Resubmissions

20-03-2022 09:45

220320-lref4sbghm 10

20-03-2022 08:52

220320-ks5t1sbca7 10

20-03-2022 07:17

220320-h4fyxsaee6 10

20-03-2022 06:45

220320-hjkrdaabg5 10

General

  • Target

    13160edab74cc2dd34653920d4bf56e487fea2fd6adf8249e0be9215ced902b4

  • Size

    2.6MB

  • Sample

    220320-ks5t1sbca7

  • MD5

    7f6060451f81564336bd5d9e5c95797a

  • SHA1

    70c756af084d013e703d5e1c0f561eea6cb2f781

  • SHA256

    13160edab74cc2dd34653920d4bf56e487fea2fd6adf8249e0be9215ced902b4

  • SHA512

    c5263836ef7264e48e4166042827340244fe430b490ad41acde7fef378757731e7d3fecfe05c5d75695d32dcba7a13db86bea36366c5f4fb1e0ea3e321032abf

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\sample.txt

Family

ryuk

Ransom Note
%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to interact with the remote access Trojan installed on the victim but instead uses malicious PDF documents which are transmitted via email. The threat actors have used the backdoor since at least 2013 to stay under the radar in an attempt to steal sensitive information. 
The attacks are able to go unnoticed by interacting with Microsoft Outlook using the Messaging Application Programming Interface (MAPI).","threat_level_id":2,"kb_article_link":null,"coverage":{"dat_version":{"min":3629}},"updated_on":"2021-05-07T09:35:07.000Z","external_analysis":{"links":["https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"]},"is_coat":1,"created_on":"2020-06-14T13:56:31.000Z"}]},{"id":"553f5c1e-a363-4b45-8eac-425444a78b00","type":"vulnerability","category":"External analysis","value":"CVE-2019-1003029","comment":"A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier","description":"","mitre_techniques":[],"campaigns":[{"id":"6f03a212-a5c5-4146-ac93-b57af6ebcf57","name":"Multiple Vulnerabilities And Tactics Used To Spread Capoae Malware","description":"The Capoae malicious software exploited multiple vulnerabilities and used weak credentials to attack Oracle WebLogic, ThinkPHP, WordPress, and Jenkins servers. Web shells, port scanners, and XMRig mining software were dropped onto the infected systems to mine for digital currency and find additional devices to infect. The malware maintained persistence by adding an entry to crontab and adding a public key into the SSH authorized_keys file. \r\n\r\nMcAfee’s ATR Team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. 
This campaign was researched by Akamai Technologies and shared publicly https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread","threat_level_id":3,"kb_article_link":null,"coverage":null,"updated_on":"2021-09-22T21:08:45.000Z","external_analysis":{"links":["https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread"]},"is_coat":0,"created_on":"2021-09-22T21:08:45.000Z"}]},{"id":"55424f67-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts dropped","value":"rule turla_outlook_gen { \n meta: \n author = \"ESET Research\" \n date = \"22-08-2018\" \n description = \"Turla Outlook malware\" \n reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" \n source = \"https://github.com/eset/malware-ioc/\" \n contact = \"github@eset.com\" \n license = \"BSD 2-Clause\" \n strings: \n $s1 = \"Outlook\" ascii wide \n $s2 = \"Outlook Express\" ascii wide \n $s3 = \"Outlook watchdog\" ascii wide \n $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide \n $s5 = \"Mail Event Window\" ascii wide \n $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide \n $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! 
%d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to interact with the remote access Trojan installed on the victim but instead uses malicious PDF documents which are transmitted via email. The threat actors have used the backdoor since at least 2013 to stay under the radar in an attempt to steal sensitive information. The attacks are able to go unnoticed by interacting with Microsoft Outlook using the Messaging Application Programming Interface (MAPI).","threat_level_id":2,"kb_article_link":null,"coverage":{"dat_version":{"min":3629}},"updated_on":"2021-05-07T09:35:07.000Z","external_analysis":{"links":["https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"]},"is_coat":1,"created_on":"2020-06-14T13:56:31.000Z"}]},{"id":"55459d45-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts dropped","value":"rule turla_outlook_gen { \n meta: \n author = \"ESET Research\" \n date = \"22-08-2018\" \n description = \"Turla Outlook malware\" \n reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" \n source = \"https://github.com/eset/malware-ioc/\" \n contact = \"github@eset.com\" \n license = \"BSD 2-Clause\" \n strings: \n $s1 = \"Outlook\" ascii wide \n $s2 = \"Outlook Express\" ascii wide \n $s3 = \"Outlook watchdog\" ascii wide \n $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide \n $s5 = \"Mail Event Window\" ascii wide \n $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide \n $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = 
\"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to interact with the remote access Trojan installed on the victim but instead uses malicious PDF documents which are transmitted via email. The threat actors have used the backdoor since at least 2013 to stay under the radar in an attempt to steal sensitive information. 
