General

  • Target

    06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.exe

  • Size

    27KB

  • Sample

    210120-5tcynbb182

  • MD5

    015e93d82958f4edbc4c8807eeefc430

  • SHA1

    9517634369b86197f14ae25ffa69a138ab6fe446

  • SHA256

    06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6

  • SHA512

    fa9fc3f5565eb6f84331fb068b70b110aefd87d73ec5c9fabda0819886dca3617dbe4b712eda1a68254352f931cd6bca6c4878d515a793697ae410e19884ebbd

Score
10/10

Malware Config

Extracted

Path

C:\MSOCache\DECR.TXT

Ransom Note
----------- [ Hello! ] -------------> ******BY VASA LOCKER******

What happend?
----------------------------------------------
Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network. Follow our instructions below and you will recover all your data. If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web.

What guarantees?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us.

How to contact us?
----------------------------------------------
Using EMAIL:
1) Open your mail
2) Write us: babukrip@protonmail.ch
YOUR PERSONAL ID, ATTACH IT: 68cec336353fd2a20ada2b48cf14dc1ff5ec6d4dc81d6f01706bd6839edcd0a330e182b45c3bc25262b8dc0682d770ed3aabd477167e85d214f9ce8bdb5cf2fa5d8a21cf9082fb0369dbe26e0b74666aa1cdb1b7b35b97ff5a56ef079544c9ad59261f6ce39866bba761fc6dfed8aabc4e142277e5eae052f54b86d92bc3edddd600a2ebae6dfff4f606eea50a2adb05

!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !
Emails

babukrip@protonmail.ch

Extracted

Path

\??\M:\DECR.TXT

Ransom Note
----------- [ Hello! ] -------------> ******BY VASA LOCKER******

What happend?
----------------------------------------------
Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network. Follow our instructions below and you will recover all your data. If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web.

What guarantees?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us.

How to contact us?
----------------------------------------------
Using EMAIL:
1) Open your mail
2) Write us: babukrip@protonmail.ch
YOUR PERSONAL ID, ATTACH IT: 76aeabd3ac86093455b0158b5ee87436360a456d0edf0775e6fd9e555271891c27c6d1a1873241f27c2eb90356fedcd6bf213fc92334c2346d13fceb53ddaa4ad0792a92663e33078fc8ad007e46b594bcbd1fa6fb2b9ce31ddf302dc041aa6dff3d7fece77d0cce5775c7c46ef24b46bf78faceeec4eefb99d874ad59921eb58727b89ef11bfbfec942bbe660987105

!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !
Emails

babukrip@protonmail.ch

Targets

    • Target

      06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.exe

    • Size

      27KB

    • MD5

      015e93d82958f4edbc4c8807eeefc430

    • SHA1

      9517634369b86197f14ae25ffa69a138ab6fe446

    • SHA256

      06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6

    • SHA512

      fa9fc3f5565eb6f84331fb068b70b110aefd87d73ec5c9fabda0819886dca3617dbe4b712eda1a68254352f931cd6bca6c4878d515a793697ae410e19884ebbd

    Score
    10/10
    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 1

  • Peripheral Device Discovery (T1120): 1

  • System Information Discovery (T1082): 1

Tasks