Overview

overview

10

Static

static

8

cadbbf76fd...le.exe

windows7_x64

10

cadbbf76fd...le.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample

  • Size

    369KB

  • Sample

    210218-4g6b8z6m52

  • MD5

    df919a46da2377f913e99fa5d4997ae9

  • SHA1

    03cd2235f0e68f297020dd40ad48395fad78bd8d

  • SHA256

    cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536

  • SHA512

    22870750ef402c958353faefaaa77d4549c3d3a6f1f0bf36da77d881db0d0f5ebdb758e5cef21629f407d80e155dad62de747c472624424436125ba3835e9a61

Score
10/10
evasionpersistenceransomwarespywareupx

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\HOW_TO_RETURN_FILES.txt

Ransom Note
Dear manager, your database server has been locked, your databases files are encrypted and you have unfortunately "lost" all your data, Encryption was produced using unique key AES-256 generated for this server. To decrypt files you need to obtain the decryption key and tool. All encrypted files ends with .charm To obtain the program for this server, which will decrypt all files, you need to write me to email: "[email protected]" Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it - it's your guarantee that we have decryption tool. And send us your userkey We don't know who are you, All what we need is some money. Don't panic if we don't answer you during 24 hours. It means that we didn't received your letter and write us again. You can use one of that bitcoin exchangers for transfering bitcoin: https://localbitcoins.com https://www.kraken.com You dont need install bitcoin programs - you need only use one of this exchangers or other exchanger that you can find in www.google.com for your country. Please use english language in your letters. If you don't speak english then use https://translate.google.com to translate your letter on english language. You don't have enough time to think each day payment will increase and after one week your key will be deleted and your files will be locked forever. USERKEY: kZLnCucHvzB6094DFvYv/scHXO3lH8+q2SlGrWjRi80WNMlBxDbT/2H/petXbjN4frj+i1RsgLBAdbiVS5IXGLR8dt7hERf5SKyiDzD3+2q00PjYosmxkNzs+ysI82jmvdOvlVKCejlbKSCXF59JKhKxjYPxjzrLLExIkyplTbu3liT+sJ6/DSeQENfWrVLzk9aL/LNB8Njw/oUp/LinIVTA7e2prhrWwOG5xfSVyQaxlt1pjP9XiOmP2cAhRjImlc9ICG7QWR68ZhAHLKhtKWFRM7dpI2fgFSDxnTbikpGHO70BBp1GoXK6rJSdJt4OAu4adwxrVZsjBR08HtlAlQ==

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\HOW_TO_RETURN_FILES.txt

Ransom Note
Dear manager, your database server has been locked, your databases files are encrypted and you have unfortunately "lost" all your data, Encryption was produced using unique key AES-256 generated for this server. To decrypt files you need to obtain the decryption key and tool. All encrypted files ends with .charm To obtain the program for this server, which will decrypt all files, you need to write me to email: "[email protected]" Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it - it's your guarantee that we have decryption tool. And send us your userkey We don't know who are you, All what we need is some money. Don't panic if we don't answer you during 24 hours. It means that we didn't received your letter and write us again. You can use one of that bitcoin exchangers for transfering bitcoin: https://localbitcoins.com https://www.kraken.com You dont need install bitcoin programs - you need only use one of this exchangers or other exchanger that you can find in www.google.com for your country. Please use english language in your letters. If you don't speak english then use https://translate.google.com to translate your letter on english language. You don't have enough time to think each day payment will increase and after one week your key will be deleted and your files will be locked forever. USERKEY: j92xYyLZ2hUU4FwOF2bixUvmJPUjvO2WMwwGDR2xsEv9MNpLR9wqdF2IxUteHr+w2oqSAiWToKT942Dv87697KAyfZEsxFnudxWoee+5NpNcIlPdQT3pgWi7ZDHnRkGjKZDbiOuOXzdGeKwOFxPCZUOKFpdOfRMtl2PrU6W+8PyCEUygNbIilpl3NQy2XMiIM29UtLmNSBDmaRuinTJy9pwqTeCBl9lOtGVpYwkMeHScorY/sTEW0siEHNemhKIi/DbQa7tU6CkDTmZzLmygAbR/XUO0zRloCWjdGpqO730OH+EbLK54Q61TM0gYZ0MYmEl5z4SXK3pnltfYzULF5g==

Targets

    • Target

      cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample

    • Size

      369KB

    • MD5

      df919a46da2377f913e99fa5d4997ae9

    • SHA1

      03cd2235f0e68f297020dd40ad48395fad78bd8d

    • SHA256

      cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536

    • SHA512

      22870750ef402c958353faefaaa77d4549c3d3a6f1f0bf36da77d881db0d0f5ebdb758e5cef21629f407d80e155dad62de747c472624424436125ba3835e9a61

    Score
    10/10
    evasionpersistenceransomwarespyware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies Installed Components in the registry

      persistence

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Stops running service(s)

      evasion

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks