Overview

overview

10

Static

static

1

Cryp_RAT.rtf

windows7-x64

10

Cryp_RAT.rtf

windows10-2004-x64

4

Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-11-2024 19:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Cryp_RAT.rtf

  • Size

    662KB

  • MD5

    1fc2941b70df9dd6cdf4cb82af740fe9

  • SHA1

    e5d18e3487ca2d5037215c0e0ebfaf7ccae1c655

  • SHA256

    44b87df9f68f5a3084c7d80c1c7492ca5209e816a4e83fdbd6e2fcb6f1ff936f

  • SHA512

    d5da156e406093bfd398d78a36962360ed6918d6b96e641843e7eeddbd6fe41c0a1681bf0a4fe9e31be22d7b1e16267e62abafc9c14d1dea223e72f3ef810081

  • SSDEEP

    12288:6NtcndUa0XzmFe4lT+F4qZDGefM4qeF4C:6Oua0XzmFFI+7Z4VT

Score
10/10
lockbitneshtadefense_evasiondiscoverypersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\TdGeIqAUn.README.txt

Family

lockbit

Ransom Note
~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom If you not pay Payment:BITCOIN AFTER SEND BITCOIN Contact [email protected]

Signatures

  • Detect Neshta payload 7 IoCs
  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Lockbit family
    lockbit
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Neshta family
    neshta
  • Renames multiple (317) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 32 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 2 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 6 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Cryp_RAT.rtf"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2084
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Launches Equation Editor
    PID:2724
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c%tmp%\Client.exe A C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Users\Admin\AppData\Local\Temp\Client.exe
        C:\Users\Admin\AppData\Local\Temp\Client.exe A C
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
          "C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe" A C
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2600
          • C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
            "C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops desktop.ini file(s)
            • Sets desktop wallpaper using registry
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: RenamesItself
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:988
            • C:\ProgramData\69BB.tmp
              "C:\ProgramData\69BB.tmp"
              6⤵
              • Executes dropped EXE
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1916
              • C:\Windows\svchost.com
                "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\69BB.tmp >> NUL
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2260
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\System32\cmd.exe /C DEL /F /Q C:\PROGRA~3\69BB.tmp >> NUL
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1780
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:352

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\KKKKKKKKKKK
      Filesize

      129B

      MD5

      10ccea80be2cade9008a7eb13d0361b2

      SHA1

      fa7013e37939eb3e50c2f585dbe10c50a5e1fc95

      SHA256

      8acca1c01ebb498d0243a9ef07bbb7e626d94a31e6748478c182dca6d1f77bb2

      SHA512

      a19ade88b277dff35fecca1da70e78d97b85cdfc5ecc6717bcb247b0ef1f18bf2460515f8e70fb7e8d583aff407fb3f742cea2b71a88323e2145438fc0f7bf44

      Download Submit

    • C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
      Filesize

      859KB

      MD5

      02ee6a3424782531461fb2f10713d3c1

      SHA1

      b581a2c365d93ebb629e8363fd9f69afc673123f

      SHA256

      ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

      SHA512

      6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

      Download Submit

    • C:\TdGeIqAUn.README.txt
      Filesize

      289B

      MD5

      47bf1514a0892e2468125cbf3b32caa9

      SHA1

      c3c24479ebefd9a0a05b0db879941951a702c77b

      SHA256

      a0c4eeae47956b19b2667ae5c94a154fc5002a78dea22e028049ece1d7a0c920

      SHA512

      252d78c25d9d5bd3eece76ce940cfadd6f80a81f59fea34c37495388cba4baccf1982cc2098cba28ee933b1d18cfbaa485b9e0fafa1791edfc5c86dd463329aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D9FBEE.wmf
      Filesize

      316B

      MD5

      95bb648d6eb9265eeaf0f889731b1e23

      SHA1

      631d60a024835f4e53ceb9d0a987ce52fe517df4

      SHA256

      9639441a9d36e7e4fda980961b75eeb334540b8cfbcee71eb3cd857e0a838e0c

      SHA512

      184414ea68092124290049282147070a86172833359404ee26199a36083d720e291d55bb85e4ae1d02504ce841efbc646760e7cc5af4088a253aed7b2665c420

