General

  • Target

    644fd4c06b04899ca4b1c432c2139c68aeeb4fb9a0bf7f51eee3c26e30c1c1f2.bin

  • Size

    140KB

  • Sample

    200907-52bvxsslhn

  • MD5

    cb4eb930077d38e517886b9f44d73d01

  • SHA1

    720f309a06cb0941661e6d52b8f7a13dcb977c58

  • SHA256

    644fd4c06b04899ca4b1c432c2139c68aeeb4fb9a0bf7f51eee3c26e30c1c1f2

  • SHA512

    0dd96955bb3d5ecb591e77a84238fa7d6e18d657e10d14654d77d4c1a15cbb511f6a61e1b33e12f7088bd0d5048471d7205aba5c66e091e328dfa854ccaec583

Score
10/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\readme.txt

Ransom Note
Attention! Your network has been locked
All files on each host has been encrypted
For this server all encrypted files have extension: .SNwyR
----
You cant open or work with encrypted files while it encrypted
All backups has been deleted or formatted, do not worry, we can help you restore your files
We use strongest encryption algoriths, the only way to return your files back - contact us and receive decryption program.
Do not worry about guarantees - you can decrypt any 3 files FOR FREE as guarantee
----
Contact us: [email protected] or [email protected]
And attach in first letter this file or just send all info below (copy all info!):
key: eyJleHQiOiIuU053eVIiLCJrZXkiOiJKMElrck9JTW9DVnFaTjdhRTFHOUtzdkUrS2N2dU9YVHVUTXZmV1lQMW9SUzZjaW1xbkFGWG9nR3UvUHd5TTlzOUZOZGRXeWVRV2pack90TzhGWDRWQkZ1eHlXZHNvNFVtVXN0QjVNOFNxdkQwZW9mL3NvMkJNVnRjTUpqcjVUWGJYektVdDNyamRtekRqRHppQXN5Yjc5NGtYNENuelFsR0pacmduNnlKem1ROHc2dng0aUhnRU9NQld2cWxxb1ozeUxSVThPSTh3RS8xWjFYYUdYRDFaTjBmNWx1SUZ6SG8wNG1XeHBnSXdMUDdhNUx4dFdsSnNkenRBLy9SSUNkT2FBVGl5QWRMZGgxNlpQRStKVXYwUzdyRmJraEFDdWF1OWFqcFZZR0RUNDc3aGg3ZEswYWFPMHNMVWpIUm1pc0NMVHB3VTg0cVBpaUtZZzV1MURuYWRRdnNIdEN2MktXMEIxRmJsdTV4MmxyaFE4YVBQMUN0dGUzS0tlMHJFOEYxTHRwaFJaSzlNWit3YVpCNkg0SThEQXU3YmlmaTh5UUN2cGpNQ1BGSFVRQ3RDRjFwemw2Umg4eGozNEd6UjRkaU5MeDBWYWEvTmJsb2F4WTM1NGxISkttZEFzUEJxdlI0a0NMUlVoV1VjSEJtS1hMNWcwb3JaTzVHTnp2QlBvUVVSRk1Rd1RFRFJHcEFUUGYwQThsb3RvbXJxaHFRazJiS0FKSjdCeU5TSWc4MmdlOEZweHZOeFNxbjVpOEJrUWZsWTh4Y3lQaFRVS3RoRXc0eUIxVnZzN25NVEQwTHMzTTJNendScEhuU1ZBVU9YRzd1TklnV0dGNU83Tjlhd2VLQ1k4RDYyS3lnMTlLbkZJOXJrbks2cXd2eEUxS0FNTVlwR2kzWEhnWXYxQT0iLCJuZXR3b3JrIjoidHJ1ZSIsInN1YmlkIjoiNTQ4MyIsImxhbmciOiJlbi1VUwAifQ==
personal id: AX90F0H4

Extracted

Path

C:\Users\Admin\.oracle_jre_usage\readme.txt

Ransom Note
Attention! Your network has been locked
All files on each host has been encrypted
For this server all encrypted files have extension: .tulCp
----
You cant open or work with encrypted files while it encrypted
All backups has been deleted or formatted, do not worry, we can help you restore your files
We use strongest encryption algoriths, the only way to return your files back - contact us and receive decryption program.
Do not worry about guarantees - you can decrypt any 3 files FOR FREE as guarantee
----
Contact us: [email protected] or [email protected]
And attach in first letter this file or just send all info below (copy all info!):
key: […]
personal id: AX90F0H4
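The `key:` value in each note is not an opaque token: it is a base64-wrapped JSON document carrying the parameters the operators need to answer a victim. The script below is added here as an example; it is not part of the Triage report and not code from the malware. It decodes the blob from the first note above (the `.SNwyR` one), recovers the embedded fields, and checks that the extension stored inside the blob matches the one the note announces. The only assumption is the note layout visible on this page; `strict=False` is required because the `lang` field ends in a raw NUL byte, which looks like a C string copied together with its terminator. On this blob the decode yields ext `.SNwyR`, subid `5483`, network `true`, lang `en-US`, and an inner `key` field that is itself base64 and decodes to 512 bytes. That size is consistent with an RSA-4096-wrapped per-victim key, but the report does not say which scheme the sample uses, so treat that reading as an inference.

```python
import base64
import json
import re

# Constructed input: the "key:" blob copied verbatim from the first note on this
# page (the one announcing the .SNwyR extension).
NOTE_KEY_BLOB = "eyJleHQiOiIuU053eVIiLCJrZXkiOiJKMElrck9JTW9DVnFaTjdhRTFHOUtzdkUrS2N2dU9YVHVUTXZmV1lQMW9SUzZjaW1xbkFGWG9nR3UvUHd5TTlzOUZOZGRXeWVRV2pack90TzhGWDRWQkZ1eHlXZHNvNFVtVXN0QjVNOFNxdkQwZW9mL3NvMkJNVnRjTUpqcjVUWGJYektVdDNyamRtekRqRHppQXN5Yjc5NGtYNENuelFsR0pacmduNnlKem1ROHc2dng0aUhnRU9NQld2cWxxb1ozeUxSVThPSTh3RS8xWjFYYUdYRDFaTjBmNWx1SUZ6SG8wNG1XeHBnSXdMUDdhNUx4dFdsSnNkenRBLy9SSUNkT2FBVGl5QWRMZGgxNlpQRStKVXYwUzdyRmJraEFDdWF1OWFqcFZZR0RUNDc3aGg3ZEswYWFPMHNMVWpIUm1pc0NMVHB3VTg0cVBpaUtZZzV1MURuYWRRdnNIdEN2MktXMEIxRmJsdTV4MmxyaFE4YVBQMUN0dGUzS0tlMHJFOEYxTHRwaFJaSzlNWit3YVpCNkg0SThEQXU3YmlmaTh5UUN2cGpNQ1BGSFVRQ3RDRjFwemw2Umg4eGozNEd6UjRkaU5MeDBWYWEvTmJsb2F4WTM1NGxISkttZEFzUEJxdlI0a0NMUlVoV1VjSEJtS1hMNWcwb3JaTzVHTnp2QlBvUVVSRk1Rd1RFRFJHcEFUUGYwQThsb3RvbXJxaHFRazJiS0FKSjdCeU5TSWc4MmdlOEZweHZOeFNxbjVpOEJrUWZsWTh4Y3lQaFRVS3RoRXc0eUIxVnZzN25NVEQwTHMzTTJNendScEhuU1ZBVU9YRzd1TklnV0dGNU83Tjlhd2VLQ1k4RDYyS3lnMTlLbkZJOXJrbks2cXd2eEUxS0FNTVlwR2kzWEhnWXYxQT0iLCJuZXR3b3JrIjoidHJ1ZSIsInN1YmlkIjoiNTQ4MyIsImxhbmciOiJlbi1VUwAifQ=="

# Matches the three fields of interest in the note layout shown on this page.
NOTE_RE = re.compile(
    r"extension:\s*(?P<ext>\.[A-Za-z0-9]+).*?"
    r"key:\s*(?P<blob>[A-Za-z0-9+/=]+).*?"
    r"personal id:\s*(?P<pid>\S+)",
    re.S,
)


def parse_key_blob(blob):
    """Decode the base64 'key:' blob into the JSON config it wraps."""
    raw = base64.b64decode(blob)
    # strict=False: the "lang" value carries a raw NUL byte (a C string copied
    # with its terminator), which the default strict JSON parser rejects.
    cfg = json.loads(raw.decode("utf-8"), strict=False)
    wrapped_key = base64.b64decode(cfg["key"])  # opaque to the victim
    return {
        "ext": cfg["ext"],
        "network": cfg["network"],
        "subid": cfg["subid"],
        "lang": cfg["lang"].rstrip("\x00"),
        "key_len": len(wrapped_key),  # 512 bytes for the blob on this page
    }


def parse_note(text):
    """Pull extension, key blob and personal id out of a note and check that
    the extension inside the blob agrees with the one the note announces."""
    m = NOTE_RE.search(text)
    if not m:
        raise ValueError("text does not match the note layout on this page")
    cfg = parse_key_blob(m.group("blob"))
    cfg["note_ext"] = m.group("ext")
    cfg["personal_id"] = m.group("pid")
    cfg["consistent"] = cfg["ext"] == cfg["note_ext"]
    return cfg


if __name__ == "__main__":
    # Constructed one-line stand-in for the note body; only the three fields
    # the regex needs are included.
    sample = ("For this server all encrypted files have extension: .SNwyR ---- "
              "key: " + NOTE_KEY_BLOB + " personal id: AX90F0H4")
    print(json.dumps(parse_note(sample), indent=2))
```

When scoping an intrusion across hosts, comparing `subid` and the personal id ties infections to one campaign more reliably than comparing extensions, since this sample already uses two different extensions in the two notes recovered from a single host.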

Targets

    • Deletes shadow copies

      Volume Shadow Copies are the local restore points Windows keeps; ransomware deletes them to inhibit system recovery, which is also what the note's claim that "all backups has been deleted or formatted" refers to.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files. This sample does not use one fixed extension: the two notes recovered above announce .SNwyR and .tulCp on the same host while carrying the same personal id.

    • Enumerates connected drives

      Ransomware typically walks every attached volume, including mapped network shares, to find files to encrypt; the "network":"true" flag in the note's key blob suggests that is the intent here, though the report records no share access.

    • Modifies service

      Changing the state or configuration of a Windows service is a common way to stop backup, database or security services so that the files they hold open can be encrypted. The report does not record which service this sample changed.
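The "Modifies extensions of user files" signature is what a responder has to turn into a scope: which directories hold notes, which extensions were announced, and how many files carry them. The script below is an added example, not tooling from the report. It identifies notes by content rather than by the generic name readme.txt (so an ordinary readme is not counted), collects the announced extensions and personal ids, and then counts files per announced extension. The directory tree it scans is constructed in a temp folder to mirror the two note locations on this page; file names and note bodies are constructed for the demo.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Note file name seen in both extracted paths on this page.
NOTE_NAME = "readme.txt"
EXT_RE = re.compile(r"encrypted files have extension:\s*(\.[A-Za-z0-9]+)")
PID_RE = re.compile(r"personal id:\s*(\S+)")


def scope_tree(root):
    """Walk `root`, identify ransom notes by their content, and count files
    carrying each extension the notes announce. Returns a summary dict."""
    claimed = {}  # extension -> path of the first note that announced it
    ids = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() != NOTE_NAME:
                continue
            path = Path(dirpath) / name
            text = path.read_text(errors="replace")
            m = EXT_RE.search(text)
            if not m:
                continue  # an ordinary readme.txt, not a note
            claimed.setdefault(m.group(1), str(path))
            pid = PID_RE.search(text)
            if pid:
                ids.add(pid.group(1))
    counts = Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            suffix = Path(name).suffix
            if suffix in claimed:
                counts[suffix] += 1
    return {
        "notes": claimed,
        "personal_ids": sorted(ids),
        "encrypted_files": dict(counts),
    }


def demo():
    """Build a constructed tree mimicking the two note locations on this page
    (plus an ordinary readme and an untouched file) and scope it."""
    note = ("Attention! Your network has been locked\n"
            "For this server all encrypted files have extension: {ext}\n"
            "personal id: AX90F0H4\n")
    root = Path(tempfile.mkdtemp())
    layout = {  # constructed sample layout
        "MSOCache/readme.txt": note.format(ext=".SNwyR"),
        "MSOCache/setup.exe.SNwyR": "x",
        "MSOCache/catalog.xml.SNwyR": "x",
        "Users/Admin/.oracle_jre_usage/readme.txt": note.format(ext=".tulCp"),
        "Users/Admin/.oracle_jre_usage/usage.log.tulCp": "x",
        "Users/Admin/Documents/readme.txt": "An ordinary readme, not a ransom note.\n",
        "Users/Admin/Documents/notes.txt": "untouched",
    }
    for rel, content in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return scope_tree(root)


if __name__ == "__main__":
    print(demo())
```

Point it at a mounted forensic image rather than a live host, and treat a directory with encrypted files but no note as a signal that the run was interrupted there, which bounds the time window for the rest of the timeline.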

MITRE ATT&CK Enterprise v6

Tasks