The attacks are able to go unnoticed by interacting with Microsoft Outlook using the Messaging Application Programming Interface (MAPI).","threat_level_id":2,"kb_article_link":null,"coverage":{"dat_version":{"min":3629}},"updated_on":"2021-05-07T09:35:07.000Z","external_analysis":{"links":["https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"]},"is_coat":1,"created_on":"2020-06-14T13:56:31.000Z"}]},{"id":"5548bf24-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts dropped","value":"rule turla_outlook_gen { \n meta: \n author = \"ESET Research\" \n date = \"22-08-2018\" \n description = \"Turla Outlook malware\" \n reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" \n source = \"https://github.com/eset/malware-ioc/\" \n contact = \"github@eset.com\" \n license = \"BSD 2-Clause\" \n strings: \n $s1 = \"Outlook\" ascii wide \n $s2 = \"Outlook Express\" ascii wide \n $s3 = \"Outlook watchdog\" ascii wide \n $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide \n $s5 = \"Mail Event Window\" ascii wide \n $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide \n $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! 
%d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to interact with the remote access Trojan installed on the victim but instead uses malicious PDF documents which are transmitted via email. The threat actors have used the backdoor since at least 2013 to stay under the radar in an attempt to steal sensitive information. The attacks are able to go unnoticed by interacting with Microsoft Outlook using the Messaging Application Programming Interface (MAPI).","threat_level_id":2,"kb_article_link":null,"coverage":{"dat_version":{"min":3629}},"updated_on":"2021-05-07T09:35:07.000Z","external_analysis":{"links":["https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"]},"is_coat":1,"created_on":"2020-06-14T13:56:31.000Z"}]},{"id":"554c1128-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts dropped","value":"rule turla_outlook_gen { \n meta: \n author = \"ESET Research\" \n date = \"22-08-2018\" \n description = \"Turla Outlook malware\" \n reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" \n source = \"https://github.com/eset/malware-ioc/\" \n contact = \"github@eset.com\" \n license = \"BSD 2-Clause\" \n strings: \n $s1 = \"Outlook\" ascii wide \n $s2 = \"Outlook Express\" ascii wide \n $s3 = \"Outlook watchdog\" ascii wide \n $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide \n $s5 = \"Mail Event Window\" ascii wide \n $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide \n $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = 
\"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! %d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to interact with the remote access Trojan installed on the victim but instead uses malicious PDF documents which are transmitted via email. The threat actors have used the backdoor since at least 2013 to stay under the radar in an attempt to steal sensitive information. 
The attacks are able to go unnoticed by interacting with Microsoft Outlook using the Messaging Application Programming Interface (MAPI).","threat_level_id":2,"kb_article_link":null,"coverage":{"dat_version":{"min":3629}},"updated_on":"2021-05-07T09:35:07.000Z","external_analysis":{"links":["https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"]},"is_coat":1,"created_on":"2020-06-14T13:56:31.000Z"}]},{"id":"554f1351-afc2-11eb-9d72-02d538d9640e","type":"yara","category":"Artifacts dropped","value":"rule turla_outlook_gen { \n meta: \n author = \"ESET Research\" \n date = \"22-08-2018\" \n description = \"Turla Outlook malware\" \n reference = \"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf\" \n source = \"https://github.com/eset/malware-ioc/\" \n contact = \"github@eset.com\" \n license = \"BSD 2-Clause\" \n strings: \n $s1 = \"Outlook\" ascii wide \n $s2 = \"Outlook Express\" ascii wide \n $s3 = \"Outlook watchdog\" ascii wide \n $s4 = \"Software\\\\RIT\\\\The Bat!\" ascii wide \n $s5 = \"Mail Event Window\" ascii wide \n $s6 = \"Software\\\\Mozilla\\\\Mozilla Thunderbird\\\\Profiles\" ascii wide \n $s7 = \"%%PDF-1.4\\n%%%c%c\\n\" ascii wide \n $s8 = \"%Y-%m-%dT%H:%M:%S+0000\" ascii wide \n $s9 = \"rctrl_renwnd32\" ascii wide \n $s10 = \"NetUIHWND\" ascii wide \n $s11 = \"homePostalAddress\" ascii wide \n $s12 = \"/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=\" ascii wide \n $s13 = \"Re:|FWD:|AW:|FYI:|NT|QUE:\" ascii wide \n $s14 = \"IPM.Note\" ascii wide \n $s15 = \"MAPILogonEx\" ascii wide \n $s16 = \"pipe\\\\The Bat! 
%d CmdLine\" ascii wide \n $s17 = \"PowerShellRunner.dll\" ascii wide \n $s18 = \"cmd container\" ascii wide \n $s19 = \"mapid.tlb\" ascii wide nocase \n $s20 = \"Content-Type: F)*+\" ascii wide fullword \n condition: \n 5 of them \n }","comment":"","description":"","mitre_techniques":[],"campaigns":[{"id":"d9ba4fe0-ae46-11ea-9477-02d538d9640e","name":"Operation Outlook Backdoor","description":"The campaign was discovered in 2018 and does not use command and control servers to
Emails

