Overview

overview

10

Static

static

1

RNSM00422.7z

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RNSM00422.7z

  • Size

    15.8MB

  • Sample

    241027-tnshkaxkg1

  • MD5

    89d6c2eb7075a803f32f961cd0a84fa6

  • SHA1

    fe2b68e4cebd253682638996261d02c8337a7a46

  • SHA256

    351e791501d38c3670ea34996879efd92c921df3296077dd25d972b4790e4e5f

  • SHA512

    260f1346264064fc4b0ba25594c184c93017c47b7af6135d726e0c560d1d90e6395bc02ec7da6d90497562ddeac52d0efa8ef05fb5d67af98732d51270e347ec

  • SSDEEP

    393216:L+XTElA+HgPV6LWfLsTgFJ7YCqmCllCVT+TwKz+OQN1ZHA:K4VHwV7LRKLEkK7Zg

Score
10/10
agentteslahellokittymodiloaderxmrigdefense_evasiondiscoveryevasionexecutionimpactkeyloggerminerpersistenceprivilege_escalationransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Users\Admin\Contacts\read_me_lkdtt.txt

Ransom Note
Hello CEMIG! All your fileservers, HyperV infrastructure and backups have been encrypted! Trying to decrypt or modify the files with programs other than our decryptor can lead to permanent loss of data! The only way to recover your files is by cooperating with us. To prove our seriousness, we can decrypt 1 non-critical file for free as proof. We have over 10 TB data of your private files, databases, personal data... etc, you have 24 hours to contact us, another way we publish this information in public channels, and this site will be unavailable. -- Contact with us by method below 1) Open this website in TOR browser: http://x6gjpqs4jjvgpfvhghdz2dk7be34emyzluimticj5s5fexf4wa65ngad.onion/0c04b15081595448821e25e8dd07423d9927fa54cd56d8797ea4d1315a682692 2) Follow instructions in chat.
URLs

http://x6gjpqs4jjvgpfvhghdz2dk7be34emyzluimticj5s5fexf4wa65ngad.onion/0c04b15081595448821e25e8dd07423d9927fa54cd56d8797ea4d1315a682692

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    mmm777

Targets

    • Target

      RNSM00422.7z

    • Size

      15.8MB

    • MD5

      89d6c2eb7075a803f32f961cd0a84fa6

    • SHA1

      fe2b68e4cebd253682638996261d02c8337a7a46

    • SHA256

      351e791501d38c3670ea34996879efd92c921df3296077dd25d972b4790e4e5f

    • SHA512

      260f1346264064fc4b0ba25594c184c93017c47b7af6135d726e0c560d1d90e6395bc02ec7da6d90497562ddeac52d0efa8ef05fb5d67af98732d51270e347ec

    • SSDEEP

      393216:L+XTElA+HgPV6LWfLsTgFJ7YCqmCllCVT+TwKz+OQN1ZHA:K4VHwV7LRKLEkK7Zg

    Score
    10/10
    agentteslahellokittymodiloaderxmrigdefense_evasiondiscoveryevasionexecutionimpactkeyloggerminerpersistenceprivilege_escalationransomwarespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • HelloKitty Ransomware

      Ransomware family which has been active since late 2020, and in early 2021 a variant compromised the CDProjektRed game studio.

      ransomwarehellokitty

    • Hellokitty family

      hellokitty

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Modifies WinLogon for persistence

      persistence

    • Modiloader family

      modiloader

    • UAC bypass

      evasiontrojan

    • Xmrig family

      xmrig

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • AgentTesla payload

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • ModiLoader Second Stage

    • Renames multiple (160) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • XMRig Miner payload

      miner

    • Adds policy Run key to start application

      persistence

    • Disables RegEdit via registry modification

      evasion

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Cryptocurrency Miner

      Makes network request to known mining pool URL.

      miner

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

      defense_evasion

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

      defense_evasionpersistenceprivilege_escalation

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

File and Directory Permissions Modification

1
T1222

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Impair Defenses

2
T1562

Disable or Modify Tools

1
T1562.001

Safe Mode Boot

1
T1562.009

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

6
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

2
T1120

Query Registry

4
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

1
T1490

Tasks