General
-
Target
PCCooker_x64.exe
-
Size
22.4MB
-
Sample
240919-awlv7s1eqa
-
MD5
317c5fe16b5314d1921930e300d9ea39
-
SHA1
65eb02c735bbbf1faf212662539fbf88a00a271f
-
SHA256
d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40
-
SHA512
31751379ad7f6c55d87e9a5c1f56e6211d515b7d9ae055af962ed6f9205f5abad302c2e47dd56325abff85327ec3b7f9a6cf76ed34b8cbe1da06549c622c7031
-
SSDEEP
49152:yIT4lj7Rl9HFoDi+3JK5CS2bV5IRtyrp63FDysl28Wvp/pUOmrscrdXuMIgqJ95+:yI6
Static task
static1
Behavioral task
behavioral1
Sample
PCCooker_x64.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
PCCooker_x64.exe
Resource
win7-20240708-en
Behavioral task
behavioral3
Sample
PCCooker_x64.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
PCCooker_x64.exe
Resource
win11-20240802-en
Malware Config
Extracted
C:\Users\Public\Documents\RGNR_CC283BC6.txt
1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4
https://tox.chat/download.html
Extracted
phorphiex
http://185.215.113.66/
http://77.91.77.92/
http://91.202.233.141/
0xCa90599132C4D88907Bd8E046540284aa468a035
TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6
qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
XryzFMFVpDUvU7famUGf214EXD3xNUSmQf
LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv
rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb
4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK
15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC
17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY
ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp
3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc
3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3
DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA
t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh
stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj
bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw
bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3
bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3
-
mutex
55a4er5wo
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Extracted
xworm
5.0
outside-sand.gl.at.ply.gg:31300
uGoUQjcjqoZsiRJZ
-
Install_directory
%AppData%
-
install_file
USB.exe
Extracted
marsstealer
Default
Targets
-
-
Target
PCCooker_x64.exe
-
Size
22.4MB
-
MD5
317c5fe16b5314d1921930e300d9ea39
-
SHA1
65eb02c735bbbf1faf212662539fbf88a00a271f
-
SHA256
d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40
-
SHA512
31751379ad7f6c55d87e9a5c1f56e6211d515b7d9ae055af962ed6f9205f5abad302c2e47dd56325abff85327ec3b7f9a6cf76ed34b8cbe1da06549c622c7031
-
SSDEEP
49152:yIT4lj7Rl9HFoDi+3JK5CS2bV5IRtyrp63FDysl28Wvp/pUOmrscrdXuMIgqJ95+:yI6
-
Detect Xworm Payload
-
Modifies security service
-
Phorphiex payload
-
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (1996) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Squirrelwaffle payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Defense Evasion
Direct Volume Access
1Impair Defenses
3Disable or Modify Tools
2Indicator Removal
2File Deletion
2Modify Registry
4Pre-OS Boot
1Bootkit
1