General

  • Target

    2929a107.exe

  • Size

    156KB

  • Sample

    200713-68jalelat6

  • MD5

    16c0db7429d6dc0e88fc5cc50863ad88

  • SHA1

    c0259e1e3a715c34cd7b6bb678dd4ed34decfc71

  • SHA256

    d32e0d534634c106e906ffb62e5485bca9ee6023eafc3acf6777f1c48d9f8952

  • SHA512

    a073a343c2ac19d3223d73b841cfd079dc3f33a56e654ea9c34d0c4836678363421b4b04f480c58af38edf9a7211481509cc676e0881a6687c05823061bb5b84

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\Read_Me.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted
The only method of recovering files is to purchase an unique decryptor.
Only we can give you this decryptor and only we can recover your files.
The server with your decryptor is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
1. Download Tor browser - https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser: http://7rzpyw3hflwe2c7h.onion/?QQQQQQQQ
5. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/
URLs

http://7rzpyw3hflwe2c7h.onion/?QQQQQQQQ

http://helpqvrg3cc5mvb3.onion/
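The indicators above (file hashes, dropped note name and the two .onion URLs) are enough to triage other hosts offline. The following is an added example written for this page, not code from the sandbox or from the sample: it hashes a candidate file against the report's digests, walks a directory tree for Read_Me.txt notes, and pulls .onion URLs out of any note it finds so they can be compared with the known ones. The onion regex, the "all three digests must agree" rule and the abridged note used by demo() are assumptions and constructed data, not taken from the sample.

```python
# Added example (not part of the sandbox report): offline triage helpers that
# check a file against the hashes above and locate/parse the dropped ransom note.
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators copied from the report. Everything else in this file is constructed.
KNOWN_HASHES = {
    "md5": "16c0db7429d6dc0e88fc5cc50863ad88",
    "sha1": "c0259e1e3a715c34cd7b6bb678dd4ed34decfc71",
    "sha256": "d32e0d534634c106e906ffb62e5485bca9ee6023eafc3acf6777f1c48d9f8952",
}
RANSOM_NOTE_NAME = "Read_Me.txt"
KNOWN_ONIONS = {
    "http://7rzpyw3hflwe2c7h.onion/?QQQQQQQQ",
    "http://helpqvrg3cc5mvb3.onion/",
}

# v2 onion names are 16 base32 chars, v3 are 56; accept either, then any
# non-space, non-quote URL tail. Assumption: notes carry plain http(s) links.
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion[^\s<>\"']*", re.IGNORECASE)


def hash_bytes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of an in-memory buffer, keyed like KNOWN_HASHES."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in KNOWN_HASHES}


def hash_file(path) -> dict:
    """Same digests for a file on disk, streamed so large files are fine."""
    hashers = {alg: hashlib.new(alg) for alg in KNOWN_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def matches_sample(digests: dict) -> bool:
    """True only if every digest agrees with the report (one match alone is not enough)."""
    return all(digests.get(alg) == value for alg, value in KNOWN_HASHES.items())


def extract_onions(text: str) -> set:
    """Pull .onion URLs out of note text, trimming trailing sentence punctuation."""
    return {m.group(0).rstrip(".,;:)") for m in ONION_RE.finditer(text)}


def classify_note(text: str) -> dict:
    """Report which onion URLs a note carries and whether any match this sample."""
    urls = extract_onions(text)
    known = urls & KNOWN_ONIONS
    return {"urls": sorted(urls), "known": sorted(known), "is_match": bool(known)}


def find_ransom_notes(root) -> list:
    """Walk `root` for Read_Me.txt files whose onion URLs match the report."""
    hits = []
    for path in Path(root).rglob(RANSOM_NOTE_NAME):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        result = classify_note(text)
        if result["is_match"]:
            hits.append({"path": str(path), "known": result["known"]})
    return hits


# Constructed sample note (abridged from the report's text) used only by demo().
SAMPLE_NOTE = (
    "Attention! All your files, documents, photos, databases and other important "
    "files are encrypted\n"
    "4. Open link in TOR browser: http://7rzpyw3hflwe2c7h.onion/?QQQQQQQQ\n"
    "Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/.\n"
)


def demo() -> dict:
    """Build a throwaway tree with one matching note and one decoy, then triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "MSOCache" / "All Users").mkdir(parents=True)
        (root / "MSOCache" / "All Users" / RANSOM_NOTE_NAME).write_text(SAMPLE_NOTE)
        (root / RANSOM_NOTE_NAME).write_text("Nothing to see here, no onion links.")
        hits = find_ransom_notes(root)
        # b"abc" is a constructed stand-in; its digests do not match the sample.
        return {"hits": hits, "benign_matches": matches_sample(hash_bytes(b"abc"))}


if __name__ == "__main__":
    print(demo())
```

On a real host, point find_ransom_notes() at the drive root (the report shows the note landing under C:\MSOCache, so do not limit the walk to user profiles) and feed suspect binaries through hash_file(); a name match on Read_Me.txt alone is not treated as a hit, only a note that references one of the report's .onion URLs is.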

Targets

    • Target

      2929a107.exe

    • Modifies Installed Components in the registry

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

    • Modifies service

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6