2004-x64
10ee29b9c013...bc6.js
windows7-x64
3ee29b9c013...bc6.js
windows10-2004-x64
3fe2e5d0543...L9.rtf
windows7-x64
4fe2e5d0543...L9.rtf
windows10-2004-x64
1Documents/...uy.hta
windows7-x64
10Documents/...uy.hta
windows10-2004-x64
10Documents/...st.exe
windows7-x64
7Documents/...st.exe
windows10-2004-x64
7Documents/...39.exe
windows7-x64
6Documents/...39.exe
windows10-2004-x64
Documents/...5c.exe
windows7-x64
6Documents/...5c.exe
windows10-2004-x64
Documents/...00.exe
windows7-x64
7Documents/...00.exe
windows10-2004-x64
7out.exe
windows7-x64
3out.exe
windows10-2004-x64
3General
-
Target
bc41543926dda3762ae39e35aba7a813_JaffaCakes118
-
Size
13.8MB
-
Sample
240630-bcjr6svbkk
-
MD5
bc41543926dda3762ae39e35aba7a813
-
SHA1
81bf36d2c8c97901eb88133566838eba26d74138
-
SHA256
f255227fd45316c4681085f39e6da2f509af851f8cc2d2a84ea99c06b935ffe6
-
SHA512
29404267b0a85340a4b9e821aca8a37ee716532adb9626acc39941148c2e91f67022125a4db3d65468b6b564134bf9fa496252bd4d2aacda0be0fd54684c0291
-
SSDEEP
393216:LDZBIw5QnNtQs9HQYsiZfmu/GyBSye+tfLXSDOaC0zjLCrj:vlQnNSA1skfmkzdtfOi0jLA
Behavioral task
behavioral1
Sample
Documents/Ransomware.Cerber/cerber.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
Documents/Ransomware.Cerber/cerber.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Documents/Ransomware.Cryptowall/cryptowall.exe
Resource
win7-20240611-en
Behavioral task
behavioral4
Sample
Documents/Ransomware.Cryptowall/cryptowall.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral5
Sample
Documents/Ransomware.Jigsaw/jigsaw.exe
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
Documents/Ransomware.Jigsaw/jigsaw.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral7
Sample
Documents/Ransomware.Locky/Locky.exe
Resource
win7-20240611-en
Behavioral task
behavioral8
Sample
Documents/Ransomware.Locky/Locky.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral9
Sample
Documents/Ransomware.Mamba/131.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
Documents/Ransomware.Mamba/131.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
Documents/Ransomware.Matsnu/Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
Resource
win7-20240611-en
Behavioral task
behavioral12
Sample
Documents/Ransomware.Matsnu/Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win7-20240419-en
Behavioral task
behavioral14
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll
Resource
win7-20240419-en
Behavioral task
behavioral16
Sample
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral17
Sample
ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6.js
Resource
win7-20240611-en
Behavioral task
behavioral18
Sample
ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6.js
Resource
win10v2004-20240611-en
Behavioral task
behavioral19
Sample
fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.rtf
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.rtf
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/myguy.hta
Resource
win7-20240611-en
Behavioral task
behavioral22
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/myguy.hta
Resource
win10v2004-20240611-en
Behavioral task
behavioral23
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/svchost.exe
Resource
win7-20240508-en
Behavioral task
behavioral24
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/svchost.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral25
Sample
