General

  • Target

    RNSM00440.7z

  • Size

    83.7MB

  • Sample

    241024-zcnccstckb

  • MD5

    075245de36e675fca5b3b7bbbe2559aa

  • SHA1

    1c194f80535d39509f318bb6cee62b904bd3ec7d

  • SHA256

    3505d0b242e1b4ffa9d11c5769494ea7314ec48dcb27b1b34900f60a10430249

  • SHA512

    052d0c44f6d618b4a3ceaae700f7d0fe4fb720965e797c210d9d1fab6e75ff0b905ca2a0dd6cb7fe2838c7f835f89e2a9b23522c7a5c5d09f531ded6f02e3a91

  • SSDEEP

    1572864:Fr0PvDw4YpeQwkYquZmWyVbU2lGzZmPA7IGIxjumOahRDjPAT60olU+SbBWvDzF9:GPrBYBYqVWyVo2lGVmAkZuB8NE6BlU+J

Malware Config

Extracted

Family

crimsonrat

C2

134.119.181.142

130.5.26.108

104.144.198.105

Extracted

Path

C:\Users\Admin\Downloads\UFVgTf_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

********* DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *********

All your documents, photos, databases and other important files have been encrypted and have the extension: .BAbEcbaebd

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ |
| 2. Install Tor browser |
| 3. Open link in Tor browser - {{link}} |
| 4. Follow the instructions on this page |
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
[ID removed]
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

4cpFTHLIlyW94mGUiBKHmicMcjoqjBG

Extracted

Family

djvu

C2

http://asvb.top/nddddhsspen6/get.php

Attributes
  • extension

    .paas

  • offline_id

    LQbDo3EfIVHxGuJOWRJdmxgY66rD6kiyqz4tzyt1

  • payload_url

    http://asvb.top/files/penelop/updatewin1.exe

    http://asvb.top/files/penelop/updatewin2.exe

    http://asvb.top/files/penelop/updatewin.exe

    http://asvb.top/files/penelop/3.exe

    http://asvb.top/files/penelop/4.exe

    http://asvb.top/files/penelop/5.exe

  • ransomnote

    ATTENTION!

    Don't worry, you can return all your files!
    All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
    The only method of recovering files is to purchase decrypt tool and unique key for you.
    This software will decrypt all your encrypted files.
    What guarantees you have?
    You can send one of your encrypted file from your PC and we decrypt it for free.
    But we can decrypt only 1 file for free. File must not contain valuable information.
    You can get and look video overview decrypt tool:
    https://we.tl/t-B0FsLNO3fN
    Price of private key and decrypt software is $980.
    Discount 50% available if you contact us first 72 hours, that's price for you is $490.
    Please note that you'll never restore your data without payment.
    Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

    To get this software you need write on our e-mail:
    [email protected]

    Reserve e-mail address to contact us:
    [email protected]

    Your personal ID:
    0300ewgfDd

  • rsa_pubkey.plain

Extracted

Path

F:\ukRcI_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .BAbEcbaebd

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ |
| 2. Install Tor browser |
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion |
| 4. Follow the instructions on this page |
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
MjcwMS1LSlpHOHFGZVpoS0tFQURMV1FZckdIbEx3cEx1K1d5ZUxGcjFRSzMrYzl2aExtTFowTzYrMVhsdDdTL3ViNGJUUWs2dXhsb2pSQjV1eXVXY3FZNVRxYmdkVjVYdTQ0VmxiVVRUWVo4V0lHeWp1cUZncExOQVVOMWd2ek0yOEYxaFEwUlZLcVMyZDBLNlpXODRuK09ERUxTdG1vSVZ2VUtWQTVKR0NvbWoxc1lhUWhGNXpma0l4K014KzBaeFBManE1bmk5Tml6YmRYVnBGNXBDSkRMTzQzNlN6MnJOaUNDMXBhSXd4ZlkzVXJZYWt6N0c0VXZkaDFMRWZHY3dtM2x4ejlFUlVlTDhuenlzYnpqekVXS012S0F5bVBQODcwaGJiMEkxQUE0UmxEc0dlV2xPU3MzRmxjQmFOVTBUZWwvMnRHVTJDak1vOWJTRmNQQ0t2ZHRsemMxTUVGcTRVZURncDRoOUh3YlRtcnE3bjVublFlZWVaV0pLZE4yQW5zYkZac09iVks1WXRnT2N4YVd0ZjQwb2tlYWUzdXZUTzdNcHRyeEV0UTZYdGh5Ymx1MHRDcnZvQ3FQdk44V0ZHU2gwT0xiSzZ6MDdBMktYdUgxYWpQRnNYT2huTjYyYjF6RUZaK1RVRjFRT2xRWUlyT0VKWm5vUWRQb2J0cEJRUFptVFVzTGR4RVNGQkk0L0ZQck1pdW83TGYxb1VhQWNUKzZnanRYNGNuTW5saVN3UFI3WjAyU1BReXdSQVJLYlFnZGsyNVplb1FWTHhhVmkxS3VIK29PMU9GMXQ2NkFEblo2eVpjTFM5ZmhyNkVKck45WnE5cmtEZjVJcklneTlYelQ3UWIrbWFCVXVzQmdGUnBrYkdzT3lDNFZIdFhMb2IyeDVRMjcyZDhndmhCR2lPRGNBSUZaNGgxd0xwQkdNQXU5enQ1MWp6bUV4TDRJU25MNTFaRTI3UXM2Y01Jb2JNa3dvNFFzczkrZkZWT1NObzd4L0hSem1hVk5sQmp3cCtPMWhKUGpWdksxbHQvenVXZTREZjc3L09pdGlvaXlWTGN2U0p6R25jZUxnZ0NUVklmdHEvb1hYZXZ6WXl6ZGg3amV1MWhjc215UCtjdTJsVXRjQjJXNlQ4bmMreGR6VmVBaWdtUzNvdmpxYmtlY092MnhtbkZvaWR4NFByeHRIZXI2QnV4QURSTFZHU0x4NGQzaE45d0RYOU1rekZ1VVV4OW03M2JEUGhUczBuMzlxaTNKRkpvOHBVbUM4Njl2NFY4RGRqS2I1czFpcUt4L0RGYVJXNGZrcWY3b21JQ3FqRUJrN2c1UmZCUTJ4U2ZEVW1lRlI3ZWVjdE1HYXdYclJ6OUlTejByMEZDR3J2Rk9LdGxvbkxEaFpFVTZrbEgwc1hnVWk4WWdGVTZ2Z0kwY3lPWXBhMnR3KzBuQmRObWVFVUtpaHBDSll3a2c5SVpCV2RSVlMwTG9kMTA1MDEzNjNMcXB0ZDYweU9DSWdDZXJlVEFRcFlCTzhLY2I1V3MxSWNjY2tiYVFSWm8wQlZkZmRaYURsaTBsL2xINTREV1Q4L3NNMkxVYTdhZWx2TnU1dStyb3lEeWE2M0pJT3N2NkFzQkNPdml1d2tuOVpGMkVLZGtrZkNmV0Y0SUc4Ym82OHMwaFlOUG1qZEpOTkUzOHVKcjRiaFQ4RnlTcWliWnl5bVdpaUQyMmVEcnQvdTRVME94bHVkcFJKd1YySDVFUndueWNOWTVvbEE5TUJRT1RsbWJmTU5oNGkxbkd3b3p6S3NqMVFKTEc3RjN5N2pucFF6WXBKS0J1cnowc2JMRVIyV2x4ZGFrdEtiMUpVdHR5eSthbHFsMFFFV251SzNWL0RFUk4yQkNEdjlTWFRHNVFnaHJENkR5ODRhTmdPWmhFbTUvdWJEeFFLd2VCbW1FYnhpdlJCTXBFSmNaZ0dDU1dwUTdWK0E4NGdSRzRxcUdEc0dvcXh0ZGYwSjFzbXo0U1hUQVF0Wkh6dDVQUmZBZWVVQzFVV0FUMEgvTEhnakkzQXZxRVRwV1UwYVQ3WHFJdGM3bTVQazlhNkROYVdMQmV4VkRpZzA5YkhpNkg1TzZXaklMR1I1UkdPeC9XUFNCa0lmd2w2QUlsTWtFdFJ5VXdVdDdwcW9OZmV2U1FWOG0wREs3RWRjNSs4OW5zd1V0cEpJVDB2bG1NbHVlaFRQazFPNUVWdHVkaTVrZGtueWgyRG5vd2t6c0Z6VlE9PQ==
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

Xqol83s63aTb
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Family

netwire

C2

haija.mine.nu:1339

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    C4

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    qays1122

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Path

C:\Program Files\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI strain.

