General
-
Target
PCCooker_x64.exe
-
Size
22.4MB
-
Sample
240925-1zz54stcme
-
MD5
317c5fe16b5314d1921930e300d9ea39
-
SHA1
65eb02c735bbbf1faf212662539fbf88a00a271f
-
SHA256
d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40
-
SHA512
31751379ad7f6c55d87e9a5c1f56e6211d515b7d9ae055af962ed6f9205f5abad302c2e47dd56325abff85327ec3b7f9a6cf76ed34b8cbe1da06549c622c7031
-
SSDEEP
49152:yIT4lj7Rl9HFoDi+3JK5CS2bV5IRtyrp63FDysl28Wvp/pUOmrscrdXuMIgqJ95+:yI6
Static task
static1
Behavioral task
behavioral1
Sample
PCCooker_x64.exe
Resource
win10-20240611-en
Behavioral task
behavioral2
Sample
PCCooker_x64.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
PCCooker_x64.exe
Resource
win11-20240802-en
Malware Config
Extracted
marsstealer
Default
Extracted
C:\Users\Public\Documents\RGNR_BC248C0F.txt
1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4
https://tox.chat/download.html
Extracted
xworm
5.0
outside-sand.gl.at.ply.gg:31300
uGoUQjcjqoZsiRJZ
-
Install_directory
%AppData%
-
install_file
USB.exe
Extracted
redline
ddoz
185.215.113.25:13686
Extracted
redline
test
45.9.91.71:46967
Targets
-
-
Target
PCCooker_x64.exe
-
Size
22.4MB
-
MD5
317c5fe16b5314d1921930e300d9ea39
-
SHA1
65eb02c735bbbf1faf212662539fbf88a00a271f
-
SHA256
d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40
-
SHA512
31751379ad7f6c55d87e9a5c1f56e6211d515b7d9ae055af962ed6f9205f5abad302c2e47dd56325abff85327ec3b7f9a6cf76ed34b8cbe1da06549c622c7031
-
SSDEEP
49152:yIT4lj7Rl9HFoDi+3JK5CS2bV5IRtyrp63FDysl28Wvp/pUOmrscrdXuMIgqJ95+:yI6
-
Detect Xworm Payload
-
Phorphiex payload
-
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (503) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Squirrelwaffle payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Pre-OS Boot
1Bootkit
1