General

  • Target

    b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe

  • Size

    29KB

  • Sample

    210118-m5wtlxk3x2

  • MD5

    c6ec91aaa2bba2deb31fb645a2f9b9e4

  • SHA1

    a921f8a827897250ebbc9847ea113f56dbb1c18d

  • SHA256

    b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0

  • SHA512

    13571cf45881b5d4ef0904f2aa0e091e9fe895bf038b71075f09a051318cf052e0737ad1fab5549e5143e866fda816ce282a2330dea128357e201948b8ce7019

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\READ_ME.hta

Ransom Note
E P S I L O N Ransomware

As you can see, all your files got encrypted. Thats why your files are no longer readable. If you want them back, please contact us at our email below. You can send us a couple of files and we will return the restored ones to prove that only we can do it.

[email protected]

You can ask for more details and more help by email. You can learn more about bitcoin and encryption on wikipedia.
https://wikipedia.org/wiki/Bitcoin
https://wikipedia.org/wiki/Encryption

If you already submited your payement, you will receive your private key and another decryption key with the special decryption software.

More informations:
1. the infection was due to vulnerabilities in your software.
2. our goal is to return your data, but if you don't contact us, we will not succeed.

IMPORTANT:
1. if you want to make sure that it is impossible to recover files using third-party software, do this not on all files, otherwise you may lose all data.
2. only communication through our email can guarantee file recover for you. We are not responsible for the actions of third parties who promise to help you - most often they are scammers.
3. please, do not try to rename encrypted files.
URLs

https://wikipedia.org/wiki/Bitcoin
https://wikipedia.org/wiki/Encryption

Targets

    • Target

      b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0.exe

    • Size

      29KB

    • MD5

      c6ec91aaa2bba2deb31fb645a2f9b9e4

    • SHA1

      a921f8a827897250ebbc9847ea113f56dbb1c18d

    • SHA256

      b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0

    • SHA512

      13571cf45881b5d4ef0904f2aa0e091e9fe895bf038b71075f09a051318cf052e0737ad1fab5549e5143e866fda816ce282a2330dea128357e201948b8ce7019

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic: technique (number of matching signatures), technique ID

  • Persistence

    Registry Run Keys / Startup Folder (1), T1060

  • Defense Evasion

    File Deletion (2), T1107

    Modify Registry (2), T1112

  • Credential Access

    Credentials in Files (1), T1081

  • Collection

    Data from Local System (1), T1005

  • Impact

    Inhibit System Recovery (2), T1490

Tasks