Documents/Ransomware.Petya/Ransomware.Petya/26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe
Resource
win7-20240508-en
Behavioral task
behavioral26
Sample
Documents/Ransomware.Petya/Ransomware.Petya/26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral27
Sample
Documents/Ransomware.Petya/Ransomware.Petya/4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe
Resource
win7-20240508-en
Behavioral task
behavioral28
Sample
Documents/Ransomware.Petya/Ransomware.Petya/4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral29
Sample
Documents/Ransomware.Radamant/Ransomware.Radamant/DUMP_00A10000-00A1D000.exe
Resource
win7-20240611-en
Behavioral task
behavioral30
Sample
Documents/Ransomware.Radamant/Ransomware.Radamant/DUMP_00A10000-00A1D000.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral31
Sample
out.exe
Resource
win7-20240508-en
Behavioral task
behavioral32
Sample
out.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___VBTJZKN_.txt
cerber
http://p27dokhpz2n7nvgr.onion/5C86-F978-3435-0446-91C2
http://p27dokhpz2n7nvgr.12hygy.top/5C86-F978-3435-0446-91C2
http://p27dokhpz2n7nvgr.14ewqv.top/5C86-F978-3435-0446-91C2
http://p27dokhpz2n7nvgr.14vvrc.top/5C86-F978-3435-0446-91C2
http://p27dokhpz2n7nvgr.129p1t.top/5C86-F978-3435-0446-91C2
http://p27dokhpz2n7nvgr.1apgrn.top/5C86-F978-3435-0446-91C2
Extracted
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___PP0MW4ML_.txt
cerber
http://p27dokhpz2n7nvgr.onion/8D17-771D-3AF8-0446-9495
http://p27dokhpz2n7nvgr.12hygy.top/8D17-771D-3AF8-0446-9495
http://p27dokhpz2n7nvgr.14ewqv.top/8D17-771D-3AF8-0446-9495
http://p27dokhpz2n7nvgr.14vvrc.top/8D17-771D-3AF8-0446-9495
http://p27dokhpz2n7nvgr.129p1t.top/8D17-771D-3AF8-0446-9495
http://p27dokhpz2n7nvgr.1apgrn.top/8D17-771D-3AF8-0446-9495
Extracted
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___DAVP5KX_.hta
cerber
Extracted
http://french-cooking.com/myguy.exe
Extracted
http://french-cooking.com/myguy.exe
Targets
-
-
Target
Documents/Ransomware.Cerber/cerber.exe
-
Size
604KB
-
MD5
8b6bc16fd137c09a08b02bbe1bb7d670
-
SHA1
c69a0f6c6f809c01db92ca658fcf1b643391a2b7
-
SHA256
e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678
-
SHA512
b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24
-
SSDEEP
6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01
-
Blocklisted process makes network request
-
Contacts a large (1095) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Drops startup file
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
-
-
Target
Documents/Ransomware.Cryptowall/cryptowall.exe
-
Size
240KB
-
MD5
47363b94cee907e2b8926c1be61150c7
-
SHA1
ca963033b9a285b8cd0044df38146a932c838071
-
SHA256
45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d
-
SHA512
93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068
-
SSDEEP
3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
Documents/Ransomware.Jigsaw/jigsaw
-
Size
283KB
-
MD5
2773e3dc59472296cb0024ba7715a64e
-
SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859
-
SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
-
SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262
-
SSDEEP
6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX
Score10/10-
Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Renames multiple (2015) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Boot or Logon Autostart Execution: Port Monitors
Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
Documents/Ransomware.Locky/Locky
