General
-
Target
PCCooker_x64.7z
-
Size
17.2MB
-
Sample
240907-w5qfmszhjc
-
MD5
ec953931a543fc3972ac8e2b003f76eb
-
SHA1
29836069fc9b614b2c65b10f6a9f8c6fe48b11ae
-
SHA256
0af783217a1279bf57eaea781dbe6d546ceb86cd02edc232e3892ff5f560d314
-
SHA512
8da5c8e7a7e1e1b20509b302848c0b58b3a9a73e769844c9b77831d085d7157e241b6c661b2cb7788caa0759bd3e311b1120f5e6919d5f78524c804d18411f50
-
SSDEEP
393216:QjSMq0bSZZAyJ1kDIWMoXwNQcJXLIXeVFcVDIjegWgZfTCgAJD3XiZ:Q1RbSZVkDmoX7cBLrVFcAvkvJDHiZ
Static task
static1
Behavioral task
behavioral1
Sample
PCCooker_x64.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
marsstealer
Default
kenesrakishev.net/wp-admin/admin-ajax.php
Extracted
C:\Users\Public\Documents\RGNR_EC2FACB9.txt
1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4
https://tox.chat/download.html
Extracted
xworm
5.0
outside-sand.gl.at.ply.gg:31300
VQd9MfbX4V71RInT
-
Install_directory
%AppData%
-
install_file
USB.exe
Extracted
cryptbot
fivexx5ht.top
analforeverlovyu.top
-
url_path
/v1/upload.php
Extracted
stealc
valenciga
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
lumma
https://complaintsipzzx.shop/api
Targets
-
-
Target
PCCooker_x64.exe
-
Size
22.4MB
-
MD5
317c5fe16b5314d1921930e300d9ea39
-
SHA1
65eb02c735bbbf1faf212662539fbf88a00a271f
-
SHA256
d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40
-
SHA512
31751379ad7f6c55d87e9a5c1f56e6211d515b7d9ae055af962ed6f9205f5abad302c2e47dd56325abff85327ec3b7f9a6cf76ed34b8cbe1da06549c622c7031
-
SSDEEP
49152:yIT4lj7Rl9HFoDi+3JK5CS2bV5IRtyrp63FDysl28Wvp/pUOmrscrdXuMIgqJ95+:yI6
-
Detect Xworm Payload
-
Modifies security service
-
Phorphiex payload
-
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
Renames multiple (7656) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Squirrelwaffle payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Defense Evasion
Direct Volume Access
1Impair Defenses
3Disable or Modify Tools
2Indicator Removal
2File Deletion
2Modify Registry
4Pre-OS Boot
1Bootkit
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1