Overview

overview

10

Static

static

1

sample.html

windows11-21h2-x64

Resubmissions

10-04-2024 19:40

240410-ydkgescg9z 1

10-04-2024 19:27

240410-x6ewzace5s 10

10-04-2024 19:16

240410-xzannshb36 6

10-04-2024 19:04

240410-xq4kdsca2y 10

10-04-2024 18:56

240410-xlmq3sbg4y 10

10-04-2024 18:54

240410-xka1wsbf9s 7

10-04-2024 18:49

240410-xga7gsgd82 6

10-04-2024 18:41

240410-xbrmaabd2x 8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    sample

  • Size

    467KB

  • Sample

    240410-x6ewzace5s

  • MD5

    12b9d6652e7d1689ed510c50c53bd38c

  • SHA1

    013a1cc01a97a97d9b18dfbafcfec91a57e6232a

  • SHA256

    4b1aa26e12d9f06ba494ad2e2223466c8ddc5bc61b5f189630dffea54f3d93ce

  • SHA512

    0ce40b9a4d137d99330f7bc2776734d121d485d3f1e3af23ede4bbebead330c30de2c4568029303259812d591ef7bbc52bd1f16d8912dd5ea006523008346e7c

  • SSDEEP

    6144:DFoiM/iMTiMkiMriM2iMSiMliMziMViMuMt:D2iciiiViQibiRimiIiOiXMt

Score
10/10
badrabbitcrimsonratcryptolockerdarkcometagilenetevasionpersistenceransomwarerattrojan

Malware Config

Extracted

Family

crimsonrat

C2

185.136.161.124

Targets

    • Target

      sample

    • Size

      467KB

    • MD5

      12b9d6652e7d1689ed510c50c53bd38c

    • SHA1

      013a1cc01a97a97d9b18dfbafcfec91a57e6232a

    • SHA256

      4b1aa26e12d9f06ba494ad2e2223466c8ddc5bc61b5f189630dffea54f3d93ce

    • SHA512

      0ce40b9a4d137d99330f7bc2776734d121d485d3f1e3af23ede4bbebead330c30de2c4568029303259812d591ef7bbc52bd1f16d8912dd5ea006523008346e7c

    • SSDEEP

      6144:DFoiM/iMTiMkiMriM2iMSiMliMziMViMuMt:D2iciiiViQibiRimiIiOiXMt

    Score
    10/10
    badrabbitcrimsonratcryptolockerdarkcometagilenetevasionpersistenceransomwarerattrojan

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

      ransomwarebadrabbit

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is a malware linked to a Pakistani-linked threat actor.

      ratcrimsonrat

    • CryptoLocker

      Ransomware family with multiple variants.

      ransomwarecryptolocker

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • UAC bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Scheduled Task/Job

1
T1053

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

5
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks