General

  • Target

    RNSM00449.7z

  • Size

    144.2MB

  • Sample

    241015-zgr64szfnm

  • MD5

    f206ad177f3f8ccc84509a938107200b

  • SHA1

    45c789c3ac7cdfc34e38e47198bf55ea49ec2dcd

  • SHA256

    a513460aca621b82a0f03d4f11297ba49e2c026a8ccb025bb838778fbd8cbf51

  • SHA512

    f79b83f6ab22cc9bac0486f68f3a9dbde4557baf69d76a99ada3732e4c2d4ba27baf6aaab9e21c555e4b78ff6915df9e21fc5269425554669a00baa9c5439a91

  • SSDEEP

    3145728:uVYBVf+gyzv13IWFhqr0Goa6s9GS+00E5bxQxFKoJY05+XVh7RAjI0j:0YbmBv13IWyr159Z0ImxFKoXaNRAjT

Malware Config

Extracted

Family

crimsonrat

C2

134.119.181.142

10.5.26.108

Extracted

Path

C:\Program Files\Common Files\microsoft shared\ink\ar-SA\!! READ ME !!.txt

Ransom Note

Good day. All your files are encrypted. For decryption contact us. Write here [email protected] reserve [email protected] jabber [email protected] We also inform that your databases, ftp server and file server were downloaded by us to our servers. If we do not receive a message from you within three days, we regard this as a refusal to negotiate. Check our platform: http://cuba4mp6ximo2zlo.onion/ * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Do not stop process of encryption, because partial encryption cannot be decrypted.
URLs

http://cuba4mp6ximo2zlo.onion/

Targets

    • CrimsonRat

      Crimson RAT is malware attributed to a Pakistan-linked threat actor.

    • Disables Task Manager via registry modification

    • Possible privilege escalation attempt

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Modifies file permissions

    • Legitimate hosting services abused for malware hosting/C2

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

MITRE ATT&CK Enterprise v15