General

  • Target

    razrusheniye.exe

  • Size

    22KB

  • Sample

    240909-razcvatgnf

  • MD5

    d3ddd7cbed9722f45a8b50217569a97f

  • SHA1

    88292e03db8d452a45f6bd82847f93df509dcfee

  • SHA256

    db245efb35591021b55e100f7c70fb6541d232263192fb19bacaaa48b3c91a0a

  • SHA512

    92a0e45e98a350af5f9fc06c7424b16388e187d259465ee8e2b2b53aae2902ef89ff32af26348821f5e913548f632e217ff7fe7fc01d550e496f23a7de8c6449

  • SSDEEP

    384:j7H3dlJn8EXbqeWyxubr6I/jyaIkAjiKkUT/2aoddnI0FURFPog:jb1MeBu/IviKknd/FUHPog

Malware Config

Extracted

Path

C:\Users\Admin\Videos\README.txt

Ransom Note
~~~ You became victim of the razrusheniye ransomware! ~~~. Using AES-256-CBC encryption, your databases, documents, photos and other important files have been encrypted! This means you will not be able to access them unless you decrypt them. See for yourself! Look at any file with the .raz extension and its content! You cannot recover these files yourself. That's not how cryptography works. Do not waste your time. Nobody can recover your files besides us! If you fulfil the following, you are eligible for a 50% discount! - You do NOT contact ANYONE about this incident. - You contact us in UNDER than 6 hours. We can decrypt these files, we can guarantee that your system will be just as new! Payment for the restoration of your system is $70 (with the 50% discount it's $35) We can restore your systems in less than 6 hours if you pay now. However, we will not decrypt your system if; - You go to police and report us. >>> If you report us AFTER restoration, we WILL attack you again!!! <<< Do not delete or modify encrypted files, it will cause problems when restoring your system! Send the personal ID to [email protected] via email. We will provide payment information, once payment is done, we will sent you a decryptor! If you do not pay, you will NEVER get your data back and sensitive information will be leaked online! By sensitive information we mean passwords, and similar! Q: How can i be sure you won't scam me? A: You can send us 3 files (not bigger than 3MB) and we will decrypt it, and send it back to you. You can then decide if you want to restore the rest by paying $70 (with the 50% discount its $35) >>> Your personal ID is: 3OCM-BTOZ-928E-2WIF-AYSC-MYRZ-GXJM-HSJ6 <<<

Extracted

Path

C:\Users\Admin\Pictures\Camera Roll\README.txt

Ransom Note
~~~ You became victim of the razrusheniye ransomware! ~~~. Using AES-256-CBC encryption, your databases, documents, photos and other important files have been encrypted! This means you will not be able to access them unless you decrypt them. See for yourself! Look at any file with the .raz extension and its content! You cannot recover these files yourself. That's not how cryptography works. Do not waste your time. Nobody can recover your files besides us! If you fulfil the following, you are eligible for a 50% discount! - You do NOT contact ANYONE about this incident. - You contact us in UNDER than 6 hours. We can decrypt these files, we can guarantee that your system will be just as new! Payment for the restoration of your system is $70 (with the 50% discount it's $35) We can restore your systems in less than 6 hours if you pay now. However, we will not decrypt your system if; - You go to police and report us. >>> If you report us AFTER restoration, we WILL attack you again!!! <<< Do not delete or modify encrypted files, it will cause problems when restoring your system! Send the personal ID to [email protected] via email. We will provide payment information, once payment is done, we will sent you a decryptor! If you do not pay, you will NEVER get your data back and sensitive information will be leaked online! By sensitive information we mean passwords, and similar! Q: How can i be sure you won't scam me? A: You can send us 3 files (not bigger than 3MB) and we will decrypt it, and send it back to you. You can then decide if you want to restore the rest by paying $70 (with the 50% discount its $35) >>> Your personal ID is: 0JD6-OFYP-6AL5-VB4E-XD6F-ZXFZ-MU25-DCNT <<<

Targets

    • Target

      razrusheniye.exe

    • Renames multiple (4293) files with added filename extension

      Mass renaming with a new extension suggests ransomware activity, i.e. encrypting files across the system.

    • Drops file in Drivers directory

    • Boot or Logon Autostart Execution: Print Processors

      Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15