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
      Filesize

      282KB

      MD5

      035a441e07c7d7797cccfc92a988e156

      SHA1

      7d33fe3c6e43ae0440db5fc51d7d9fe653379902

      SHA256

      f00b211b5f93e23409e9383930c79990949b3671b1c1e0dc00208bb1c8f1e10d

      SHA512

      9b10c302581fed3b186ee9ad598ba98597318ae09a538eaedab7bffa0db5d4dea82d1a2ae4e320e210575763073f0e58be9416e8758ab495b02f9a54360a6636

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\3582-490\DDDDDDDDDD
      Filesize

      282KB

      MD5

      fb8b7d00715bfb4bf6818ece19bc5f5b

      SHA1

      31b16dbdd5e2f39e8c52288dd08d49f4463254a8

      SHA256

      23f5ae3dfaa5c5b1eda7f6a839d2a3b2a075816b17d51315f99b0024d7884db5

      SHA512

      4be3401c6adcda96a44669e7891ed5d884c601b121e5c92cb16412944a245dfd7696a374825f8de611a9bcbefc9c81471864754bfe23931aff1b67d571f14801

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Client.exe
      Filesize

      323KB

      MD5

      2b9a1b7a5e13b8672655d0a09ce50217

      SHA1

      2b62dbb4edbc5460bb42e790ca1a4ba7a4821362

      SHA256

      f6c559c031b7b16b1edf34b38e74b6bf3a7106ca34881d7f5c63b8e0d7ac3694

      SHA512

      db34521fbd83a5c9a3671f2ed14854e98c83256a8e16b809d7a165754e5f02c3c6b7dd1f4e994be7e859da5a5a852b5a93d4846cefbc6985d81a56a34a766f52

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~$yp_RAT.rtf
      Filesize

      405B

      MD5

      ca5b0d889e6f9471bb28c71ce0ca6f8a

      SHA1

      660a2caeae6c9ac26c755e704883ecae1b4d5032

      SHA256

      194b780fa6ab17eb510a3806b8eb96f66a44a27f583369e42291af19e4e6772d

      SHA512

      70666ab7bbadf30d7b9164828180c2c0738295553f96c9b4ef204abff453b885acafc41248acc0f47e481f88de1166aa1b03e1da9ca57a7c42ac63bd7e3474f9

      Download Submit

    • C:\Windows\svchost.com
      Filesize

      40KB

      MD5

      27cc46f9e49226bff7bd9d80ceb6f00b

      SHA1

      ce38b70cb368a5047c32a63f5c1942e04e1d8d3d

      SHA256

      91a8a010b76f69ec29934c4d0fa207c54850daa5941aeccea941d46e0525fc27

      SHA512

      c3a9d7886aa34ef77bffdc55c5aa59eff8eed4367b514606f197590cf63deadf5f1e83b4aaf5d87e668e5e5f710ee0737b7cf64416892fcdfc6430f28b356f65

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      f4d4f5fade343f1298fa34816d58c4e8

      SHA1

      280288e9b44c12a8a0e89fe7e3201019c20bea99

      SHA256

      baf77d46b0b0808b7eea0512d39031c2514f1c44f0051dbd23de82b392fcce1c

      SHA512

      6b90713c9cdba913d766688a9cbd0c0beb0c865342d64a4f1aaf09468b8cfde6ffb9360c30579c1e7b0274f02d7ff3bb25f3569689f891895e195daa21e1baea

      Download Submit

    • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
      Filesize

      252KB

      MD5

      9e2b9928c89a9d0da1d3e8f4bd96afa7

      SHA1

      ec66cda99f44b62470c6930e5afda061579cde35

      SHA256

      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

      SHA512

      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

      Download Submit

    • \ProgramData\69BB.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • \Users\Admin\AppData\Local\Temp\ose00000.exe
      Filesize

      145KB

      MD5

      9d10f99a6712e28f8acd5641e3a7ea6b

      SHA1

      835e982347db919a681ba12f3891f62152e50f0d

      SHA256

      70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

      SHA512

      2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

      Download Submit

    • memory/988-62-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/988-254-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/988-47-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/988-45-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/988-43-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/988-41-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/988-54-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/988-998-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/988-59-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/988-50-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/988-995-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/988-224-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/988-52-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/988-39-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/988-37-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/988-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/988-35-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/988-981-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/988-979-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2084-100-0x00000000713CD000-0x00000000713D8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2084-0-0x000000002F6F1000-0x000000002F6F2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2084-2-0x00000000713CD000-0x00000000713D8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2084-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2260-1095-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2260-1099-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2600-33-0x0000000000210000-0x0000000000222000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2600-28-0x00000000002C0000-0x000000000030C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2636-1094-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2636-1097-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download