Overview

overview

10

Static

static

5f2cc1bce3...in.exe

windows7_x64

10

5f2cc1bce3...in.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin

  • Size

    324KB

  • Sample

    200516-me54zapfrx

  • MD5

    142a9f0015e581fc7b88db66eec5bf77

  • SHA1

    c9dae1b23c711ef916a55616bf0bd558c51ce97c

  • SHA256

    5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2

  • SHA512

    9cc7d6f6fc0c67a9bd48511094ae1fd16eb04a8876be62c4ab2c319a4b4a6108feb7528a1830e6182bafa3b53b6edb6322fef42827fb25001fd1629ba7c9521a

Score
10/10
persistenceransomwarespyware

Malware Config

Extracted

Path

C:\697CB8-DECRYPT.txt

Ransom Note
---= SHADOW CRYPTOR =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .697CB8 The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. You only have 7 days of payment time, after which the password will be automatically destroyed by the system. You can contact us by the following ways: ---------------------------------------------------------------------------------------- EMAIL:[email protected] REPEAT:[email protected] ---------------------------------------------------------------------------------------- ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN ENCRYPT KEY--- uy/f7j0ziu3yOrclC7HlhFjZVX7DRkBuKqNJlGkzqIIJ1lo47nbejiWx6GO2/h5qTqNkKvld6IXgwrIUf7+Avvod071rZ7Nbu7b06eVHMiHf4yTJZWmU8O8dClJ6HFP0iAveGaaekksN7eFS/HuEnLxkmPftUQGV1zsWfxxb+tARJle5PM4vh3nzROTcTtOT1CTp99C+CDxj+piNuUPeAvyKIX1iddVJ+ehlNkFh/Jr5dQggpYmzsLG3oirNxuaSbC901eDAU/CY/RZPtQUmgualdyFFd/+eLfEedhe0w03so8wHrwhRbzVkyZLBpzc3rgtJ7POA5ZJ9tdCQPfh8BfZrCoc6KZQ1Ek12aSwPilxW6Al4bS9nQyE64CcxAub3413R8nSsUardKryGs2hO5PADFwt2GN8STwxNtof9GBT9wAeX4kH52rNr6JpOdN0f/Ybltj4tCsePkIHCP6juAbCjUQmyy6xKk8xooOEyIZnGCJcYVe54u1ToKCzwX0JWDpSeFreDuh6m3dA8jm96nIVykCA/+C7G5xhccmojHHcmTaITIGmtUKrUadXfYtLuGRVXGeFrAXycXvx5cJkieQYDnBfLVjQvuT/gGfOdN6vuaiu5v1qy27NauMpP+XcvZDPKTn8hs7gBgSAE38Kvq03Uwa8Wn3HIZYyK9U9YjR0nSaIMMPM5qdqXGief4jC7ajMidmTMuj42G6ksSioaGKwKOnnmdNxw+3xM1/Er7UJyo7J/AFsJfjqgBCRftQmG7oUHKXGePDmC0eF+tQ2Ctbn4rKtBU4VUlqmMLnRbLfV5Mi/+V4+HOitr2YZo0P4iKaDhQGUaHkju2/PxdanCzbqsYPp3IWfqB8ZNxs7AOKHVzysSbnBQUtGtFmIJ9OXWiJkOjAEOX1Wcx/hmnifrpaeQFeLmmb4mXCNtlFkcxbV72ykFmyP+ctzPNdwY9BfJYykFlSu44U743V2MKpbBj7rWRQs2cKjB+M/O9f6VZSWg/F7Dzc1Q6zADkQNerqMBAhoymaq9cPd5i4CbSuyXZ36Gp2x4J7dQVFezMEDRBZQfSfJwbWd+llGWsW4P3YcX57L4xq+XibL2csLqOgofRChvMmPONZH7jLRyLiApudxkFE8taTdHEjqPHOIjyQeCyE0GRCFdgdNxTio9EAZde5xUhn9ibauC2ngn9BgONTPrG4E7tw6vy3T2uiP6XAM5u9FdQKijOsgf9qoL1iAvI8U6SzuxeZF4u0scqZCxiF3I91+gopu5dSLxph0d9goD+4OcGelycISRFai61vow/7on5AXr/1oGW9AC3hpfA7VxTqS6K5pnac5eigiP69e8mNurw3uib8pAKvRdMZi3VCSR8G6MagJqJYIz/XT1l1NhznPKLSULnpKUYgiF9DFr94b0oD5G6T0mT0jhghpF2kQ/dX2lJiCQXIkjGcGWe7CnAF5X/Pu03Df74rMM/HfHEp4wym7maYSkeboISLuFDCVeBQr3WGI3nyHDrUh+exNUK7J1wmsFlVmcCmqyqvakpH5VILpvgJBsLKKzEYg2fmSYQbX+tC1/TQCEZKwQPxubVRj7qylprDQVfY/OonSVMjiL2j+g/HTMpyfrcPhJ5pW3J+GSveKhH6aovHwePCtf5cxbojjnXXOf+yHOvzyVTojWFEKDQQVUMtFK95bhfx4C1MjRkKptvjd3o7oBPBQ= ---END ENCRYPT KEY---
Emails

