Overview

overview

10

Static

static

8

ransomware

windows7_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XINOF.exe

  • Size

    561KB

  • Sample

    200712-n3srnqmcha

  • MD5

    ff23cd4f45d231f8af9f23a2e730bee6

  • SHA1

    0eea13dc19ab5de9ec7ffd81ef89bddf5994f6ef

  • SHA256

    4ce5dda2c3d39cc6c22058add4b64fbedc20f11ba06768b0a3b959f20c88f5fa

  • SHA512

    78c90354ca919c7bdce56034b1a432e7c3a0860b9faf9d351f74c50c3a8521c343a29d5c9c8babbedcc741acdc4138dc6e3cdc2c8e337f97ed5b99cf583102e8

Score
10/10
discoveryevasionpersistenceransomwarespyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\How To Decrypt Files.hta

Ransom Note
All your files have been encrypted!All your files have been encrypted due to a security problem with your PC. If you want to restore them, please send an email to [email protected] The crypter person username : Thunder You have to pay for decryption in Bitcoin. The price depends on how fast you contact us. After payment we will send you the decryption tool. You have to 48 hours(2 Day) To contact or paying us After that, you have to Pay Double . What is our decryption guarantee? Before paying you can send us up to 3 test files for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. Do not pay any money before decrypting the test files. If your decryption, is not done after payment, report the username on website (along with evidence such as transfer id) Regards-FonixTeam

Targets

    • Target

      XINOF.exe

    • Size

      561KB

    • MD5

      ff23cd4f45d231f8af9f23a2e730bee6

    • SHA1

      0eea13dc19ab5de9ec7ffd81ef89bddf5994f6ef

    • SHA256

      4ce5dda2c3d39cc6c22058add4b64fbedc20f11ba06768b0a3b959f20c88f5fa

    • SHA512

      78c90354ca919c7bdce56034b1a432e7c3a0860b9faf9d351f74c50c3a8521c343a29d5c9c8babbedcc741acdc4138dc6e3cdc2c8e337f97ed5b99cf583102e8

    Score
    10/10
    discoveryevasionpersistenceransomwarespyware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Disables Task Manager via registry modification

      evasion

    • Disables taskbar notifications via registry modification

      evasion

    • Modifies Installed Components in the registry

      persistence

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Drops startup file

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks