af3b9d5de82a924b2177d69965dff7cb98f5adca28dd4a50e844d96dadd528d1

General

Target

razspy.exe
Size

17KB
Sample

240828-xrz9csshnl
MD5

c9122b326a11741382964a64acbbb43e
SHA1

216bac6bee35ce03407349a23eb6a618bf95082d
SHA256

af3b9d5de82a924b2177d69965dff7cb98f5adca28dd4a50e844d96dadd528d1
SHA512

1fcc4fd64ca6eaeeee0be91d4bc067bed2f5e6716d05a2a74b90e702b1110d8cb81d32995ffededc0a67fc3ed725df3cad8424ddc17a33c7a040902687ab6102
SSDEEP

192:3YQ9IeQOGWJvSdDk9iMeqh6c+e0zigZIkGoskKjgEDkZ5qcL/e3Q5tfuNKA:3YQmeQLWJvlI/DvzAZDg7m39

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Videos\README.txt

Ransom Note

~~~ Your files have been encrypted! ~~~. Using advanced AES256 encryption technique your databases, documents, photos and other important files have been encrypted. See for yourself! look at any file with .raz extension. You cannot recover these files yourself. Do not waste your time. Nobody can recover your files. Only we can!. We can decrypt these files, we can guarantee that your files can be decrypted, but you have little time. Payment for the decryption is ~$70 We can restore your systems in less than 6 hours if you pay now. However, we will not decrypt your system if; - You go to police and report us. >>> If you report us AFTER decryption, we WILL attack you again!!!<<< Do not delete or modify encrypted files, it will cause problems when recovery! Sent the personal ID to [email protected] We will provide payment information, once payment is done, we will sent you a decryptor! If you do not pay, we will publish your data online! >>> Your personal ID: WOG0-29LX-3IDM-PY1Y-RALX-RQFW-QBF1-B30T <<<

Emails

[email protected]

Extracted

Path

C:\Users\Admin\Pictures\Camera Roll\README.txt

Ransom Note

~~~ Your files have been encrypted! ~~~. Using advanced AES256 encryption technique your databases, documents, photos and other important files have been encrypted. See for yourself! look at any file with .raz extension. You cannot recover these files yourself. Do not waste your time. Nobody can recover your files. Only we can!. We can decrypt these files, we can guarantee that your files can be decrypted, but you have little time. Payment for the decryption is ~$70 We can restore your systems in less than 6 hours if you pay now. However, we will not decrypt your system if; - You go to police and report us. >>> If you report us AFTER decryption, we WILL attack you again!!!<<< Do not delete or modify encrypted files, it will cause problems when recovery! Sent the personal ID to [email protected] We will provide payment information, once payment is done, we will sent you a decryptor! If you do not pay, we will publish your data online! >>> Your personal ID: OBRP-DO7W-KYRM-UQL7-RB6T-DVV9-GO96-E27E <<<

Emails

[email protected]

Targets

- Target
  
  razspy.exe
- Size
  
  17KB
- MD5
  
  c9122b326a11741382964a64acbbb43e
- SHA1
  
  216bac6bee35ce03407349a23eb6a618bf95082d
- SHA256
  
  af3b9d5de82a924b2177d69965dff7cb98f5adca28dd4a50e844d96dadd528d1
- SHA512
  
  1fcc4fd64ca6eaeeee0be91d4bc067bed2f5e6716d05a2a74b90e702b1110d8cb81d32995ffededc0a67fc3ed725df3cad8424ddc17a33c7a040902687ab6102
- SSDEEP
  
  192:3YQ9IeQOGWJvSdDk9iMeqh6c+e0zigZIkGoskKjgEDkZ5qcL/e3Q5tfuNKA:3YQmeQLWJvlI/DvzAZDg7m39
Score

10^/10

defense_evasion evasion execution impact persistence ransomware spyware stealer
- Razr Ransomware
  Detects Razr Ransomware.
  ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (5887) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Drops file in Drivers directory
- Boot or Logon Autostart Execution: Print Processors
  Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2