General

  • Target

    DirectX_Update.bin.zip

  • Size

    199KB

  • Sample

    200823-88h7nmjfv2

  • MD5

    b154be4d4240bc2896faf1b55f364c1a

  • SHA1

    3be652636aa080bef9e48b8af266a97c5632cfe7

  • SHA256

    5dd45efe2b08a6566739cb61978ea7f0ce3badc64220475c6e62eadb16938278

  • SHA512

    3b2d2a0ae54083a6bf698c8754cf14a44d77494807905c39f34ee3c896eea2b50437ab3bb97fc2a825b6ea50c2c8a3e7dbae6fb744631d3e82912a174ce44b07

Score
10/10

Malware Config

Extracted

Path

C:\ATTENTION-feeef-README.txt

Ransom Note
Sorry, but your files are locked due to a critical error in your system. If you yourself want to decrypt the files - you will lose them FOREVER. You have to pay BITCOINS to get your file decoder. DO NOT TAKE TIME, you have SEVERAL DAYS to pay, otherwise the cost of the decoder will double. How to do it is written below. If you cannot do it yourself, then search the Internet for file recovery services in your country or city. Go to the page through the browser: http://restore-now.top/online-chat/ If your site does not open, then download the TOR browser (https://torproject.org/). If you can't access the download page of the TOR browser, then download the VPN! After you install the TOR browser on your computer go to the site: http://i6jppiczqa5moqfl57gssi33npwfseqppdsnz7rriiv7suf4pf4w42id.onion After going to the site, enter the information: Your ID: 67622281495 Personal key: bWxsbG0oSGt0cHUoPT49OTk5Pzg7QDwoSkEnOTw8Njk6PidOaUM2aXlFJw== Your Email
URLs

http://restore-now.top/online-chat/

http://i6jppiczqa5moqfl57gssi33npwfseqppdsnz7rriiv7suf4pf4w42id.onion

Extracted

Path

C:\ATTENTION-acbbf-README.txt

Ransom Note
Sorry, but your files are locked due to a critical error in your system. If you yourself want to decrypt the files - you will lose them FOREVER. You have to pay BITCOINS to get your file decoder. DO NOT TAKE TIME, you have SEVERAL DAYS to pay, otherwise the cost of the decoder will double. How to do it is written below. If you cannot do it yourself, then search the Internet for file recovery services in your country or city. Go to the page through the browser: http://restore-now.top/online-chat/ If your site does not open, then download the TOR browser (https://torproject.org/). If you can't access the download page of the TOR browser, then download the VPN! After you install the TOR browser on your computer go to the site: http://i6jppiczqa5moqfl57gssi33npwfseqppdsnz7rriiv7suf4pf4w42id.onion After going to the site, enter the information: Your ID: 09302895631 Personal key: aGppaW0oSGt0cHUoN0A6Nzk/QDw9OjgoSkEnOTw8Njk6PydOaUM2aXlFJw== Your Email
URLs

http://restore-now.top/online-chat/

http://i6jppiczqa5moqfl57gssi33npwfseqppdsnz7rriiv7suf4pf4w42id.onion

Targets

    • Target

      DirectX_Update.bin

    • Size

      401KB

    • MD5

      feaccffc7990693228933d5a5f67b833

    • SHA1

      adcad8fe079bfcfdcf09cca72920d5e93d61594a

    • SHA256

      30718dcdb6fc8e48a442f5b1f63e413e69f6cf2a279fed1c7c80e9517a133317

    • SHA512

      739151a037f3a27699c4f14df4e613e0f86bc6e39988fbceb978935c6a048de3c4ce8117b413a17bc8a1a1d0f4dbb5867a96eb5d0fa369c020a8c39e40535c03

    Score
    10/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies service

MITRE ATT&CK Enterprise v6

Tasks