General

  • Target

    895vv53.exe

  • Size

    156KB

  • Sample

    200713-capbkejmcs

  • MD5

    b2db5eaaf79d25dcc3673294d6e1c927

  • SHA1

    50ee9391673600390cd63c0935013aa2b571a47c

  • SHA256

    77ed644af65306cd4cea3eddf6019e5626fe16cbbd0f8c49d76dd21e9683ae5f

  • SHA512

    9fe8c3ad8e8637798429549c3b02f6ae1aa9290a31d5d45f213c6a05923ac53cd9ad43a1c2aea05cb4ee1af4ad0090ee3f558b50659e0b8688e3a540c9f53f7a

Malware Config

Extracted

  • Path

    C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\Read_Me.txt

  • Ransom Note

    Attention! All your files, documents, photos, databases and other important files are encrypted
    The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.
    The server with your decryptor is in a closed network TOR. You can get there by the following ways:
    ----------------------------------------------------------------------------------------
    1. Download Tor browser - https://www.torproject.org/
    2. Install Tor browser
    3. Open Tor Browser
    4. Open link in TOR browser: http://7rzpyw3hflwe2c7h.onion/?AAAAAAAA
    5. Follow the instructions on this page
    ----------------------------------------------------------------------------------------
    On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
    Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/

  • URLs

    http://7rzpyw3hflwe2c7h.onion/?AAAAAAAA

    http://helpqvrg3cc5mvb3.onion/

Targets

    • Target

      895vv53.exe

    • Modifies Installed Components in the registry

    • Registers COM server for autorun

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

    • Modifies service

    • Suspicious use of SetThreadContext
