Overview

overview

10

Static

static

7

RMTGXSC.exe

windows7-x64

10

RMTGXSC.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    RMTGXSC.bin.zip

  • Size

    463KB

  • Sample

    230616-jg4l5sdd6z

  • MD5

    6e97b80c0ee2bb99749062143ecc990d

  • SHA1

    418bdc9f4f86d98a5895e038eaf5085be8430d42

  • SHA256

    ab621510d52a8815cc0162c5bc29dbc525734ea29ff6586cd24abdeac6dcaec0

  • SHA512

    3945363b38858d611bd18dd77bb3e1f3d7fd09150d7d673e16f135aa5912c13e65e83ae5433a44476d96868316918550060ba86679c0c06cfd347d9fd9ae74ed

  • SSDEEP

    12288:/ygHCArzGG8P20H6e2HsODrNrXDaO4tm9m5sF5:/XHhSG420j2HRpAc9Ss/

Score
10/10
evasionransomwareupx

Malware Config

Extracted

Path

C:\Users\Admin\Favorites\Microsoft Websites\[email protected] Readme.txt

Ransom Note
Hello dear friend Your files were encrypted! Write back to our e-mails: [email protected] [email protected] In your message you have to write: 1. YOU LOCK-ID: 52C255710AF66 After payment our team will decrypt your files immediatly Free decryption as guarantee: 1. File must be less than 1MB 2. Only .txt or .lnk files, no databases 3. Only 1 files

Extracted

Path

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\[email protected] Readme.txt

Ransom Note
Hello dear friend Your files were encrypted! Write back to our e-mails: [email protected] [email protected] In your message you have to write: 1. YOU LOCK-ID: FA48AF8140A76 After payment our team will decrypt your files immediatly Free decryption as guarantee: 1. File must be less than 1MB 2. Only .txt or .lnk files, no databases 3. Only 1 files

Targets

    • Target

      RMTGXSC.bin

    • Size

      483KB

    • MD5

      5097acd1e5dfea3d734788584b148d0a

    • SHA1

      2194df0f5d37664dcaf069e7a84b5c38fc55bbff

    • SHA256

      ce43e9b8fd7c4442c9fdbbf3a236bdb63e05b9dd23b57e1ac184a0e4e861c25c

    • SHA512

      54fb01f16a18420d2ed6232c8161b327b529965c99eda2c029bd7e80219d050b06efa1c89abe017a045aac6f9f7ffcd7ca83e8a799022adfde01c8786e455db4

    • SSDEEP

      12288:qsHzOUNUSB/o5LsI1uwajJ5yvv1l2EepGHNu4n4UUxa34EPf:diUmSB/o5d1ubcvjI4ftHX

    Score
    10/10
    evasionransomwareupx

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks