General
-
Target
ComputerRaper.exe
-
Size
85.4MB
-
Sample
241124-aqkqysvjcx
-
MD5
bdb24ed9f869fcd462b316148514fc5b
-
SHA1
83935122b626378a3149e9036cd751514add4b52
-
SHA256
83875ea85b183c609c5ddcd92afe62265745192a417b80524f12741fc028aca0
-
SHA512
12fdb77a75debeacbc4b98cac45d09a7bcc378bd9bd51bbc035838b99c1d595660d5c0961a2d041b2e8359f3b5b096f589d39453ada9874436411b94b8b0d611
-
SSDEEP
1572864:NUkskQ1oOZrCqix58TkbajhXBFEQT9VotzcJ97:N/NQbCbmXXEUvoM97
Static task
static1
Behavioral task
behavioral1
Sample
ComputerRaper.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ComputerRaper.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
C:\Users\QWYXODCYVL-MANUAL.txt
gandcrab
http://gandcrabmfe6mnef.onion/42eb3d0753fcf297
Extracted
C:\Users\Public\Pictures\_R_E_A_D___T_H_I_S___NHTGWHH3_.txt
cerber
http://xpcx6erilkjced3j.onion/CF01-DC0A-6411-0098-BE31
http://xpcx6erilkjced3j.1n5mod.top/CF01-DC0A-6411-0098-BE31
http://xpcx6erilkjced3j.19kdeh.top/CF01-DC0A-6411-0098-BE31
http://xpcx6erilkjced3j.1mpsnr.top/CF01-DC0A-6411-0098-BE31
http://xpcx6erilkjced3j.18ey8e.top/CF01-DC0A-6411-0098-BE31
http://xpcx6erilkjced3j.17gcun.top/CF01-DC0A-6411-0098-BE31
Targets
-
-
Target
ComputerRaper.exe
-
Size
85.4MB
-
MD5
bdb24ed9f869fcd462b316148514fc5b
-
SHA1
83935122b626378a3149e9036cd751514add4b52
-
SHA256
83875ea85b183c609c5ddcd92afe62265745192a417b80524f12741fc028aca0
-
SHA512
12fdb77a75debeacbc4b98cac45d09a7bcc378bd9bd51bbc035838b99c1d595660d5c0961a2d041b2e8359f3b5b096f589d39453ada9874436411b94b8b0d611
-
SSDEEP
1572864:NUkskQ1oOZrCqix58TkbajhXBFEQT9VotzcJ97:N/NQbCbmXXEUvoM97
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Badrabbit family
-
Cerber family
-
Chimera
Ransomware which infects local and network files, often distributed via Dropbox links.
-
Chimera Ransomware Loader DLL
Drops/unpacks executable file which resembles Chimera's Loader.dll.
-
Chimera family
-
Cryptolocker family
-
Gandcrab family
-
Mimikatz family
-
Modifies WinLogon for persistence
-
Troldesh family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
mimikatz is an open source tool to dump credentials on Windows
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Impair Defenses: Safe Mode Boot
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Direct Volume Access
1File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify System Firewall
1Safe Mode Boot
1Indicator Removal
2File Deletion
2Modify Registry
8Pre-OS Boot
1Bootkit
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1