General

  • Target

    VideoEditor.exe

  • Size

    62.5MB

  • Sample

    210717-aq8h1lg1jn

  • MD5

    47f28401a14becddbe633c1e95754654

  • SHA1

    8ca31622ca013007b0fd9e9280474dfd07d5425a

  • SHA256

    7f3f8582de407318c0bfdae79e5a925005a58b84e52a1a153d9937c4b2b1d2f7

  • SHA512

    639a0e0b5a72b8f355cb835070b49f0ec89548cc59db51ecdd69d497e14989b7e15b596b74068381510cf9894315b53d4bd3ce006a25d649135e051e4fed8eb1

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Ransom Note
$$$ RAVACK RANSOMWARE ATTACK $$$ Atention! all your important files were encrypted! To get your files back send 0.02 Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: unlockransomware@protonmail.com. You can send us any of your files by mail and we will prove to you that we can safely decrypt everything. After 48 hours, all files on your computer will be destroyed, without the possibility of recovery. Also we stole some of your personal data that we after will publish if you do not pay. Bitcoin wallet to make the transfer to is: 3FuA6nChPEEiSYnpHyVKuYcSh5Cxx8W44Q3FuA6nChPEEiSYnpHyVKuYcSh5Cxx8W44Q Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ XH+77WHfOaTf+xHcnv7YWVC9x8dyOioTbAWdyS/U+nTYuBrqor/KTNCUAisTwQjMqLNYDi8AUFu4b56296IujP9bQd+MV42De+gIOi6B/Uu56P2Q/C462Ij3PlGqD+fsk0T36XCeATATAzm64igF+apfMucIEoE+/tlFxX/fN1Pi4Im82C1dgvi7XZq0IDrsmuyhqzPR63uXiEDoD58miARxnEZVsarYY2N+nih9h7J84m90cItxRI5qhxIoX3X/OgTQRaiWjNFMberDbcGrgzJdV0juwIgXUnmypxm81JjSliD9Gm4MjsPLxYSdDOajHgt+wx104rFOVDSE6LDnug== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Emails

unlockransomware@protonmail.com

Extracted

Family

raccoon

Botnet

9afd92222900c3bb59b8fcdc4f4e81e4045a6acb

Attributes
  • url4cnc

    https://drive.google.com/uc?export=download&id=1jN5ZmsLRZEQEtxsUIIVXnSOKaqBdnX6Z

rc4.plain
rc4.plain

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Ransom Note
$$$ RAVACK RANSOMWARE ATTACK $$$ Atention! all your important files were encrypted! To get your files back send 0.02 Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: unlockransomware@protonmail.com. You can send us any of your files by mail and we will prove to you that we can safely decrypt everything. After 48 hours, all files on your computer will be destroyed, without the possibility of recovery. Also we stole some of your personal data that we after will publish if you do not pay. Bitcoin wallet to make the transfer to is: 3FuA6nChPEEiSYnpHyVKuYcSh5Cxx8W44Q3FuA6nChPEEiSYnpHyVKuYcSh5Cxx8W44Q Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ iMWLqBe2t7epQTWU9oWUU2E0qD+sjlOXsHDOVs8WO+OrR9saa/EIK3CywThE2J3hSMKgGSTgGz88vg2PqJ9YfHfmsotJy+L9hOBsqrLyF0DAKmWn7ttyLGkjwc4ysF4xUR2GRWPdRqZ7F/tU6sstjn1zAlEGPD+2fc1aG4PIiL9M6FO1siQ/2VuMdZdn8iCBa6KlHIByyxf2iuQTzSCxdD5OkvN2Ezagur0Hb2UV60RjPLiqoVWqHm6PvLsxvoosNrL3SOsGqUDw0ivWwjF+eIZkR1GECfypQOv/mjPTaC/wISNd9KE6FlIm8mHV3o+v4r/a+RVAgmUJhHgCtknKjQ== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Emails

unlockransomware@protonmail.com
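The two extracted notes above differ only in the per-victim Unique Identifier Key. The parser below is an added example (not the sandbox's extractor and not code from this report) that pulls the contact address, the wallet, the ransom amount and deadline, and the identifier blob out of a note of this shape; the note embedded in it is the first copy quoted above with whitespace collapsed and the dash separators shortened. Two details worth checking on this sample: the wallet string in the note is the same 34-character address written twice back to back, so a regex that keys on address length silently picks the wrong thing or nothing, and the identifier decodes to exactly 256 bytes (2048 bits), the size of an RSA-2048 ciphertext, which is consistent with a per-victim key wrapped under the operator's public key. That last point is an inference from the length, not something the report states.

```python
"""Extract IOCs from a RAVACK-style ransom note.

Added example, not code from the report. NOTE is the first note quoted on
the page with whitespace collapsed and the dash separators shortened; the
field names and parsing logic are this example's own."""
import base64
import re
from dataclasses import dataclass

NOTE = (
    "$$$ RAVACK RANSOMWARE ATTACK $$$ Atention! all your important files were encrypted! "
    "To get your files back send 0.02 Bitcoins and contact us with proof of payment and your "
    "Unique Identifier Key. We will send you a decryption tool with your personal decryption "
    "password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com "
    "Contact: unlockransomware@protonmail.com. You can send us any of your files by mail and we "
    "will prove to you that we can safely decrypt everything. After 48 hours, all files on your "
    "computer will be destroyed, without the possibility of recovery. Also we stole some of your "
    "personal data that we after will publish if you do not pay. Bitcoin wallet to make the "
    "transfer to is: 3FuA6nChPEEiSYnpHyVKuYcSh5Cxx8W44Q3FuA6nChPEEiSYnpHyVKuYcSh5Cxx8W44Q "
    "Unique Identifier Key (must be sent to us together with proof of payment): ---------- "
    "XH+77WHfOaTf+xHcnv7YWVC9x8dyOioTbAWdyS/U+nTYuBrqor/KTNCUAisTwQjMqLNYDi8AUFu4b56296IujP9bQd"
    "+MV42De+gIOi6B/Uu56P2Q/C462Ij3PlGqD+fsk0T36XCeATATAzm64igF+apfMucIEoE+/tlFxX/fN1Pi4Im82C1d"
    "gvi7XZq0IDrsmuyhqzPR63uXiEDoD58miARxnEZVsarYY2N+nih9h7J84m90cItxRI5qhxIoX3X/OgTQRaiWjNFMbe"
    "rDbcGrgzJdV0juwIgXUnmypxm81JjSliD9Gm4MjsPLxYSdDOajHgt+wx104rFOVDSE6LDnug== ----------"
)

MARKER_RE = re.compile(r"\$\$\$\s*(.+?)\s*\$\$\$")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
WALLET_RE = re.compile(r"Bitcoin wallet to make the transfer to is:\s*(\S+)")
KEY_RE = re.compile(r"Unique Identifier Key \(must be sent[^)]*\):\s*-{5,}\s*(\S+)\s*-{5,}")
AMOUNT_RE = re.compile(r"send ([0-9.]+) Bitcoins")
DEADLINE_RE = re.compile(r"After (\d+) hours")
# Base58 alphabet (no 0, O, I, l); structural check only, no Base58Check checksum here.
BASE58_RE = re.compile(r"^[1-9A-HJ-NP-Za-km-z]{26,35}$")


@dataclass
class RansomNoteIOCs:
    family_marker: str
    emails: list
    wallets: list
    amount_btc: str
    deadline_hours: int
    victim_key: bytes  # decoded Unique Identifier Key


def shortest_repeat_unit(token: str) -> str:
    """Return the shortest string that, repeated, forms token (token itself if none).

    The note's wallet field is the same address concatenated twice; this
    collapses it back to a single address without guessing a fixed length."""
    n = len(token)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and token[:size] * (n // size) == token:
            return token[:size]
    return token


def parse_note(text: str) -> RansomNoteIOCs:
    text = " ".join(text.split())  # collapse newlines and runs of spaces
    marker = MARKER_RE.search(text)
    wallets = []
    m = WALLET_RE.search(text)
    if m:
        unit = shortest_repeat_unit(m.group(1))
        if BASE58_RE.match(unit):
            wallets.append(unit)
    m = KEY_RE.search(text)
    key = base64.b64decode(m.group(1), validate=True) if m else b""
    amount = AMOUNT_RE.search(text)
    deadline = DEADLINE_RE.search(text)
    return RansomNoteIOCs(
        family_marker=marker.group(1) if marker else "",
        emails=sorted(set(EMAIL_RE.findall(text))),
        wallets=wallets,
        amount_btc=amount.group(1) if amount else "",
        deadline_hours=int(deadline.group(1)) if deadline else 0,
        victim_key=key,
    )


if __name__ == "__main__":
    ioc = parse_note(NOTE)
    print(ioc.family_marker, ioc.emails, ioc.wallets, ioc.amount_btc, ioc.deadline_hours)
    print(f"identifier: {len(ioc.victim_key)} bytes ({len(ioc.victim_key) * 8} bits)")
```

The same function runs unchanged over the second note on the page; only the decoded identifier differs. Keep the raw base64 alongside the decoded bytes when you file the IOCs, since the identifier is what the operator keys the victim on and it is the one field that is unique per infection.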

Targets

    • Target

      VideoEditor.exe

    • Size

      62.5MB

    • MD5

      47f28401a14becddbe633c1e95754654

    • SHA1

      8ca31622ca013007b0fd9e9280474dfd07d5425a

    • SHA256

      7f3f8582de407318c0bfdae79e5a925005a58b84e52a1a153d9937c4b2b1d2f7

    • SHA512

      639a0e0b5a72b8f355cb835070b49f0ec89548cc59db51ecdd69d497e14989b7e15b596b74068381510cf9894315b53d4bd3ce006a25d649135e051e4fed8eb1

    • Raccoon

      Simple but capable infostealer that was very active in 2019.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
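The signature list above is the sandbox's verdict; on a live host the same behaviours have to be recovered from telemetry. The rule set below is an added example (not Triage's detection logic and not code from this report) that maps a handful of constructed, Sysmon-shaped events to the signature names and ATT&CK v6 IDs used on this page. The registry paths it keys on (the VBOX__ ACPI table, SystemBiosVersion under HARDWARE\DESCRIPTION, HKCU\Software\Wine, DisableTaskMgr under Policies\System, the Uninstall key), the vssadmin/wmic command lines and the raw-disk device path are well-known indicators assumed by the example; the report itself does not list them. The Google Drive URL is the url4cnc value from the Raccoon config above.

```python
"""Map host telemetry to the Triage signatures and ATT&CK v6 IDs on this page.

Added example, not Triage's own logic. EVENTS are constructed, Sysmon-shaped
records; the registry paths and command lines are well-known indicators this
example assumes, not values the report lists."""
import re

EVENTS = [
    {"type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "cmdline": "wmic shadowcopy delete"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "DisableTaskMgr", "data": 1},
    {"type": "reg_query", "key": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "reg_query", "key": r"HKLM\HARDWARE\DESCRIPTION\System", "value": "SystemBiosVersion"},
    {"type": "reg_query", "key": r"HKCU\Software\Wine"},
    {"type": "reg_enum", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"},
    {"type": "file_write", "path": r"\\.\PhysicalDrive0"},
    {"type": "net", "url": "https://drive.google.com/uc?export=download&id=1jN5ZmsLRZEQEtxsUIIVXnSOKaqBdnX6Z"},
    # Benign controls: neither should fire.
    {"type": "process", "cmdline": "explorer.exe"},
    {"type": "reg_query", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
]

# (signature name as used on this page, ATT&CK v6 ID, event types it applies to, pattern)
RULES = [
    ("Deletes shadow copies", "T1490", {"process"},
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("Disables Task Manager via registry modification", "T1112", {"reg_set"},
     re.compile(r"\\Policies\\System\\DisableTaskMgr=1$", re.I)),
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)", "T1497", {"reg_query"},
     re.compile(r"^HKLM\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("Checks BIOS information in registry", "T1497", {"reg_query"},
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(?:SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$", re.I)),
    ("Identifies Wine through registry keys", "T1497", {"reg_query"},
     re.compile(r"^HKCU\\Software\\Wine(?:\\|$)", re.I)),
    ("Checks installed software on the system", "T1012", {"reg_enum"},
     re.compile(r"\\CurrentVersion\\Uninstall(?:\\|$)", re.I)),
    ("Writes to the Master Boot Record (MBR)", "T1067", {"file_write"},
     re.compile(r"^\\\\\.\\PhysicalDrive\d+$", re.I)),
    ("Legitimate hosting services abused for malware hosting/C2", "T1102", {"net"},
     re.compile(r"^https?://drive\.google\.com/uc\?export=download", re.I)),
]


def event_text(ev: dict) -> str:
    """Flatten one event into the single string the rules are matched against.

    Registry events become KEY[\\VALUE][=DATA] so one regex can pin key, value and data."""
    if ev["type"] == "process":
        return ev["cmdline"]
    if ev["type"] == "net":
        return ev["url"]
    if ev["type"] == "file_write":
        return ev["path"]
    text = ev["key"]
    if ev.get("value"):
        text += "\\" + ev["value"]
    if "data" in ev:
        text += "=" + str(ev["data"])
    return text


def detect(events, rules=RULES):
    """Return one finding per (event, rule) pair that matches."""
    findings = []
    for ev in events:
        text = event_text(ev)
        for name, technique, types, pattern in rules:
            if ev["type"] in types and pattern.search(text):
                findings.append({"signature": name, "technique": technique, "event": text})
    return findings


def techniques(findings):
    """Sorted, de-duplicated ATT&CK IDs, i.e. the rows of the matrix a host would light up."""
    return sorted({f["technique"] for f in findings})


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['technique']:<6} {f['signature']:<62} {f['event']}")
```

The three T1497 rules fire on plain registry reads, which Sysmon does not record (it logs key creation, deletion, renames and value sets, not queries); to get those events on a real host you need an API-level source such as ETW registry tracing or an EDR, which is why the sandbox sees them and a default Sysmon deployment would not.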

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic               Technique                        Signatures  ID
Persistence          Bootkit                          1           T1067
Defense Evasion      File Deletion                    2           T1107
Defense Evasion      Virtualization/Sandbox Evasion   2           T1497
Defense Evasion      Modify Registry                  2           T1112
Defense Evasion      Install Root Certificate         1           T1130
Credential Access    Credentials in Files             1           T1081
Discovery            Query Registry                   5           T1012
Discovery            Virtualization/Sandbox Evasion   2           T1497
Discovery            System Information Discovery     4           T1082
Discovery            Peripheral Device Discovery      1           T1120
Collection           Data from Local System           1           T1005
Command and Control  Web Service                      1           T1102
Impact               Inhibit System Recovery          2           T1490

The IDs are ATT&CK v6. In current ATT&CK several of them have been folded into sub-techniques: T1067 Bootkit is T1542.003, T1107 File Deletion is T1070.004, T1081 Credentials in Files is T1552.001 and T1130 Install Root Certificate is T1553.004. Map them before correlating this report with detections written against a newer matrix.

Tasks