General

  • Target

    razrusheniye.exe

  • Size

    21KB

  • Sample

    240913-zc8cjayakd

  • MD5

    916b310031e147c6258f89b8727cdac8

  • SHA1

    a16f36eccd471ce2c4cee9388949b7a648e3bacd

  • SHA256

    0af088e71cd40a89584020f9cb5080c85b6e859bafd866710dadda6438d1cb74

  • SHA512

    1197774e65e0e7251692395c5a58f466f5aa1eac6c908ba368622e73263172b2896f2575368499aad445ab0fc2129c43ae1385a5ee3adee1c4dd243d90d3d911

  • SSDEEP

    384:m7EBb05b+XJoQgyksqKIHgwiKU+aouAGV9Rq2d:mzBQgHFiK3Gvg

Malware Config

Extracted

Path

C:\Users\Admin\Videos\README.txt

Ransom Note
~~~ You became victim of the razrusheniye ransomware! ~~~.
Using AES-256-CBC encryption, your databases, documents, photos and other important files have been encrypted! This means you will not be able to access them unless you decrypt them.
See for yourself! Look at any file with the .raz extension and its content!
You cannot recover these files yourself. That's not how cryptography works. Do not waste your time. Nobody can recover your files besides us!
If you fulfil the following, you are eligible for a 50% discount!
- You do NOT contact ANYONE about this incident.
- You contact us in UNDER than 6 hours.
We can decrypt these files, we can guarantee that your system will be just as new!
Payment for the restoration of your system is $70 (with the 50% discount it's $35)
We can restore your systems in less than 6 hours if you pay now.
However, we will not decrypt your system if;
- You go to police and report us.
>>> If you report us AFTER restoration, we WILL attack you again!!! <<<
Do not delete or modify encrypted files, it will cause problems when restoring your system!
Send the personal ID to [email protected] via email. We will provide payment information, once payment is done, we will sent you a decryptor!
If you do not pay, you will NEVER get your data back and sensitive information will be leaked online! By sensitive information we mean passwords, and similar!
Q: How can i be sure you won't scam me?
A: You can send us 3 files (not bigger than 3MB) and we will decrypt it, and send it back to you. You can then decide if you want to restore the rest by paying $70 (with the 50% discount its $35)
>>> Your personal ID is: 4V8O-5AW2-T9Y3-M76Q-M9BC-4Z4Z-K7ZT-O2RX <<<

Extracted

Path

C:\Users\Admin\Pictures\Camera Roll\README.txt

Ransom Note
~~~ You became victim of the razrusheniye ransomware! ~~~.
Using AES-256-CBC encryption, your databases, documents, photos and other important files have been encrypted! This means you will not be able to access them unless you decrypt them.
See for yourself! Look at any file with the .raz extension and its content!
You cannot recover these files yourself. That's not how cryptography works. Do not waste your time. Nobody can recover your files besides us!
If you fulfil the following, you are eligible for a 50% discount!
- You do NOT contact ANYONE about this incident.
- You contact us in UNDER than 6 hours.
We can decrypt these files, we can guarantee that your system will be just as new!
Payment for the restoration of your system is $70 (with the 50% discount it's $35)
We can restore your systems in less than 6 hours if you pay now.
However, we will not decrypt your system if;
- You go to police and report us.
>>> If you report us AFTER restoration, we WILL attack you again!!! <<<
Do not delete or modify encrypted files, it will cause problems when restoring your system!
Send the personal ID to [email protected] via email. We will provide payment information, once payment is done, we will sent you a decryptor!
If you do not pay, you will NEVER get your data back and sensitive information will be leaked online! By sensitive information we mean passwords, and similar!
Q: How can i be sure you won't scam me?
A: You can send us 3 files (not bigger than 3MB) and we will decrypt it, and send it back to you. You can then decide if you want to restore the rest by paying $70 (with the 50% discount its $35)
>>> Your personal ID is: BLZU-HI87-OP49-YYOU-OUB9-UJDJ-I0QD-J4KT <<<

Targets

    • Renames multiple (4325) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and renamed.

    • Drops file in Drivers directory

    • Boot or Logon Autostart Execution: Print Processors

      Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15