As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly.

If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value.

To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge.

You can contact our team directly for further instructions through our website :

TOR VERSION :
(you should download and install TOR browser first https://torproject.org)
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

HTTPS VERSION :
https://contirecovery.best

YOU SHOULD BE AWARE!
Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.

---BEGIN ID---
2uO0jY99SkGsycZT4aXV1iSXpAVYFMXiI61gHloQIdDkja8WMzoA5e9kGdXEcwbg
---END ID---
URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.best

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Family

prometheus

Ransom Note
YOUR COMPANY NETWORK HAS BEEN HACKED

All your important files have been encrypted!
Your files are safe! Only modified.(AES)
No software available on internet can help you.
We are the only ones able to decrypt your files.
--------------------------------------------------------------------------------
We also gathered highly confidential/personal data.
These data are currently stored on a private server.
Files are also encrypted and stored securely.
--------------------------------------------------------------------------------
As a result of working with us, you will receive:
Fully automatic decryptor, all your data will be recovered within a few hours after it's run.
Server with your data will be immediately destroyed after your payment.
Save time and continue working.
You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back.
--------------------------------------------------------------------------------
!!!!!!!!!!!!!!!!!!!!!!!!
If you decide not to work with us:
All data on your computers will remain encrypted forever.
YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!
So you can expect your data to be publicly available in the near future..
The price will increase over time.
!!!!!!!!!!!!!!!!!!!!!!!!!
--------------------------------------------------------------------------------
It doesn't matter to us what you choose. We only seek money and our goal is not to damage your reputation or prevent your business from running.
Write to us now and we will provide the best prices.

Instructions for contacting us:
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.
2. Press "Download Tor", then press "Download Tor Browser Bundle", install it.
3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD and paste it in the Tor browser.
7. Start a chat and follow the further instructions.

Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that

Key Identifier: [ID removed]
URLs

http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD

Targets

    • Target

      RNSM00440.7z

    • Size

      83.7MB

    • MD5

      075245de36e675fca5b3b7bbbe2559aa

    • SHA1

      1c194f80535d39509f318bb6cee62b904bd3ec7d

    • SHA256

      3505d0b242e1b4ffa9d11c5769494ea7314ec48dcb27b1b34900f60a10430249

    • SHA512

      052d0c44f6d618b4a3ceaae700f7d0fe4fb720965e797c210d9d1fab6e75ff0b905ca2a0dd6cb7fe2838c7f835f89e2a9b23522c7a5c5d09f531ded6f02e3a91

    • SSDEEP

      1572864:Fr0PvDw4YpeQwkYquZmWyVbU2lGzZmPA7IGIxjumOahRDjPAT60olU+SbBWvDzF9:GPrBYBYqVWyVo2lGVmAkZuB8NE6BlU+J

    • Avaddon

      Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

    • Avaddon payload

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Conti Ransomware

      Ransomware generally thought to be a successor to Ryuk.

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is malware linked to a Pakistan-based threat actor.

    • Detect ZGRat V2

    • Detected Djvu ransomware

    • Disables service(s)

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Prometheus Ransomware

      Ransomware family mostly targeting the manufacturing industry; it claims to be affiliated with REvil.

    • Thanos Ransomware

      Ransomware-as-a-service (RaaS) sold through underground forums.

    • Thanos executable

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Downloads MZ/PE file

    • Downloads PsExec from SysInternals website

      Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

    • Modifies Windows Firewall

    • Stops running service(s)

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Executes dropped EXE

    • Modifies file permissions

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempts to gather information on the host's network.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
