General
-
Target
PCCooker_x64.exe
-
Size
22.4MB
-
Sample
240920-jmh8dswane
-
MD5
317c5fe16b5314d1921930e300d9ea39
-
SHA1
65eb02c735bbbf1faf212662539fbf88a00a271f
-
SHA256
d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40
-
SHA512
31751379ad7f6c55d87e9a5c1f56e6211d515b7d9ae055af962ed6f9205f5abad302c2e47dd56325abff85327ec3b7f9a6cf76ed34b8cbe1da06549c622c7031
-
SSDEEP
49152:yIT4lj7Rl9HFoDi+3JK5CS2bV5IRtyrp63FDysl28Wvp/pUOmrscrdXuMIgqJ95+:yI6
Static task
static1
Behavioral task
behavioral1
Sample
PCCooker_x64.exe
Resource
win10-20240404-en
Malware Config
Extracted
C:\Users\Public\Documents\RGNR_04C983E2.txt
1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4
https://tox.chat/download.html
Extracted
xworm
5.0
outside-sand.gl.at.ply.gg:31300
uGoUQjcjqoZsiRJZ
-
Install_directory
%AppData%
-
install_file
USB.exe
Targets
-
-
Target
PCCooker_x64.exe
-
Size
22.4MB
-
MD5
317c5fe16b5314d1921930e300d9ea39
-
SHA1
65eb02c735bbbf1faf212662539fbf88a00a271f
-
SHA256
d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40
-
SHA512
31751379ad7f6c55d87e9a5c1f56e6211d515b7d9ae055af962ed6f9205f5abad302c2e47dd56325abff85327ec3b7f9a6cf76ed34b8cbe1da06549c622c7031
-
SSDEEP
49152:yIT4lj7Rl9HFoDi+3JK5CS2bV5IRtyrp63FDysl28Wvp/pUOmrscrdXuMIgqJ95+:yI6
-
Detect Xworm Payload
-
Phorphiex payload
-
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (5386) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Direct Volume Access
1Impair Defenses
1Indicator Removal
2File Deletion
2Modify Registry
1Pre-OS Boot
1Bootkit
1