General

  • Target

    Photo-064-2021.jpg.scr

  • Size

    126KB

  • Sample

    210117-6n2jv8sg32

  • MD5

    ea4cf6019062e5555d81bb5510d79b3d

  • SHA1

    0d95aa8ade975b9f85c54cdbabd08906a01e51ee

  • SHA256

    9a02671ffb82ee83b8f9afd028af3090ecd494bd7d8d7a2e2cc75f0ac187c3b8

  • SHA512

    8f1eb4eb9dd561faf05094552bf6769bbfb614de1c7c96cc568e7f45b22fdcdf7d7d7b518041e1ab15b9781ba85dca69c19b9a75cc85bd4aeea3e0540d9f17c9

Malware Config

Extracted

Path

C:\WERE_MY _FILES.txt

Ransom Note

All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
------------------------------------------------
create a ticket to any of these addresses
yip.su/2QstD5
cutt.ly/0htT0he
shorturl.at/GOY24
bit.ly/3399Ozf
------------------------------------------------
you can also attach a small cryptted file for a free test decrypt
Additional communication method
-------------------------------
1. Download Tor browser - httpps://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser: http://helpqvrg3cc5mvb3.onion/
--------------------------------
You ID
URLs

httpps://www.torproject.org/

http://helpqvrg3cc5mvb3.onion/

Targets

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Winlogon Helper DLL (T1004): 1
    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 1

  • Collection

    Data from Local System (T1005): 1

Tasks