General

  • Target

    84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe

  • Size

    2.3MB

  • Sample

    250529-3j458shp6z

  • MD5

    7ffcd536703e1b316251cbf1047ef5f6

  • SHA1

    c9e00a62948da23bf1711dcd92be5923b46e8f06

  • SHA256

    84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e

  • SHA512

    1afe7092c6bca24a18243567d1c3a375db460eedfd793c4c98eb0b3cffc330cc04ba8fb51f781a903b19a40dbc267a7438bf55e9957a1a24b4deed2b4ffba033

  • SSDEEP

    24576:O2J4athJA6I+Prz+nGXIG1lPzHnhk59yjEGdi04J2ksswOapyCP5WecI:O2qa3ZI+Pv+GXjD25EnewO5CBW

Malware Config

  • Extracted

    • Language

      ps1

    • Deobfuscated

    • URLs (exe.dropper)

      https://i.ibb.co/rZZgvP0/rapetroons.png

Targets

    • Target

      84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e.exe

    • Size

      2.3MB

    • MD5

      7ffcd536703e1b316251cbf1047ef5f6

    • SHA1

      c9e00a62948da23bf1711dcd92be5923b46e8f06

    • SHA256

      84715cf1d82e5139d39d8aadb9580ba80393dfa0f63fa14974e4f74a3e69752e

    • SHA512

      1afe7092c6bca24a18243567d1c3a375db460eedfd793c4c98eb0b3cffc330cc04ba8fb51f781a903b19a40dbc267a7438bf55e9957a1a24b4deed2b4ffba033

    • SSDEEP

      24576:O2J4athJA6I+Prz+nGXIG1lPzHnhk59yjEGdi04J2ksswOapyCP5WecI:O2qa3ZI+Pv+GXjD25EnewO5CBW

    • Renames multiple (24264) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops file in Drivers directory

    • Boot or Logon Autostart Execution: Print Processors

      Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Drops desktop.ini file(s)

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks