General
-
Target
RNSM00435.7z
-
Size
7.2MB
-
Sample
241025-z9q5hsslep
-
MD5
ebfbfabb47ffd00e16ebd8724c63adc5
-
SHA1
bb9c0edec43860dc1e5610716b5bc7164bde37ba
-
SHA256
fabdb10b28b5e0bd4c9b38be6292bc5966cb2dd2428486bad8f056fb4696be27
-
SHA512
1b367064fd2f9fdf8bcaa787b1cdf4ff758fb7be875e466875b956a6d8607692843c7c12316a70671eb58480726513bad2217e0cbd292987143d22777855b101
-
SSDEEP
196608:2zYGZc71m9mVl5WldX9NUc/g6thkfMLZfqoh4Za:6ZSm9mVl5WldTx2fMFBaZa
Static task
static1
Behavioral task
behavioral1
Sample
RNSM00435.7z
Resource
win10v2004-20241007-en
Malware Config
Extracted
crimsonrat
64.188.25.232
Extracted
djvu
http://asvb.top/nddddhsspen6/get.php
-
extension
.pcqq
-
offline_id
3pNdLH1399769YerBBKCxHURRAqLhaXsGw3Fbkt1
-
payload_url
http://asvb.top/files/penelop/updatewin1.exe
http://asvb.top/files/penelop/updatewin2.exe
http://asvb.top/files/penelop/updatewin.exe
http://asvb.top/files/penelop/3.exe
http://asvb.top/files/penelop/4.exe
http://asvb.top/files/penelop/5.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-TVrnNufMGq Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0296Sirj
Extracted
C:\Program Files\dotnet\Restore-My-Files.txt
lockbit
http://lockbit-decryptor.top/?9AE2456EE17245AACA2CBD635B5B9B18
http://lockbitks2tvnmwk.onion/?9AE2456EE17245AACA2CBD635B5B9B18
Extracted
vidar
38.7
904
https://HAL9THapi.faceit.comramilgame
-
profile_id
904
Extracted
urelas
112.175.88.207
112.175.88.208
Targets
-
-
Target
RNSM00435.7z
-
Size
7.2MB
-
MD5
ebfbfabb47ffd00e16ebd8724c63adc5
-
SHA1
bb9c0edec43860dc1e5610716b5bc7164bde37ba
-
SHA256
fabdb10b28b5e0bd4c9b38be6292bc5966cb2dd2428486bad8f056fb4696be27
-
SHA512
1b367064fd2f9fdf8bcaa787b1cdf4ff758fb7be875e466875b956a6d8607692843c7c12316a70671eb58480726513bad2217e0cbd292987143d22777855b101
-
SSDEEP
196608:2zYGZc71m9mVl5WldX9NUc/g6thkfMLZfqoh4Za:6ZSm9mVl5WldTx2fMFBaZa
-
CrimsonRAT main payload
-
Crimsonrat family
-
Detected Djvu ransomware
-
Djvu family
-
GandCrab payload
-
Gandcrab family
-
Lockbit family
-
Modifies WinLogon for persistence
-
Modifies visibility of file extensions in Explorer
-
Modifies visiblity of hidden/system files in Explorer
-
Urelas family
-
Vanillarat family
-
Vidar family
-
Xmrig family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
Modifies boot configuration data using bcdedit
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Renames multiple (3303) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Vanilla Rat payload
-
Vidar Stealer
-
XMRig Miner payload
-
Disables RegEdit via registry modification
-
Disables use of System Restore points
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Modifies file permissions
-
Modifies system executable filetype association
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Direct Volume Access
1File and Directory Permissions Modification
1Hide Artifacts
2Hidden Files and Directories
2Indicator Removal
3File Deletion
3Modify Registry
6Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Network Service Discovery
1Network Share Discovery
1Peripheral Device Discovery
2Query Registry
4Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1