Managed XDR

07_ransomioc.exe (ProLock, Conti, Shade, Locky, Babuk, Apocalypse, Avaddon, Bart, Cerber, Clop, Crylocker, CryptXXX, Hakbit, QNAPcrypt, AlphaCrypt, Fantom, Fsociety, Herbst, Lockbit, LockerGoga, Locklock, Phobos, Razy, Ryuk, Toxcrypt, WannaCry, TeslaCrypt, Unlock92, Chimera, Thanos, Dharma, Domino, 7ev3n, Radamant Ransomware Kit, REKTlocker, Sage, CrypVault, VenusLocker, Wildfire, Medusa, Maze, Lorenz, Ransomexx, SunCrypt, BlackCat, BlackMatter, RagnarLocker, WhiteRabbit, Diavol, Avos, Hive, Sodinokibi, ALPHV) — malware analysis report

File info

Filename
07_ransomioc.exe
File type
PE32+ executable (console) x86-64, for MS Windows
File size
2.4 MB
First seen
Last seen

Environment

win7/x64 en

Hashes

SHA1
7c1eea8e5b1d08724981d7162a09a5c71b841f09
SHA256
151659f1a61331a047c40000da1928b15cc8f685a04f140256ed11245d278ebb
MD5
e8e14aad60e070c7203a0bfb55f073d9

Malware families (sandbox labels)

  • ProLock
  • Conti
  • Shade
  • Locky
  • Babuk
  • Apocalypse
  • Avaddon
  • Bart
  • Cerber
  • Clop
  • Crylocker
  • CryptXXX
  • Hakbit
  • QNAPcrypt
  • AlphaCrypt
  • Fantom
  • Fsociety
  • Herbst
  • Lockbit
  • LockerGoga
  • Locklock
  • Phobos
  • Razy
  • Ryuk
  • Toxcrypt
  • WannaCry
  • TeslaCrypt
  • Unlock92
  • Chimera
  • Thanos
  • Dharma
  • Domino
  • 7ev3n
  • Radamant Ransomware Kit
  • REKTlocker
  • Sage
  • CrypVault
  • VenusLocker
  • Wildfire
  • Medusa
  • Maze
  • Lorenz
  • Ransomexx
  • SunCrypt
  • BlackCat
  • BlackMatter
  • RagnarLocker
  • WhiteRabbit
  • Diavol
  • Avos
  • Hive
  • Sodinokibi
  • ALPHV

Signatures

Privilege Escalation

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1036 system_filename: Created a file named as a common system file
T1134 opens_process_token: Opens the access token associated with a process

Impact

T1486 ransomware_message: Ransomware indicators detected (possible ransom message creation)
T1486 ransomware_files: Ransomware indicators detected ProLock/Conti/GlobeImposter/BasilisqueLocker/CryptXXX/Shade/Maze/Medusa/Locky/Babuk (creates keys and the instruction on how to unlock the files)
T1486 ransomware_extensions: Ransomware(s) 7ev3n, Alcatraz, AlphaCrypt, AngryDuck, Apocalypse, Avaddon, Bart, CHIP, Cerber, Chimera, Clop, ComradeCircle, Conti, CryLocker, CrypVault, CryptXXX, CryptoMix, CryptoShield, Crysis, DXXD, Dharma, Domino, DummyLocker, Enigma, Exotic, FSociety, Fantom, Globe (aka Purga), Gremit, Hakbit, Herbst, Karma, KillerLocker, Kraken, LeChiffre, LegionLocker, LockLock, Lockbit, LockerGoga, Locky, Macop, Nuke, Odin, Phobos, Purge, QNAPCrypt, RadamantRansomwareKit, Razy, Rektlocker, Ryuk, Sage, Serpent, Shade, Teslacrypt, Thanos, ToxCrypt, Unlock92, VenusLocker, Vindows, Wannacry, WildFire indicators detected (specific extension is added to files)
T1486 ransomware_files_2: Ransomware(s) Apocalypse, BianLian, Conti, GlobeImposter, Karma, Locky, Lorenz, Maze, MedusaLocker, ProLock, RansomEXX, WaspLocker indicators detected (creates keys and the instruction on how to unlock the files)
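The three T1486 signatures above key on two behaviours that can be observed from file-system telemetry without any family-specific knowledge: the same new extension being appended to many files in a short time, and an instruction file (the "how to unlock" note) being dropped alongside them. The report does not publish the extension and note-name lists the sandbox uses, so the following is a generic, added example of that detection logic (not the sandbox's own code), run over a small set of constructed file events. Process IDs, paths, the note-name pattern, the 60-second window and the 10-file threshold are all assumptions chosen for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Heuristic parameters (assumed values, not taken from the report).
WINDOW_SECONDS = 60      # sliding window for counting extension changes
MIN_FILES = 10           # renames with the same new extension needed to call it a burst
NOTE_EXTS = {".txt", ".html", ".hta", ".url"}
NOTE_NAME_RE = re.compile(r"(readme|decrypt|restore|recover|how[_ -]?to|unlock|ransom)", re.I)


def constructed_events():
    """Constructed sample telemetry: (timestamp, pid, op, path, destination_path)."""
    ev = []
    # Hypothetical pid 4242 appends .locked to 12 documents over ~30 s, then drops a note.
    for i in range(12):
        src = rf"C:\Users\victim\Documents\report{i}.docx"
        ev.append((100.0 + i * 2.5, 4242, "rename", src, src + ".locked"))
    ev.append((131.0, 4242, "create", r"C:\Users\victim\Documents\HOW_TO_RESTORE_FILES.txt", None))
    # Hypothetical pid 1337 renames two photos: a new extension, but far below the burst threshold.
    ev.append((200.0, 1337, "rename", r"C:\Users\victim\Pictures\a.jpeg", r"C:\Users\victim\Pictures\a.jpg"))
    ev.append((201.0, 1337, "rename", r"C:\Users\victim\Pictures\b.jpeg", r"C:\Users\victim\Pictures\b.jpg"))
    # Hypothetical pid 2020 writes an installer README: the name heuristic alone is not conclusive.
    ev.append((300.0, 2020, "create", r"C:\Program Files\Tool\README.txt", None))
    return ev


def analyze(events, window=WINDOW_SECONDS, min_files=MIN_FILES):
    """Return {pid: finding} for processes showing ransomware-like file activity."""
    renames = defaultdict(list)   # (pid, new_extension) -> [timestamps]
    notes = defaultdict(list)     # pid -> [paths of note-like files created]

    for ts, pid, op, path, dst in events:
        if op == "rename" and dst:
            old_ext = ntpath.splitext(path)[1].lower()
            new_ext = ntpath.splitext(dst)[1].lower()
            if new_ext and new_ext != old_ext:          # extension actually changed
                renames[(pid, new_ext)].append(ts)
        elif op == "create":
            stem, ext = ntpath.splitext(ntpath.basename(path))
            if ext.lower() in NOTE_EXTS and NOTE_NAME_RE.search(stem):
                notes[pid].append(path)

    # For each (pid, extension) find the densest window of renames.
    bursts = {}                   # pid -> (extension, count in best window)
    for (pid, ext), stamps in renames.items():
        stamps.sort()
        best, j = 0, 0
        for i, t in enumerate(stamps):
            while stamps[j] < t - window:   # slide the left edge forward
                j += 1
            best = max(best, i - j + 1)
        if best >= min_files and best > bursts.get(pid, ("", 0))[1]:
            bursts[pid] = (ext, best)

    findings = {}
    for pid in set(bursts) | set(notes):
        ext, count = bursts.get(pid, (None, 0))
        findings[pid] = {
            # Both behaviours together is the strong signal; either alone is only suspicious.
            "verdict": "ransomware" if pid in bursts and pid in notes else "suspicious",
            "extension": ext,
            "renamed_files": count,
            "ransom_notes": sorted(notes.get(pid, [])),
        }
    return findings


if __name__ == "__main__":
    for pid, f in sorted(analyze(constructed_events()).items()):
        print(pid, f)
```

The burst check deliberately ignores which extension is used, so it also catches families whose extension is not on any list; the cost is that name-only matches (the README case) must stay at "suspicious" until a second behaviour corroborates them.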

Other

yara_rules: Static rules
ce_info: Diavol, BlackMatter, REvil note Configuration Data found
suncrypt: Detected SunCrypt ransomware
ransomware_blackcat: Detected BlackCat ransomware
blackmatter: Detected ransomware BlackMatter
ransomware_ragnarlocker: Detected RagnarLocker ransomware
ransomware_whiterabbit: Detected WhiteRabbit ransomware
ransomware_dharma: Detected Dharma ransomware
diavol: Detected Diavol ransomware
lorenz: Detected Lorenz ransomware
ransomware_avos: Detected Avos ransomware
hive: Detected Hive ransomware
revil: Ransomware REvil indicators detected
lockbit: Detected ransomware Lockbit
creates_exe: Creates executable files in the file system
creates_doc: Creates (office) documents in the file system
http_file_not_found: Attempts to download EXE or DLL file but receives HTML with an error
pe_overlay: PE file contains overlay
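The pe_overlay signature means the file carries bytes past the end of the last section's raw data, which the loader never maps; ransomware builders and packers commonly keep configuration, encrypted payloads or ransom-note templates there, but a legitimate Authenticode signature also lives in that region. The following added example (not the sandbox's code) shows how the check is computed from the section table, and how to tell a signature-only overlay from an arbitrary one via the security data directory. Because no sample bytes are published here, it builds its own minimal PE32+ images in memory; the builder, the section name and the overlay contents are constructed for illustration.

```python
import struct

FILE_ALIGN = 0x200
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def _align(n, a=FILE_ALIGN):
    return (n + a - 1) // a * a


def build_minimal_pe(section_payload: bytes, overlay: bytes = b"", sign_overlay: bool = False) -> bytes:
    """Constructed, non-runnable PE32+ image with one section; optionally appends an overlay.
    With sign_overlay=True the security directory is pointed at the overlay, mimicking an
    Authenticode certificate table."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # x86-64, 1 section, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                    # Magic: PE32+
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    raw_ptr = _align(64 + 4 + 20 + 240 + 40)                 # first section data after aligned headers
    raw_size = _align(len(section_payload))
    if sign_overlay:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         raw_ptr + raw_size, len(overlay))   # security dir is a file offset, not an RVA
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", len(section_payload), 0x1000,
                       raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(raw_ptr, b"\0")
    return headers + section_payload.ljust(raw_size, b"\0") + overlay


def find_overlay(data: bytes):
    """Return None if the file ends with the last section, else a dict describing the overlay."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    is_plus = magic == 0x20B
    ndirs = struct.unpack_from("<I", data, opt + (108 if is_plus else 92))[0]
    cert_off, cert_size = 0, 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        dir_base = opt + (112 if is_plus else 96)
        cert_off, cert_size = struct.unpack_from("<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

    sect_table = opt + opt_size
    end = sect_table + 40 * nsect                            # at minimum the headers themselves
    for i in range(nsect):
        _, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sect_table + 40 * i)
        end = max(end, raw_ptr + raw_size)                   # highest file offset any section reaches

    if end >= len(data):
        return None
    tail = data[end:]
    return {
        "offset": end,
        "size": len(tail),
        # An overlay that is exactly the certificate table is a signature, not hidden payload.
        "authenticode_only": cert_off == end and cert_size == len(tail),
        "preview": tail[:16],
    }


if __name__ == "__main__":
    sample = build_minimal_pe(b"\xCC" * 100, overlay=b"CONFIG:" + b"A" * 50)
    print(find_overlay(sample))
```

On a real sample the next step is to carve the overlay at the reported offset and look at its entropy and magic bytes; a high-entropy blob that is not the certificate table is the usual sign of an embedded encrypted payload or configuration.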
