Overview

overview

10

Static

static

RL.exe

windows7_x64

10

RL.exe

windows10_x64

10

Resubmissions

30/09/2022, 10:35

220930-mm59psebhl 6

29/09/2022, 13:01

220929-p9fcxaahd8 6

17/12/2021, 18:47

211217-xfnq7aegfp 10

16/12/2021, 14:14

211216-rj2vbsccc8 10

16/12/2021, 14:07

211216-re4s5achhj 10

Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    16/12/2021, 14:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RL.exe

  • Size

    333KB

  • MD5

    981f7a4bb2592bffcbdf543a742cb1a2

  • SHA1

    64d97d061583e343ce7a02a4b905281d95ff0bba

  • SHA256

    4e64776e3c8b0f6e432fb300b8f7d95b10d1a8ec223d15e1462d64cdde555c50

  • SHA512

    b0be15a1d8a80506de3b615f1c5713a9acaf46b9577187f6c1dbfa6539b0641ebc4c83178a3c4bed2342d5e8bea4c910b30853d1e91b87b824d4f9173b46397b

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Readme.txt

Ransom Note
[+] RL Wana-XD ! [+] Don't worry, you can return all your files! The only method of recovering files is to purchase decrypt tool and unique key for you. Please note that you'll never restore your data without payment. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: gWnhMKpcu+h+GkPPsy@NsPD8dhmeGV [KEEP IT]

Signatures

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RL.exe
    "C:\Users\Admin\AppData\Local\Temp\RL.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1584 -s 1296
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1584-55-0x0000000000830000-0x0000000000831000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1584-57-0x000000001B880000-0x000000001B882000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1868-59-0x000007FEFC3A1000-0x000007FEFC3A3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1868-60-0x0000000001C20000-0x0000000001C21000-memory.dmp

    Filesize

    4KB

    Download