General

  • Target

    240816-rstv3sk633_pw_infected.zip

  • Size

    92KB

  • Sample

    240819-brx84szbrq

  • MD5

    e3f2aabc5b61d7dc60915fa71eca81b3

  • SHA1

    a591d3c06de042826c5fc607e89c1a500dd4f601

  • SHA256

    e424e3ac235b4bdc894157a32a057aef20ed23600cbf68c205afaaf6d97eb965

  • SHA512

    4ef7d0150a24d7b3e1ea52d3d07dacbed3fb3c70b9c96f8fef4513de328b24729ab8f26a30e8c0669ceb4f695a5fee29ab4b05d25d25d289d36160f593f2553e

  • SSDEEP

    1536:QkfdHaUdUY8dkOT6bd/ox/GGfN8x3npM31c7whkzPvhFzLt23mQXZe6lWjaUPUO3:bdHaU4qI8d/ox+GF8x97whGvl25Ze6Hy

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\ ATTENTION! ALL YOUR FILES ARE ENCRYPTED!.TXT

Ransom Note
ATTENTION! All your important files are encrypted with our "RDanger Ransomware". Don't worry, you can return all your files! The only one method of recovering files for you is to purchase decrypt tool and unique key. This software will decrypt all your encrypted files after your payment in cryptocurrency. What guarantees do you have? You can send one of your encrypted files from your PC and we will decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Discount 50% available if you contact us by email first 72 hours. Be sure that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 24 hours. Write to email: myEmailThere Our reserved email: 2myEmailThere Your personal ID: F05-FC7-6C7

Extracted

Path

C:\Program Files\Crashpad\ ATTENTION! ALL YOUR FILES ARE ENCRYPTED!.TXT

Ransom Note
ATTENTION! All your important files are encrypted with our "RDanger Ransomware". Don't worry, you can return all your files! The only one method of recovering files for you is to purchase decrypt tool and unique key. This software will decrypt all your encrypted files after your payment in cryptocurrency. What guarantees do you have? You can send one of your encrypted files from your PC and we will decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Discount 50% available if you contact us by email first 72 hours. Be sure that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 24 hours. Write to email: myEmailThere Our reserved email: 2myEmailThere Your personal ID: CA5-DD3-670

Targets

    • Target

      d601d4e08bf2fd6e275b93ed87cb05846b0d914263aeeae35bf0bb0d0f353bcc

    • Size

      94KB

    • MD5

      002a5619993588ab6b47990c7a4a237f

    • SHA1

      7d9aefdfdc745a196e29ec879d774d46d6194291

    • SHA256

      d601d4e08bf2fd6e275b93ed87cb05846b0d914263aeeae35bf0bb0d0f353bcc

    • SHA512

      4d964cb86e6cf5164ef0f514ff65346aa5680e7574e0b2d3501801295d66fcc5407999f86e915c624678e78e1602425432697d1cb523b5900feb9c127858b892

    • SSDEEP

      1536:rG39cG5yGQE0yRAo4CBsleM4Xu5Z/N/I+e7d/Cdjzr0MKwqlenOu7A/YcHT:m5xQEizCOeM4XClJI+WwUxJlenbC

    • Detects Zeppelin payload

    • Zeppelin Ransomware

      Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    • Deletes shadow copies

      Ransomware routinely destroys Volume Shadow Copies and other local recovery points (commonly via vssadmin, wmic or WMI calls; the report does not state which tool this sample used) so that encrypted files cannot be restored from snapshots. ATT&CK: T1490, Inhibit System Recovery.

    • Renames multiple (7405) files with added filename extension

      Thousands of in-place renames that append a new extension are the typical footprint of a ransomware encryption pass over the file system. ATT&CK: T1486, Data Encrypted for Impact.

    • Deletes itself

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
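The two behaviours that carry the most detection value in this report are the shadow-copy deletion and the mass rename with an appended extension. The following is an added detection example, not part of the sandbox report and not the sample's own code: it runs over a small constructed set of process-creation and file-rename events and flags both. The command-line patterns, the event schema, the threshold values and the ".locked" suffix used in the sample data are all assumptions made for the example; the report above does not state which recovery-deletion tool this sample invokes or which extension it appends.

```python
"""Added example: flag shadow-copy deletion (T1490) and mass in-place renames
with an appended extension (T1486) in constructed endpoint telemetry."""
import ntpath
import re
from collections import defaultdict

# Command lines that destroy local recovery points. These are the forms most
# commonly seen in ransomware; the tooling used by the sample in the report
# above is not stated there, so this list is an assumption.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I),
    re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I),  # PowerShell / WMI variant
]


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True if the process command line matches a known recovery-deletion form."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def appended_extension(old_path: str, new_path: str):
    """Return the suffix a rename appended to the file name, or None.

    Only a rename that keeps the directory and produces '<old name>.<suffix>'
    counts: that is the footprint of in-place encryption, as opposed to moves
    or Office-style temp-file swaps. ntpath is used so Windows paths parse on
    any host."""
    old_dir, old_name = ntpath.split(old_path)
    new_dir, new_name = ntpath.split(new_path)
    if not old_name or old_dir.lower() != new_dir.lower():
        return None
    if len(new_name) <= len(old_name) + 1:
        return None
    if new_name[: len(old_name)].lower() != old_name.lower() or new_name[len(old_name)] != ".":
        return None
    return new_name[len(old_name):]


def analyze(events, rename_threshold=50, min_dirs=2):
    """Scan event dicts and return both findings.

    Event schema (assumed for this example):
      {"type": "process", "pid": int, "cmdline": str}
      {"type": "rename",  "pid": int, "old": str, "new": str}
    A mass-rename finding requires one process to append the same suffix to at
    least rename_threshold files spread over at least min_dirs directories,
    which keeps a single 'file.txt -> file.txt.bak' from firing."""
    findings = {"shadow_copy_deletion": [], "mass_rename": []}
    renames = defaultdict(lambda: {"count": 0, "dirs": set()})
    for ev in events:
        if ev["type"] == "process" and is_shadow_copy_deletion(ev["cmdline"]):
            findings["shadow_copy_deletion"].append((ev["pid"], ev["cmdline"]))
        elif ev["type"] == "rename":
            ext = appended_extension(ev["old"], ev["new"])
            if ext is None:
                continue
            bucket = renames[(ev["pid"], ext.lower())]
            bucket["count"] += 1
            bucket["dirs"].add(ntpath.dirname(ev["old"]).lower())
    for (pid, ext), b in renames.items():
        if b["count"] >= rename_threshold and len(b["dirs"]) >= min_dirs:
            findings["mass_rename"].append((pid, ext, b["count"]))
    return findings


def constructed_events():
    """Constructed sample telemetry (not taken from the sandbox run above)."""
    events = [
        {"type": "process", "pid": 4242,
         "cmdline": "vssadmin.exe delete shadows /all /quiet"},
        {"type": "process", "pid": 1200, "cmdline": "cmd.exe /c dir C:\\"},
        # Benign: Word saving a document through a temp-file rename.
        {"type": "rename", "pid": 1200,
         "old": r"C:\Users\alice\Documents\~WRD0001.tmp",
         "new": r"C:\Users\alice\Documents\report.docx"},
        # Benign: one backup copy with an added extension.
        {"type": "rename", "pid": 1200,
         "old": r"C:\Users\alice\Documents\notes.txt",
         "new": r"C:\Users\alice\Documents\notes.txt.bak"},
    ]
    dirs = [r"C:\Users\alice\Documents", r"C:\Users\alice\Pictures", r"D:\Share"]
    for i in range(60):  # encryption pass: same pid, same suffix, many dirs
        base = f"{dirs[i % 3]}\\file{i}.docx"
        events.append({"type": "rename", "pid": 4242,
                       "old": base, "new": base + ".locked"})  # '.locked' is an assumed suffix
    return events


if __name__ == "__main__":
    print(analyze(constructed_events()))
```

The rename threshold and directory-spread requirement are the two knobs to tune against real telemetry; a backup agent that renames many files in one directory will not trip `min_dirs`, while an encryption pass over user profiles will. The shadow-copy patterns should be matched on the full command line, since `vssadmin list shadows` is common and benign.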

MITRE ATT&CK Enterprise v15

Tasks