General

  • Target

    RNSM00264.7z

  • Size

    56.8MB

  • Sample

    250224-3ccgmstmx8

  • MD5

    aebeddadf5d1bf3d6bf63c8b06a6063d

  • SHA1

    c6351a70408845884dc43ebac2eb734313f34446

  • SHA256

    253dab229ca405a8bfb225b38679aa47975a5dcfd3d98ee202140e2f2a40bb72

  • SHA512

    d1a68451a50e9e2e15ced0658b30adfc49b05d18e86e70730811dc1e0a4b97eafbb65eb5ebefe10eb2d9b7e30db480d136a7500099000cf1735f10b68535a410

  • SSDEEP

    1572864:5mFL5w8AnHt2922jTstBaCy03akEgjmfYy9lsmprGJ+s9:IWhHt2922jTstBa8akEgiYYsmpo+s9

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

rundll32.hopto.org:5552

Mutex

7fb49cec2da6d08e8721e67c0a84cf68

Attributes

  • reg_key

    7fb49cec2da6d08e8721e67c0a84cf68

  • splitter

    |'|'|

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+lfhbu.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES
How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://yyre45dbvn2nhbefbmh.begumvelic.at/BF66BC39531A969
2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/BF66BC39531A969
3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/BF66BC39531A969
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/BF66BC39531A969
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://yyre45dbvn2nhbefbmh.begumvelic.at/BF66BC39531A969
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/BF66BC39531A969
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/BF66BC39531A969
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/BF66BC39531A969

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/BF66BC39531A969

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/BF66BC39531A969

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/BF66BC39531A969

http://xlowfznrg4wf7dli.ONION/BF66BC39531A969

Targets

    • Target

      RNSM00264.7z

    • Detected Xorist Ransomware

    • Njrat family

    • TeslaCrypt, AlphaCrypt

      Ransomware based on CryptoLocker. Shut down by the developers in 2016.

    • Teslacrypt family

    • Xorist Ransomware

      Xorist is a ransomware first seen in 2020.

    • Xorist family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Renames multiple (1141) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Adds policy Run key to start application

    • Contacts a large number (546) of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Share Discovery

      Attempts to gather information on the host's network shares.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15