General
-
Target
PCCookerx64.exe
-
Size
22.4MB
-
Sample
240919-qeryws1alq
-
MD5
317c5fe16b5314d1921930e300d9ea39
-
SHA1
65eb02c735bbbf1faf212662539fbf88a00a271f
-
SHA256
d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40
-
SHA512
31751379ad7f6c55d87e9a5c1f56e6211d515b7d9ae055af962ed6f9205f5abad302c2e47dd56325abff85327ec3b7f9a6cf76ed34b8cbe1da06549c622c7031
-
SSDEEP
49152:yIT4lj7Rl9HFoDi+3JK5CS2bV5IRtyrp63FDysl28Wvp/pUOmrscrdXuMIgqJ95+:yI6
Static task
static1
Behavioral task
behavioral1
Sample
PCCookerx64.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
PCCookerx64.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
marsstealer
Default
kenesrakishev.net/wp-admin/admin-ajax.php
Extracted
C:\Users\Public\Documents\RGNR_9F2668B3.txt
1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4
https://tox.chat/download.html
Extracted
xworm
5.0
outside-sand.gl.at.ply.gg:31300
uGoUQjcjqoZsiRJZ
-
Install_directory
%AppData%
-
install_file
USB.exe
Extracted
stealc
cry
http://193.176.190.41
-
url_path
/2fa883eebd632382.php
Extracted
stealc
default
http://193.176.190.41
-
url_path
/2fa883eebd632382.php
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
147.45.47.36:14537
Extracted
phorphiex
http://185.215.113.66/
http://77.91.77.92/
http://91.202.233.141/
0xCa90599132C4D88907Bd8E046540284aa468a035
TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6
qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
XryzFMFVpDUvU7famUGf214EXD3xNUSmQf
LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv
rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb
4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK
15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC
17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY
ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp
3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc
3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3
DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA
t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh
stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj
bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw
bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3
bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3
-
mutex
55a4er5wo
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Extracted
djvu
http://cajgtus.com/test1/get.php
-
extension
.watz
-
offline_id
Lc3VTezPWbMhuVAQFzJUdeA68PwI7UDpc5aKHYt1
- payload_url
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284d Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0874PsawqS
Targets
-
-
Target
PCCookerx64.exe
-
Size
22.4MB
-
MD5
317c5fe16b5314d1921930e300d9ea39
-
SHA1
65eb02c735bbbf1faf212662539fbf88a00a271f
-
SHA256
d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40
-
SHA512
31751379ad7f6c55d87e9a5c1f56e6211d515b7d9ae055af962ed6f9205f5abad302c2e47dd56325abff85327ec3b7f9a6cf76ed34b8cbe1da06549c622c7031
-
SSDEEP
49152:yIT4lj7Rl9HFoDi+3JK5CS2bV5IRtyrp63FDysl28Wvp/pUOmrscrdXuMIgqJ95+:yI6
-
Detect Xworm Payload
-
Detected Djvu ransomware
-
Modifies security service
-
Phorphiex payload
-
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (7825) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Squirrelwaffle payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Defense Evasion
Direct Volume Access
1File and Directory Permissions Modification
1Impair Defenses
3Disable or Modify Tools
2Indicator Removal
2File Deletion
2Modify Registry
5Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1