Analysis
-
max time kernel
152s -
max time network
129s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
20-10-2021 09:41
General
-
Target
rbs.exe
-
Size
53KB
-
MD5
c6edb2242607a0e09ac7cddc4d65443f
-
SHA1
8a09c4f1b8c930b6f3fff304e4fc6dc12639820d
-
SHA256
4ef4c2b02aeef11ca823584186903598cdf844eb1d089ca94c2aedd776e901cd
-
SHA512
4a79134da78fdf5e11323ad234764c48adc6c7269d7814b8e17373971d3de101e048a7975fb47bf946b6df71f94885ef80ded8903bf31fae49a8e5d21433d692
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������5F FE BF 26 03 CD 19 03 DA CD 9F 7C 95 C8 3A 91
F8 96 27 ED 8F DF 5C 85 DC 9A 6E DA 46 BC 71 EA
C4 32 88 FF 6F DC 5D D2 01 67 5F D7 E3 12 1F 04
0C 09 19 2B 7B A5 A8 24 DD 2F 44 0E 2C 21 30 04
5A CD A8 12 D8 4E C2 83 97 5A C1 11 48 38 06 72
E4 B0 DB 0A 26 C8 76 89 A2 9B 74 BF CB 57 DC AC
10 FB AB 06 3B F6 93 70 07 5F 0F 0B 3A F1 36 7E
E6 68 C0 F7 CF C9 16 CB 54 A3 A9 BA 8F D1 37 5D
5F 99 4D 9E E5 9F 83 91 DB C7 9E 8F 30 AF B6 C0
B9 CD 84 A9 6B C7 BE D5 74 F6 26 F6 7E DA 9F D9
DA D6 BA 0E EE F5 3E 01 38 EA 8C 25 D5 24 1F 7D
4B 5B BD 38 AF 4A 76 E8 71 FD B1 67 65 2E 49 D9
28 51 26 C1 6B BE 1E C9 3C BB AA C5 B5 1B 13 AD
3F E7 1C E9 35 49 F6 77 86 19 77 03 B8 C3 71 C2
6F 45 4D BC 12 F8 F5 03 1F EC 55 10 2D 71 37 88
B8 44 5F B6 FF 5A EA 85 F1 7D C9 21 A4 1A CB 0D
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>.onion
</a><br>
4. Start a chat and follow the further instructions. <br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="help_24_decr1@outlook.com ">help_24_decr1@outlook.com </a>
<br><a href="help_24_decr2@outlook.com">help_24_decr2@outlook.com</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
���������
Emails
href="help_24_decr1@outlook.com
">help_24_decr1@outlook.com
href="help_24_decr2@outlook.com">help_24_decr2@outlook.com</a>
Signatures
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 29 IoCs
-
Drops file in Program Files directory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\rbs.exe"C:\Users\Admin\AppData\Local\Temp\rbs.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1740-54-0x00000000757E1000-0x00000000757E3000-memory.dmpFilesize
8KB