Overview

overview

10

Static

static

3

samples4.zip

windows7-x64

1

samples4.zip

windows10-2004-x64

1

0e60d49a96...01.exe

windows7-x64

0e60d49a96...01.exe

windows10-2004-x64

1ce5dd21fb...1e.exe

windows7-x64

10

1ce5dd21fb...1e.exe

windows10-2004-x64

10

3c73425d02...e6.exe

windows7-x64

6

3c73425d02...e6.exe

windows10-2004-x64

6

5df6314b5c...5b.exe

windows7-x64

10

5df6314b5c...5b.exe

windows10-2004-x64

10

5ee5166c02...93.exe

windows7-x64

10

5ee5166c02...93.exe

windows10-2004-x64

10

5f7cdd8c28...02.exe

windows7-x64

7

5f7cdd8c28...02.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    01-01-2024 15:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ce5dd21fbff44289d22647277a94f2611ee661cdcab323548caa0a7082ddc7d/1ce5dd21fbff44289d22647277a94f2611e.exe

  • Size

    919KB

  • MD5

    28e242e4680d33a2757aa2353cb84f8d

  • SHA1

    6b949c3f919d530410beb7082a41e1f30bc5ea3e

  • SHA256

    1ce5dd21fbff44289d22647277a94f2611ee661cdcab323548caa0a7082ddc7d

  • SHA512

    c00ce7ff6bc841533f3b18b3de8e864dc34e3370912b3bfc924b31e51e505b19422c61685d606861fdd7b25e6ba7a97aa42a7dd0d4bf18bc24863ec09b3d54e2

  • SSDEEP

    24576:PYl48Rnd+xEhyXOmBjuGh3HZDCixvP/Fg:+N5d+GhoOSVh3FCkvP/

Score
10/10
ransomware

Malware Config

Extracted

Path

\Device\HarddiskVolume1\How To Restore Your Files.txt

Ransom Note
!!! Your network is infected by the RTM Locker command!!! All your documents, photos, reports, customer and employee data, databases and other important files are encrypted and you cannot decrypt them yourself. They are also on our servers! But don't worry, we will help you recover all your files! The only way to recover your files is to buy our dedicated software. Only we can provide you with this software, and only we can recover your files! You can contact us by downloading and installing the TOR browser (https://www.torproject.org/download/languages/) We value our reputation. If we do not fulfill our work and obligations, no one will pay us. It's not in our interest. All of our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. ================================================= ============================================== Login link: http://3wugtklp46ufx7dnr6j5cd6ate7wnvnivsyvwuni7hqcqt7hm5r72nid.onion/1D85262A4B3F59090972E7EE7804FC641E9CBB6D65E5F4B376DF37D6180CD1/connect For authorization you need to enter your ID. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Warning!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! If you do not contact the support team within 48 hours, your data will be published in the public domain, and data compromising you will be sent to your competitors, as well as to the relevant regulatory authorities. ================================================================================================ You can also contact us at tox. You can download it here: https://tox.chat/download.html Our contact: A0FE105A82525ECB94DD2977B4A1F8A5A7CF82F12D720DD8C8D9CCA3F98B6F52D911126AC1DF ================================================================================================ DO NOT ATTEMPT TO RECOVER THE FILES YOURSELF! DO NOT MODIFY ENCRYPTED FILES! OTHERWISE YOU MAY LOSE ALL YOUR FILES FOREVER! ================================================================================================
URLs

http://3wugtklp46ufx7dnr6j5cd6ate7wnvnivsyvwuni7hqcqt7hm5r72nid.onion/1D85262A4B3F59090972E7EE7804FC641E9CBB6D65E5F4B376DF37D6180CD1/connect

https://tox.chat/download.html

Signatures

  • Deletes itself 1 IoCs
  • Drops desktop.ini file(s) 15 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ce5dd21fbff44289d22647277a94f2611ee661cdcab323548caa0a7082ddc7d\1ce5dd21fbff44289d22647277a94f2611e.exe
    "C:\Users\Admin\AppData\Local\Temp\1ce5dd21fbff44289d22647277a94f2611ee661cdcab323548caa0a7082ddc7d\1ce5dd21fbff44289d22647277a94f2611e.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2668
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c PING -n 5 127.0.0.1 > NUL && del "C:\Users\Admin\AppData\Local\Temp\1ce5dd21fbff44289d22647277a94f2611ee661cdcab323548caa0a7082ddc7d\1ce5dd21fbff44289d22647277a94f2611e.exe"
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\SysWOW64\PING.EXE
          PING -n 5 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:884

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Device\HarddiskVolume1\How To Restore Your Files.txt
      Filesize

      1KB

      MD5

      c8b110d3f49f601e037cd3b4202b19ca

      SHA1

      20f651c7f04be96c45eb6e67eca5dc3df77f29b8

      SHA256

      054fe0faa37a430feea7842321374d7fc10706742f7b0b22a84aa755b22cad76

      SHA512

      2f3808cc65da403f65b59c2694d6683e2d7ab8b66b6088cc5a422dafe40a4fecbdaf28c62b9fda90981c9de24ce4d04da74d441361f275107c3f364b031ba4b9

      Download Submit