Ransom Cartel Ransomware: A Possible Connection With REvil
Tags
cmtmf-attack-pattern: Boot Or Logon Autostart Execution Command And Scripting Interpreter Obfuscated Files Or Information
country: France Japan
attack-pattern: Data Direct /Etc/Passwd And /Etc/Shadow - T1003.008 Archive Collected Data - T1560 Archive Collected Data - T1532 Archive Via Utility - T1560.001 Boot Or Logon Autostart Execution - T1547 Clear Command History - T1070.003 Clear Windows Event Logs - T1070.001 Command And Scripting Interpreter - T1623 Credentials - T1589.001 Credentials From Password Stores - T1555 Credentials From Web Browsers - T1555.003 Credentials From Web Browsers - T1503 Data Encrypted For Impact - T1471 Data Encrypted For Impact - T1486 Disable Or Modify System Firewall - T1562.004 Dns - T1071.004 Dns - T1590.002 Domains - T1583.001 Domains - T1584.001 Exfiltration Over Web Service - T1567 Exfiltration To Cloud Storage - T1567.002 Exploitation For Privilege Escalation - T1404 Exploits - T1587.004 Exploits - T1588.005 File And Directory Discovery - T1420 File And Directory Permissions Modification - T1222 File Deletion - T1070.004 File Deletion - T1630.002 Hardware - T1592.001 Impair Defenses - T1562 Impair Defenses - T1629 Indicator Removal On Host - T1630 Ingress Tool Transfer - T1544 Linux And Mac File And Directory Permissions Modification - T1222.002 Local Account - T1087.001 Local Account - T1136.001 Lsass Memory - T1003.001 Malware - T1587.001 Malware - T1588.001 Obfuscated Files Or Information - T1406 Multi-Hop Proxy - T1090.003 Pass The Hash - T1550.002 Password Cracking - T1110.002 Powershell - T1059.001 Registry Run Keys / Startup Folder - T1547.001 Remote Access Software - T1663 Remote Desktop Protocol - T1021.001 Rundll32 - T1218.011 Server - T1583.004 Server - T1584.004 Software - T1592.002 Ssh - T1021.004 Vnc - T1021.005 Windows Command Shell - T1059.003 Use Alternate Authentication Material - T1550 Tool - T1588.002 Account Discovery - T1087 Account Manipulation - T1098 Bits Jobs - T1197 Clear Command History - T1146 Command-Line Interface - T1059 Connection Proxy - T1090 Create Account - T1136 Credential Dumping - T1003 Exploitation For Privilege Escalation - T1068 External Remote Services - T1133 File And Directory Discovery - T1083 File Deletion - T1107 Indicator Removal On Host - T1070 Remote File Copy - T1105 Modify Registry - T1112 Multi-Hop Proxy - T1188 Network Service Scanning - T1046 Network Share Discovery - T1135 Obfuscated Files Or Information - T1027 Pass The Hash - T1075 Powershell - T1086 Remote Access Tools - T1219 Remote Desktop Protocol - T1076 Remote Services - T1021 Rundll32 - T1085 Signed Binary Proxy Execution - T1218 Third-Party Software - T1072 Valid Accounts - T1078 External Remote Services Indicator Removal On Host Valid Accounts
Common Information
Type Value
UUID 9f779c63-a23d-4e05-a480-0c52c042ca64
Fingerprint 849411f385aca757
Analysis status DONE
Considered CTI value 2
Text language
Published Oct. 14, 2022, 1 p.m.
Added to db Oct. 15, 2022, 8:50 a.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Ransom Cartel Ransomware: A Possible Connection With REvil
Title Ransom Cartel Ransomware: A Possible Connection With REvil
Detected Hints/Tags/Attributes 202/3/52
Attributes
Details | Type | #Events | CTI Value
Details | File | 1018 | rundll32.exe
Details | File | 2125 | cmd.exe
Details | File | 22 | runonce.exe
Details | File | 40 | 7z.exe
Details | File | 33 | tor.exe
Details | File | 28 | ssh.exe
Details | File | 193 | ntuser.dat
Details | File | 40 | netscan.exe
Details | sha256 | 2 | 55e4d509de5b0f1ea888ff87eb0d190c328a559d7cc5653c46947e57c0f01ec5
Details | sha256 | 2 | 2411a74b343bbe51b2243985d5edaaabe2ba70e0c923305353037d1f442a91f5
Details | sha256 | 2 | 6a2bd52a5d68a7250d1de481dcce91a32f54824c1c540f0a040d05f757220cd3
Details | sha256 | 2 | 9935da29f3e4e503e4a4712379ccd9963a730ccc304c2fec31e8276db35e82e8
Details | sha256 | 2 | bf93b029cca0de4b6f32e98aeebd8fd690964816978a0eb13a085a80d4b6bf4e
Details | IPv4 | 2 | 185.239.222.240
Details | IPv4 | 2 | 108.62.103.193
Details | IPv4 | 7 | 185.129.62.62
Details | IPv4 | 2 | 185.143.223.13
Details | IPv4 | 2 | 185.253.163.23
Details | MITRE ATT&CK Techniques | 306 | T1078
Details | MITRE ATT&CK Techniques | 191 | T1133
Details | MITRE ATT&CK Techniques | 50 | T1072
Details | MITRE ATT&CK Techniques | 460 | T1059.001
Details | MITRE ATT&CK Techniques | 333 | T1059.003
Details | MITRE ATT&CK Techniques | 15 | T1003.008
Details | MITRE ATT&CK Techniques | 51 | T1136.001
Details | MITRE ATT&CK Techniques | 112 | T1098
Details | MITRE ATT&CK Techniques | 380 | T1547.001
Details | MITRE ATT&CK Techniques | 40 | T1197
Details | MITRE ATT&CK Techniques | 208 | T1068
Details | MITRE ATT&CK Techniques | 35 | T1222.002
Details | MITRE ATT&CK Techniques | 550 | T1112
Details | MITRE ATT&CK Techniques | 92 | T1070.001
Details | MITRE ATT&CK Techniques | 119 | T1218.011
Details | MITRE ATT&CK Techniques | 70 | T1562.004
Details | MITRE ATT&CK Techniques | 297 | T1070.004
Details | MITRE ATT&CK Techniques | 21 | T1070.003
Details | MITRE ATT&CK Techniques | 627 | T1027
Details | MITRE ATT&CK Techniques | 173 | T1003.001
Details | MITRE ATT&CK Techniques | 125 | T1555.003
Details | MITRE ATT&CK Techniques | 168 | T1046
Details | MITRE ATT&CK Techniques | 585 | T1083
Details | MITRE ATT&CK Techniques | 176 | T1135
Details | MITRE ATT&CK Techniques | 72 | T1087.001
Details | MITRE ATT&CK Techniques | 59 | T1021.004
Details | MITRE ATT&CK Techniques | 38 | T1550.002
Details | MITRE ATT&CK Techniques | 160 | T1021.001
Details | MITRE ATT&CK Techniques | 116 | T1560.001
Details | MITRE ATT&CK Techniques | 100 | T1567.002
Details | MITRE ATT&CK Techniques | 141 | T1219
Details | MITRE ATT&CK Techniques | 48 | T1090.003
Details | MITRE ATT&CK Techniques | 492 | T1105
Details | MITRE ATT&CK Techniques | 472 | T1486