xmrig

General

Target

https://mega.nz/file/OAUwiRhB#iYo_g0GbmAd251xkG25Ctuy1r3b3YBEQPvFn2cz6MAI
Sample

241116-yjcc1asfnq

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\ROSE-RANSOMWARE-NOTE.txt

Ransom Note

Your computer is now infected with ransomware. Your file are encrypted with a secure algorithm that is impossible to crack. To recover your files you need a key. This key is generated once your file have been encrypted. To obtain the key, you must purchase it. You can do this by sending 100$ USD to this monero address: 4AFJnpC6XzL95ywZYy2h6g5zHWJZBhDNeFSf5V8MUJR7adr6fiWt811cc3nH1F6EH8554U5xhPnw71uvT54WBy3ARfZjwsD Don't know how to get monero? Here are some websites: https://www.coinbase.com/how-to-buy/monero https://localmonero.co/?language=en https://www.okx.com/buy-xmr Once you have sent the ransom to the monero address you must write an email this this email address: [email protected] In this email you will include your personal ID so we know who you are. Your personal ID is: YAtqqFhdJ Once you have completeted all of the steps, you will be provided with the key to decrypt your files. Don't know how ransomware works? Read up here: https://www.trellix.com/en-us/security-awareness/ransomware/what-is-ransomware.html https://www.checkpoint.com/cyber-hub/threat-prevention/ransomware/ https://www.trendmicro.com/vinfo/us/security/definition/Ransomware Note: Messing with the ransomware will simply make your files harder to decrypt. Deleting the webhook will make it impossible, as the key can not be generated. Good luck

Emails

[email protected]

URLs

https://localmonero.co/?language=en

https://www.okx.com/buy-xmr

https://www.trellix.com/en-us/security-awareness/ransomware/what-is-ransomware.html

https://www.checkpoint.com/cyber-hub/threat-prevention/ransomware/

https://www.trendmicro.com/vinfo/us/security/definition/Ransomware

Targets

- Target
  
  https://mega.nz/file/OAUwiRhB#iYo_g0GbmAd251xkG25Ctuy1r3b3YBEQPvFn2cz6MAI
Score

10^/10

xmrig credential_access discovery evasion execution miner persistence privilege_escalation ransomware spyware stealer upx
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1