Embargo ransomware: Rock’n’Rust
Tags
cmtmf-attack-pattern: Boot Or Logon Autostart Execution; Command-Line Interface; Develop Capabilities; Obfuscated Files Or Information; Scheduled Task/Job
attack-pattern: Data; Boot Or Logon Autostart Execution - T1547; Command-Line Interface - T1605; Data Encrypted For Impact - T1471; Data Encrypted For Impact - T1486; Develop Capabilities - T1587; Disable Or Modify Tools - T1562.001; Disable Or Modify Tools - T1629.003; Domain Account - T1087.002; Domain Account - T1136.002; Domain Accounts - T1078.002; Encrypted/Encoded File - T1027.013; File And Directory Discovery - T1420; File Deletion - T1070.004; File Deletion - T1630.002; Impair Defenses - T1562; Impair Defenses - T1629; Inhibit System Recovery - T1490; Malware - T1587.001; Malware - T1588.001; Obfuscated Files Or Information - T1406; Powershell - T1059.001; Registry Run Keys / Startup Folder - T1547.001; Rundll32 - T1218.011; Safe Mode Boot - T1562.009; Scheduled Task - T1053.005; Scheduled Task/Job - T1603; Service Execution - T1569.002; Software - T1592.002; System Services - T1569; Windows Command Shell - T1059.003; Windows Service - T1543.003; Tool - T1588.002; Command-Line Interface - T1059; Create Account - T1136; File And Directory Discovery - T1083; File Deletion - T1107; Indicator Removal On Host - T1070; Modify Registry - T1112; Network Share Discovery - T1135; Obfuscated Files Or Information - T1027; Powershell - T1086; Registry Run Keys / Start Folder - T1060; Rundll32 - T1085; Scheduled Task - T1053; Service Execution - T1035; Command-Line Interface
Common Information
Type Value
UUID 1bf722e7-f3b6-4ee6-a3ee-7b8833cb48d7
Fingerprint b61420ffc034e644
Analysis status DONE
Considered CTI value 2
Text language
Published Oct. 23, 2024, midnight
Added to db Oct. 24, 2024, 8:01 a.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Embargo ransomware: Rock’n’Rust
Title Embargo ransomware: Rock’n’Rust
Detected Hints/Tags/Attributes 119/2/76
RSS Feed
Id 33
Feed title WeLiveSecurity
Url https://blog.eset.com/feed
Added to db 2024-08-30 22:08
Attributes
Type                      #Events  Value
Domain                    114      eset.com
Email                     69       threatintel@eset.com
File                      11       how_to_recover_files.txt
File                      2        praxisbackup.exe
File                      3        pay.exe
File                      1        c:\windows\praxisbackup.exe
File                      1        c:\windows\debug\pay.exe
File                      1        c:\windows\debug\fail.txt
File                      1        c:\windows\debug\stop.exe
File                      2        c:\windows\sysmon64.sys
File                      3        stop.exe
File                      1        fail.exe
File                      3        fail.txt
File                      105      bcdedit.exe
File                      5        probmon.sys
File                      2        c:\windows\system32\drivers\sysprox.sys
File                      53       ekrn.exe
File                      199      firefox.exe
File                      3        eraagent.exe
File                      1        dtest.dll
File                      1        fxc.exe
File                      1        fdasvc.exe
File                      5        win32.exe
File                      1        sysmon64.sys
File                      1        sysprox.sys
File                      409      c:\windows\system32\cmd.exe
File                      1018     rundll32.exe
File                      1        c:\windows\debug\dtest.dll
File                      7        sentinelagent.exe
File                      4        sentinelagentworker.exe
File                      6        sentinelservicehost.exe
File                      5        sentinelstaticengine.exe
File                      3        logprocessorservice.exe
File                      6        sentinelstaticenginescanner.exe
File                      4        sentinelhelperservice.exe
File                      3        sentinelbrowsernativehost.exe
File                      1        logcollector.exe
File                      1        sentinelmemoryscanner.exe
File                      1        sentinelranger.exe
File                      1        sentinelremediation.exe
File                      1        sentinelremoteshellhost.exe
File                      1        sentinelscanfromcontextmenu.exe
File                      6        cylancesvc.exe
File                      20       wrsa.exe
File                      13       x64.exe
File                      198      msmpeng.exe
File                      2        dsa.exe
File                      2        ds_monitor.exe
File                      5        notifier.exe
File                      16       coreserviceshell.exe
File                      1        epprotectedservice.exe
File                      1        epintegrationservice.exe
File                      4        bdredline.exe
File                      5        epsecurityservice.exe
File                      3        epupdateservice.exe
sha1                      1        a88758892ed21dd1704e5528ad2d8036fee4102c
IPv4                      27       3.0.0.4
MITRE ATT&CK Techniques   96       T1587.001
MITRE ATT&CK Techniques   333      T1059.003
MITRE ATT&CK Techniques   460      T1059.001
MITRE ATT&CK Techniques   275      T1053.005
MITRE ATT&CK Techniques   174      T1569.002
MITRE ATT&CK Techniques   380      T1547.001
MITRE ATT&CK Techniques   20       T1136.002
MITRE ATT&CK Techniques   298      T1562.001
MITRE ATT&CK Techniques   28       T1562.009
MITRE ATT&CK Techniques   297      T1070.004
MITRE ATT&CK Techniques   550      T1112
MITRE ATT&CK Techniques   13       T1027.013
MITRE ATT&CK Techniques   176      T1135
MITRE ATT&CK Techniques   585      T1083
MITRE ATT&CK Techniques   276      T1490
MITRE ATT&CK Techniques   472      T1486
Windows Registry Key      3        HKLM\SYSTEM\ControlSet001\services
Windows Registry Key      1        HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\Network\WinDefend
Windows Registry Key      1        HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\Network\irnagentd