Antivirus detection for dropped file
Found malware configuration
Found post-exploitation toolkit Empire
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected LockBit ransomware
Yara detected MetasploitPayload
AI detected suspicious sample
Changes the wallpaper picture
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found Tor onion address
Found potential ransomware demand text
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Modifies existing user documents (likely ransomware behavior)
Powershell drops PE file
Sigma detected: Suspicious PowerShell Parameter Substring
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potentially Suspicious Desktop Background Change Via Registry
Uses code obfuscation techniques (call, push, ret)
Yara signature match