General

  • Target

    RNSM00466.7z

  • Size

    83.9MB

  • Sample

    241007-yb4ghssbmm

  • MD5

    add9b95cfef4f7b5e89946205f16a572

  • SHA1

    077667fb23e0b48936714b8d4a54f162203a934a

  • SHA256

    133c0ba06c58e2b694c42135545d7554b3d6e37ad752bd6a3fa97b5577cd6033

  • SHA512

    8e69d5e07614b498e3ddc2bb4ce79b734dd215e75dfa72dabb6e138f2e50824975e7af86302d15c988022217968cbb45937d663612640d0025fa25b44570a364

  • SSDEEP

    1572864:yXbfmaPS2DP0IVADQh/BX6xJWyoszrxhh/R88bfax/XOc:+bfmrq/hpqLoszrFR12xX7

Malware Config

Extracted

Family

gandcrab

C2

http://gdcbghvjyqy7jclk.onion.top/

Extracted

Family

darkcomet

Botnet

pc

C2

host12365485454.ddns.net:1604

192.168.0.125:1604

Mutex

DC_MUTEX-Q8QDW8F

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    locQi1ySlvoS

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    micro update

Extracted

Family

nullmixer

C2

http://motiwa.xyz/

Extracted

Family

redline

Botnet

Cana

C2

176.111.174.254:56328

Extracted

Family

redline

Botnet

DomAni2

C2

flestriche.xyz:80

Extracted

Path

C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\HowToRestoreMyFiles.txt

Ransom Note
All data in your machine turned to useless binary code. Your databases and important files have been downloaded and will be published after 12 days if not paid. To return files and prevent publishing email us at: [email protected], [email protected] (send copy to both). Tips: *No one else can help you , don't waste your business time. *You ask for proof that we have your data , and you can see our old target that their data have been published. *If not paid after 12 days Google your company name and you will see your private data in there, happy will legal and business challenges of data leak after. *For decryption anyone/any company offering help will get extra fee(some times even more than ours!)added to ours or simplly will scam you (dont pay us after getting test file, lie and scam you) so if you wanna intermediary chose a trusted one to avoid scams, and get your data. *For decryption you send a few sample files for test before any payment. We won't be available for long. Dont play with encrypted files that will corrupt them and make unrecoverable. Use google translate (if you don't know english) Your key: ltwZIOPHyIhhJZVQfLbstDE7PPouSvx1hUHQFsJ7rJ0HVfG98aCv0DwraHgqSaGHMtY2vmpGjIZSF1lApOuP9zHhmYe13JF5QUo/iqHPRhjxLdj9dKKl0YHEHxmUAk5euNjf1oOtjX1hyqnYkOeN+9jHzK1tFP/FwqC4VgAf4uQ=

Extracted

Path

\Device\HarddiskVolume1\Read_Me!_.txt

Ransom Note
All Your Files Encrypted With Strongest Encryption Algorithm ! If You Really Need Your Files Please Send Us E-mail To Get Decryption Tools and Instructions You Must Send Some Locked Files To Us For Decryption Test(Before Paying) ! If You Do Not E-mail Us And Do Not Need Your Files After A whlie Our Servers Will Remove Your Decrypion Keys From Servers !!! Your Unique ID: fJ30ex Email Address: [email protected] Attention!!! Subject Your Unique ID Do Not Edit Or Rename Encrypted Files. If You Do Not E-mail Us After 48 Hours Decryption Fee Will Double. Do Not Try To Decrypt Files By Third-Party Or Data Recovery Softwares It May Damage Files. In Case Of Trying To Decrypt Files With Third-Party Sofwares,This May Make The Decryption Harder So Prices Will Be Rise.

Targets

    • Target

      RNSM00466.7z

    • Size

      83.9MB

    • MD5

      add9b95cfef4f7b5e89946205f16a572

    • SHA1

      077667fb23e0b48936714b8d4a54f162203a934a

    • SHA256

      133c0ba06c58e2b694c42135545d7554b3d6e37ad752bd6a3fa97b5577cd6033

    • SHA512

      8e69d5e07614b498e3ddc2bb4ce79b734dd215e75dfa72dabb6e138f2e50824975e7af86302d15c988022217968cbb45937d663612640d0025fa25b44570a364

    • SSDEEP

      1572864:yXbfmaPS2DP0IVADQh/BX6xJWyoszrxhh/R88bfax/XOc:+bfmrq/hpqLoszrFR12xX7

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Detect LockFile payload

    • Detect MafiaWare666 ransomware

    • Disables service(s)

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • LockFile

      LockFile is a new ransomware that emerged in July 2021 with ProxyShell vulnerabilities.

    • MafiaWare666 Ransomware

      MafiaWare666 is ransomware written in C# with multiple variants.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Windows security bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can recover passwords, product keys, etc.

    • Disables RegEdit via registry modification

    • Modifies Windows Firewall

    • Sets file to hidden

      Modifies file attributes to hide the file from Explorer and similar tools.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Windows security modification

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Program crash

    • Uses Tor communications

      Malware can proxy its traffic through Tor for more anonymity.

    • Enumerates processes with tasklist

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks