General
Target: RNSM00434.7z
Size: 16.1MB
Sample: 241026-pbbl3askbx
MD5: e37bb4ebaf0d415c7684817e3dc11099
SHA1: 060136443c2979ed9f8b8a0b48c3c337db2231a6
SHA256: 77641998342582b73bcfe6d0e223187d46ad5e9da3db68bbb8aa16a4d3f47a60
SHA512: dc5c96964884ee514ee518253cce117d1429eff3c98c2ff2036d328efdcbe9e6e0d962891481aa17c89b293668f92f3d7bebcc2b6810c17e63d3a9fbf319054a
SSDEEP: 393216:CHLWLyEAHXGO6IVyNwR0qDQ6j3F+SAxM1sjwiWykdn:CqyHm7q0cYfxMz5ykdn
Static task: static1
Behavioral task: behavioral1
Sample: RNSM00434.7z
Resource: win10v2004-20241007-en
Malware Config
Extracted: crimsonrat
- 5.189.134.216
Extracted: azorult
- http://host1714380.hostland.pro/index.php
Extracted: lockbit
- Path: C:\Program Files\dotnet\Restore-My-Files.txt
- http://lockbit-decryptor.top/?81E8147429949C38D431BE7AA02CD87A
- http://lockbitks2tvnmwk.onion/?81E8147429949C38D431BE7AA02CD87A
Extracted: urelas
- 1.234.83.146
- 133.242.129.155
- 218.54.31.226
- 218.54.31.165
- 112.175.88.207
- 112.175.88.208
Extracted: conti
- Path: C:\ProgramData\readme.txt
- http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
- https://contirecovery.top/
Extracted: (family not identified)
- Path: C:\Users\Default\Downloads\247544-Readme.txt
- http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
- http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Targets
Target: RNSM00434.7z
Size: 16.1MB
Signatures
- Azorult: an information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Azorult family
- Conti family
- CrimsonRAT main payload
- Crimsonrat family
- Lockbit family
- Modifies WinLogon for persistence
- Urelas family
- Deletes shadow copies: ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Modifies Windows Firewall
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v15 (technique: count of matching signatures)
Execution
- Command and Scripting Interpreter: 2
  - PowerShell: 1
- System Services: 1
  - Service Execution: 1
- Windows Management Instrumentation: 1
Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Create or Modify System Process: 3
  - Windows Service: 3
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Create or Modify System Process: 3
  - Windows Service: 3
Defense Evasion
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Direct Volume Access: 1
- Impair Defenses: 4
  - Disable or Modify System Firewall: 1
  - Disable or Modify Tools: 2
  - Safe Mode Boot: 1
- Indicator Removal: 3
  - File Deletion: 3
- Modify Registry: 7