Extracted

• • Target

    RNSM00444.7z

  • Size

    60.2MB

  • MD5

    8d5f6c6746238d28a1073cbb4f020a74

  • SHA1

    bdedfc8f61016e3fa3201ce0f501c42324c0786f

  • SHA256

    84746e0b57050f68a3aa093b75731cf3aa321fb41534d55392525b105d164a54

  • SHA512

    c1a359269836364730cc84a4a90bf2a1e9fd4933f7d1cb48194a8d1c99c15429e86a177f0ff4ea33a025e8583f108f4b01ea52d7341918ab339bf29a7d8ec256

  • SSDEEP

    1572864:KzWRBEEP/N7M4wNhmpqdsALScA/CWHemATVzltiXGp9FMyf1+Y0ab:Rnb/N5qm1ALMHemalPL0ab

  Score

  10^/10

  crimsonratmafiaware666zgratcredential_accessdefense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationransomwareratspywarestealertrojanupx

  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    ratcrimsonrat

  • Detect MafiaWare666 ransomware

  • Detect ZGRat V2

  • Disables service(s)

    evasionexecution

  • MafiaWare666 Ransomware

    MafiaWare666 is ransomware written in C# with multiple variants.

    ransomwaremafiaware666

  • Modifies WinLogon for persistence

    persistence

  • UAC bypass

    evasiontrojan

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat

  • Renames multiple (1246) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Disables Task Manager via registry modification

    evasion

  • Downloads MZ/PE file

  • Downloads PsExec from SysInternals website

    Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

  • Modifies Windows Firewall

    evasion

  • Stops running service(s)

    evasionexecution

  • System Binary Proxy Execution: Regsvcs/Regasm

    Abuse Regasm to proxy execution of malicious code.

    defense_evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Network Service Discovery

    Attempt to gather information on host's network.

    discovery

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1