Overview

overview

10

Static

static

7

444.exe

windows7_x64

10

444.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    444.exe

  • Size

    2.2MB

  • Sample

    210219-mxb43kvcga

  • MD5

    eb154d544f8cb7aeac7700100bfe7c1a

  • SHA1

    5bc2d79943de6b47768db926704e21e88cb95aa2

  • SHA256

    e97c6e05b1a3d287151638ffe86229597b188f9aa6d34db255f08dbc11dbfbd8

  • SHA512

    22964c627143afba28b6b4f05bb93867edabe9842090c85cbc193ef957e26a2cf60660e6f98fbeb8218f5876cfcdb382094c537539e7709014ddc9bef8a2d165

Score
10/10
discoveryevasionpersistenceransomwarethemidatrojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\HOW_TO_RECOVER_YOUR_FILES.txt

Ransom Note
Your files is safely locked and automatically backup on our servers to unlock your files and get your password send this exact amount in 48 hours: 10 BTC ATTENTION: You just have 48 hours at the end of this period if you not pay this fee all of your personal files and data will be published on our WALL OF SHAME as public on internet. YOU CAN CONTACT WITH US INSTANT OVER ON TELEGRAM: AlumniLocker Bitcoin address for payment: 35LikWJCjvfHWDZezZXswgqNeuT6gv36YM All your data will UNLOCK automatically after the payment if you have any problem or question feel free to contact with us after the payment. TELEGRAM: AlumniLocker E-MAIL: [email protected] WALL OF SHAME URL: http://alumnilou7kzo4vzdedsoe6wnxoggbzsxk7qgnmmlsrf4mzuqchwsjid.onion IMPORTANT NOTE: DO NOT CONTACT WITH US BEFORE THE PAYMENT! We not reply messages without payment proof if you want to get answer have to send your payment proof as a screenshot. WHERE YOU CAN GET BITCOIN? www.localbitcoins.com www.paxful.com www.binance.com www.coinbase.com Key Identifier: SBylrZZY2rCNTq17EDhLqAGo6TEqvXsIRxu0X0yK0FOPh+FMIXZ5sV9xs1vBQe3G5lHGK04EC546y3uVZiprd884T/hm3uJAwGK5htbTVPn3GWtgt46YRNcOfHhqS0hfPiZ02zQ7z4/4lCRVDGzVrTBGKWXi9LZUFzThfJprgJS9tPu5mXCY0oB5ZF2BMte06/l2Grs1OwE9dXAnfzfs8C4XT5wf0ua8F2Qlf8YT8NfVU6I55PkEeJsrOGjC8J92it5YOIuQm9eFpWH7+oKT57N22gWmGqsCg8O5TMXSlLOA0nu23C6d6fcZRN47luPI9BkURrcqRYzWSO4FwdwGfPD2c9WAAAwbjPpdavPqQhN3tNOSXXLcdbEJabtQBVAF0QpdddlGmEfTv2hjG5PFC4T62Mcn5WKyCRLAgXq9C8C/sDDR3jecuP1aS2A6zMZOd+/69iVbR+V2pz6mo9lYuV+vCPZK3oLE51F0+ygSrCC8/Ctmak4Jeh7eZUDyUkaKYMCnoQvc8XgCZttTCIFj02hj08N5Bd1eIkBQVTU/pHq0cVRqVeZLgcBkwBzXCdsFg5m2k07NgUyZrDktkt9k0Zw+DliL/nGlfkdY/WS1XV9rk7RwnXYAedbaI7FadnGBLj6MtjwyRx1MAt69eS5LuM5q/ywkm6zD1jxUTzQULM4=
Wallets

