The file RAND_NAME.exe is an updated version (V.2) of the MegaCortex ransomware. Like version 1 (V.1), this new version (V.2) of MegaCortex is compiled with Microsoft Visual C++ and uses the mbedcrypto library to carry out its file encryption. RAND_NAME.exe is observed to be digitally signed with a valid signature from ABADAN PIZZA LTD and acts as a loader for a module named payload.dll, which is found encrypted and embedded within its body. The DLL module has two export functions, “start” and “ss2”, which the MegaCortex loader uses to carry out its ransomware functionality.
RAND_NAME.exe Loader Functionality
Similar to version 1, this new version of MegaCortex (V.2) is also compiled using Microsoft Visual C++ and uses mbedcrypto to carry out its file encryption algorithms. The MegaCortex loader binary RAND_NAME.exe is also observed to be digitally signed with a valid signature from ABADAN PIZZA LTD.
The MegaCortex binary RAND_NAME.exe acts as a loader to an embedded module named payload.dll, whose name is derived from its export table. The module payload.dll is found encrypted and embedded within the body of RAND_NAME.exe.
The code in payload.dll’s “start” function first verifies whether the process is running with “administrator” privilege; if not, it invokes ShellExecuteExA with the “runas” verb to ensure it has the required privileges. Next, it disables file system redirection for the current thread and adjusts the token privileges of the current process to enable SeDebugPrivilege for DLL injection.
payload.dll’s “ss2” export is only activated and called when the loader binary (RAND_NAME.exe) is executed with the correct base64 key, as described above for the “start” export. The “ss2” export starts by retrieving the number of available processors; the number of worker threads created to perform file encryption depends on that processor count.
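The loader and payload characteristics described above (the ABADAN PIZZA LTD signer on RAND_NAME.exe, the internal name payload.dll taken from the export table, and the “start” and “ss2” exports) translate directly into hunting rules. The following YARA rules are an added example written for this page, not detection content from the original report. They assume a YARA build with the pe module (4.0 or later for iterating over pe.signatures); the rule names are chosen here. Note the split: the certificate subject is only visible on the signed loader on disk, while the export names live inside the encrypted embedded module and so only match a decrypted copy, such as a memory dump of the loaded DLL.

```yara
import "pe"

// Matches the signed loader as found on disk. The signer string comes from the report;
// a revoked or stripped signature will not match, so pair this with the rule below.
rule MegaCortex_V2_Loader_Signer
{
    meta:
        description = "PE signed with a certificate whose subject names ABADAN PIZZA LTD (MegaCortex V.2 loader)"
        reference   = "MegaCortex V.2 analysis (RAND_NAME.exe)"
    condition:
        uint16(0) == 0x5A4D and
        for any sig in pe.signatures : (
            sig.subject contains "ABADAN PIZZA LTD"
        )
}

// Matches the decrypted payload module. The DLL name is read from the export directory,
// exactly as the report derives "payload.dll", and both exports must be present.
rule MegaCortex_V2_Payload_Module
{
    meta:
        description = "Decrypted MegaCortex V.2 module: export-table name payload.dll with exports start and ss2"
        reference   = "MegaCortex V.2 analysis (payload.dll)"
    condition:
        uint16(0) == 0x5A4D and
        pe.dll_name == "payload.dll" and
        pe.exports("start") and
        pe.exports("ss2")
}
```

Run the loader rule over suspicious executables on disk, and the payload rule over process memory or unpacked artifacts produced by a sandbox; a hit on the payload rule alone is the higher-confidence indicator, since a legitimate vendor certificate can sign unrelated software.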
Malware Hash (MD5/SHA1/SHA256)