Overview

overview

10

Static

static

1

RNSM00286.7z

windows7-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RNSM00286.7z

  • Size

    7.5MB

  • Sample

    241119-wnbwxsyqes

  • MD5

    e9447647726a88a70f0dc67ae416e17b

  • SHA1

    d644e20c30052bf957d3d0171f61c2f32e85a265

  • SHA256

    a4e94a78ab31afc40468da08add417199669e94dd05cfb4d6c3eb1dae8f6490d

  • SHA512

    9bcadcfed393d25f0ae302c73aba97f18ea4c653613709269fdbab2dc5264e40299db8dfc1d7df8fe56671b414f60f63ce1f557b24c311781631f57411e4fed4

  • SSDEEP

    196608:uMeUa1P4CIExcOre/z4fDjpkKltFce1hUPjE8ab:NeUat1IwcJ/zUP7lseXd8ab

Score
10/10
xtremeratdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwareratspywareupx

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ihhcj.txt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: * http://t54ndnku456ngkwsudqer.wallymac.com/7B574CE5AE5C6BD * http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/7B574CE5AE5C6BD * http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/7B574CE5AE5C6BD If for some reasons the addresses are not available, follow these steps 1 Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 After a successful installation, run the browser 3 Type in the address bar: xlowfznrg4wf7dli.onion/7B574CE5AE5C6BD 4 Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://t54ndnku456ngkwsudqer.wallymac.com/7B574CE5AE5C6BD http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/7B574CE5AE5C6BD http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/7B574CE5AE5C6BD Your personal pages TOR Browser xlowfznrg4wf7dli. onion/7B574CE5AE5C6BD
URLs

http://t54ndnku456ngkwsudqer.wallymac.com/7B574CE5AE5C6BD

http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/7B574CE5AE5C6BD

http://hrfgd74nfksjdcnnklnwefvdsf.materdunst.com/7B574CE5AE5C6BD

http://xlowfznrg4wf7dli.onion/7B574CE5AE5C6BD

Extracted

Family

xtremerat

C2

flashplayerupdate.sytes.net

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RECOVER_instructions+aqg.txt

Ransom Note
__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pren874bwsdbmbwe.returnyourfiless.ru/BAC3B4B424FB5DAB 2. http://i4sdmjn4fsdsdqfhu12l.orbyscabz.com/BAC3B4B424FB5DAB 3. http://rr48nfhdj5wedsm99324.tuttianent.at/BAC3B4B424FB5DAB If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: yez2o5lwqkmlv5lc.onion/BAC3B4B424FB5DAB 4. Follow the instructions on the site. !!! IMPORTANT INFORMATION: !!! Your personal pages: http://pren874bwsdbmbwe.returnyourfiless.ru/BAC3B4B424FB5DAB http://i4sdmjn4fsdsdqfhu12l.orbyscabz.com/BAC3B4B424FB5DAB http://rr48nfhdj5wedsm99324.tuttianent.at/BAC3B4B424FB5DAB !!! Your personal page Tor-Browser: yez2o5lwqkmlv5lc.onion/BAC3B4B424FB5DAB !!! Your personal identification ID: BAC3B4B424FB5DAB
URLs

http://pren874bwsdbmbwe.returnyourfiless.ru/BAC3B4B424FB5DAB

http://i4sdmjn4fsdsdqfhu12l.orbyscabz.com/BAC3B4B424FB5DAB

http://rr48nfhdj5wedsm99324.tuttianent.at/BAC3B4B424FB5DAB

http://yez2o5lwqkmlv5lc.onion/BAC3B4B424FB5DAB

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+lwocl.txt

Ransom Note
__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/BAC3B4B424FB5DAB 2. http://b4youfred5485jgsa3453f.italazudda.com/BAC3B4B424FB5DAB 3. http://5rport45vcdef345adfkksawe.bematvocal.at/BAC3B4B424FB5DAB If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/BAC3B4B424FB5DAB 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/BAC3B4B424FB5DAB http://b4youfred5485jgsa3453f.italazudda.com/BAC3B4B424FB5DAB http://5rport45vcdef345adfkksawe.bematvocal.at/BAC3B4B424FB5DAB *-*-* Your personal page Tor-Browser: fwgrhsao3aoml7ej.ONION/BAC3B4B424FB5DAB *-*-* Your personal identification ID: BAC3B4B424FB5DAB
URLs

http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/BAC3B4B424FB5DAB

http://b4youfred5485jgsa3453f.italazudda.com/BAC3B4B424FB5DAB

http://5rport45vcdef345adfkksawe.bematvocal.at/BAC3B4B424FB5DAB

http://fwgrhsao3aoml7ej.onion/BAC3B4B424FB5DAB

http://fwgrhsao3aoml7ej.ONION/BAC3B4B424FB5DAB

Targets

    • Target

      RNSM00286.7z

    • Size

      7.5MB

    • MD5

      e9447647726a88a70f0dc67ae416e17b

    • SHA1

      d644e20c30052bf957d3d0171f61c2f32e85a265

    • SHA256

      a4e94a78ab31afc40468da08add417199669e94dd05cfb4d6c3eb1dae8f6490d

    • SHA512

      9bcadcfed393d25f0ae302c73aba97f18ea4c653613709269fdbab2dc5264e40299db8dfc1d7df8fe56671b414f60f63ce1f557b24c311781631f57411e4fed4

    • SSDEEP

      196608:uMeUa1P4CIExcOre/z4fDjpkKltFce1hUPjE8ab:NeUat1IwcJ/zUP7lseXd8ab

    Score
    10/10
    xtremeratdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwareratspywareupx

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

      persistencespywareratxtremerat

    • Xtremerat family

      xtremerat

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Modifies Windows Firewall

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Tasks