Overview

overview

10

Static

static

_$.exe

windows7_x64

10

_$.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    _$.exe.zip

  • Size

    22KB

  • Sample

    210213-gsaw9fjqrs

  • MD5

    83d23f7379c2f29b200913b3b41e4a07

  • SHA1

    b3e5d9084b1e57fa02e23c46c386211201cbc86c

  • SHA256

    4c7a879639151a8b87a1476f65f88a959b9afbaebd179665f0da955e447b534d

  • SHA512

    3b21914170fbd4b578e06628c6b8f2a0f6236efb9cf6978995fb758505ef23dbd0b8094967a6b2e78e5e8fccaeea129b29acc77dd3dad07fb91b58dbf5f33c19

Score
10/10
ransomwarespyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\info.hta

Ransom Note
🔒 ALL YOUR DATA TURNED TO USELESS BINARY CODE 🔒 Your computer is infected with a virus. Send an email [email protected] , specify in the subject your unique identifier B7TTYMZA and you will definitly be helped to recover. NOTE: You can send 2 files as proof that we can return all your data. If the provided email doesn't work, please contact us at [email protected] Algorithms used are AES and RSA. IMPORTANT: 1. The infection was due to vulnerabilities in your software. 2. If you want to make sure that it is impossible to recover files using third-party software, do this not on all files, otherwise you may lose all data. 3. Only communication through our email can guarantee file recover for you. We are not responsible for the actions of third parties who promise to help you - most often they are scammers. 4. Please, do not try to rename encrypted files. 5. Our goal is to return your data, but if you don't contact us, we will not succeed.

Extracted

Path

C:\Users\Admin\Desktop\info.hta

Ransom Note
🔒 ALL YOUR DATA TURNED TO USELESS BINARY CODE 🔒 Your computer is infected with a virus. Send an email [email protected] , specify in the subject your unique identifier ESM8IZN6 and you will definitly be helped to recover. NOTE: You can send 2 files as proof that we can return all your data. If the provided email doesn't work, please contact us at [email protected] Algorithms used are AES and RSA. IMPORTANT: 1. The infection was due to vulnerabilities in your software. 2. If you want to make sure that it is impossible to recover files using third-party software, do this not on all files, otherwise you may lose all data. 3. Only communication through our email can guarantee file recover for you. We are not responsible for the actions of third parties who promise to help you - most often they are scammers. 4. Please, do not try to rename encrypted files. 5. Our goal is to return your data, but if you don't contact us, we will not succeed.

Targets

    • Target

      _$.exe

    • Size

      50KB

    • MD5

      7c93a02c3a90f915530df1acaa07fec9

    • SHA1

      1353fc85e84a431d43e519c8eef3d789b2a84be5

    • SHA256

      db5964ee570a1cbcbd1a0c7c8a7e4aadb44f64c27061ab25fde24a7f21d73f45

    • SHA512

      e8fa76667098d6d9caf3348dfd784ad68e14f44879d0a25a087486599478debc7f337669e16b444e3e056368faf7036ff39a2c60beb408af4bca2d4d151608f2

    Score
    10/10
    ransomwarespyware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks