General

  • Target

    054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9.bin

  • Size

    1.3MB

  • Sample

    200923-f35awlzg5j

  • MD5

    f4c92c5896d92368dab37f277f74220a

  • SHA1

    e5763d7e58f39b9f2130abcfadaa34e5e46b04a9

  • SHA256

    054ce01f56fced98721576017754aa60fb81309babaab7bf53aaec39d2c1fbc9

  • SHA512

    99d06cd0288d892c1e018439e75a5f62ad909a1a6d35de4101a1fa99d55ea3c34685857e39cc385f9aedd0d4f027dc3592d1605919b91bc0a44ea8126343b0e5

Malware Config

Extracted

  • Path

    C:\Users\Admin\AppData\Roaming\Microsoft\Visio\Recover files.hta

  • Ransom Note

    Your personal ID
    ☣Your files are encrypted!☣
    ⬇ To decrypt, follow the instructions below.⬇
    To recover data you need decrypt tool. To get the decrypt tool you should:
    Send 3 crypted test image or text file or document to [email protected] Or alternate mail [email protected]
    In the letter include your personal ID (look at the beginning of this document). Send me this ID in your first email to me.
    We will give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files.
    After we send you instruction how to pay for decrypt tool and after payment you will receive a decrypt tool and instructions how to use it
    We can decrypt few files in quality the evidence that we have the decoder.
    MOST IMPORTANT!!!
    Do not contact other services that promise to decrypt your files, this is fraud on their part! They will buy a decoder from us, and you will pay more for his services.
    No one, except [email protected] ([email protected]), will decrypt your files.
    Only [email protected] ([email protected]) can decrypt your files
    Do not trust anyone besides [email protected] ([email protected])
    Antivirus programs can delete this document and you can not contact us later.
    Attempts to self-decrypting files will result in the loss of your data
    Decoders other users are not compatible with your data, because each user's unique encryption key

Targets

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Blocklisted process makes network request

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Stops running service(s)

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks