General
Target: RNSM00346.7z
Size: 7.8MB
Sample: 241110-tgeywszhja
MD5: dfcfe5e31652e77e5ce8e1147352b153
SHA1: 72b3a2b3db894426a1a31606a475aede7cbe546a
SHA256: d9ee637eb3e5c900c4997f3d2dbe86883a86fa32064cf9f29d227fca7d9d429d
SHA512: 7d1d4693c5f85c354f784814b51ec955a834eba6e0d063138ffbaaf3ac7c7ca9dcc69cf90b1df6cff9edab9505e48f79ab4c05ba39f83da43da526ef92dfeb1f
SSDEEP: 196608:YFX30UAEo6Pd5lpAYoP8J9sTVPjz3izEbKPCHuvFFioCHr9nKM:YFX3plGp8J+TNjTizEbKPPTanx
Static task: static1
Behavioral task: behavioral1
Sample: RNSM00346.7z
Resource: win7-20240903-en
Malware Config
Extracted:
  Protocol: smtp
  Host: smtp.yandex.com
  Port: 587
  Username: osimiri@yandex.com
  Password: strongnetwork2020
Extracted:
  F:\$RECYCLE.BIN\SQAEVMXZ-DECRYPT.txt
  http://gandcrabmfe6mnef.onion/1786662e82c401c
Extracted:
  azorult
  http://admin.svapofit.com/azs/index.php
Extracted:
  azorult
  http://allods-down.site/yumi/index.php
Targets
Target: RNSM00346.7z
- Azorult
    An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Azorult family
- Gandcrab family
- Hawkeye family
- Jigsaw Ransomware
    Ransomware family first created in 2016. Named after the wallpaper set after infection in the early versions.
- Jigsaw family
- Locky (Osiris variant)
    Variant of the Locky ransomware seen in the wild since early 2017.
- Locky family
- Locky_osiris family
- Modifies WinLogon for persistence
- Troldesh family
- Deletes shadow copies
    Ransomware often targets backup files to inhibit system recovery.
- Detected Nirsoft tools
    Free utilities often used by attackers, which can steal passwords, product keys, etc.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- NirSoft MailPassView
    Password recovery tool for various email clients.
- NirSoft WebBrowserPassView
    Password recovery tool for various web browsers.
- Renames multiple (2032) files with added filename extension
    This suggests ransomware activity of encrypting all the files on the system.
- Checks BIOS information in registry
    BIOS information is often read in order to detect sandboxing environments.
- Credentials from Password Stores: Windows Credential Manager
    Suspicious access to Credentials History.
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
    Steals credentials from unsecured files.
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
    Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s)
- Enumerates connected drives
    Attempts to read the root path of hard drives other than the default C: drive.
- Indicator Removal: File Deletion
    Adversaries may delete files left behind by the actions of their intrusion activity.
- Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops autorun.inf file
    Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Indicator Removal (2)
    File Deletion (2)
  Modify Registry (5)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
  Virtualization/Sandbox Evasion (2)
Credential Access
  Credentials from Password Stores (2)
    Credentials from Web Browsers (1)
    Windows Credential Manager (1)
  Unsecured Credentials (6)
    Credentials In Files (5)
    Credentials in Registry (1)