General

  • Target

    RNSM00412.7z

  • Size

    14.5MB

  • Sample

    241028-vf595a1rel

  • MD5

    8ecd8c9e7d8141401a10ed5cd5b066a9

  • SHA1

    15d22e6233335814edaaa15189a24203ebac6090

  • SHA256

    6e611394ed96ae4daff1cbec71ad8c01db72f34aa7f284f2711c008ea2718c32

  • SHA512

    99a5b3e99c97a04f7041f458cacf4b837dab0dde05474d37ca28055f6c8521dbb009fcd149e48ed0648ec11ec43d210ec414c4e212fe904a21ba5c4f031b287a

  • SSDEEP

    393216:nqXv1gM4dDChl4/mLCDkFaUqGlMZivm5Y6K:qfuylJCDeaLOUu

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

diapo

C2

martinou.ddns.net:4782

192.168.1.58:4782

Mutex

QSR_MUTEX_ZioP8Y2W1XRiJhpyGu

Attributes

  • encryption_key

    boWo6nW09VJiDKtOxlIE

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchost

  • subdirectory

    SubDir

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our email [email protected] Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion HTTPS VERSION : contirecovery.best YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- sRttGzzkzsoiC9s8LgcrQk64ew7H47a5JSjCsLGbwdijogjulfu3RO9XBJbfEgCZ ---END ID---
URLs

http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion

https://contirecovery.best

Extracted

Path

C:\Program Files\7-Zip\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: F3A-B4B-09E Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      RNSM00412.7z

    • Size

      14.5MB

    • MD5

      8ecd8c9e7d8141401a10ed5cd5b066a9

    • SHA1

      15d22e6233335814edaaa15189a24203ebac6090

    • SHA256

      6e611394ed96ae4daff1cbec71ad8c01db72f34aa7f284f2711c008ea2718c32

    • SHA512

      99a5b3e99c97a04f7041f458cacf4b837dab0dde05474d37ca28055f6c8521dbb009fcd149e48ed0648ec11ec43d210ec414c4e212fe904a21ba5c4f031b287a

    • SSDEEP

      393216:nqXv1gM4dDChl4/mLCDkFaUqGlMZivm5Y6K:qfuylJCDeaLOUu

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • Buran family

    • Conti Ransomware

      Ransomware generally thought to be a successor to Ryuk.

    • Conti family

    • Detects Zeppelin payload

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modiloader family

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • UAC bypass

    • Zeppelin Ransomware

      Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    • Zeppelin family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Enumerates VirtualBox DLL files

    • Looks for VirtualBox drivers on disk

    • ModiLoader First Stage

    • Renames multiple (2068) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Looks for VMWare drivers on disk

    • Manipulates Digital Signatures

      Attackers can alter Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Deobfuscate/Decode Files or Information

      Payload decoded via CertUtil.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Uses Tor communications

      Malware can proxy its traffic through Tor for more anonymity.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks