General
-
Target
RNSM00438.7z
-
Size
66.5MB
-
Sample
241025-w9xqhsshqh
-
MD5
6aa1fd460f6a293bb4c678c6668023d1
-
SHA1
adf38d81d249d6905dde3936972cd0b1b1ff6fab
-
SHA256
ec32913ab37549bdee7e45ed16ab6c5ac2b52228298293fb47b86855a7a791a8
-
SHA512
0c0c7ef472287121e65504ba4e0d91805106f8ad6555553e8742b13de854369ca61ec6aa664808266c13e0c0bcc4ae4bcfd23417cd1451447f762a58a618541d
-
SSDEEP
1572864:S08JJ5gp1eUb7NeRCwxTUsv4DK3emG/i6Eza+9sFVB4+cXfy:S+jbsR1T+mOA6G19a
Malware Config
Extracted
crimsonrat
173.249.50.57
12.15.206.118
Extracted
crylock
- emails
-
ransomnote
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <title>CryLock</title> <hta:application showInTaskBar="no" APPLICATION="yes" ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no" applicationname="CryLock" border="thick" contexmenu="no" scroll="no" selection="yes" singleinstance="yes" windowstate="normal" MAXIMIZEBUTTON="NO" BORDER="DIALOG" width="100" height="100" MINIMIZEBUTTON="NO"></hta:application> <script language="JavaScript"> var ud=0; var op=0xc7bf30; var zoc=0; function document.onkeydown() { var alt=window.event.altKey; if (event.keyCode==116 || event.keyCode==27 || alt && event.keyCode==115) { event.keyCode=0; event.cancelBubble=true; return false; } } function document.onblur() { alert('Attention! This important information for you!'); } function ChangeTime() { var sd = new Date('<%DOUBLE_DATETIME%>'); var dn = new Date(); if (sd.getTime()<dn.getTime()) { var dt=document.getElementById('pwr'); dt.innerHTML='<font color="red" size="5"><b>Price is raised!</b></font>'; dt.style.height=78; zoc=1; } else { var delta=sd.getTime()-dn.getTime(); delta=new Date(delta); var dd=(delta.getUTCDate()-1)+((delta.getUTCMonth())*31); var hh=delta.getUTCHours(); var mm=delta.getUTCMinutes(); var ss=delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt=document.getElementById('dt'); dt.innerHTML='<font face="monospace" color="#c2c2c2" size="4"><b>'+dd+' '+hh+':'+mm+':'+ss+'</b></font>'; } var sd = new Date('<%UNDECRYPT_DATETIME%>'); dn = new Date(); if (sd.getTime()<dn.getTime()) { var dt=document.getElementById('lctw'); dt.innerHTML='<font color="red" size="5"><b>Last chance to decrypt your files!</b></font>'; zoc=2; } else { var delta=sd.getTime()-dn.getTime(); delta=new Date(delta); var dd=(delta.getUTCDate()-1)+((delta.getUTCMonth())*31); var hh=delta.getUTCHours(); var mm=delta.getUTCMinutes(); var ss=delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt=document.getElementById('et'); dt.innerHTML='<font face="monospace" color="#c2c2c2" size="4"><b>'+dd+' '+hh+':'+mm+':'+ss+'</b></font>'; } } function getRandomArbitrary(min, max) { min = Math.ceil(min); max = Math.floor(max); return Math.floor(Math.random() * (max - min)) + min; } function Rndom() { document.getElementById("blumid").focus(); var bid=document.getElementById('blumid'); var bem=document.getElementById('blummail'); if (ud==0) { op=op-0x10; } else { op=op+0x10; } if (op<=0xc00000) { ud=1; } if (op>=0xc7bf30) { ud=0; } bid.style.backgroundColor=op; bem.style.backgroundColor=op; var xx=''; var i=0; while (i<19) { xx=xx+getRandomArbitrary(0,2); i=i+1; } if (zoc==0) { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="white" size="5"><b>'+xx+'</b></font>'; } else { if (zoc==1) { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="red" size="5"><b>Price is raised!</b></font>'; } else { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="red" size="4"><b>Price is raised!<br>Last chance to decrypt your files!</b></font>'; } } } function Start() { window.resizeTo(800,500) setInterval(ChangeTime,1000); setInterval(Rndom,100); } function copytext(s) { window.clipboardData.setData("Text",s); alert(s+' copied to clipboard'); } function Restart() { alert('Attention! This important information for you!'); } </script> <body style="background-color:#0066CC;" OnLoad="Start()"> <div id="pwr" align="center" style="position:absolute; top:10px; left:10px; width:20%; border: 2px solid #c2c2c2;"> <font color="#c7bf30"><b>Payment will be raised after</b></font> <br> <div id="dt"> <font face="monospace" color="#c2c2c2" size="4">-- days --:--:--</font> </div> </div> <div align="center" style="position:absolute; top:10px; left:170px; width:58%;"> <font face="monospace" color="white" size="4"><b>Your files have been encrypted...