4e64776e3c8b0f6e432fb300b8f7d95b10d1a8ec223d15e1462d64cdde555c50

Target

RL.exe
Size

333KB
MD5

981f7a4bb2592bffcbdf543a742cb1a2
SHA1

64d97d061583e343ce7a02a4b905281d95ff0bba
SHA256

4e64776e3c8b0f6e432fb300b8f7d95b10d1a8ec223d15e1462d64cdde555c50
SHA512

b0be15a1d8a80506de3b615f1c5713a9acaf46b9577187f6c1dbfa6539b0641ebc4c83178a3c4bed2342d5e8bea4c910b30853d1e91b87b824d4f9173b46397b

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Readme.txt

Ransom Note

[+] RL Wana-XD ! [+] Don't worry, you can return all your files! The only method of recovering files is to purchase decrypt tool and unique key for you. Please note that you'll never restore your data without payment. To get this software you need write on our e-mail: Wana-XD@bk.ru Reserve e-mail address to contact us: RL000@protonmail.ch Your personal ID: gWnhMKpcu+h+GkPPsy@NsPD8dhmeGV [KEEP IT]

Emails

Wana-XD@bk.ru

RL000@protonmail.ch

Signatures

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1868 1584 WerFault.exe RL.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1868 WerFault.exe
1868 WerFault.exe
1868 WerFault.exe
1868 WerFault.exe
1868 WerFault.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RL.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 1584 RL.exe
Token: SeDebugPrivilege 1868 WerFault.exe

flow	ioc
4	ip-api.com

pid	pid_target	process	target process
1868	1584	WerFault.exe	RL.exe

pid	process
1868	WerFault.exe
1868	WerFault.exe
1868	WerFault.exe
1868	WerFault.exe
1868	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1584	RL.exe
Token: SeDebugPrivilege	1868	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

RL.exe

description	pid	process	target process
PID 1584 wrote to memory of 1868	1584	RL.exe	WerFault.exe
PID 1584 wrote to memory of 1868	1584	RL.exe	WerFault.exe
PID 1584 wrote to memory of 1868	1584	RL.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\RL.exe
"C:\Users\Admin\AppData\Local\Temp\RL.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1584 -s 1296
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1584-55-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/1584-57-0x000000001B880000-0x000000001B882000-memory.dmp

Filesize
8KB

Download
memory/1868-58-0x0000000000000000-mapping.dmp

Download
memory/1868-59-0x000007FEFC3A1000-0x000007FEFC3A3000-memory.dmp

Filesize
8KB

Download
memory/1868-60-0x0000000001C20000-0x0000000001C21000-memory.dmp

Filesize
4KB

Download