Resubmissions
29-12-2021 12:45
211229-py8v3sdddn 1029-12-2021 11:51
211229-n1lb5addbm 829-12-2021 11:50
211229-nzsptaegg6 129-12-2021 11:24
211229-nh59ksege9 128-12-2021 11:54
211228-n21s7sdgg2 828-12-2021 11:53
211228-n2tpwscdbj 128-12-2021 11:51
211228-nz82sscdaq 128-12-2021 11:38
211228-nryk4acdal 1028-12-2021 11:37
211228-nq735sdge9 1General
-
Target
https://www.youtube.com/channel/UCn2OJocEFxegDrjKZMIfnLw
-
Sample
211229-py8v3sdddn
Static task
static1
URLScan task
urlscan1
Sample
https://www.youtube.com/channel/UCn2OJocEFxegDrjKZMIfnLw
Behavioral task
behavioral1
Sample
https://www.youtube.com/channel/UCn2OJocEFxegDrjKZMIfnLw
Resource
win10-en-20211208
Malware Config
Extracted
C:\NMOCWROPZB-MANUAL.txt
gandcrab
http://gandcrabmfe6mnef.onion/6e509012a873ad6d
Extracted
Protocol: ftp- Host:
109.248.203.81 - Port:
21 - Username:
alex - Password:
easypassword
Extracted
lokibot
http://blesblochem.com/two/gates1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
https://www.youtube.com/channel/UCn2OJocEFxegDrjKZMIfnLw
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Modifies visiblity of hidden/system files in Explorer
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Disables use of System Restore points
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Sets DLL path for service in the registry
-
Sets file execution options in registry
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Modifies file permissions
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Modifies WinLogon
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
3Hidden Files and Directories
3Account Manipulation
1Registry Run Keys / Startup Folder
4Winlogon Helper DLL
1Scheduled Task
1Defense Evasion
Modify Registry
12Disabling Security Tools
3Hidden Files and Directories
3Bypass User Account Control
1File Deletion
2Impair Defenses
1File Permissions Modification
1