</b></font> </div> <div align="center" style="position:absolute; top:60px; left:170px; width:58%;"> <div id="rc"> <font face="monospace" color="white" size="5"><b>00000000000000000000</b></font> </div> </div> <div id="lctw" align="center" style="position:absolute; top:10px; left:620px; width:20%; border: 2px solid #c2c2c2;"> <font color="#c7bf30"><b>Your files will be leaked after</b></font> <br> <div id="et"> <font face="monospace" color="#c2c2c2" size="4">-- days --:--:--</font> </div> </div> <div style="background-color:white;overflow-x:hide; overflow-y:scroll; position:absolute; top:100px; left:10px; width:768px; height:320px"> Decrypt files? Write to this mails: <font face="monospace" OnClick="copytext('<%MAIN_CONTACT%>')"><b><%MAIN_CONTACT%></b></font> or <font face="monospace" OnClick="copytext ('<[email protected]>')"><b><[email protected]></b></font>. Reserve telegram <font face="monospace" OnClick="copytext('@assist_decoder')"><b>@assist_decoder</b></font>. <br> Your unique ID <font face="monospace" OnClick="copytext('[<%HID%>]')"><b>[<%HID%>] <font size="2">[copy]</font></b></font> <br> <font color="#ff0000 ">Warning! All your data was extracted and copied! If you don't contact us, it will be sold and uploaded to public sources!</font> </div> <div title="Click to copy" OnClick="copytext('[<%HID%>]')" id="blumid" style="cursor:pointer;background-color:#c7bf30; position:absolute; top:430px; left:10px; width:380px; height:20px"> <b>Your ID [<%HID%>] <font size="2">[copy]</font></b> </div> <div title="Click to copy" OnClick="copytext('<%MAIN_CONTACT%>')" id="blummail" style="cursor:pointer;background-color:#c7bf30; position:absolute; top:430px; left:400px; width:380px; height:20px"> <b>Write to <%MAIN_CONTACT%> <font size="2">[copy]</font></b> </div> </body> </html>
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.30.235
218.54.31.165
Extracted
C:\Program Files\Restore-My-Files.txt
lockbit
http://lockbit-decryptor.top/?8C77A1CE29FCE870D9309D82AC4C6C42
http://lockbitks2tvnmwk.onion/?8C77A1CE29FCE870D9309D82AC4C6C42
Extracted
C:\Users\Admin\Desktop\00438\Qpinj_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Documents\Qpinj_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Music\Qpinj_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Targets
-
-
Target
RNSM00438.7z
-
Size
66.5MB
-
MD5
6aa1fd460f6a293bb4c678c6668023d1
-
SHA1
adf38d81d249d6905dde3936972cd0b1b1ff6fab
-
SHA256
ec32913ab37549bdee7e45ed16ab6c5ac2b52228298293fb47b86855a7a791a8
-
SHA512
0c0c7ef472287121e65504ba4e0d91805106f8ad6555553e8742b13de854369ca61ec6aa664808266c13e0c0bcc4ae4bcfd23417cd1451447f762a58a618541d
-
SSDEEP
1572864:S08JJ5gp1eUb7NeRCwxTUsv4DK3emG/i6Eza+9sFVB4+cXfy:S+jbsR1T+mOA6G19a
Score10/10-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon family
-
Avaddon payload
-
CrimsonRAT main payload
-
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
Crimsonrat family
-
Crylock
Ransomware family, which is a new variant of Cryakl ransomware.
-
Crylock family
-
Detect MafiaWare666 ransomware
-
Detects Echelon Stealer payload
-
Disables service(s)
-
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
-
Echelon family
-
GandCrab payload
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Gandcrab family
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
MafiaWare666 Ransomware
MafiaWare666 is ransomware written in C# with multiple variants.
-
Mafiaware666 family
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
-
Vanillarat family
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
ModiLoader Second Stage
-
Modifies boot configuration data using bcdedit
-
Renames multiple (238) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Vanilla Rat payload
-
XMRig Miner payload
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Modifies file permissions
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Network Service Discovery
Attempt to gather information on host's network.
-
Network Share Discovery
Attempt to gather information on host network.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1File and Directory Permissions Modification
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Indicator Removal
3File Deletion
3Modify Registry
4