General

  • Target

    pcnew.exe

  • Size

    20KB

  • Sample

    201105-cw59cdyspj

  • MD5

    1f8cef7b1f327e19ec561d1b80583d2d

  • SHA1

    96795527c65711c13aef7f2cda3b5a0ff5779137

  • SHA256

    c6ee0c5549619ebf81f7878da18a6e29ff315be7d0fb3d9b79b84717405c87f6

  • SHA512

    2bdb59b8ca921b7def3547c622a4357398566c475ed1c77aad4fe91f1171ddee1b0d3524463ead12a10bba19fb5e23dcad3b00e948c8bde585d315906fd782e2

Malware Config

Extracted

Path

C:\22912339014610\Read_Me.txt

Ransom Note

Attention!
All your files, documents, photos, databases and other important files are encrypted
The only method of recovering files is to purchase an unique decryptor.
Only we can give you this decryptor and only we can recover your files.
The server with your decryptor is in a closed network TOR.
You can get there by the following ways:
----------------------------------------------------------------------------------------
1. Download Tor browser - https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser: http://25xb3kc6azicbbuo.onion/?XNDSIXND
5. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/

URLs

http://25xb3kc6azicbbuo.onion/?XNDSIXND

http://helpqvrg3cc5mvb3.onion/

Extracted

Path

C:\115802396715453\Read_Me.txt

Ransom Note

Attention!
All your files, documents, photos, databases and other important files are encrypted
The only method of recovering files is to purchase an unique decryptor.
Only we can give you this decryptor and only we can recover your files.
The server with your decryptor is in a closed network TOR.
You can get there by the following ways:
----------------------------------------------------------------------------------------
1. Download Tor browser - https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser: http://25xb3kc6azicbbuo.onion/?IJLMOQRT
5. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/

URLs

http://25xb3kc6azicbbuo.onion/?IJLMOQRT

http://helpqvrg3cc5mvb3.onion/

Targets

    • Target

      pcnew.exe

    • Size

      20KB

    • Phorphiex Worm

      Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • Windows security bypass

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies service

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • T1060 Registry Run Keys / Startup Folder (2)

  • T1031 Modify Existing Service (1)

Defense Evasion

  • T1089 Disabling Security Tools (2)

  • T1112 Modify Registry (5)

Credential Access

  • T1081 Credentials in Files (1)

Discovery

  • T1012 Query Registry (1)

  • T1120 Peripheral Device Discovery (1)

  • T1082 System Information Discovery (1)

Collection

  • T1005 Data from Local System (1)
