Resubmissions

Date / time         Sample ID            Score
19-11-2020 14:39    201119-59epbrqadx    10
19-11-2020 14:22    201119-ff99dc42e6    10
19-11-2020 14:16    201119-298y5e8ncj    9

General

  • Target

    f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample

  • Size

    1.8MB

  • Sample

    201119-ff99dc42e6

  • MD5

    10d7151b9ee53b8da8ee6f85001ffb20

  • SHA1

    76d33ef58ea7b012342d975d871db64840da9675

  • SHA256

    f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093

  • SHA512

    1c6d2d7f509b462b5d48db61817ee42a7204d10141c59394eb190d0dba733b831a6344bb85197dfac358939379e640c9f38732d376e28f92e187806ca574d10f

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.html

Ransom Note
Critical Error! Your files have been corrupted! Follow these directions to easily restore them: 1. Purchase around $200 in Bitcoin (BTC). To learn more about Bitcoin, visit https://bitcoin.org/en/buy or https://buy.bitcoin.com 2. Send the new Bitcoin to the following address: 14BfVG4vH71NLmhu7vFKi9EMmeZFoiAsYP 3. Contact our Tech Support team at insupport@messagesafe.io and explain your issue. 4. After confirming your Bitcoin transfer, we will send you a file-repair tool to fix your entire system. 5. Run our file-cleaner and wait... Your data will be restored. To test our services, you may send up to 2 files for repairing before making the Bitcoin transfer. Estimated repair time after Bitcoin transfer: 24 hours
Emails

insupport@messagesafe.io

Wallets

14BfVG4vH71NLmhu7vFKi9EMmeZFoiAsYP

URLs

https://bitcoin.org/en/buy

https://buy.bitcoin.com

Targets

    • Target

      f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample

    • Size

      1.8MB

    • MD5

      10d7151b9ee53b8da8ee6f85001ffb20

    • SHA1

      76d33ef58ea7b012342d975d871db64840da9675

    • SHA256

      f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093

    • SHA512

      1c6d2d7f509b462b5d48db61817ee42a7204d10141c59394eb190d0dba733b831a6344bb85197dfac358939379e640c9f38732d376e28f92e187806ca574d10f

    Score
    10/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Modifies service

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic             Technique                  Count   ID
Persistence        Account Manipulation       1       T1098
Persistence        Modify Existing Service    1       T1031
Defense Evasion    File Deletion              2       T1107
Defense Evasion    Modify Registry            2       T1112
Impact             Inhibit System Recovery    2       T1490
