efb0f928648e6988c29bb03bb6b14f2760870f3040f0195ca1c6ad8ac5fa2dee

General

Target

ransomito.exe
Size

2.1MB
MD5

f48a1057059028a65f2ec37e90d4deec
SHA1

ca8c5636aa98948c3b25153188b98967cc65a42b
SHA256

efb0f928648e6988c29bb03bb6b14f2760870f3040f0195ca1c6ad8ac5fa2dee
SHA512

57d62b07741effba928c92d39b5bd2dfc9c341b237ab1f83ba33e9cdba079a14bec1bbf63333b18f964e982bc510f615314f4426c258538e5be80f0a36c2b0a2

Score

8^/10

evasion ransomware spyware stealer

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ransomito.exe

Disables Task Manager via registry modification
evasion

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\AddGrant.png => C:\Users\Admin\Pictures\AddGrant.png.PAY2DECRYPTRLDDFrqzQvFS1TQVHVTg8i2	ransomito.exe
File renamed	C:\Users\Admin\Pictures\UnlockUnprotect.raw => C:\Users\Admin\Pictures\UnlockUnprotect.raw.PAY2DECRYPTRLDDFrqzQvFS1TQVHVTg8i2	ransomito.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 23 IoCs

description	ioc	Process
File created	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	ransomito.exe
File created	C:\Users\Admin\Pictures\desktop.ini	ransomito.exe
File created	C:\Users\Admin\Music\desktop.ini	ransomito.exe
File created	C:\Users\Public\desktop.ini	ransomito.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	ransomito.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	ransomito.exe
File created	C:\Users\Admin\Documents\desktop.ini	ransomito.exe
File created	C:\Users\Public\AccountPictures\desktop.ini	ransomito.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	ransomito.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	ransomito.exe
File created	C:\Users\Admin\Desktop\desktop.ini	ransomito.exe
File created	C:\Users\Public\Desktop\desktop.ini	ransomito.exe
File created	C:\Users\Public\Documents\desktop.ini	ransomito.exe
File created	C:\Users\Public\Libraries\desktop.ini	ransomito.exe
File created	C:\Users\Admin\Downloads\desktop.ini	ransomito.exe
File created	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	ransomito.exe
File created	C:\Users\Public\Downloads\desktop.ini	ransomito.exe
File created	C:\Users\Public\Music\desktop.ini	ransomito.exe
File created	C:\Users\Public\Pictures\desktop.ini	ransomito.exe
File created	C:\Users\Public\Videos\desktop.ini	ransomito.exe
File created	C:\Users\Admin\3D Objects\desktop.ini	ransomito.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	ransomito.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	ransomito.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3696	1608	WerFault.exe	78

C:\Users\Admin\AppData\Local\Temp\ransomito.exe
"C:\Users\Admin\AppData\Local\Temp\ransomito.exe"
1⤵
- Disables RegEdit via registry modification
- Modifies extensions of user files
- Drops desktop.ini file(s)
PID:1608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 892
  2⤵
  - Program crash
  PID:3696