Overview

overview

10

Static

static

1

Cryp_RAT.rtf

windows7-x64

10

Cryp_RAT.rtf

windows10-2004-x64

10

Resubmissions

19-07-2024 11:43

240719-nvvnlssera 10

19-07-2024 11:41

240719-ntv8rasemg 4

19-07-2024 11:40

240719-ntaxtasekf 10

19-07-2024 11:40

240719-ns1rvaygrn 1

19-07-2024 11:30

240719-nmj7xasbqe 10

Analysis

  • max time kernel
    69s
  • max time network
    68s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    19-07-2024 11:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Cryp_RAT.rtf

  • Size

    662KB

  • MD5

    1fc2941b70df9dd6cdf4cb82af740fe9

  • SHA1

    e5d18e3487ca2d5037215c0e0ebfaf7ccae1c655

  • SHA256

    44b87df9f68f5a3084c7d80c1c7492ca5209e816a4e83fdbd6e2fcb6f1ff936f

  • SHA512

    d5da156e406093bfd398d78a36962360ed6918d6b96e641843e7eeddbd6fe41c0a1681bf0a4fe9e31be22d7b1e16267e62abafc9c14d1dea223e72f3ef810081

  • SSDEEP

    12288:6NtcndUa0XzmFe4lT+F4qZDGefM4qeF4C:6Oua0XzmFFI+7Z4VT

Score
10/10
lockbitneshtapersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\TdGeIqAUn.README.txt

Family

lockbit

Ransom Note
~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom If you not pay Payment:BITCOIN AFTER SEND BITCOIN Contact [email protected]

Signatures

  • Detect Neshta payload 8 IoCs
  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Renames multiple (318) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 33 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 2 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 7 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Cryp_RAT.rtf"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2652
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Launches Equation Editor
    PID:2688
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c%tmp%\Client.exe A C
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Users\Admin\AppData\Local\Temp\Client.exe
        C:\Users\Admin\AppData\Local\Temp\Client.exe A C
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
          "C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe" A C
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2604
          • C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
            "C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops desktop.ini file(s)
            • Sets desktop wallpaper using registry
            • Modifies Control Panel
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: RenamesItself
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:320
            • C:\ProgramData\65B5.tmp
              "C:\ProgramData\65B5.tmp"
              6⤵
              • Executes dropped EXE
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of WriteProcessMemory
              PID:1008
              • C:\Windows\svchost.com
                "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\65B5.tmp >> NUL
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious use of WriteProcessMemory
                PID:2196
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\System32\cmd.exe /C DEL /F /Q C:\PROGRA~3\65B5.tmp >> NUL
                  8⤵
                    PID:2020
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\TdGeIqAUn.README.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:1716
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\DismountPublish.dxf.TdGeIqAUn
      1⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\DismountPublish.dxf.TdGeIqAUn"
        2⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3024
        • C:\Windows\svchost.com
          "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AcroRd32.exe" C:\Users\Admin\Desktop\DismountPublish.dxf.TdGeIqAUn
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:1936
          • C:\Users\Admin\AppData\Local\Temp\3582-490\AcroRd32.exe
            C:\Users\Admin\AppData\Local\Temp\3582-490\AcroRd32.exe C:\Users\Admin\Desktop\DismountPublish.dxf.TdGeIqAUn
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:680
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x14c
      1⤵
        PID:1708

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-2958949473-3205530200-1453100116-1000\AAAAAAAAAAA
        Filesize

        129B

        MD5

        d508b41637f4ed81a3b0c68d7ee65e56

        SHA1

        5905730f2b356cdcb25de7025a91e39704d3be09

        SHA256

        5970804613e945f5e5b195e359d082e02a889ebfb28f370c766e8b64c0e95d56

        SHA512

        b18a10f2fa07c7f09cdece73b97bfaf58bed33a3ecc1b8b20d8d63c18302357c3e76dd23b871103fc5cbad87b74f1284475bc383613fe2334e3233af37230753

        Download Submit

      • C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
        Filesize

        859KB

        MD5

        02ee6a3424782531461fb2f10713d3c1

        SHA1

        b581a2c365d93ebb629e8363fd9f69afc673123f

        SHA256

        ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

        SHA512

        6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

        Download Submit

      • C:\TdGeIqAUn.README.txt
        Filesize

        289B

        MD5

        47bf1514a0892e2468125cbf3b32caa9

        SHA1

        c3c24479ebefd9a0a05b0db879941951a702c77b

        SHA256

        a0c4eeae47956b19b2667ae5c94a154fc5002a78dea22e028049ece1d7a0c920

        SHA512

        252d78c25d9d5bd3eece76ce940cfadd6f80a81f59fea34c37495388cba4baccf1982cc2098cba28ee933b1d18cfbaa485b9e0fafa1791edfc5c86dd463329aa

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D0AFADA9.wmf
        Filesize

        316B

        MD5

        95bb648d6eb9265eeaf0f889731b1e23

        SHA1

        631d60a024835f4e53ceb9d0a987ce52fe517df4

        SHA256

        9639441a9d36e7e4fda980961b75eeb334540b8cfbcee71eb3cd857e0a838e0c

        SHA512

        184414ea68092124290049282147070a86172833359404ee26199a36083d720e291d55bb85e4ae1d02504ce841efbc646760e7cc5af4088a253aed7b2665c420

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\3582-490\DDDDDDDDDD
        Filesize

        282KB

        MD5

        34f4bc0052ae24ef7e476b4fddbc2692

        SHA1

        a8578e9baca1b08d634e86db0f3042043a95cae8

        SHA256

        2957cb695d619e06de2ce7597c6cf61cdfd1b87d1aeed9f199ad9700a5663df4

        SHA512

        01fefff7819889459db55297e5d18934477dbc2576c42309d5e834cc9b6005dbb41f08eedb6bbfa31547dd254537401f64b08a4e7e46f8a9934a8e851ad7188a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Client.exe
        Filesize

        323KB

        MD5

        2b9a1b7a5e13b8672655d0a09ce50217

        SHA1

        2b62dbb4edbc5460bb42e790ca1a4ba7a4821362

        SHA256

        f6c559c031b7b16b1edf34b38e74b6bf3a7106ca34881d7f5c63b8e0d7ac3694

        SHA512

        db34521fbd83a5c9a3671f2ed14854e98c83256a8e16b809d7a165754e5f02c3c6b7dd1f4e994be7e859da5a5a852b5a93d4846cefbc6985d81a56a34a766f52

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\~$yp_RAT.rtf
        Filesize

        405B

        MD5

        d14cfdbf905da52eb250287ec69f51d9

        SHA1

        c55333d39eec5719e6f190c0d72801f8562e1b5b

        SHA256

        83e3f72fadee6ed1481d7f9b8e48e2f526335e4c9d5c9998646bf8a97a3f269b

        SHA512

        6d6b01cc47ee867e1cb89f9da1b0a6f7d74ae83d5f6da3c78468851c6d18ae415795b30a7f3958d052b2e9ca0220a3837fc50ccd4ed123c606ea5b0afac79e08

        Download Submit

      • C:\Windows\svchost.com
        Filesize

        40KB

        MD5

        27cc46f9e49226bff7bd9d80ceb6f00b

        SHA1

        ce38b70cb368a5047c32a63f5c1942e04e1d8d3d

        SHA256

        91a8a010b76f69ec29934c4d0fa207c54850daa5941aeccea941d46e0525fc27

        SHA512

        c3a9d7886aa34ef77bffdc55c5aa59eff8eed4367b514606f197590cf63deadf5f1e83b4aaf5d87e668e5e5f710ee0737b7cf64416892fcdfc6430f28b356f65

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-2958949473-3205530200-1453100116-1000\DDDDDDDDDDD
        Filesize

        129B

        MD5

        5c427eaf0a8d4972e035caf7f47fcb30

        SHA1

        b5ff9e2f94edd68116d9a53eb97c2f04d2f80cbd

        SHA256

        5ac49d6e67bea069cc5d02f5a5af41085b5c728c385d3d14f23c463c3c5b2224

        SHA512

        f1ebf13e0beb68f923620eef162a28464147b8ce43b6d5aa025d68890ba89601d97ba13fae3ad0a9001e21a608d161f9c8ea962f6bfbc14488d0ebb44dde9a1a

        Download Submit

      • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
        Filesize

        252KB

        MD5

        9e2b9928c89a9d0da1d3e8f4bd96afa7

        SHA1

        ec66cda99f44b62470c6930e5afda061579cde35

        SHA256

        8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

        SHA512

        2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

        Download Submit

      • \ProgramData\65B5.tmp
        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

        Download Submit

      • \Users\Admin\AppData\Local\Temp\3582-490\Client.exe
        Filesize

        282KB

        MD5

        035a441e07c7d7797cccfc92a988e156

        SHA1

        7d33fe3c6e43ae0440db5fc51d7d9fe653379902

        SHA256

        f00b211b5f93e23409e9383930c79990949b3671b1c1e0dc00208bb1c8f1e10d

        SHA512

        9b10c302581fed3b186ee9ad598ba98597318ae09a538eaedab7bffa0db5d4dea82d1a2ae4e320e210575763073f0e58be9416e8758ab495b02f9a54360a6636

        Download Submit

      • \Users\Admin\AppData\Local\Temp\ose00000.exe
        Filesize

        145KB

        MD5

        9d10f99a6712e28f8acd5641e3a7ea6b

        SHA1

        835e982347db919a681ba12f3891f62152e50f0d

        SHA256

        70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

        SHA512

        2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

        Download Submit

      • memory/320-994-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/320-318-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/320-37-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/320-35-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/320-33-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/320-31-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/320-58-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/320-55-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/320-50-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/320-991-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/320-41-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/320-48-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/320-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/320-263-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/320-46-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/320-39-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/320-43-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/320-971-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/320-969-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/320-993-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/1936-1104-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

        Download

      • memory/2196-1092-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

        Download

      • memory/2428-1090-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

        Download

      • memory/2428-1094-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

        Download

      • memory/2604-29-0x00000000001D0000-0x00000000001E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2604-24-0x0000000001220000-0x000000000126C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2652-0-0x000000002F161000-0x000000002F162000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2652-69-0x0000000070C3D000-0x0000000070C48000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2652-2-0x0000000070C3D000-0x0000000070C48000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2652-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3024-1098-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

        Download