Overview

overview

10

Static

static

RL.exe

windows7_x64

10

RL.exe

windows10_x64

10

Resubmissions

30/09/2022, 10:35

220930-mm59psebhl 6

29/09/2022, 13:01

220929-p9fcxaahd8 6

17/12/2021, 18:47

211217-xfnq7aegfp 10

16/12/2021, 14:14

211216-rj2vbsccc8 10

16/12/2021, 14:07

211216-re4s5achhj 10

Analysis

  • max time kernel
    236s
  • max time network
    123s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    16/12/2021, 14:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RL.exe

  • Size

    333KB

  • MD5

    981f7a4bb2592bffcbdf543a742cb1a2

  • SHA1

    64d97d061583e343ce7a02a4b905281d95ff0bba

  • SHA256

    4e64776e3c8b0f6e432fb300b8f7d95b10d1a8ec223d15e1462d64cdde555c50

  • SHA512

    b0be15a1d8a80506de3b615f1c5713a9acaf46b9577187f6c1dbfa6539b0641ebc4c83178a3c4bed2342d5e8bea4c910b30853d1e91b87b824d4f9173b46397b

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Readme.txt

Ransom Note
[+] RL Wana-XD ! [+] Don't worry, you can return all your files! The only method of recovering files is to purchase decrypt tool and unique key for you. Please note that you'll never restore your data without payment. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: RLOeXGCf=4ED=igNkTvoOygG8=xxHu [KEEP IT]

Signatures

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RL.exe
    "C:\Users\Admin\AppData\Local\Temp\RL.exe"
    1⤵
    • Enumerates connected drives
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3692
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Readme.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2000
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2220

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3692-115-0x00000146809A0000-0x00000146809A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3692-117-0x000001469B020000-0x000001469B022000-memory.dmp

      Filesize

      8KB

      Download