Overview

overview

10

Static

static

4cae449450...58.exe

windows7_x64

10

4cae449450...58.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.zip

  • Size

    66KB

  • Sample

    200628-v618yhl3an

  • MD5

    06bac88cfcace2c206e05ebc4020e088

  • SHA1

    e57a4a5586c9fe6ebbe168fe919d89fdb53d846e

  • SHA256

    72abe5d96b5943a52c8e819c04b9886c92c6abb296a23103b27ffa1b9f160bd5

  • SHA512

    0f9cb5ea2e461bb15bed7c664996c64442bf42882a78f20f2f6cc474e69b85c206761cb31a09d78960ef895c09cee770a1d9eabc4fcfdbb0b81191b61b88161d

Score
10/10
evasionransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\!TXDOT_READ_ME!.txt

Ransom Note
Greetings, Texas Department of Transportation! Read this message CAREFULLY and contact someone from IT department. Your files are securely ENCRYPTED. No third party decryption software EXISTS. MODIFICATION or RENAMING encrypted files may cause decryption failure. You can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all files from all affected systems ANY TIME. Encrypted file SHOULD NOT contain sensitive information (technical, backups, databases, large documents). The rest of data will be available after the PAYMENT. Infrastructure rebuild will cost you MUCH more. Contact us ONLY if you officially represent the whole affected network. The ONLY attachments we accept are non archived encrypted files for test decryption. Speak ENGLISH when contacting us. Mail us: [email protected] We kindly ask you not to use GMAIL, YAHOO or LIVE to contact us. The PRICE depends on how quickly you do it. �

Targets

    • Target

      4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458

    • Size

      156KB

    • MD5

      fcd21c6fca3b9378961aa1865bee7ecb

    • SHA1

      0abaa05da2a05977e0baf68838cff1712f1789e0

    • SHA256

      4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458

    • SHA512

      e39c1f965f6faeaa33dfec6eba23fbfff14b287f4777797ea79480bb037d6d806516bda7046315e051961fce12e935ac546819c1e0bef5c33568d68955a9792a

    Score
    10/10
    ransomwareevasion

    • Clears Windows event logs

      evasionransomware

    • Deletes system backup catalog

      Ransomware often tries to delete backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Disables use of System Restore points

      evasion
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks