Resubmissions

03/08/2024, 05:16

240803-fx73qavamp 10

03/08/2024, 02:05

240803-cjazaathlf 10

General

  • Target

    razrusheniye.exe

  • Size

    19KB

  • Sample

    240803-fx73qavamp

  • MD5

    16b6afdcc2f1a7351c51b8a8ee02f7d4

  • SHA1

    9eebbdc51c218f350ab3944c5d90f053851131aa

  • SHA256

    fccb2f8c7338203218e669dda9cecfa67230a37f23036bcff8732ea3ad581079

  • SHA512

    607a5ebb96fb8b600fe9f37c48e2f3916cffd38a6bd0f857f7538eb923e05b6eb488a76a3f4d57825d5fa1f63c7980452bc403b4bbc7d6780f134eca30e35a3c

  • SSDEEP

    192:T8qlBulfDKXlZ+uWD44lzaGxGUeLoHJEzSfNcx0uwNQR78Dzf0sVEcNKE5tfUXNv:wKBunvU4Zaykoi+fbzf0sRKR9kDG1

Malware Config

Extracted

Path

C:\Users\Admin\Videos\README.txt

Ransom Note
~~~ Your files have been encrypted! ~~~.
Using advanced AES256 encryption technique your databases, documents, photos and other important files have been encrypted. See for yourself! look at any file with .raz extension.
You cannot recover these files yourself. Do not waste your time. Nobody can recover your files. Only we can!.
We can decrypt these files, we can guarantee that your files can be decrypted, but you have little time.
Payment for the decryption is ~$70
We can restore your systems in less than 6 hours if you pay now.
However, we will not decrypt your system if;
- You go to police and report us.
>>> If you report us AFTER decryption, we WILL attack you again! <<<
Do not delete or modify encrypted files, it will cause problems when recovery!
Sent the personal ID to [email protected]
We will provide payment information, once payment is done, we will sent you a decryptor!
Good luck!
>>> Your personal ID: CNEJ-13TI-3LX0-5HF6-6HF9-BRN3-4BMS-I9Y <<<

Targets

    • Target

      razrusheniye.exe

    • Renames multiple (4749) files with added filename extension

      Renaming thousands of files by appending one new extension is the file-system footprint of ransomware encrypting everything it can reach; the ransom note above says the encrypted files carry the .raz extension.

    • Drops file in Drivers directory

    • Boot or Logon Autostart Execution: Print Processors

      Print processors are DLLs that the print spooler service (spoolsv.exe, running as SYSTEM) loads when it starts, so registering a malicious one gives the adversary code execution at every boot with SYSTEM privileges (ATT&CK T1547.012). Check the Print Processors subkeys under HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments for anything other than the stock winprint entry.

    • Drops startup file

    • Reads user/profile data of web browsers

      Browser profile directories hold saved credentials, cookies and browsing history, which is why infostealers read them; a ransomware sample doing the same may be collecting credentials alongside encryption.

    • Drops file in System32 directory
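As an added triage example (not code from the sandbox report, the sample, or any vendor), the following Python implements two checks that correspond to behaviours flagged above: a detector for processes that rename many files by appending a single extension, run over a constructed rename log, and a check of Print Processors registry entries against the stock winprint configuration, with a live reader that only works on a Windows host. The pipe-separated log format, the paths, the process ID, the threshold and the `updsvc` entry are assumptions; the `.raz` extension and the README.txt drop come from the report above.

```python
"""Added triage checks for two behaviours in the report above; not the sandbox's
own code. Sample inputs below are constructed for illustration."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# ---- Check 1: mass rename with one appended extension -------------------------
# Assumed, constructed event format (one file operation per line, pipe separated):
#   timestamp|pid|image|op|source_path|target_path
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\|(?P<pid>\d+)\|(?P<image>[^|]+)\|(?P<op>\w+)\|(?P<src>[^|]*)\|(?P<dst>[^|]*)$"
)

SAMPLE_EVENTS = [  # constructed; the .raz extension and README.txt follow the report above
    r"2024-08-03T05:16:01|4120|C:\Users\Admin\razrusheniye.exe|rename|C:\Users\Admin\Documents\q3.docx|C:\Users\Admin\Documents\q3.docx.raz",
    r"2024-08-03T05:16:01|4120|C:\Users\Admin\razrusheniye.exe|rename|C:\Users\Admin\Pictures\cat.jpg|C:\Users\Admin\Pictures\cat.jpg.raz",
    r"2024-08-03T05:16:02|4120|C:\Users\Admin\razrusheniye.exe|rename|C:\Users\Admin\Videos\trip.mp4|C:\Users\Admin\Videos\trip.mp4.raz",
    r"2024-08-03T05:16:02|4120|C:\Users\Admin\razrusheniye.exe|create||C:\Users\Admin\Videos\README.txt",
    r"2024-08-03T05:16:03|1180|C:\Windows\explorer.exe|rename|C:\Users\Admin\Desktop\draft.txt|C:\Users\Admin\Desktop\final.txt",
    r"2024-08-03T05:16:04|2210|C:\Program Files\Backup\bk.exe|rename|C:\Data\db.sqlite|C:\Data\db.sqlite.bak",
]

def mass_rename_alerts(lines: Iterable[str], threshold: int = 50) -> List[dict]:
    """Return one alert per (process, extension) that renamed >= threshold distinct
    files by appending that extension. 50 is a reasonable production floor; the
    sample run below uses 3 because the constructed log is tiny."""
    seen = defaultdict(lambda: defaultdict(set))  # (pid, image) -> ext -> {src paths}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m or m["op"] != "rename":
            continue
        src, dst = m["src"], m["dst"]
        # "appended extension": the new name is the old name plus ".something"
        if len(dst) > len(src) + 1 and dst.startswith(src) and dst[len(src)] == ".":
            seen[(int(m["pid"]), m["image"])][dst[len(src):].lower()].add(src)
    alerts = [
        {"pid": pid, "image": image, "ext": ext, "count": len(files)}
        for (pid, image), exts in seen.items()
        for ext, files in exts.items()
        if len(files) >= threshold
    ]
    return sorted(alerts, key=lambda a: -a["count"])

# ---- Check 2: Print Processors persistence (ATT&CK T1547.012) -----------------
# Stock configuration: one subkey "winprint" whose Driver value is "winprint.dll",
# which spoolsv.exe loads from System32\spool\prtprocs\<arch>\.
STOCK_PRINT_PROCESSORS = {"winprint": "winprint.dll"}

def suspicious_print_processors(entries: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """entries: print-processor subkey name -> its 'Driver' value.
    Returns (name, driver, reason) for anything that deviates from stock."""
    findings = []
    for name, driver in entries.items():
        stock_dll = STOCK_PRINT_PROCESSORS.get(name.lower())
        if stock_dll and driver.lower() == stock_dll:
            continue
        if "\\" in driver or "/" in driver:
            reason = "Driver is a path rather than a bare DLL name in the prtprocs directory"
        elif stock_dll:
            reason = "stock print processor re-pointed at a non-default DLL"
        else:
            reason = "non-default print processor registered"
        findings.append((name, driver, reason))
    return findings

def live_print_processors(arch: str = "Windows x64") -> Dict[str, str]:
    """Read the real key on a Windows host; returns {} where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return {}
    path = rf"SYSTEM\CurrentControlSet\Control\Print\Environments\{arch}\Print Processors"
    out: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        idx = 0
        while True:
            try:
                name = winreg.EnumKey(key, idx)
            except OSError:
                break  # no more subkeys
            idx += 1
            with winreg.OpenKey(key, name) as sub:
                try:
                    out[name] = winreg.QueryValueEx(sub, "Driver")[0]
                except OSError:
                    out[name] = ""  # subkey without a Driver value is itself odd
    return out

if __name__ == "__main__":
    for a in mass_rename_alerts(SAMPLE_EVENTS, threshold=3):
        print(f"mass rename: pid={a['pid']} image={a['image']} ext={a['ext']} files={a['count']}")
    demo_key = {"winprint": "winprint.dll", "updsvc": "upd.dll"}  # constructed
    for f in suspicious_print_processors(live_print_processors() or demo_key):
        print("print processor:", f)
```

On a real host the rename events would come from an EDR or Sysmon feed rather than this constructed format; the two functions take plain sequences and dicts so they can be wired to whatever source is available, and the registry check can be run against a hive export from the infected machine as easily as against the live key.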

MITRE ATT&CK Enterprise v15

Tasks