General

  • Target

    RNSM00432.7z

  • Size

    31.2MB

  • Sample

    241026-pk5lha1rek

  • MD5

    be484eefb48a6c7ea47da9807a26f1d9

  • SHA1

    92e843045bc7f796706a5c7c8af65bcc919e01da

  • SHA256

    ba1d49f1423ab5fb6918cb61bf61b5acc50bd1ad99838a3dbba59af99e629e77

  • SHA512

    2ed6f29decd1916963048e57f99c1d5b340a0961b9edcbeab1d6f01fa527a853cac797f457ba92363003ee8392d829a4d5f345b83bba426223250c4eea5547a5

  • SSDEEP

    786432:6513OAEXjyZZp2jHShJxZs81quWVahRSItfZUjWkO3:q3OAGjyZb2jH2JxZ7dsERSEfZ9z

Malware Config

Extracted

Family

crimsonrat

C2

167.86.89.53

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Ransom Note
---=== Ranzy Locker 1.1 ===---
Attention! Your network has been locked.
Your computers and server are locked now.
All encrypted files have extension: .ranzy
---- How to restore my files? ----
All files on each host in your network encrypted with strongest encryption algorithms
Backups are deleted or formatted, do not worry, we can help you restore your files
Files can be decrypted only with private key - this key stored on our servers
You have only one way for return your files back - contact us and receive universal decryption program
Do not worry about guarantees - you can decrypt any 3 files FOR FREE as guarantee
---- How to get your files back ----
You have 2 ways for open our website and contact with us:
1. Open via any browser (this way can be blocked so its better to use way 2)
a. Open any browser.
b. Open our website: https://ranzylock.hk/2X258GEF
2. Open via TOR Browser
a. Download TOR Browser here: https://www.torproject.org/download/
b. Open TOR website: http://a6a5b4ppnkrio3nikyutfexbc6y5dc6kfhj3jr32kdwbryr2lempkuyd.onion/2X258GEF
!! This page can be open only in TOR Browser.
All instructions how to decrypt your files you can find on our website.
!! This is only way to get your files back - do not use third-party company or software because you can lose all your files.
---- Data Leak Attention ----
!!! All your sensitive data was downloaded to our servers
!!! In case you decide not to contact with us, we publish your sensitive data in our blog or sold
!!! Only we can delete your files from our servers
!!! Only we can restore all your files without any LOSS
---- Recovery information ----
key: eyJleHQiOiIucmFuenkiLCJuZXR3b3JrIjoidHJ1ZSIsInN1YmlkIjoiNzM2NzUiLCJsYW5nIjoiZW4tVVMAIn0=
personal id: 5XWRN16O
URLs

https://ranzylock.hk/2X258GEF

http://a6a5b4ppnkrio3nikyutfexbc6y5dc6kfhj3jr32kdwbryr2lempkuyd.onion/2X258GEF

Extracted

Path

C:\Users\Admin\3D Objects\LOCKY-README.txt

Ransom Note
Please be adviced: All your files, pictures document and data has been encrypted with Military Grade Encryption RSA AES-256.
Your information is not lost. But Encrypted.
In order for you to restore your files you have to purchase Decrypter.
Follow this steps to restore your files.
1* Download the Tor Browser. ( Just type in google "Download Tor" ).
2* Browse to URL : http://pylockyrkumqih5l.onion/index.php
3* Purchase the Decryptor to restore your files. It is very simple.
If you don't believe that we can restore your files, then you can restore 1 file of image format for free.
Be aware the time is ticking. Price will be doubled every 96 hours so use it wisely.
Your unique ID : 0HGTU0H382FT120W
CAUTION: Please do not try to modify or delete any encrypted file as it will be hard to restore it.
SUPPORT: You can contact support to help decrypt your files for you. Click on support at http://pylockyrkumqih5l.onion/index.php
--------BEGIN BIT KEY---------
l9HkbenVeZpuunQ2XEqgMMS29YG8+zot5DGek6L6NKWmRDJcxEVmzZ4y0MQcmQCjc3BPCXEj4+XmP5qir+QLZQtsQcV7dLWQRTOJ/61Mvo3yxMf8rZLipYy0vIthZoZv3/rMWnEMmL9etbD2kGfbQ8JuVaeQplsx7d6vbuJUMcXp9qABPHLBvYm4jQENj95AvhHx3SVrbsXNz0/TPhMoGi+NRA3wnYyIaXSHXmHTePnb2IXeGqF5WskzqZBqDxA/iq4k1A3fex4k9c3BoVJ4H18DBgB/G1f+ZlAHannfrF0jxPjnYHsOxGYFtLr7zV9gmwwcl0w4d3Jflw4ebmvNxQ==
--------END BIT KEY-----------
[The same note follows in French (BEGIN FRENCH ... END FRENCH), Italian (BEGIN ITALIAN ... END ITALIAN) and Korean (BEGIN KOREAN ... END KOREAN), each with the same URL http://pylockyrkumqih5l.onion/index.php and the same unique ID 0HGTU0H382FT120W.]
URLs

http://pylockyrkumqih5l.onion/index.php

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db

Ransom Note
[Identical to the LOCKY-README.txt note above: same English text, BIT KEY block, French/Italian/Korean sections, URL http://pylockyrkumqih5l.onion/index.php and unique ID 0HGTU0H382FT120W.]
URLs

http://pylockyrkumqih5l.onion/index.php

Extracted

Path

C:\Users\Admin\Desktop\LegionReadMe.txt

Ransom Note
Ooops! All your important files are encrypted!
What happend to my computer?
All your important files are encrypted. No one can help you to restore files without our special decryptor
If you want to restore some of your files for free write to email (contact is at the bottom of the sheet) and attach 4-5 encrypted files.
You have to pay $120 in bitcoin to decrypt other files.
How to contact us?
1.Download Tor browser (https://www.torproject.org/)
2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/)
3.Write email to us ([email protected])
What if i have already paid?
Send your Bitcoin wallet ID to e-mail provided above
Our bitcoin address 131fjhrB4wH8j6adZXudp1Wn23pR33tpAh
Wallets

131fjhrB4wH8j6adZXudp1Wn23pR33tpAh

URLs

http://mail2tor2zyjdctd.onion/

Targets

    • CrimsonRat

      Crimson RAT is malware attributed to a Pakistan-linked threat actor.

    • Crimsonrat family

    • Detected LegionLocker ransomware

      Sample contains strings associated with the LegionLocker family.

    • LegionLocker

      Ransomware family active in 2021.

    • Legionlocker family

    • Modifies WinLogon for persistence

    • Modifies visibility of file extensions in Explorer

    • Modifies visibility of hidden/system files in Explorer

    • Urelas

      Urelas is a trojan targeting card games.

    • Urelas family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Renames multiple (174) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Disables RegEdit via registry modification

    • Disables use of System Restore points

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Modifies file permissions

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks