Analysis

  • max time kernel
    55s
  • max time network
    69s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    03-08-2020 14:59

General

  • Target

    ransomware.exe

  • Size

    5MB

  • MD5

    e3204b2e61223989b1562f5dee40eee0

  • SHA1

    7bd50a3b0e3f9b4a543f750869ca3ee29b4798e1

  • SHA256

    1ee39f6cd500940ad97c444778dc717361e01ce5579a28d761aedae86e85af64

  • SHA512

    19df0eb4c803e6eeb41abb1fb425f4d9cd6e4262aaeb8bbf7eb959a30f3db2533fd6aed13e055a9781371e9de37de4212d80a32862798368e5dd798763012bc4

Score
10/10

Malware Config

Extracted

Path

C:\Documents and Settings\read_me.txt

Family

deathransom

Ransom Note
--= DEATHRANSOM =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email death@firemail.cc and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email death@cumallover.me death@firemail.cc Your LOCK-ID: 8zYanJ5G8TBffvdKgLC2ws+4L+6+OfLep34sb2aFrnajCBMZvKOkt+kBPMcKFN1Gv1T0U9gR6DCcGzha1DWnsv1SI3QNwsXCrKBD0ilV6HZ76sOgjd87fBTbJgAZJzG1p4OBffNOi65PZvAZUBK5qCMivWkXFi8S5AnptHAtDTI8DmxiCiVR2Dvdw1N2XmcBzEQzpmN+V3nov/HWTvtmiqospVq03AawcSIuElq047UGtGaA4LcvzDKe0ivrQ24+nfc35NRYBGQbQvlNjzQSox23xFPtfewxrpecUyONmpzJhcE1He1/xMHMZgnB0tZ0HP3M55bJnAsPM79yyDA9C2vuOr6qgDb0H5ye/63IArTiWz5gWDwNai6Wq0Ddhr1fOaHbYVOM8SCwhHho7WTb7iwzHifb2f+/Tac+F2HhHAbH5JKaaaDO9fJe3AfPFXIRPKZc1f4gNx956G40ZqNfWF3DaIvKvwO1Hc5eE6kw+x1UUti64v/6/sxOBZfhPZt96Upo/I+o0TZZ+mvlUIgLTopz0XEqfG26zGkKOE+kcSgJrxd9Sbe2PMJVfprn2PO6fQk0/IcGV8JoUzfi0mzsx6W33ULPdbwbeH7aoyqy1gkWWJB3iN2/wPURsgUI5uiv0b9eiPpKfSjahYzDdVXqpisittni9W/HCN/BVAJV+fX3mjJLvP1LSiGlaxCYVA4OWI0bKuikAtNXVASeRdXR1g== >>>How to obtain bitcoin: The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ >>> Free decryption as guarantee! Before paying you send us up to 1 file for free decryption. We recommeded to send pictures, text files, sheets, etc. (files no more than 1mb) IN ORDER TO PREVENT DATA DAMAGE: 1. Do not rename encrypted files. 2. Do not try to decrypt your data using third party software, it may cause permanent data loss. 3. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

death@firemail.cc

death@cumallover.me

Signatures

  • DeathRansom

    Ransomware family first seen at the start of 2020. Initial versions did not actually encrypt files.

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops desktop.ini file(s) 26 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\ransomware.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:240
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 240 -s 752
      2⤵
      • Program crash
      PID:1040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads