Overview

overview

10

Static

static

1

RNSM00427.7z

windows10-2004-x64

10

Resubmissions

27-10-2024 15:46

241027-s71gvawqhm 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RNSM00427.7z

  • Size

    67.7MB

  • Sample

    241027-s71gvawqhm

  • MD5

    573ecb2b0c178101333226b58a598405

  • SHA1

    dd6f8e4a8e6fde2ece292247ca286aeb2e1be2c0

  • SHA256

    1b4db01337060068acef0e5906b390e9b7102efb194c1f72a5ea7a9b2e2c27db

  • SHA512

    3d1f5f568f579a5b5e3ec69303f39c89bbea61aa060bb44e3eec409759d8d62358439f50b80a076d9d5bd0f141473d92e75e446d184a9775ebf9d44c68596f6a

  • SSDEEP

    1572864:obkPM3DDlUg8opzMTHZQMeBmNUFJVJOn6yJL+vJVs6XctX:8nlH8iMTHTbNUXv66JVZXctX

Score
10/10
dearcryzeppelindiscoveryevasionpersistenceprivilege_escalationpyinstallerransomwarespywarestealerupxvmprotect

Malware Config

Extracted

Path

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\readme.txt

Family

dearcry

Ransom Note
Your file has been encrypted! If you want to decrypt, please contact us. [email protected] or [email protected] And please send me the following hash! 2133c369fb115ea61eebd7b62768decf

Targets

    • Target

      RNSM00427.7z

    • Size

      67.7MB

    • MD5

      573ecb2b0c178101333226b58a598405

    • SHA1

      dd6f8e4a8e6fde2ece292247ca286aeb2e1be2c0

    • SHA256

      1b4db01337060068acef0e5906b390e9b7102efb194c1f72a5ea7a9b2e2c27db

    • SHA512

      3d1f5f568f579a5b5e3ec69303f39c89bbea61aa060bb44e3eec409759d8d62358439f50b80a076d9d5bd0f141473d92e75e446d184a9775ebf9d44c68596f6a

    • SSDEEP

      1572864:obkPM3DDlUg8opzMTHZQMeBmNUFJVJOn6yJL+vJVs6XctX:8nlH8iMTHTbNUXv66JVZXctX

    Score
    10/10
    dearcryzeppelindiscoveryevasionpersistenceprivilege_escalationpyinstallerransomwarespywarestealerupxvmprotect

    • DearCry

      DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.

      ransomwaredearcry

    • Dearcry family

      dearcry

    • Detects Zeppelin payload

    • Zeppelin Ransomware

      Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

      ransomwarezeppelin

    • Zeppelin family

      zeppelin

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Renames multiple (2433) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Disables Task Manager via registry modification

      evasion

    • Modifies Windows Firewall

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Adds Run key to start application

      persistence

    • Checks for any installed AV software in registry

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Network Service Discovery

1
T1046

Peripheral Device Discovery

1
T1120

Query Registry

7
T1012

Software Discovery

1
T1518

Security Software Discovery

1
T1518.001

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks