General

  • Target: razspy.exe
  • Size: 17KB
  • Sample: 240820-trxaxs1gpg
  • MD5: 01c6e0390faaed56ef1095f3ad261788
  • SHA1: d68aaa71f61aabc94d7c764f31f431a60d400d47
  • SHA256: 80f8cfd2a62ba62b09d7ccfed9d92b0bb47fdc10cbe72c6f2d929513747970c2
  • SHA512: dacef740eaf36e4fdaccac857542316657fb13a641747013f2d95acef1c4d7fd945b5f156265651d692ab34aac8d9204fb716ceea39cc0722a2ec5a29a98a4bb
  • SSDEEP: 192:p+VZRQY9ME6tRr99f65P7UqyjPkeKfFSgOlV7SajUrt07Sj5wcx/e3Q5tfnkTeIr:kRQYotJK5PI7Mtf2pSfwSdnm3S

Malware Config

Extracted

  • Path: C:\Users\Admin\Videos\README.txt
  • Ransom Note:

    ~~~ Your files have been encrypted! ~~~. Using advanced AES256 encryption technique your databases, documents, photos and other important files have been encrypted. See for yourself! look at any file with .raz extension. You cannot recover these files yourself. Do not waste your time. Nobody can recover your files. Only we can!. We can decrypt these files, we can guarantee that your files can be decrypted, but you have little time. Payment for the decryption is ~$70 We can restore your systems in less than 6 hours if you pay now. However, we will not decrypt your system if; - You go to police and report us. >>> If you report us AFTER decryption, we WILL attack you again!!!<<< Do not delete or modify encrypted files, it will cause problems when recovery! Sent the personal ID to [email protected] We will provide payment information, once payment is done, we will sent you a decryptor! If you do not pay, we will publish your data online! >>> Your personal ID: YI21-8CXS-ULFM-LG1M-B382-MYU8-GWWT-I25 <<<

Extracted

  • Path: C:\Users\Admin\Pictures\Camera Roll\README.txt
  • Ransom Note:

    ~~~ Your files have been encrypted! ~~~. Using advanced AES256 encryption technique your databases, documents, photos and other important files have been encrypted. See for yourself! look at any file with .raz extension. You cannot recover these files yourself. Do not waste your time. Nobody can recover your files. Only we can!. We can decrypt these files, we can guarantee that your files can be decrypted, but you have little time. Payment for the decryption is ~$70 We can restore your systems in less than 6 hours if you pay now. However, we will not decrypt your system if; - You go to police and report us. >>> If you report us AFTER decryption, we WILL attack you again!!!<<< Do not delete or modify encrypted files, it will cause problems when recovery! Sent the personal ID to [email protected] We will provide payment information, once payment is done, we will sent you a decryptor! If you do not pay, we will publish your data online! >>> Your personal ID: EWJ9-KH78-GWVQ-RWE0-5PHH-NFK9-ZERN-7NY <<<

Targets

    • Target: razspy.exe
    • Size: 17KB
    • MD5: 01c6e0390faaed56ef1095f3ad261788
    • SHA1: d68aaa71f61aabc94d7c764f31f431a60d400d47
    • SHA256: 80f8cfd2a62ba62b09d7ccfed9d92b0bb47fdc10cbe72c6f2d929513747970c2
    • SHA512: dacef740eaf36e4fdaccac857542316657fb13a641747013f2d95acef1c4d7fd945b5f156265651d692ab34aac8d9204fb716ceea39cc0722a2ec5a29a98a4bb
    • SSDEEP: 192:p+VZRQY9ME6tRr99f65P7UqyjPkeKfFSgOlV7SajUrt07Sj5wcx/e3Q5tfnkTeIr:kRQYotJK5PI7Mtf2pSfwSdnm3S

    • Renames multiple (4741) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops file in Drivers directory

    • Boot or Logon Autostart Execution: Print Processors

      Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks