General

  • Target

    RNSM00446.7z

  • Size

    68.4MB

  • Sample

    241015-zwd8ss1elr

  • MD5

    3f1f1933521d96cb2a537eb57f0b8f4b

  • SHA1

    24b372467e9a2ad7aeac32ddac4aa71f22f3833c

  • SHA256

    b964e2c619289523043166d503c2f16b7b350f49533bc72d986adf09377bced0

  • SHA512

    251905f5fc6d738a8465ddda9d82cc357f9d2197fa9a7023447145b19587d1b8be56cfc7f0481f879a74bd9a4cd1777c929c90b76740de88bf4a083ca0ff0e82

  • SSDEEP

    1572864:WK6vBCJ4ynaQtuzbKsm5v5P04ljYEKR7sttLlxmi3bzvBZVdr:WK6vkfaBm5cCYTsHLlJf/

Malware Config

  • Extracted

    Family: nullmixer
    C2: http://motiwa.xyz/

  • Extracted

    Family: redline
    Botnet: Ani
    C2: yaklalau.xyz:80

  • Extracted

    Family: redline
    Botnet: NewAni
    C2: changidwia.xyz:80

  • Extracted

    Path: C:\ProgramData\readme.txt
    Family: conti

    Ransom Note:

    All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.xyz YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- YJaSholYVyutPPmyHu1jkidZ2xceLUHCW7WzIzQQK1Gs21y5y6bqil2j0EQGGRDv ---END ID---

    URLs:

    http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
    https://contirecovery.xyz

  • Extracted

    Family: redline
    Botnet: Cana
    C2: 176.111.174.254:56328

Targets

    • Target

      RNSM00446.7z

    • Size

      68.4MB

    • MD5

      3f1f1933521d96cb2a537eb57f0b8f4b

    • SHA1

      24b372467e9a2ad7aeac32ddac4aa71f22f3833c

    • SHA256

      b964e2c619289523043166d503c2f16b7b350f49533bc72d986adf09377bced0

    • SHA512

      251905f5fc6d738a8465ddda9d82cc357f9d2197fa9a7023447145b19587d1b8be56cfc7f0481f879a74bd9a4cd1777c929c90b76740de88bf4a083ca0ff0e82

    • SSDEEP

      1572864:WK6vBCJ4ynaQtuzbKsm5v5P04ljYEKR7sttLlxmi3bzvBZVdr:WK6vkfaBm5cCYTsHLlJf/

    • Conti Ransomware

      Ransomware generally thought to be a successor to Ryuk.

    • Detect MafiaWare666 ransomware

    • MafiaWare666 Ransomware

      MafiaWare666 is ransomware written in C# with multiple variants.

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • UAC bypass

    • Clears Windows event logs

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Renames multiple (153) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Possible privilege escalation attempt

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks