Overview

overview

10

Static

static

3

samples4.zip

windows7-x64

1

samples4.zip

windows10-2004-x64

1

0e60d49a96...01.exe

windows7-x64

0e60d49a96...01.exe

windows10-2004-x64

1ce5dd21fb...1e.exe

windows7-x64

10

1ce5dd21fb...1e.exe

windows10-2004-x64

10

3c73425d02...e6.exe

windows7-x64

6

3c73425d02...e6.exe

windows10-2004-x64

6

5df6314b5c...5b.exe

windows7-x64

10

5df6314b5c...5b.exe

windows10-2004-x64

10

5ee5166c02...93.exe

windows7-x64

10

5ee5166c02...93.exe

windows10-2004-x64

10

5f7cdd8c28...02.exe

windows7-x64

7

5f7cdd8c28...02.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    154s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-01-2024 15:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ce5dd21fbff44289d22647277a94f2611ee661cdcab323548caa0a7082ddc7d/1ce5dd21fbff44289d22647277a94f2611e.exe

  • Size

    919KB

  • MD5

    28e242e4680d33a2757aa2353cb84f8d

  • SHA1

    6b949c3f919d530410beb7082a41e1f30bc5ea3e

  • SHA256

    1ce5dd21fbff44289d22647277a94f2611ee661cdcab323548caa0a7082ddc7d

  • SHA512

    c00ce7ff6bc841533f3b18b3de8e864dc34e3370912b3bfc924b31e51e505b19422c61685d606861fdd7b25e6ba7a97aa42a7dd0d4bf18bc24863ec09b3d54e2

  • SSDEEP

    24576:PYl48Rnd+xEhyXOmBjuGh3HZDCixvP/Fg:+N5d+GhoOSVh3FCkvP/

Score
10/10
ransomware

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\How To Restore Your Files.txt

Ransom Note
!!! Your network is infected by the RTM Locker command!!! All your documents, photos, reports, customer and employee data, databases and other important files are encrypted and you cannot decrypt them yourself. They are also on our servers! But don't worry, we will help you recover all your files! The only way to recover your files is to buy our dedicated software. Only we can provide you with this software, and only we can recover your files! You can contact us by downloading and installing the TOR browser (https://www.torproject.org/download/languages/) We value our reputation. If we do not fulfill our work and obligations, no one will pay us. It's not in our interest. All of our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. ================================================= ============================================== Login link: http://3wugtklp46ufx7dnr6j5cd6ate7wnvnivsyvwuni7hqcqt7hm5r72nid.onion/1D85262A4B3F59090972E7EE7804FC641E9CBB6D65E5F4B376DF37D6180CD1/connect For authorization you need to enter your ID. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Warning!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! If you do not contact the support team within 48 hours, your data will be published in the public domain, and data compromising you will be sent to your competitors, as well as to the relevant regulatory authorities. ================================================================================================ You can also contact us at tox. You can download it here: https://tox.chat/download.html Our contact: A0FE105A82525ECB94DD2977B4A1F8A5A7CF82F12D720DD8C8D9CCA3F98B6F52D911126AC1DF ================================================================================================ DO NOT ATTEMPT TO RECOVER THE FILES YOURSELF! DO NOT MODIFY ENCRYPTED FILES! OTHERWISE YOU MAY LOSE ALL YOUR FILES FOREVER! ================================================================================================
URLs

http://3wugtklp46ufx7dnr6j5cd6ate7wnvnivsyvwuni7hqcqt7hm5r72nid.onion/1D85262A4B3F59090972E7EE7804FC641E9CBB6D65E5F4B376DF37D6180CD1/connect

https://tox.chat/download.html

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 18 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ce5dd21fbff44289d22647277a94f2611ee661cdcab323548caa0a7082ddc7d\1ce5dd21fbff44289d22647277a94f2611e.exe
    "C:\Users\Admin\AppData\Local\Temp\1ce5dd21fbff44289d22647277a94f2611ee661cdcab323548caa0a7082ddc7d\1ce5dd21fbff44289d22647277a94f2611e.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3932
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1456
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c PING -n 5 127.0.0.1 > NUL && del "C:\Users\Admin\AppData\Local\Temp\1ce5dd21fbff44289d22647277a94f2611ee661cdcab323548caa0a7082ddc7d\1ce5dd21fbff44289d22647277a94f2611e.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1852
        • C:\Windows\SysWOW64\PING.EXE
          PING -n 5 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:2900
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:1756
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
        1⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
          /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{866BC266-E6DD-4B69-8033-7C456D240731}.xps" 133485973694170000
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:4756

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\{110E73F9-E4FD-4D1B-BBD6-473CBB68FCB7}
        Filesize

        4KB

        MD5

        994372ec28f607569b45c8ec8adb8439

        SHA1

        31d41a96c3a9cdfcfda91d187af296ee0626f9ee

        SHA256

        cd11fb1d907a7fe591056b6f2585ca6cef475592660eadcdbfe1526a8dee6f8a

        SHA512

        5f88859108d6e1c133aae3fa4fe8b03ebae12769bdf585465ec1857e13e50c66d566c5eb5fe994041f9e4b9610950a089f3737fa067bb6e9cd7385b99b79a5d3

        Download Submit

      • F:\$RECYCLE.BIN\How To Restore Your Files.txt
        Filesize

        1KB

        MD5

        c8b110d3f49f601e037cd3b4202b19ca

        SHA1

        20f651c7f04be96c45eb6e67eca5dc3df77f29b8

        SHA256

        054fe0faa37a430feea7842321374d7fc10706742f7b0b22a84aa755b22cad76

        SHA512

        2f3808cc65da403f65b59c2694d6683e2d7ab8b66b6088cc5a422dafe40a4fecbdaf28c62b9fda90981c9de24ce4d04da74d441361f275107c3f364b031ba4b9

        Download Submit

      • memory/4756-444-0x00007FFA4F430000-0x00007FFA4F625000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4756-440-0x00007FFA0F4B0000-0x00007FFA0F4C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4756-436-0x00007FFA0F4B0000-0x00007FFA0F4C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4756-439-0x00007FFA4F430000-0x00007FFA4F625000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4756-438-0x00007FFA0F4B0000-0x00007FFA0F4C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4756-441-0x00007FFA4F430000-0x00007FFA4F625000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4756-435-0x00007FFA4F430000-0x00007FFA4F625000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4756-443-0x00007FFA4F430000-0x00007FFA4F625000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4756-442-0x00007FFA0F4B0000-0x00007FFA0F4C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4756-437-0x00007FFA4F430000-0x00007FFA4F625000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4756-445-0x00007FFA4F430000-0x00007FFA4F625000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4756-448-0x00007FFA0CB50000-0x00007FFA0CB60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4756-449-0x00007FFA0CB50000-0x00007FFA0CB60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4756-434-0x00007FFA0F4B0000-0x00007FFA0F4C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4756-467-0x00007FFA4F430000-0x00007FFA4F625000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4756-468-0x00007FFA4F430000-0x00007FFA4F625000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4756-472-0x00007FFA4F430000-0x00007FFA4F625000-memory.dmp

        Filesize

        2.0MB

        Download