General

  • Target

    RNSM00342.7z

  • Size

    13.6MB

  • Sample

    241110-vmjdya1fpg

  • MD5

    3a822d6a03521e050a7f4bdc49000d96

  • SHA1

    38034e38558275f8eb940b3cbffcc502397e6055

  • SHA256

    601558763a1331f16d0194f29c90d6e301df0d143ad915cf9b760c28e767a947

  • SHA512

    13f7ef4b35e2e5448768d0ee5582f28a64c4f0b3c1aa060c0e46f7b6a8f9ffa616d43510b9c9b925b0d711bd2c7c1728eb2f2b4007d4ef25da497ee0e14b414c

  • SSDEEP

    196608:qQ3+79K9+vx5QqlZRkOKWPe7KdtH+nVLVedGoRZzrw96QqrGrhONNg6VN8CaUgkk:qZ7KcflvkdL8F+V5N4VefsXg6VBYd

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    mikeaboyland

Extracted

Family

azorult

C2

http://kosovo.duckdns.org/file/index.php

Extracted

Family

azorult

C2

http://admin.svapofit.com/azs/index.php

Extracted

Path

C:\MSOCache\!!!DECRYPTION__KEYPASS__INFO!!!.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KEYPASS The only method of recovering files is to purchase an decrypt software and unique private key. After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data. Only we can give you this key and only we can recover your files. You need to contact us by e-mail [email protected] send us your personal ID and wait for further instructions. For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE. Price for decryption $300. This price avaliable if you contact us first 72 hours. E-mail address to contact us: [email protected] Reserve e-mail address to contact us: [email protected] Your personal id: 6se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0

Targets

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • Detect ZGRat V2

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Hawkeye family

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Mimikatz family

    • Modifies WinLogon for persistence

    • Modifies visibility of file extensions in Explorer

    • Modifies visibility of hidden/system files in Explorer

    • Troldesh family

    • Troldesh, Shade, Encoder.858

      Troldesh is ransomware spread by malspam.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Zgrat family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Modifies boot configuration data using bcdedit

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Renames multiple (251) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • mimikatz is an open source tool to dump credentials on Windows

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Disables RegEdit via registry modification

    • Disables use of System Restore points

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15