35LikWJCjvfHWDZezZXswgqNeuT6gv36YM

URLs

http://alumnilou7kzo4vzdedsoe6wnxoggbzsxk7qgnmmlsrf4mzuqchwsjid.onion

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_RECOVER_YOUR_FILES.txt

Ransom Note
Your files is safely locked and automatically backup on our servers to unlock your files and get your password send this exact amount in 48 hours: 10 BTC ATTENTION: You just have 48 hours at the end of this period if you not pay this fee all of your personal files and data will be published on our WALL OF SHAME as public on internet. YOU CAN CONTACT WITH US INSTANT OVER ON TELEGRAM: AlumniLocker Bitcoin address for payment: 35LikWJCjvfHWDZezZXswgqNeuT6gv36YM All your data will UNLOCK automatically after the payment if you have any problem or question feel free to contact with us after the payment. TELEGRAM: AlumniLocker E-MAIL: [email protected] WALL OF SHAME URL: http://alumnilou7kzo4vzdedsoe6wnxoggbzsxk7qgnmmlsrf4mzuqchwsjid.onion IMPORTANT NOTE: DO NOT CONTACT WITH US BEFORE THE PAYMENT! We not reply messages without payment proof if you want to get answer have to send your payment proof as a screenshot. WHERE YOU CAN GET BITCOIN? www.localbitcoins.com www.paxful.com www.binance.com www.coinbase.com Key Identifier: SBylrZZY2rCNTq17EDhLqAGo6TEqvXsIRxu0X0yK0FOPh+FMIXZ5sV9xs1vBQe3G5lHGK04EC546y3uVZiprd884T/hm3uJAwGK5htbTVPn3GWtgt46YRNcOfHhqS0hfPiZ02zQ7z4/4lCRVDGzVrTBGKWXi9LZUFzThfJprgJS9tPu5mXCY0oB5ZF2BMte06/l2Grs1OwE9dXAnfzfs8C4XT5wf0ua8F2Qlf8YT8NfVU6I55PkEeJsrOGjC8J92it5YOIuQm9eFpWH7+oKT57N22gWmGqsCg8O5TMXSlLOA0nu23C6d6fcZRN47luPI9BkURrcqRYzWSO4FwdwGfPD2c9WAAAwbjPpdavPqQhN3tNOSXXLcdbEJabtQBVAF0QpdddlGmEfTv2hjG5PFC4T62Mcn5WKyCRLAgXq9C8C/sDDR3jecuP1aS2A6zMZOd+/69iVbR+V2pz6mo9lYuV+vCPZK3oLE51F0+ygSrCC8/Ctmak4Jeh7eZUDyUkaKYMCnoQvc8XgCZttTCIFj02hj08N5Bd1eIkBQVTU/pHq0cVRqVeZLgcBkwBzXCdsFg5m2k07NgUyZrDktkt9k0Zw+DliL/nGlfkdY/WS1XV9rk7RwnXYAedbaI7FadnGBLj6MtjwyRx1MAt69eS5LuM5q/ywkm6zD1jxUTzQULM4= Number of files that were processed is: 478
Wallets

35LikWJCjvfHWDZezZXswgqNeuT6gv36YM

URLs

http://alumnilou7kzo4vzdedsoe6wnxoggbzsxk7qgnmmlsrf4mzuqchwsjid.onion

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\HOW_TO_RECOVER_YOUR_FILES.txt

Ransom Note
Your files is safely locked and automatically backup on our servers to unlock your files and get your password send this exact amount in 48 hours: 10 BTC ATTENTION: You just have 48 hours at the end of this period if you not pay this fee all of your personal files and data will be published on our WALL OF SHAME as public on internet. YOU CAN CONTACT WITH US INSTANT OVER ON TELEGRAM: AlumniLocker Bitcoin address for payment: 35LikWJCjvfHWDZezZXswgqNeuT6gv36YM All your data will UNLOCK automatically after the payment if you have any problem or question feel free to contact with us after the payment. TELEGRAM: AlumniLocker E-MAIL: [email protected] WALL OF SHAME URL: http://alumnilou7kzo4vzdedsoe6wnxoggbzsxk7qgnmmlsrf4mzuqchwsjid.onion IMPORTANT NOTE: DO NOT CONTACT WITH US BEFORE THE PAYMENT! We not reply messages without payment proof if you want to get answer have to send your payment proof as a screenshot. WHERE YOU CAN GET BITCOIN? www.localbitcoins.com www.paxful.com www.binance.com www.coinbase.com Key Identifier: iXmNfDd/Sf/yVYhho1ZNHZgU0TFoIjhX7OPZ3tbuS8mWzGX397EtwErPgQsaPPswvEAntdz9OkEEnK6O4a93EFUNyj2w1ChzDWhtusnaHxcKBOkuzSEaVVPed6F4Etsu3GfE0ePXOD/CS0Kuc/iRYwBhwTxG14dk2o7td6CJ4R/jiszh9XMQXQSjYCcjPCzdwW1ZHEB++IooKiFCEHTYouQKdfew+X4junrAkWASqjjfS8s1sIG6B/2S9JXDrQLld1JKIxczv4vML9pX6IGED9fkh046vEyLjisltk7Yl4pqilOFtwWec6R1eUMIjHTct71WmZzHtnRePNa6bzuNJezo664k84ty5E2HfrLJNugJ8mTHniMxhYb2esLOgtWyMg/xTY+Lr7Kp4gX7igVtGOWMdoEAoUJlCSyu+vMWXQDkoUv2btrTmsd1rqbEipIEVo9WvtNUEL1F1T213JvRix4DLm/EnwlmkAYbFQX1nM7zQVAQAXTNS0dA+AFOdKXlxnpe7ryzTZqnzbvTctp7OQU7/eg6PwqcxNR4JD3IIh47op5CQeYcvLqUExLBG3UthP+8TrdWx6h01xsPIT4zOd+X7Fs7zmncuJqq1dl7Smbd4KvxcFQeEWlqxy9KGwkRnlUqXy5OXuCJsN2w6ichIJN/0Lajxu6PeoZkXr22kco=
Wallets

