Resubmissions

31-10-2024 02:19

241031-crvzeswkft 10

30-10-2024 03:56

241030-ehgrjsvldt 10

General

  • Target

    Win32.KeyPass.zip

  • Size

    1.3MB

  • Sample

    241030-ehgrjsvldt

  • MD5

    f831ffa7faa4da66482aa252536e1b0f

  • SHA1

    aa305bd6962ebf06e26462d25140691585f85341

  • SHA256

    8f8f3834abab12ebd792487a89e45bdb8c8f41b51f232dfb3edb8e8140c9ff8f

  • SHA512

    3bf39aeb6c52de76aa864fb7d810cb4adbd2c7e0a2b91e8b6865967843044d628ca66a4531c720e5cd75dfb82a371e467f823819c0d9d559bd371efeec1d962a

  • SSDEEP

    24576:k5yq9y9qttzFVPyDcYwohuvh0GsGkjHkevwLfK4uiIP/nMPbcdKK:cH3FVP8hphuF2Hk1LfK4InMLK

Malware Config

Extracted

Path

C:\MSOCache\!!!DECRYPTION__KEYPASS__INFO!!!.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KEYPASS The only method of recovering files is to purchase an decrypt software and unique private key. After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data. Only we can give you this key and only we can recover your files. You need to contact us by e-mail [email protected] send us your personal ID and wait for further instructions. For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE. Price for decryption $300. This price avaliable if you contact us first 72 hours. E-mail address to contact us: [email protected] Reserve e-mail address to contact us: [email protected] Your personal id: 6se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0

Targets

    • Target

      Win32.KeyPass.zip

    • Size

      1.3MB

    • MD5

      f831ffa7faa4da66482aa252536e1b0f

    • SHA1

      aa305bd6962ebf06e26462d25140691585f85341

    • SHA256

      8f8f3834abab12ebd792487a89e45bdb8c8f41b51f232dfb3edb8e8140c9ff8f

    • SHA512

      3bf39aeb6c52de76aa864fb7d810cb4adbd2c7e0a2b91e8b6865967843044d628ca66a4531c720e5cd75dfb82a371e467f823819c0d9d559bd371efeec1d962a

    • SSDEEP

      24576:k5yq9y9qttzFVPyDcYwohuvh0GsGkjHkevwLfK4uiIP/nMPbcdKK:cH3FVP8hphuF2Hk1LfK4InMLK

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • Revengerat family

    • Rms family

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Remote Service Session Hijacking: RDP Hijacking

      Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

    • RevengeRat Executable

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Path Permission

      Adversaries may modify directory permissions/attributes to evade access control lists (ACLs) and access protected files.

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Stops running service(s)

    • Modifies file permissions

    • Uses the VBS compiler for execution

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Gatekeeper Bypass

      Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as a layer of Apple's security model to ensure only trusted applications are executed on a host.

    • Indicator Removal: Clear Persistence

      Clear artifacts associated with previously established persistence, such as scheduled tasks, on a host.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Password Policy Discovery

      Attempt to access detailed information about the password policy used within an enterprise network.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces that indicate what was done within a network and how. Removal of these files can occur.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Win32.KeyPass.bin

    • Size

      2.8MB

    • MD5

      6999c944d1c98b2739d015448c99a291

    • SHA1

      d9beb50b51c30c02326ea761b5f1ab158c73b12c

    • SHA256

      35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282

    • SHA512

      ab883364a8907636c00a4d263670cd495d0e6c521283d40c68d47398163c6ee6647cfbbc2142005121735d9edf0b414ddac6ea468f30db87018c831eaa327276

    • SSDEEP

      49152:0u1ImfQE5L1PtWHeHoQAOs1dKvHHg/o2S1pj798JGKCO8C/eZRwCr:dzV5JPtWHeHoIs1dGHHx2S1998JGKCOC

    • Renames multiple (9818) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks