Resubmissions

21-01-2021 15:41

210121-3mlv3q5jpj (score 10/10)

18-01-2021 10:58

210118-jg3a8twq6n (score 10/10)

General

  • Target

    d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.zip

  • Size

    86KB

  • Sample

    210118-jg3a8twq6n

  • MD5

    47e3a4fdd76d4ed34b0dccf86eee4f59

  • SHA1

    66976a47b502b9e2ddca4d39f409496eeb184335

  • SHA256

    1de446ec3ae6ed984e52bd031814ec1397eb5d4f26feb38da866e5b83f6468bd

  • SHA512

    417ae8b92fa392c64bcc422878d1761308c83b2694453e56501b0f0dcfe49a40b28187a2431a96d200d5fafbf5309093f6f953fbfa8c9f615844f4782db8f1c2

Score
10/10

Malware Config

Extracted

Path

C:\readme.txt

Ransom Note
Аll оf уоur files аrе currеntlу еncrуptеd bу CОNTI rаnsоmwаrе.
If you try to use any additional recovery software - the files might be damaged or lost.
To make sure that we REALLY CAN recover data - we offer you to decrypt samples.
You can contact us for further instructions through:
Our email polzarutu1982@protonmail.com
Our website
TOR VERSION : (you should download and install TOR browser first https://torproject.org)
http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion
HTTPS VERSION : contirecovery.best
YOU SHOULD BE AWARE!
Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond.
So it will be better for both sides if you contact us ASAP
---BEGIN ID---
sRttGzzkzsoiC9s8LgcrQk64ew7H47a5JSjCsLGbwdijogjulfu3RO9XBJbfEgCZ
---END ID---

Emails

polzarutu1982@protonmail.com

URLs

http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion

Note: the note also names a clearnet mirror, contirecovery.best (under "HTTPS VERSION"), which the URL extraction above does not list; include it when building blocklists from this report.
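The note dropped by this sample opens with a sentence spelled with Cyrillic look-alike letters (the "Аll оf уоur files ... CОNTI rаnsоmwаrе" line), so a plain ASCII string signature for "CONTI ransomware" does not match the raw file. The script below is an added example, not part of this report or of the sandbox's own config extractor: it folds a hand-picked set of Cyrillic homoglyphs back to ASCII, then pulls the email, .onion URL, clearnet domain and victim ID out of the note body. The note text is embedded as constructed input copied from the "Ransom Note" field above; the homoglyph table, regexes and function names are this example's own assumptions.

```python
import re
import unicodedata

# Constructed input: the body of C:\readme.txt as reproduced in this report's
# "Ransom Note" field. The first sentence is left exactly as the sample writes it.
RANSOM_NOTE = (
    "Аll оf уоur files аrе currеntlу еncrуptеd bу CОNTI rаnsоmwаrе. "
    "If you try to use any additional recovery software - the files might be "
    "damaged or lost. To make sure that we REALLY CAN recover data - we offer you "
    "to decrypt samples. You can contact us for further instructions through: "
    "Our email polzarutu1982@protonmail.com Our website TOR VERSION : "
    "(you should download and install TOR browser first https://torproject.org) "
    "http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion "
    "HTTPS VERSION : contirecovery.best YOU SHOULD BE AWARE! Just in case, if "
    "you try to ignore us. We've downloaded your data and are ready to publish "
    "it on out news website if you do not respond. So it will be better for "
    "both sides if you contact us ASAP ---BEGIN ID--- "
    "sRttGzzkzsoiC9s8LgcrQk64ew7H47a5JSjCsLGbwdijogjulfu3RO9XBJbfEgCZ "
    "---END ID---"
)

# Assumed (hand-picked) table of Cyrillic letters that render like Latin ones.
# Written as code points so the mapping is unambiguous in the source file.
_HOMOGLYPHS = str.maketrans({
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u0406": "I", "\u0408": "J", "\u041a": "K", "\u041c": "M", "\u041e": "O",
    "\u0420": "P", "\u0405": "S", "\u0422": "T", "\u0425": "X",
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u0456": "i", "\u0458": "j",
    "\u043e": "o", "\u0440": "p", "\u0455": "s", "\u0443": "y", "\u0445": "x",
})


def normalize_homoglyphs(text: str) -> str:
    """Fold known Cyrillic look-alikes to ASCII so ASCII signatures can match."""
    return text.translate(_HOMOGLYPHS)


def non_ascii_scripts(text: str) -> set:
    """Scripts (first word of the Unicode name) of every non-ASCII letter in text.
    Useful as a quick tell: a note that claims to be English but carries
    CYRILLIC letters is using homoglyph evasion."""
    scripts = set()
    for ch in text:
        if ord(ch) < 128 or not ch.isalpha():
            continue
        name = unicodedata.name(ch, "")
        if name:
            scripts.add(name.split()[0])
    return scripts


_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
_ONION = re.compile(r"https?://[a-z2-7]{16,56}\.onion\b")      # v2 or v3 address
_CLEARNET = re.compile(r"HTTPS VERSION\s*:\s*(\S+)")           # note's own label
_VICTIM_ID = re.compile(r"---BEGIN ID---\s*(\S+)\s*---END ID---")


def extract_iocs(note: str) -> dict:
    """Return the contact and victim identifiers found in a note body."""
    text = normalize_homoglyphs(note)
    return {
        "emails": sorted(set(_EMAIL.findall(text))),
        "onion_urls": sorted(set(_ONION.findall(text))),
        "clearnet_domains": _CLEARNET.findall(text),
        "victim_ids": _VICTIM_ID.findall(text),
    }


def signature_hits(note: str, needle: str = "CONTI ransomware") -> dict:
    """Show whether an ASCII signature matches before and after normalization."""
    return {"raw": needle in note, "normalized": needle in normalize_homoglyphs(note)}


if __name__ == "__main__":
    print("non-ASCII scripts:", non_ascii_scripts(RANSOM_NOTE))
    print("signature:", signature_hits(RANSOM_NOTE))
    for key, value in extract_iocs(RANSOM_NOTE).items():
        print(f"{key}: {value}")
```

Run the normalization before any string- or regex-based family signature, and keep the raw bytes as well: the homoglyph pattern itself is a useful detection feature, and a hash of the unmodified note is what other reports will be matching on.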

Targets

    • Target

      d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe

    • Size

      208KB

    • MD5

      b3d6ba0aa663f699283d25ddcb6561b9

    • SHA1

      a1f27e6be62bf0af7d5bff447156b3413f0d97c8

    • SHA256

      d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c

    • SHA512

      6d3b5f75169243f44247bb6ad32d6f68d937240e0d1711373012d696729a3e44ad21336e96a5548e11605412365ad4f53d2f5c798e74f204be2c16df5ae610ef

    Score
    10/10
    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials. For a ransomware sample this signature can also fire simply because the encryptor walks the user profile and reads browser data files along with everything else, so treat it as corroborating evidence of data theft only if the network or process activity shows the data leaving the host.

    • Drops desktop.ini file(s)

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            | Technique              | Count | ID
Credential Access | Credentials in Files   | 1     | T1081
Collection        | Data from Local System | 1     | T1005

Note: T1081 is the ATT&CK v6 identifier; in current ATT&CK versions the same behaviour is T1552.001 (Unsecured Credentials: Credentials In Files). T1005 is unchanged.
