General
-
Target
ctrsys.exe
-
Size
183KB
-
Sample
240820-kq45pssgkh
-
MD5
3870e4591ce517d956771e23c361582d
-
SHA1
28d09d35d3e5a8490ef4a4ebaa36262fa411afba
-
SHA256
2c85d7c4dd069fff494edd19387d56e54a52f6ef1b557f3d775f999410eb5a4d
-
SHA512
61dc0f9ca1a81170ef6aa4e514432079ebf12509eb615a191dae9f0e801d95748adf1cfd7d03dc5035dddd809458b0d42453b3fd51ca29cca3b8776a430de2d1
-
SSDEEP
3072:8FuxfutjURbpYkH+wWtaiEGlIQZboLRG9ua/aHyvXgQd2md:8FEgjUXr7NGlVbAh
Malware Config
Extracted
C:\MNYHU2Jh1.README.txt
https://coinatmradar.com
https://www.moonpay.com/buy
https://tox.chat/download.html
Targets
-
-
Target
ctrsys.exe
-
Size
183KB
-
MD5
3870e4591ce517d956771e23c361582d
-
SHA1
28d09d35d3e5a8490ef4a4ebaa36262fa411afba
-
SHA256
2c85d7c4dd069fff494edd19387d56e54a52f6ef1b557f3d775f999410eb5a4d
-
SHA512
61dc0f9ca1a81170ef6aa4e514432079ebf12509eb615a191dae9f0e801d95748adf1cfd7d03dc5035dddd809458b0d42453b3fd51ca29cca3b8776a430de2d1
-
SSDEEP
3072:8FuxfutjURbpYkH+wWtaiEGlIQZboLRG9ua/aHyvXgQd2md:8FEgjUXr7NGlVbAh
Score10/10-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Rule to detect Lockbit 3.0 ransomware Windows payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Renames multiple (364) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1