General
-
Target
krunker.iohacks.cc
-
Size
30.9MB
-
Sample
240414-z65thadh33
-
MD5
2850f1cb75953d9e0232344f6a13bf48
-
SHA1
141ab8929fbe01031ab1e559d880440ae931cc16
-
SHA256
892f11af94dea87bc8a85acdb092c74541b0ab63c8fcc1823ba7987c82c6e9ba
-
SHA512
25551eb0fbca013bcebd514eb72185e157a07f116a6973bfe4b728febcefc7044a816c5c70048c3fda2eeb4ce53b52bd7b19ef1ef851a0f4fc90451e60540d6d
-
SSDEEP
786432:j8Zic+QKJObt2u8xQYcLpoTEjoAsM0D0EHShV/:j8YQzB8xQzLp+nAV0BK
Static task
static1
Malware Config
Extracted
Protocol: ftp- Host:
files.000webhost.com - Port:
21 - Username:
fcb-aws-host-4
Extracted
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
wannacry
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Extracted
C:\PerfLogs\DECRYPT-FILES.txt
maze
http://aoacugmutagkwctu.onion/6cc30cc08dfc6cca
https://mazedecrypt.top/6cc30cc08dfc6cca
Extracted
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\_R_E_A_D___T_H_I_S___RVYX1ZZ1_.txt
cerber
http://xpcx6erilkjced3j.onion/8598-CF9E-9570-0098-B7E6
http://xpcx6erilkjced3j.1n5mod.top/8598-CF9E-9570-0098-B7E6
http://xpcx6erilkjced3j.19kdeh.top/8598-CF9E-9570-0098-B7E6
http://xpcx6erilkjced3j.1mpsnr.top/8598-CF9E-9570-0098-B7E6
http://xpcx6erilkjced3j.18ey8e.top/8598-CF9E-9570-0098-B7E6
http://xpcx6erilkjced3j.17gcun.top/8598-CF9E-9570-0098-B7E6
Targets
-
-
Target
krunker.iohacks.cc
-
Size
30.9MB
-
MD5
2850f1cb75953d9e0232344f6a13bf48
-
SHA1
141ab8929fbe01031ab1e559d880440ae931cc16
-
SHA256
892f11af94dea87bc8a85acdb092c74541b0ab63c8fcc1823ba7987c82c6e9ba
-
SHA512
25551eb0fbca013bcebd514eb72185e157a07f116a6973bfe4b728febcefc7044a816c5c70048c3fda2eeb4ce53b52bd7b19ef1ef851a0f4fc90451e60540d6d
-
SSDEEP
786432:j8Zic+QKJObt2u8xQYcLpoTEjoAsM0D0EHShV/:j8YQzB8xQzLp+nAV0BK
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Neshta payload
-
Detect ZGRat V1
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Quasar payload
-
Contacts a large (1158) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Modifies system executable filetype association
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Indicator Removal
1File Deletion
1Modify Registry
5Scripting
1