EMAIL:[email protected]

REPEAT:[email protected]

Extracted

Path

C:\2D7313-DECRYPT.txt

Ransom Note
---= SHADOW CRYPTOR =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .2D7313 The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. You only have 7 days of payment time, after which the password will be automatically destroyed by the system. You can contact us by the following ways: ---------------------------------------------------------------------------------------- EMAIL:[email protected] REPEAT:[email protected] ---------------------------------------------------------------------------------------- ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN ENCRYPT KEY--- uy/f7j0ziu3yOrclC7HlhFjZVX7DRkBuKqNJlGkzqIIJ1lo47nbejiWx6GO2/h5qTqNkKvld6IXgwrIUf7+Avvod071rZ7Nbu7b06eVHMiHf4yTJZWmU8O8dClJ6HFP0iAveGaaekksN7eFS/HuEnLxkmPftUQGV1zsWfxxb+tARJle5PM4vh3nzROTcTtOT1CTp99C+CDxj+piNuUPeAvyKIX1iddVJ+ehlNkFh/Jr5dQggpYmzsLG3oirNxuaSbC901eDAU/CY/RZPtQUmgualdyFFd/+eLfEedhe0w03so8wHrwhRbzVkyZLBpzc3rgtJ7POA5ZJ9tdCQPfh8BfZrCoc6KZQ1Ek12aSwPilxW6Al4bS9nQyE64CcxAub3413R8nSsUardKryGs2hO5PADFwt2GN8STwxNtof9GBT9wAeX4kH52rNr6JpOdN0f/Ybltj4tCsePkIHCP6juAbCjUQmyy6xKk8xooOEyIZnGCJcYVe54u1ToKCzwX0JWDpSeFreDuh6m3dA8jm96nIVykCA/+C7G5xhccmojHHcmTaITIGmtUKrUadXfYtLuGRVXGeFrAXycXvx5cJkieQYDnBfLVjQvuT/gGfOdN6vuaiu5v1qy27NauMpP+XcvZDPKTn8hs7gBgSAE38Kvq03Uwa8Wn3HIZYyK9U9YjR0nSaIMMPM5qdqXGief4jC7ajMidmTMuj42G6ksSioaGKwKOnnmdNxw+3xM1/Er7UJyo7J/AFsJfjqgBCRftQmG7oUHKXGePDmC0eF+tQ2Ctbn4rKtBU4VUlqmMLnRbLfV5Mi/+V4+HOitr2YZo0P4iKaDhQGUaHkju2/PxdanCzbqsYPp3IWfqB8ZNxs7AOKHVzysSbnBQUtGtFmIJ9OXWiJkOjAEOX1Wcx/hmnifrpaeQFeLmmb4mXCNtlFkcxbV72ykFmyP+ctzPNdwY9BfJYykFlSu44U743V2MKpbBj7rWRQs2cKjB+M/O9f6VZSWg/F7Dzc1Q6zADkQNerqMBAhoymaq9cPd5i4CbSuyXZ36Gp2x4J7dQVFezMEDRBZQfSfJwbWd+llGWsW4P3YcX57L4xq+XibL2csLqOgofRChvMmPONZH7jLRyLiApudxkFE8taTdHEjqPHOIjyQeCyE0GRCFdgdNxTio9EAZde5xUhn9ibauC2ngn9BgONTPrG4E7tw6vy3T2uiP6XAM5u9FdQKijOsgf9qoL1iAvI8U6SzuxeZF4u0scqZCxiF3I91+gopu5dSLxph0d9goD+4OcGelycISRFai61vow/7on5AXr/1oGW9AC3hpfA7VxTqS6K5pnac5eigiP69e8mNurw3uib8pAKvRdMZi3VCSR8G6MagJqJYIz/XT1l1NhznPKLSULnpKUYgiF9DFr94b0oD5G6T0mT0jhghpF2kQ/dX2lJiCQXIkjGcGWe7CnAF5X/Pu03Df74rMM/HfHEp4wym7maYSkeboISLuFDCVeBQr3WGI3nyHDrUh+exNUK7J1wmsFlVmcCmqyqvakpH5VILpvgJBsLKKzEYg2fmSYQbX+tC1/TQCEZKwQPxubVRj7qylprDQVfY/OonSVMjiL2j+g/HTMpyfrcPhJ5pW3J+GSveKhH6aovHwePCtf5cxbojjnXXOf+yHOvzyVTojWFEKDQQVUMtFK95bhfx4C1MjRkKptvjd3o7oBPBQ= ---END ENCRYPT KEY---
Emails

EMAIL:[email protected]

REPEAT:[email protected]

Targets

    • Target

      5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin

    • Size

      324KB

    • MD5

      142a9f0015e581fc7b88db66eec5bf77

    • SHA1

      c9dae1b23c711ef916a55616bf0bd558c51ce97c

    • SHA256

      5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2

    • SHA512

      9cc7d6f6fc0c67a9bd48511094ae1fd16eb04a8876be62c4ab2c319a4b4a6108feb7528a1830e6182bafa3b53b6edb6322fef42827fb25001fd1629ba7c9521a

    Score
    10/10
    ransomwarepersistencespyware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Modifies service

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks