6519161656475648.zip

General
Target

6519161656475648.zip

Size

269KB

Sample

201102-qebnyska7j

Score
10/10
MD5

aa3ab34486bf3e25975f25d26939cbd7

SHA1

59bc02c88e67307176e11872144fbaf66642d68e

SHA256

dc7c8616f018d61814286b93d64d66b4ee0121884fa09b9d14ff2bc243ace913

SHA512

298243a6c6f9062a8ce14f2a0cb4bdaf2d616c00717584cf1b6fc8f0b6f7e411a1c0ecef33a185b4199e74d9b3702a23ed36df345aad7ee939bdf2ca58c44921

Malware Config

Extracted

Path C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\HOW TO RESTORE FILES.TXT
Ransom Note
Hello, friend. All your files were encrypted. If you want to restore them, please email us : petro@ctemplar.com
Emails

petro@ctemplar.com

Extracted

Path C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\HOW TO RESTORE FILES.TXT
Ransom Note
Hello, friend. All your files were encrypted. If you want to restore them, please email us : petro@ctemplar.com Your hash
Emails

petro@ctemplar.com

Targets
Target

a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4

MD5

3265b2b0afc6d2ad0bdd55af8edb9b37

Filesize

483KB

Score
10/10
SHA1

24272beb676d956ec8a65b95a2615c9075fa9869

SHA256

a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4

SHA512

28f99da799b43a5fd060b5cab411911b54ceeb51e612ec6213c2b8003ee6de29bc46683ba04507c0e8a92e9fbec4be5cecbc8918618db9c15f231a5be806cb94

Signatures

  • RegretLocker

    Description

    Ransomware first reported on Twitter in October 2020.

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies service

    TTPs

    Modify Registry, Modify Existing Service

Related Tasks

MITRE ATT&CK Matrix

Tactic columns: Command and Control, Credential Access, Execution, Exfiltration, Initial Access, Lateral Movement, Privilege Escalation