General

  • Target

    RNSM00448.7z

  • Size

    135.7MB

  • Sample

    241015-zj8a4szhjl

  • MD5

    3c7ad9d140d2e5c7da26565eb851df15

  • SHA1

    b2620d38f219febef3477ab6aa34d4a74da27b65

  • SHA256

    09cdb500c947f6f1e7ebf55cea2061991c60e53cefac392813ff14110b883714

  • SHA512

    cdc6a50fb7118022a631d17e064cce5b984aec210c5c22b81d693741fc1971ccdbc8d0765288ee4c6f3b30f7f5975794f39fec372cd19e2951b9324a795941f6

  • SSDEEP

    3145728:QhAMTQWaKp/Z8v3bvJOHcLAlvac+NNzSlug5V2wYA:kxQ2grwHcWaTroDMA

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$vaot8ALFLXuZNXaaLZnSlOKtytQs9XK6ZZe5twEouKcmYA96uqWt2

Campaign

6861

Decoy


Attributes

  • net

    true

  • pid

    $2a$12$vaot8ALFLXuZNXaaLZnSlOKtytQs9XK6ZZe5twEouKcmYA96uqWt2

  • prc

    msaccess

    thebat

    sql

    mspub

    steam

    synctime

    outlook

    agntsvc

    tbirdconfig

    firefox

    wordpad

    oracle

    visio

    infopath

    ocautoupds

    dbsnmp

    ocssd

    thunderbird

    isqlplussvc

    powerpnt

    dbeng50

    ocomm

    mydesktopqos

    xfssvccon

    encsvc

    excel

    mydesktopservice

    winword

    sqbcoreservice

    onenote

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---
    [+] Whats Happen? [+]
    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
    [+] What guarantees? [+]
    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
    [+] How to get access on website? [+]
    You have two ways:
    1) [Recommended] Using a TOR browser!
    a) Download and install TOR browser from this site: https://torproject.org/
    b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
    a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
    b) Open our secondary website: http://decoder.re/{UID}
    Warning: secondary website can be blocked, thats why first variant much better and more available.
    When you open our website, put the following data in the input form:
    Key: {KEY}
    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    6861

  • svc

    backup

    mepocs

    svc$

    veeam

    memtas

    vss

    sophos

    sql

Extracted

Family

djvu

C2

http://astdg.top/nddddhsspen6/get.php

http://securebiz.org/raud/get.php

Attributes

  • extension

    .zqqw

  • offline_id

    vm44NzSFuQur9eHklQ3YBUraVfy1szN1yvv5Jwt1

  • payload_url

    http://dgos.top/dl/build2.exe

  • ransomnote

    ATTENTION!
    Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files.
    What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information.
    You can get and look video overview decrypt tool: https://we.tl/t-fhnNOAYC8Z
    Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment.
    Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
    To get this software you need write on our e-mail: [email protected]
    Reserve e-mail address to contact us: [email protected]
    Your personal ID: 0312ewgfDd

rsa_pubkey.plain

Extracted

Family

nullmixer

C2

http://wxkeww.xyz/

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value.
To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge.
You can contact our team directly for further instructions through our website :
TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
HTTPS VERSION : https://contirecovery.xyz/
YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.
---BEGIN ID---
UER3GkowzzbBdoDPcmyBX9VeFqJwjP3eaRdqiYnKkc9wCu2jcHrnl8Vstgl447Ve
---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.xyz/

Extracted

Family

vidar

Version

39.4

Botnet

890

C2

https://sergeevih43.tumblr.com/

Attributes

  • profile_id

    890

Extracted

Family

redline

Botnet

Cana

C2

176.111.174.254:56328

Extracted

Family

redline

Botnet

DomAni2

C2

flestriche.xyz:80

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

dontreachme.duckdns.org:3601

Mutex

159ffe7d99124a92baa

Targets


    • 44Caliber

      An open source infostealer written in C#.

    • Conti Ransomware

      Ransomware generally thought to be a successor to Ryuk.

    • Detect MafiaWare666 ransomware

    • Detected Djvu ransomware

    • Detects Zeppelin payload

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • MafiaWare666 Ransomware

      MafiaWare666 is ransomware written in C# with multiple variants.

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Zeppelin Ransomware

      Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Renames multiple (65) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Vidar Stealer

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Modifies Windows Firewall

    • Stops running service(s)

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: Clear Persistence

      Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
