Resubmissions

11-03-2021 10:45

210311-swwxrhg7f6 10

10-03-2021 22:39

210310-fs8l6vc2hj 10

28-01-2021 09:49

210128-b3gdrfb24s 10

General

  • Target

    58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe

  • Size

    29KB

  • Sample

    210128-b3gdrfb24s

  • MD5

    67e49cfcd12103b5ef2f9f331f092dbe

  • SHA1

    72cad5a81ce546b42844b5b8fc2ab55e99f2b5d4

  • SHA256

    58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053

  • SHA512

    21fa0d1be0d5be2da8c4c68357e1e294503d87c21a304c5811669eaa9aba29b6cfcd077d083547e2f41269b12c6a8da5ad2ea0f1613d9a96917ea01c69fcb087

Score
10/10

Malware Config

Extracted

Path

C:\MSOCache\How To Restore Your Files.txt

Ransom Note
Hello! serco.com, we are the BABUK team and you have big security problems, we are not a government hackers, we are only interested in money. We've been surfing inside your network for about 3 weeks and copied more than 1 TB of your data. Down below you can see screenshots of the data we stole. We strongly recommend you to get us in touch and discuss the details of the future deal in our private chat: * How to contact us? ---------------------------------------------- 1) Download Tor browser: https://www.torproject.org/download/ 2) Open it 3) Follow this link in tor browser: http://babukq4e2p4wu4iq.onion/login.php?id=dKK7wnOiVHoXdqSrVcb1gxKpC9JICQ We can provide you any amount of proofs of data we stole, in case we do not come to any agreement or you won't text us in near five days, the data will be published in our blog. Links to this blog is private now, but how fast it become public depends only from you. http://gtmx56k4hutn3ikv.onion/?dUIel0o8kfjZf4zUHDbm About the consequences that can appear in case if you won't cooperate with us to resolve this situation: -The price of your stocks will fall down and you will loose much more money than the amount we ask. -Your partners such as NATO, or Belgian Army or anyone else won't be so happy that their secret documents are in free access in the internet. Who knows how the third party can use those documents, we are not responsible for that. -GDPR will arrange the revision of your company and the outcome they figure out will make you cry, this is a fact. -Part of your systems will stay locked and you can't recover it and few years of labor of your employees become meaningless. https://temp.sh/fVAxj/1.png https://temp.sh/VZRcj/2.png https://temp.sh/qpkLy/3.png https://temp.sh/hPkTt/4.png https://temp.sh/ENvac/5.png https://temp.sh/YzAJd/6.png https://temp.sh/eBGdx/7.png https://temp.sh/KAXUW/8.png
URLs

http://babukq4e2p4wu4iq.onion/login.php?id=dKK7wnOiVHoXdqSrVcb1gxKpC9JICQ

http://gtmx56k4hutn3ikv.onion/?dUIel0o8kfjZf4zUHDbm

https://temp.sh/fVAxj/1.png

https://temp.sh/VZRcj/2.png

https://temp.sh/qpkLy/3.png

https://temp.sh/hPkTt/4.png

https://temp.sh/ENvac/5.png

https://temp.sh/YzAJd/6.png

https://temp.sh/eBGdx/7.png

https://temp.sh/KAXUW/8.png

Targets

    • Target

      58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053.exe

    • Size

      29KB

    • MD5

      67e49cfcd12103b5ef2f9f331f092dbe

    • SHA1

      72cad5a81ce546b42844b5b8fc2ab55e99f2b5d4

    • SHA256

      58ccba4fb2b3ed8b5f92adddd6ee331a6afdedfc755145e0432a7cb324c28053

    • SHA512

      21fa0d1be0d5be2da8c4c68357e1e294503d87c21a304c5811669eaa9aba29b6cfcd077d083547e2f41269b12c6a8da5ad2ea0f1613d9a96917ea01c69fcb087

    Score
    10/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

MITRE ATT&CK Enterprise v6

Tasks