github@eset.com

cdoman@cadosecurity.com

URLs

https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread

https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/

https://www.cadosecurity.com/post/triage-analysis-of-serv-u-ftp-user-backdoor-deployed-by-cve-2021-35211

https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211

https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html

https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/looking-over-the-nation-state-actors-shoulders.html

https://unit42.paloaltonetworks.com/bazarloader-malware/

https://kc.mcafee.com/corporate/index?page=content&id=KB95149

https://github.com/Neo23x0/signature-base/blob/master/LICENSE

https://www.trendmicro.com/en_us/research/21/i/cryptominer-z0miner-uses-newly-discovered-vulnerability-cve-2021.html

https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/

https://github.com/craiu/iocs/blob/main/lemonduck/hashes.txt

https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/

https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine

http://45.9.148[.]182/bin/bot/chimera.cc

https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools

https://securityaffairs.co/wordpress/123535/cyber-crime/teamtnt-docker-attack.html

https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html

https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment

https://blog.talosintelligence.com/2017/05/wannacry.html

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/

https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/

https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100

https://github.com/Neo23x0/Raccine#the-process

https://github.com/Neo23x0/Raccine/blob/main/yara/gen_ransomware_command_lines.yar

Targets

    • Target

      13160edab74cc2dd34653920d4bf56e487fea2fd6adf8249e0be9215ced902b4

    • Size

      2.6MB

    • MD5

      7f6060451f81564336bd5d9e5c95797a

    • SHA1

      70c756af084d013e703d5e1c0f561eea6cb2f781

    • SHA256

      13160edab74cc2dd34653920d4bf56e487fea2fd6adf8249e0be9215ced902b4

    • SHA512

      c5263836ef7264e48e4166042827340244fe430b490ad41acde7fef378757731e7d3fecfe05c5d75695d32dcba7a13db86bea36366c5f4fb1e0ea3e321032abf

    • Registers COM server for autorun

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Executes dropped EXE

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

2
T1060

Defense Evasion

Modify Registry

2
T1112

Discovery

Query Registry

4
T1012

System Information Discovery

6
T1082

Peripheral Device Discovery

1
T1120

Command and Control

Web Service

1
T1102

Tasks