-
Size
180KB
-
MD5
b06d9dd17c69ed2ae75d9e40b2631b42
-
SHA1
b606aaa402bfe4a15ef80165e964d384f25564e4
-
SHA256
bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3
-
SHA512
8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c
-
SSDEEP
3072:gzWgfLlUc7CIJ1tkZaQyjhOosc8MKi6KDXnLCtyAR0u1cZ86:gdLl4wkZa/UDiD7ukst1H6
Score10/10 -
-
-
Target
Documents/Ransomware.Mamba/131.exe
-
Size
2.3MB
-
MD5
409d80bb94645fbc4a1fa61c07806883
-
SHA1
4080bb3a28c2946fd9b72f6b51fe15de74cbb1e1
-
SHA256
2ecc525177ed52c74ddaaacd47ad513450e85c01f2616bf179be5b576164bf63
-
SHA512
a99a2f17d9fbb1da9fb993b976df63afa74317666eca46d1f04e7e6e24149547d1ac7210f673caeae9b23a900528ad6ad0a7b98780eff458d3d505029a06e9ba
-
SSDEEP
49152:XM16E7qUoM5NWX7DP+1egOhcraQzK6j97V:c16/rM5oW1ZrRz
Score1/10 -
-
-
Target
Documents/Ransomware.Matsnu/Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_
-
Size
102KB
-
MD5
1b2d2a4b97c7c2727d571bbf9376f54f
-
SHA1
1fc29938ec5c209ba900247d2919069b320d33b0
-
SHA256
7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e
-
SHA512
506fc96423e5e2e38078806591e09a6eb3cf924eb748af528f7315aa0b929890823798a3ef2a5809c14023c3ff8a3db36277bc90c7b099218422aafa4e0c2ee0
-
SSDEEP
1536:jj+Rj1lGIXKSmE17v97yiqHGMRPtbsLW8/V2k12v1/BDxVyCfCrCAc:jjw6Sf0iqmMnb2W02v3mCf4Nc
Score7/10-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/027cc450ef5f8c5f653329641ec1fed9.exe
-
Size
353KB
-
MD5
71b6a493388e7d0b40c83ce903bc6b04
-
SHA1
34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
-
SHA256
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
-
SHA512
072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
-
SSDEEP
6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG
Score10/10-
mimikatz is an open source tool to dump credentials on Windows
-
Blocklisted process makes network request
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.bin
-
Size
353KB
-
MD5
71b6a493388e7d0b40c83ce903bc6b04
-
SHA1
34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
-
SHA256
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
-
SHA512
072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
-
SSDEEP
6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG
Score10/10-
mimikatz is an open source tool to dump credentials on Windows
-
Blocklisted process makes network request
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6.bin
-
Size
13KB
-
MD5
0487382a4daf8eb9660f1c67e30f8b25
-
SHA1
736752744122a0b5ee4b95ddad634dd225dc0f73
-
SHA256
ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6
-
SHA512
e1e7d81d54efd526139ea8ac792ed2035c8e70f040319c0b65f723431d31077c7a6927553890c99151f2354f51c4020ed94e0e2e5d56386c2fc4828e95869106
-
SSDEEP
192:ScIsmNvaHz65bP/U/njs3NH0Z0UvDVE6Az6XVHBycT6iLMUpJ2seCYHlfeb:SPXTmnjs3BU9A27BNLMUTb
Score3/10 -
-
-
Target
fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.bin
-
Size
6KB
-
MD5
415fe69bf32634ca98fa07633f4118e1
-
SHA1
101cc1cb56c407d5b9149f2c3b8523350d23ba84
-
SHA256
fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206
-
SHA512
e40ad6adcbdfc47ebf0745aed10a5c6c64d5759a0164dbd7ffb64439deffe710c26a8fd91e8d205f3b2f0c417d70d4e82d5f91874bc6f8bbc9ff123b72c2e692
-
SSDEEP
48:3aT4qf+8xWmXLEEPjH3UNTaOOHG0WomFS/bOhkWTl:3w/xWjFazGMrzQ
Score4/10 -
-
-
Target
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/myguy.hta
-
Size
13KB
-
MD5
0487382a4daf8eb9660f1c67e30f8b25
-
SHA1
736752744122a0b5ee4b95ddad634dd225dc0f73
-
SHA256
ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6
-
SHA512
e1e7d81d54efd526139ea8ac792ed2035c8e70f040319c0b65f723431d31077c7a6927553890c99151f2354f51c4020ed94e0e2e5d56386c2fc4828e95869106
-
SSDEEP
192:ScIsmNvaHz65bP/U/njs3NH0Z0UvDVE6Az6XVHBycT6iLMUpJ2seCYHlfeb:SPXTmnjs3BU9A27BNLMUTb
Score10/10-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/svchost.exe
-
Size
704KB
-
MD5
d2ec63b63e88ece47fbaab1ca22da1ef
-
SHA1
dd52fcc042a44a2af9e43c15a8e520b54128cdc8
-
SHA256
e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5
-
SHA512
89d9e63d5f3b34be3d25317933031815a42c039fbee30ce8c86f8b1b7c6ca9ccfc8731da99b9246381a2c05a95ada423f4944ff72111eb0451a44e9dcb3e053e
-
SSDEEP
12288:rue4X2Uz0DsetgxLdsCHvX8XYJWs6XS1bFLDw1P86jZpMV7uikFg:v+2UzSgxLdsCHmQb6XSbFLDs06jZulus
Score7/10-
Drops startup file
-
Drops desktop.ini file(s)
-
-
-
Target
Documents/Ransomware.Petya/Ransomware.Petya/26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe
-
Size
225KB
-
MD5
af2379cc4d607a45ac44d62135fb7015
-
SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa
-
SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
-
SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99
-
SSDEEP
6144:DCyjXhd1mialK+qoNr8PxtZE6x5v+k6f:rjXhd8ZlKOrMZE6x5b6f
Score6/10-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
Documents/Ransomware.Petya/Ransomware.Petya/4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.bin
-
Size
788KB
-
MD5
a92f13f3a1b3b39833d3cc336301b713
-
SHA1
d1c62ac62e68875085b62fa651fb17d4d7313887
-
SHA256
4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c
-
SHA512
361a5199b5a6321d88f6e7b66eaad3756b4ea7a706fa9dbbe3ffe29217f673d12dd1200e05f96c2175feffc6fecc7f09fda4dd6bfa0ce7bef3d9372f6a534920
-
SSDEEP
24576:z0wz1d5bAbWhrc56zQ9T4Ole+5PIuklOjB:Hd5Vhr4IMTbeGPJHjB
Score6/10-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
Documents/Ransomware.Radamant/Ransomware.Radamant/DUMP_00A10000-00A1D000.exe.ViR
-
Size
52KB
-
MD5
6152709e741c4d5a5d793d35817b4c3d
-
SHA1
05ae9c76f8f85ad2247c06d26a88bbbcfff4d62e
-
SHA256
2c4c8066a1a7dfdf42c57ff4f9016f1ba05bcb004ff8b0ffc0989165d2ad30e2
-
SHA512
1e5ebd53ac942b0f06f759f936efebeeb9a74062647cd978d5112720f772f607b12ee20c02ab838104a7a947fef2fde79b0db944286d8daf2e6e6d16e10b9390
-
SSDEEP
768:UR/FcohAQFBY4JzKNkN3QZ0gGINlVOWcm:U1PhAQztJWNeCVOWc
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
out.upx
-
Size
51KB
-
MD5
8f681b52fcfe200d14c81d297a323cf7
-
SHA1
1375d3c3cb1d2ea8d6f80a2cfe11107d80ad9a34
-
SHA256
a1c1164f6b43a3592a98b29adc045f9ca37ec0624eb2f2c027bfffe24a4915d1
-
SHA512
88f936cfc95833017fefa7a342cb9b41ae7ea2e7123f7e8bb4192db53b0b48998421176132a4ead98fbb25d31d0f1ee8e0f7995d14e94ab3e094d4dcceb7ad36
-
SSDEEP
768:uElAvOs4CTfOgGYdlNGCizSHdq12UMx9s6zAKSXwa/2e:ZlafjVsrODKpKSXN
Score3/10 -
MITRE ATT&CK Matrix ATT&CK v13
Execution
Windows Management Instrumentation
1Scheduled Task/Job
2Scheduled Task
2Command and Scripting Interpreter
2PowerShell
1JavaScript
1Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Boot or Logon Autostart Execution
5Registry Run Keys / Startup Folder
4Port Monitors
1Pre-OS Boot
4Bootkit
4Scheduled Task/Job
2Scheduled Task
2Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Boot or Logon Autostart Execution
5Registry Run Keys / Startup Folder
4Port Monitors
1Scheduled Task/Job
2Scheduled Task
2Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
8Indicator Removal
2File Deletion
2Direct Volume Access
1Pre-OS Boot
4Bootkit
4