Is There Really Such a Thing as a Low-Paid Ransomware Operator?
Common Information
UUID: 75f0180c-e881-4f96-8d30-a20dee598512
Fingerprint: b6b2a0b1b5379441
Analysis status: DONE
Considered CTI value: 2
Text language: (blank)
Published: Oct. 18, 2021, midnight
Added to db: Sept. 11, 2022, 12:40 p.m.
Last updated: Nov. 17, 2024, 11:36 p.m.
Headline: Is There Really Such a Thing as a Low-Paid Ransomware Operator?
Title: Is There Really Such a Thing as a Low-Paid Ransomware Operator?
Detected Hints/Tags/Attributes: 112/2/286
Attributes
Type | #Events | Value
Domain | 1175 | gmail.com
Domain | 1 | suporte01928492.redirectme.net
Domain | 1 | suporte20082021.sytes.net
Domain | 1 | atualziarsys.serveirc.com
Domain | 1 | services5500.sytes.net
Domain | 1 | suporte01092021.myftp.biz
Domain | 1 | appmonitorplugin.sytes.net
Domain | 1 | suportmicrowin.sytes.net
Domain | 17 | setup.zip
Email | 1 | retrievedata300@gmail.com
Email | 1 | deltapaymentbitcoin@gmail.com
File | 208 | setup.exe
File | 5 | test2.exe
File | 1 | bat.rar
File | 3 | exe.rar
File | 1 | reg.rar
File | 1 | update.reg
File | 175 | update.exe
File | 1 | appmonitorplugin.rar
File | 24 | update.bat
File | 1 | flashplayer28_install.zip
File | 1 | mylink.vbs
File | 9 | 2.rar
File | 1 | windowsupdate2.rar
File | 4 | update.rar
File | 75 | favicon.ico
File | 23 | 1.rar
File | 156 | 1.exe
File | 17 | setup.zip
md5 | 2 | e10713a4a5f635767dcd54d609bed977
sha256 | 1 | 94fe0825f26234511b19d6f68999d8598a9c21d3e14953731ea0b5ae4ab93c4d
sha256 | 1 | e1c449aa607f70a9677fe23822204817d0ff41ed3047d951d4f34fc9c502f761
sha256 | 1 | ceb0e01d96f87af0e9b61955792139f8672cf788d506c71da968ca172ebddccd
sha256 | 1 | 106118444e0a7405c13531f8cd70191f36356581d58789dfc5df3da7ba0f9223
sha256 | 1 | ae6020a06d2a95cbe91b439f4433e87d198547dec629ab0900ccfe17e729cff1
sha256 | 1 | c3776649d9c0006caba5e654fa26d3f2c603e14463443ad4a5a08e4cf6a81994
sha256 | 1 | 63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85
sha256 | 1 | c8d97269690d3b043fd6a47725a61c00b57e3ad8511430a0c6254f32d05f76d6
sha256 | 1 | 67bc70d4141d3f6aaf8f17963d56df5cee3727a81bc54407e90fdf1a6dc8fe2a
sha256 | 1 | 98a3ef26b346c4f47e5dfdba4e3e26d1ef6a4f15969f83272b918f53d456d099
sha256 | 1 | c3c306b2d51e7e4f963a6b1905b564ba0114c8ae7e4bb4656c49d358c0f2b169
sha256 | 1 | a8d7b402e78721443d268b682f8c8313e69be945b12fd71e2f795ac0bcadb353
sha256 | 1 | c3323fbd0d075bc376869b0ee26be5c5f2cd4e53c5efca8ecb565afa8828fb53
sha256 | 1 | d6c35e23b90a7720bbe9609fe3c42b67d198bf8426a247cd3bb41d22d2de6a1f
sha256 | 1 | e911c5934288567b57a6aa4f9344ed0f618ffa4f7dd3ba1221e0c42f17dd1390
IPv4 | 1 | 24.152.38.205
IPv4 | 1 | 149.56.147.236
IPv4 | 1 | 54.38.122.66
IPv4 | 1 | 149.56.38.168
IPv4 | 1 | 149.56.38.170
IPv4 | 1 | 24.152.36.48
IPv4 | 1 | 66.70.170.191
IPv4 | 1 | 66.70.209.174
IPv4 | 1 | 142.44.129.70
IPv4 | 1 | 51.79.107.245
IPv4 | 1 | 46.105.36.189
IPv4 | 1 | 178.33.108.239
IPv4 | 1 | 54.39.193.37
IPv4 | 1 | 24.152.37.115
IPv4 | 1 | 144.217.139.134
IPv4 | 1 | 24.152.36.58
IPv4 | 1 | 51.38.19.201
IPv4 | 1 | 51.222.97.177
IPv4 | 1 | 51.222.53.150
IPv4 | 1 | 144.217.45.69
IPv4 | 2 | 87.98.137.173
IPv4 | 1 | 144.217.199.24
IPv4 | 1 | 24.152.37.19
IPv4 | 1 | 144.217.29.23
IPv4 | 1 | 198.50.246.8
IPv4 | 1 | 54.39.163.60
IPv4 | 1 | 54.39.84.55
IPv4 | 1 | 24.152.36.30
IPv4 | 1 | 46.105.38.67
IPv4 | 1 | 24.152.37.96
IPv4 | 1 | 51.79.63.229
IPv4 | 1 | 178.33.107.134
IPv4 | 1 | 164.132.77.246
IPv4 | 1 | 54.39.163.58
IPv4 | 1 | 149.56.113.76
IPv4 | 1 | 51.161.120.193
IPv4 | 1 | 24.152.36.210
IPv4 | 1 | 176.31.37.238
IPv4 | 1 | 176.31.37.237
IPv4 | 1 | 24.152.36.83
IPv4 | 1 | 24.152.37.8
IPv4 | 1 | 51.161.76.193
IPv4 | 1 | 24.152.36.117
IPv4 | 1 | 137.74.246.224
IPv4 | 1 | 51.79.107.134
IPv4 | 1 | 51.79.44.49
IPv4 | 1 | 51.222.173.152
IPv4 | 1 | 51.79.124.129
IPv4 | 1 | 51.79.107.242
IPv4 | 1 | 51.222.173.148
IPv4 | 1 | 144.217.117.172
IPv4 | 1 | 54.36.82.187
IPv4 | 1 | 54.39.152.91
IPv4 | 1 | 54.36.82.177
IPv4 | 1 | 142.44.146.178
IPv4 | 1 | 54.39.221.163
IPv4 | 1 | 51.79.44.57
IPv4 | 1 | 149.56.38.173
IPv4 | 1 | 24.152.36.46
IPv4 | 1 | 51.38.19.198
IPv4 | 1 | 51.79.44.59
IPv4 | 1 | 198.50.246.11
IPv4 | 1 | 24.152.36.35
IPv4 | 1 | 24.152.36.239
IPv4 | 1 | 144.217.17.186
IPv4 | 1 | 66.70.209.169
IPv4 | 1 | 24.152.36.158
IPv4 | 1 | 54.39.84.50
IPv4 | 1 | 51.38.19.200
IPv4 | 1 | 144.217.45.68
IPv4 | 1 | 144.217.111.5
IPv4 | 1 | 54.38.164.134
IPv4 | 1 | 87.98.171.7
IPv4 | 1 | 51.79.124.130
IPv4 | 1 | 66.70.148.142
IPv4 | 1 | 51.255.119.19
IPv4 | 1 | 66.70.209.168
IPv4 | 1 | 54.39.239.81
IPv4 | 1 | 24.152.36.98
IPv4 | 1 | 51.38.192.225
IPv4 | 1 | 144.217.117.10
IPv4 | 1 | 144.217.189.108
IPv4 | 1 | 66.70.148.136
IPv4 | 1 | 51.255.55.134
IPv4 | 1 | 54.39.137.73
IPv4 | 1 | 66.70.148.137
IPv4 | 1 | 54.36.146.230
IPv4 | 1 | 51.79.107.254
IPv4 | 1 | 54.39.84.52
IPv4 | 1 | 144.217.61.176
IPv4 | 1 | 24.152.36.150
IPv4 | 1 | 51.38.19.196
IPv4 | 1 | 54.39.163.57
IPv4 | 1 | 46.105.36.133
IPv4 | 1 | 149.56.68.191
IPv4 | 1 | 24.152.36.107
IPv4 | 1 | 158.69.99.10
IPv4 | 1 | 51.255.55.136
IPv4 | 1 | 54.39.247.244
IPv4 | 1 | 149.56.147.204
IPv4 | 1 | 158.69.99.15
IPv4 | 1 | 144.217.32.24
IPv4 | 1 | 149.56.147.205
IPv4 | 1 | 144.217.32.213
IPv4 | 1 | 54.39.84.53
IPv4 | 1 | 79.137.115.160
IPv4 | 1 | 144.217.233.98
IPv4 | 1 | 51.79.44.56
IPv4 | 1 | 24.152.36.195
IPv4 | 1 | 142.44.146.190
IPv4 | 1 | 144.217.139.13
IPv4 | 1 | 54.36.82.180
IPv4 | 1 | 198.50.246.14
IPv4 | 1 | 137.74.246.223
IPv4 | 1 | 24.152.36.176
IPv4 | 1 | 51.79.107.250
IPv4 | 2 | 51.161.76.196
IPv4 | 1 | 198.50.246.12
IPv4 | 1 | 66.70.209.170
IPv4 | 1 | 66.70.148.139
IPv4 | 1 | 51.222.97.189
IPv4 | 1 | 54.39.84.49
IPv4 | 1 | 144.217.17.185
IPv4 | 1 | 142.44.129.73
IPv4 | 1 | 144.217.45.67
IPv4 | 1 | 24.152.36.28
IPv4 | 1 | 144.217.45.64
IPv4 | 1 | 24.152.37.39
IPv4 | 1 | 198.27.105.3
IPv4 | 1 | 51.38.8.75
IPv4 | 1 | 198.50.204.38
IPv4 | 1 | 54.39.221.11
IPv4 | 1 | 51.161.76.197
IPv4 | 1 | 54.38.122.64
IPv4 | 1 | 91.134.217.71
IPv4 | 1 | 24.152.36.100
IPv4 | 1 | 144.217.32.26
IPv4 | 1 | 198.50.246.13
IPv4 | 1 | 54.36.82.188
IPv4 | 1 | 54.39.84.25
IPv4 | 1 | 66.70.209.171
IPv4 | 1 | 51.38.218.215
IPv4 | 1 | 54.39.8.92
IPv4 | 1 | 51.38.19.205
IPv4 | 1 | 54.39.247.228
IPv4 | 1 | 24.152.36.103
IPv4 | 1 | 24.152.36.104
IPv4 | 1 | 51.79.44.43
IPv4 | 1 | 54.39.152.202
IPv4 | 1 | 66.70.134.218
IPv4 | 1 | 24.152.36.25
IPv4 | 1 | 149.56.113.79
IPv4 | 1 | 178.32.243.48
IPv4 | 1 | 144.217.45.66
IPv4 | 1 | 66.70.173.72
IPv4 | 1 | 176.31.37.239
IPv4 | 1 | 54.38.225.81
IPv4 | 1 | 158.69.4.173
IPv4 | 1 | 24.152.37.189
IPv4 | 1 | 54.36.146.129
IPv4 | 1 | 198.50.246.15
IPv4 | 1 | 51.222.102.30
IPv4 | 1 | 51.79.105.91
IPv4 | 1 | 51.79.9.91
IPv4 | 1 | 51.222.173.151
IPv4 | 1 | 51.79.107.124
IPv4 | 1 | 51.222.173.142
IPv4 | 1 | 144.217.17.187
IPv4 | 1 | 149.56.85.98
IPv4 | 1 | 51.79.107.244
IPv4 | 1 | 144.217.158.195
IPv4 | 1 | 24.152.36.178
IPv4 | 1 | 192.95.20.74
IPv4 | 1 | 51.79.117.250
MITRE ATT&CK Techniques | 183 | T1189 (Drive-by Compromise)
MITRE ATT&CK Techniques | 460 | T1059.001 (Command and Scripting Interpreter: PowerShell)
MITRE ATT&CK Techniques | 93 | T1059.007 (Command and Scripting Interpreter: JavaScript)
MITRE ATT&CK Techniques | 550 | T1112 (Modify Registry)
MITRE ATT&CK Techniques | 585 | T1083 (File and Directory Discovery)
MITRE ATT&CK Techniques | 433 | T1057 (Process Discovery)
MITRE ATT&CK Techniques | 501 | T1012 (Query Registry)
MITRE ATT&CK Techniques | 1006 | T1082 (System Information Discovery)
MITRE ATT&CK Techniques | 118 | T1056.001 (Input Capture: Keylogging)
MITRE ATT&CK Techniques | 534 | T1005 (Data from Local System)
MITRE ATT&CK Techniques | 115 | T1571 (Non-Standard Port)
MITRE ATT&CK Techniques | 92 | T1048 (Exfiltration Over Alternative Protocol)
MITRE ATT&CK Techniques | 472 | T1486 (Data Encrypted for Impact)
MITRE ATT&CK Techniques | 276 | T1490 (Inhibit System Recovery)
MITRE ATT&CK Techniques | 627 | T1027 (Obfuscated Files or Information)
MITRE ATT&CK Techniques | 120 | T1129 (Shared Modules)
MITRE ATT&CK Techniques | 180 | T1543.003 (Create or Modify System Process: Windows Service)
Pdb | 1 | c:\users\workdreams\desktop\testes\crypt_final\crazy_crypt\crazy\obj\debug\appmonitorplugin.pdb
Pdb | 1 | c:\users\workdreams\desktop\test\nopyfy-ransomware-master\nopyfy-ransomware\nopyfy-ransomware\obj\debug\nopyfy-ransomware.pdb
Url | 1 | http://atualziarsys.serveirc.com/update4
Url | 1 | http://services5500.sytes.net/update6/update.exe.rar
Url | 1 | http://suporte20082021.sytes.net/update5
Url | 1 | http://atualziarsys.serveirc.com/update4/update.exe.rar
Url | 1 | http://suporte20082021.sytes.net/update3
Url | 1 | http://suporte01928492.redirectme.net
Url | 1 | http://atualziarsys.serveirc.com/update3
Url | 1 | http://services5500.sytes.net/update8/update.exe.rar
Url | 1 | http://suporte20082021.sytes.net/update
Url | 1 | http://suporte20082021.sytes.net/update5/update.exe.rar
Url | 1 | http://suporte01928492.redirectme.net/appmonitorplugin.rar
Url | 1 | http://suporte01928492.redirectme.net/update5/update.exe.rar
Url | 1 | http://services5500.sytes.net/update7/update.exe.rar
Url | 1 | http://services5500.sytes.net/update8/update.bat.rar
Url | 1 | http://suporte01092021.myftp.biz/update
Url | 1 | http://suporte01928492.redirectme.net/update7/update.bat.rar
Url | 1 | http://suporte01928492.redirectme.net/update7/update.exe.rar
Url | 1 | http://suporte01092021.myftp.biz
Url | 1 | http://services5500.sytes.net/update6/update.bat.rar
Url | 1 | http://suporte01928492.redirectme.net/update6/update.exe.rar
Url | 1 | http://services5500.sytes.net
Url | 1 | http://atualziarsys.serveirc.com/update3/update.reg.rar
Url | 1 | http://24.152.38.205/pt/flashplayer28_install.zip
Url | 1 | http://suporte01928492.redirectme.net/update7
Url | 1 | http://atualziarsys.serveirc.com
Url | 1 | http://atualziarsys.serveirc.com/update3/mylink.vbs.rar
Url | 1 | http://atualziarsys.serveirc.com/update3/update.exe.rar
Url | 1 | http://suporte20082021.sytes.net
Url | 1 | http://suporte20082021.sytes.net/update3/update.exe.rar
Url | 1 | http://atualziarsys.serveirc.com/update4/update.exe2.rar
Url | 1 | http://suporte20082021.sytes.net/update5/update.reg.rar
Url | 1 | http://suporte01092021.myftp.biz/update/windowsupdate2.rar
Url | 1 | http://suporte01092021.myftp.biz/update/update.rar
Url | 1 | http://suporte01092021.myftp.biz/update5/update.exe.rar
Url | 1 | http://suporte20082021.sytes.net/update2/update.exe.rar
Url | 1 | http://suporte20082021.sytes.net/update/windowsupdate2.rar
Url | 1 | http://atualziarsys.serveirc.com/update4/mylink.vbs.rar
Url | 1 | http://atualziarsys.serveirc.com/favicon.ico
Url | 1 | http://24.152.38.205/1.rar
Url | 1 | http://24.152.38.205/1.exe
Url | 1 | http://appmonitorplugin.sytes.net/appmonitorplugin.rar
Url | 1 | http://appmonitorplugin.sytes.net
Url | 1 | http://suporte20082021.sytes.net/appmonitorplugin.rar
Url | 1 | http://suportmicrowin.sytes.net/appmonitorplugin.rar
Url | 1 | http://suportmicrowin.sytes.net
Url | 1 | http://24.152.38.205/pt/setup.zip
Windows Registry Key | 22 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
Yara rule | 1 | (rule text follows)
rule CRIME_Exfiltration_Tool_Oct2021 {
	meta:
		description = "Rule to detect tool used to exfiltrate data from victim systems"
		author = "TS @ McAfee Enterprise ATR"
		date = "2021-10-04"
		hash = "ceb0e01d96f87af0e9b61955792139f8672cf788d506c71da968ca172ebddccd"
	strings:
		$pattern1 = { 79 FA 44 2F 5F B1 40 69 5D 7E D6 FC 6A 61 F3 D5 2F 37 F2 4B 2F 45 49 60 F5 D4 81 0C 05 D7 A8 3D 4D D8 E6 11 8A BD E2 05 5E 4D CC FE 28 EB A2 A1 1E 98 1D B4 03 C5 A4 7E FB 6E 36 7C 7E C4 8C 5E C2 99 99 76 B5 BC 80 F2 5B EF 5D 27 03 A1 E4 C2 E3 B3 0C D2 6E 92 57 0D AF 1F 9B D7 B4 8B 38 FB 52 23 58 }
		$pattern2 = { B4 A6 D4 DD 1B BE A1 64 73 94 0F C2 DA 10 3C D6 45 79 DD 1A 7E BD F3 06 38 A5 9E 54 7B 13 6E 5A D1 13 83 5B 82 94 F5 3B 8C 3A 43 5E B2 A7 F6 49 A3 83 AA 07 92 DD 14 B9 C2 6C 1B CA 34 89 20 DF D3 7D A3 EF 62 60 C5 7C 54 6C A5 19 25 F6 84 E9 12 39 15 2D C0 5D 51 61 A9 06 44 34 }
		$pattern3 = { 26 2E 47 6A 45 A1 4D 4A FA 44 8A F8 18 94 45 9F 72 96 63 36 44 F5 FD 06 1A 64 7C 6E F1 BA 95 0F F1 ED 48 43 6D 1B D4 97 6B F8 1E E8 4A E0 9D 63 8B D2 C2 A0 1F A9 E2 2D 20 15 51 82 80 F6 69 2E B9 76 87 6C 40 45 FA DB 71 74 2B 95 79 C1 3C 74 82 A4 4A }
		$pattern4 = { F2 A1 13 71 3C CB 04 9A FE 35 2D B8 F9 91 60 85 51 25 E5 A0 45 C9 F6 AC 0D CA 0A B6 15 BD 34 36 7F 2C A5 15 6D CE 5C A2 86 CC C5 5E 37 DF CD C5 AA D1 4E D9 DA B3 CD B9 D1 5B A9 1D D7 9F F9 6E 94 58 8F 30 }
	condition:
		3 of ($pattern*)
}
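Before any of the values in the attribute table go into a blocklist they need a sanity pass. The extractor that produced the table tagged gmail.com as a domain (it is there only because two @gmail.com addresses were found), listed setup.zip both as a File and as a Domain (.zip is a real top-level domain, so a filename passes as a hostname), and counted favicon.ico as a file indicator. The Python below is an added example, not code from this page or from the McAfee Enterprise ATR report it indexes. It parses the table in either layout such exports come in (one "Type | #Events | Value" row per record, or the raw two-line "Details <Type> <#Events>" / value form), checks each value against its declared type, and separates actionable indicators from noise. The embedded sample is a constructed excerpt of the table with two deliberately broken entries (a 63-character SHA-256 and a private address); the noise lists and the dynamic-DNS zone list are my assumptions, kept short for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# One-line rows "Type | #Events | Value" ...
ROW_RE = re.compile(r"^(?P<kind>[^|]+?)\s*\|\s*(?P<events>\d+)\s*\|\s*(?P<value>.*)$")
# ... or the raw two-line export, "Details <Type> <#Events>" followed by the value line.
RECORD_RE = re.compile(r"^Details (?P<kind>.+?) (?P<events>\d+)$")
HOST_RE = re.compile(r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I)

# Assumed noise lists, kept deliberately short for the example.
GENERIC_DOMAINS = {"gmail.com"}        # present only because of the @gmail.com addresses
GENERIC_FILENAMES = {"favicon.ico"}    # every browser fetches this from every site
DYNDNS_ZONES = {"sytes.net", "redirectme.net", "myftp.biz", "serveirc.com"}  # free dynamic DNS


@dataclass
class Indicator:
    kind: str
    events: int
    value: str
    notes: list = field(default_factory=list)


def parse_dump(text):
    """Accept either layout; a line matching neither pattern continues the previous
    value, which is how a multi-line value such as a YARA rule survives."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line) or RECORD_RE.match(line)
        if m:
            g = m.groupdict()
            records.append(Indicator(g["kind"].strip(), int(g["events"]), g.get("value", "").strip()))
        elif records:
            cur = records[-1]
            cur.value = f"{cur.value}\n{line}" if cur.value else line
    return records


def _check_hex(digits):
    return lambda v: None if re.fullmatch(rf"[0-9a-f]{{{digits}}}", v, re.I) else f"not a {digits}-hex-digit digest"


def _check_ipv4(v):
    try:
        return None if ipaddress.IPv4Address(v).is_global else "private or reserved address, not actionable"
    except ValueError:
        return "not an IPv4 address"


# Each check returns None for a well-formed value, otherwise the reason it is rejected.
CHECKS = {
    "md5": _check_hex(32),
    "sha256": _check_hex(64),
    "IPv4": _check_ipv4,
    "Domain": lambda v: None if HOST_RE.fullmatch(v) else "not a hostname",
}


def _zone(host):
    return ".".join(host.lower().split(".")[-2:])


def triage(indicators):
    """Split indicators into actionable / noise / invalid, recording the reason on each."""
    file_values = {i.value for i in indicators if i.kind == "File"}
    buckets = {"actionable": [], "noise": [], "invalid": []}
    for ind in indicators:
        check = CHECKS.get(ind.kind)
        problem = check(ind.value) if check else None
        if problem:
            bucket, note = "invalid", problem
        elif ind.kind == "Domain" and ind.value.lower() in GENERIC_DOMAINS:
            bucket, note = "noise", "shared service domain; blocking it would cut off legitimate mail"
        elif ind.kind == "Domain" and ind.value in file_values:
            bucket, note = "noise", "filename misread as a hostname (.zip is a real TLD); already listed as File"
        elif ind.kind == "File" and ind.value.lower() in GENERIC_FILENAMES:
            bucket, note = "noise", "generic web artefact, not an indicator"
        elif ind.kind == "Domain" and _zone(ind.value) in DYNDNS_ZONES:
            bucket, note = "actionable", f"dynamic-DNS host: block the FQDN, not the {_zone(ind.value)} zone"
        else:
            bucket, note = "actionable", None
        if note:
            ind.notes.append(note)
        buckets[bucket].append(ind)
    return buckets


# Constructed excerpt of the table above; the 63-character SHA-256 and 10.0.0.5 are broken on purpose.
SAMPLE_DUMP = """\
Type | #Events | Value
Domain | 1175 | gmail.com
Domain | 1 | suporte01928492.redirectme.net
Domain | 17 | setup.zip
Email | 1 | deltapaymentbitcoin@gmail.com
File | 75 | favicon.ico
File | 17 | setup.zip
md5 | 2 | e10713a4a5f635767dcd54d609bed977
sha256 | 1 | ceb0e01d96f87af0e9b61955792139f8672cf788d506c71da968ca172ebddccd
sha256 | 1 | ceb0e01d96f87af0e9b61955792139f8672cf788d506c71da968ca172ebddcc
IPv4 | 1 | 24.152.38.205
IPv4 | 1 | 10.0.0.5
"""
```

Run `triage(parse_dump(SAMPLE_DUMP))` and push only the "actionable" bucket downstream; the "noise" bucket is what would have blocked a mail provider, and the "invalid" bucket is what a feed importer silently drops or, worse, matches on nothing. Hostnames under the dynamic-DNS zones stay actionable but carry a note, because the whole zone is shared with thousands of unrelated users.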
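The URL list above repeats one download pattern across hosts: cleartext HTTP, a fake "/updateN/" directory, a payload whose real type (exe, bat, reg, vbs) is hidden inside a .rar, served from free dynamic-DNS hostnames or straight from an IP address. The Python below is an added example, not code from this page or from the report it indexes, that scores proxy-log URLs on those signals and alerts when enough of them line up. The proxy log is constructed (timestamps and client addresses are invented; every URL except the two example.com ones is taken from the list above); the ps1/js and zip/7z extensions, the weights and the alert threshold are my assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Free dynamic-DNS zones that appear in the page's URL list.
DYNDNS_ZONES = {"sytes.net", "redirectme.net", "myftp.biz", "serveirc.com"}

# exe/bat/reg/vbs inside .rar is what the page shows; ps1/js and zip/7z are
# added here as assumptions to catch the obvious variants.
DOUBLE_EXT_RE = re.compile(r"\.(exe|bat|reg|vbs|ps1|js)\.(rar|zip|7z)$", re.I)
PAYLOAD_EXT_RE = re.compile(r"\.(exe|bat|reg|vbs|ps1|js|rar|zip|7z)$", re.I)
UPDATE_PATH_RE = re.compile(r"^/update\d*/", re.I)   # /update/, /update3/ ... as on the page

# Weights and threshold are assumptions: the host and double-extension signals
# are strong on their own, the path and extension signals only corroborate.
WEIGHTS = {
    "executable hidden in archive": 2,
    "bare IP host": 2,
    "dynamic-DNS host": 2,
    "fake update path": 1,
    "payload-like extension": 1,
    "cleartext http": 0,   # recorded for the analyst, never counted
}
ALERT_THRESHOLD = 3


def _is_bare_ip(host):
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def _zone(host):
    return ".".join(host.lower().split(".")[-2:])


def score_url(url):
    """Return (score, reasons) for one URL; a score of 0 means nothing matched."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path
    reasons = []
    if parts.scheme == "http":
        reasons.append("cleartext http")
    if DOUBLE_EXT_RE.search(path):
        reasons.append("executable hidden in archive")
    if PAYLOAD_EXT_RE.search(path):
        reasons.append("payload-like extension")
    if UPDATE_PATH_RE.match(path):
        reasons.append("fake update path")
    if _is_bare_ip(host):
        reasons.append("bare IP host")
    elif _zone(host) in DYNDNS_ZONES:
        reasons.append("dynamic-DNS host")
    return sum(WEIGHTS[r] for r in reasons), reasons


def parse_proxy_line(line):
    """Constructed log format: <timestamp> <client> <method> <url> <status> <bytes>."""
    ts, client, method, url, status, size = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "bytes": int(size)}


def hunt(log_text, threshold=ALERT_THRESHOLD):
    """Return the log records whose URL scores at or above the threshold."""
    alerts = []
    for line in log_text.strip().splitlines():
        rec = parse_proxy_line(line)
        score, reasons = score_url(rec["url"])
        if score >= threshold:
            alerts.append({**rec, "score": score, "reasons": reasons})
    return alerts


# Constructed proxy log: timestamps and client addresses are invented; all URLs
# except the two example.com ones come from the page's URL list.
SAMPLE_LOG = """\
2021-10-04T10:15:01Z 10.0.0.15 GET http://services5500.sytes.net/update6/update.exe.rar 200 418233
2021-10-04T10:15:07Z 10.0.0.15 GET http://24.152.38.205/1.exe 200 93184
2021-10-04T10:16:22Z 10.0.0.21 GET http://atualziarsys.serveirc.com/favicon.ico 404 0
2021-10-04T10:17:40Z 10.0.0.33 GET http://download.example.com/update/update.exe 200 55000
2021-10-04T10:18:03Z 10.0.0.33 GET https://www.example.com/index.html 200 12000
2021-10-04T10:19:11Z 10.0.0.40 GET http://suporte20082021.sytes.net/update/windowsupdate2.rar 200 300111
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} score={hit['score']} {hit['url']}  [{', '.join(hit['reasons'])}]")
```

Three of the six constructed lines alert: the two archive downloads from sytes.net hosts and the bare-IP fetch of 1.exe. The favicon request to a serveirc.com host scores 2 and stays quiet, which is the point of weighting: merely touching a dynamic-DNS host is not evidence, and a plain-HTTP "update.exe" from an ordinary hostname is a hygiene problem rather than an incident. Swap `parse_proxy_line` for your proxy's real field layout; `score_url` only needs the URL.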