Malware sandboxing report by Hatching Triage

Sharing

Copy URL

Twitter E-mail

General

Target

6519161656475648.zip
Size

269KB
Sample

201102-qebnyska7j
MD5

aa3ab34486bf3e25975f25d26939cbd7
SHA1

59bc02c88e67307176e11872144fbaf66642d68e
SHA256

dc7c8616f018d61814286b93d64d66b4ee0121884fa09b9d14ff2bc243ace913
SHA512

298243a6c6f9062a8ce14f2a0cb4bdaf2d616c00717584cf1b6fc8f0b6f7e411a1c0ecef33a185b4199e74d9b3702a23ed36df345aad7ee939bdf2ca58c44921

Score

10^/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\HOW TO RESTORE FILES.TXT

Ransom Note

Hello, friend. All your files were encrypted. If you want to restore them, please email us : petro@ctemplar.com

Emails

petro@ctemplar.com

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\HOW TO RESTORE FILES.TXT

Ransom Note

Hello, friend. All your files were encrypted. If you want to restore them, please email us : petro@ctemplar.com Your hash: 593235305054517A4F44556D5A57356B5054456D615751394D535A706344307 84E5451754E6A45754E7A45754E54456D61325635505441314D55557A4D5468 42517A51794D6B4647526A5642515446444E446B794D6A67304E5546464F546 C424D4545324D3055774E444178517A6B314E6A457A4D4545794D6A4A464F44 4242526A497A51546377526A633352546B7A4D6A6777526A4642516A59774E5 559774E7A41334E6B49304E6B4E4452455531526B4A45515449304D7A6B304D 4545324E5451774F544E444E304A434D54597A4D7A684552446842517A4A434 E6A59314F4451334E6A4E454E7A45794D6A4A474D7A4E434D6A677952545243 52554931516B55354E7A46424D454D34515445304E7A51334E6B45334D544A4 34D7A52424E6B56444D5451784D545A454E6A5A4652546734524467304F5556 424E6B4E434D6A6847516A6C434E6A424652455243516A5245516A457952444 1344E6A633251305A4452444D32525552464E3045354E455245524455304E7A 6846517A4E424F4467324F554E444D44676D64476C745A543077534334674D5 53075494455785579346D64584E7950575A6B59546B324F5749304A6E5A7662 4431444F6C77674D5463754D7A6448596938794E5455754E7A464859676F41

Emails

petro@ctemplar.com

Targets

- Target
  
  a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4
- Size
  
  483KB
- MD5
  
  3265b2b0afc6d2ad0bdd55af8edb9b37
- SHA1
  
  24272beb676d956ec8a65b95a2615c9075fa9869
- SHA256
  
  a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4
- SHA512
  
  28f99da799b43a5fd060b5cab411911b54ceeb51e612ec6213c2b8003ee6de29bc46683ba04507c0e8a92e9fbec4be5cecbc8918618db9c15f231a5be806cb94
Score

10^/10

regretlocker persistence ransomware spyware
- RegretLocker
  Ransomware first reported on Twitter in October 2020.
  ransomware regretlocker
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies service
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Data from Local System

T1005

Command and Control

Credential Access

Credentials in Files

T1081

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Execution

Exfiltration

Impact

Inhibit System Recovery

T1490

Initial Access

Lateral Movement

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

RegretLocker

Deletes shadow copies

Modifies extensions of user files

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Enumerates connected drives

Looks up external IP address via web service

Modifies service

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2