General
-
Target
RNSM00472.7z
-
Size
46.1MB
-
Sample
240925-y8k2fawdlr
-
MD5
e71a3dbd999bf53c3c820819fce516d1
-
SHA1
d7d0ea53cc45f81bd4efa0fe8c4bf0c1ade096aa
-
SHA256
e54915db3dea53ce4044e5f7e0ae8c8f010dc1f62cc8b09054ed01f79e559ab3
-
SHA512
bb9159041b28bd87203244e4d1bca7b62f76f43e0e107c50230c02aecf00c688ecde0814622070c68655a25eabf4566ee02ed7c2e62c4f425139c8b248f494f6
-
SSDEEP
786432:joDk3ebC2AfOlxjhalhB8MFk70E8U9oTSq96Mbp69PHhX624TkIjwFTRCyQ:juyebCvOLgKKg0w9EPkPBX65TkIM7CyQ
Static task
static1
Behavioral task
behavioral1
Sample
RNSM00472.7z
Resource
win10v2004-20240910-en
Malware Config
Extracted
C:\Program Files\Crashpad\HOW TO RESTORE YOUR FILES.TXT
https://tox.chat/
Extracted
redline
ANYTHING U WANT
3.235.181.77:80
Extracted
nanocore
1.2.2.0
darkrig.ddns.net:54984
127.0.0.1:54984
a4e9a3b2-293f-477b-9774-458e8f942810
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2018-09-09T20:42:26.979636536Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
true
-
connect_delay
4000
-
connection_port
54984
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
a4e9a3b2-293f-477b-9774-458e8f942810
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
darkrig.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
njrat
0.6.4
By Dz
fathiyassin22.ddns.net:1177
d5a38e9b5f206c41f8851bf04a251d26
-
reg_key
d5a38e9b5f206c41f8851bf04a251d26
-
splitter
|'|'|
Extracted
njrat
0.7d
Run RunPE
-
splitter
|'|'|
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.30.235
218.54.31.165
112.175.88.207
112.175.88.208
Extracted
C:\Users\Public\how_to_back_files.html
Extracted
C:\info.hta
http://www.w3.org/TR/html4/strict.dtd'>
Targets
-
-
Target
RNSM00472.7z
-
Size
46.1MB
-
MD5
e71a3dbd999bf53c3c820819fce516d1
-
SHA1
d7d0ea53cc45f81bd4efa0fe8c4bf0c1ade096aa
-
SHA256
e54915db3dea53ce4044e5f7e0ae8c8f010dc1f62cc8b09054ed01f79e559ab3
-
SHA512
bb9159041b28bd87203244e4d1bca7b62f76f43e0e107c50230c02aecf00c688ecde0814622070c68655a25eabf4566ee02ed7c2e62c4f425139c8b248f494f6
-
SSDEEP
786432:joDk3ebC2AfOlxjhalhB8MFk70E8U9oTSq96Mbp69PHhX624TkIjwFTRCyQ:juyebCvOLgKKg0w9EPkPBX65TkIM7CyQ
-
Detecting the common Go functions and variables names used by Snatch ransomware
-
GandCrab payload
-
Modifies WinLogon for persistence
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT payload
-
Snatch Ransomware
Ransomware family generally distributed through RDP bruteforce attacks.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (69) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Uses Tor communications
Malware can proxy its traffic through Tor for more anonymity.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Direct Volume Access
1Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
4File Deletion
4Modify Registry
2Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1