35LikWJCjvfHWDZezZXswgqNeuT6gv36YM

URLs

http://alumnilou7kzo4vzdedsoe6wnxoggbzsxk7qgnmmlsrf4mzuqchwsjid.onion

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_RECOVER_YOUR_FILES.txt

Ransom Note
Your files is safely locked and automatically backup on our servers to unlock your files and get your password send this exact amount in 48 hours: 10 BTC ATTENTION: You just have 48 hours at the end of this period if you not pay this fee all of your personal files and data will be published on our WALL OF SHAME as public on internet. YOU CAN CONTACT WITH US INSTANT OVER ON TELEGRAM: AlumniLocker Bitcoin address for payment: 35LikWJCjvfHWDZezZXswgqNeuT6gv36YM All your data will UNLOCK automatically after the payment if you have any problem or question feel free to contact with us after the payment. TELEGRAM: AlumniLocker E-MAIL: [email protected] WALL OF SHAME URL: http://alumnilou7kzo4vzdedsoe6wnxoggbzsxk7qgnmmlsrf4mzuqchwsjid.onion IMPORTANT NOTE: DO NOT CONTACT WITH US BEFORE THE PAYMENT! We not reply messages without payment proof if you want to get answer have to send your payment proof as a screenshot. WHERE YOU CAN GET BITCOIN? www.localbitcoins.com www.paxful.com www.binance.com www.coinbase.com Key Identifier: iXmNfDd/Sf/yVYhho1ZNHZgU0TFoIjhX7OPZ3tbuS8mWzGX397EtwErPgQsaPPswvEAntdz9OkEEnK6O4a93EFUNyj2w1ChzDWhtusnaHxcKBOkuzSEaVVPed6F4Etsu3GfE0ePXOD/CS0Kuc/iRYwBhwTxG14dk2o7td6CJ4R/jiszh9XMQXQSjYCcjPCzdwW1ZHEB++IooKiFCEHTYouQKdfew+X4junrAkWASqjjfS8s1sIG6B/2S9JXDrQLld1JKIxczv4vML9pX6IGED9fkh046vEyLjisltk7Yl4pqilOFtwWec6R1eUMIjHTct71WmZzHtnRePNa6bzuNJezo664k84ty5E2HfrLJNugJ8mTHniMxhYb2esLOgtWyMg/xTY+Lr7Kp4gX7igVtGOWMdoEAoUJlCSyu+vMWXQDkoUv2btrTmsd1rqbEipIEVo9WvtNUEL1F1T213JvRix4DLm/EnwlmkAYbFQX1nM7zQVAQAXTNS0dA+AFOdKXlxnpe7ryzTZqnzbvTctp7OQU7/eg6PwqcxNR4JD3IIh47op5CQeYcvLqUExLBG3UthP+8TrdWx6h01xsPIT4zOd+X7Fs7zmncuJqq1dl7Smbd4KvxcFQeEWlqxy9KGwkRnlUqXy5OXuCJsN2w6ichIJN/0Lajxu6PeoZkXr22kco= Number of files that were processed is: 1782
Wallets

35LikWJCjvfHWDZezZXswgqNeuT6gv36YM

URLs

http://alumnilou7kzo4vzdedsoe6wnxoggbzsxk7qgnmmlsrf4mzuqchwsjid.onion

Targets

    • Target

      444.exe

    • Size

      2.2MB

    • MD5

      eb154d544f8cb7aeac7700100bfe7c1a

    • SHA1

      5bc2d79943de6b47768db926704e21e88cb95aa2

    • SHA256

      e97c6e05b1a3d287151638ffe86229597b188f9aa6d34db255f08dbc11dbfbd8

    • SHA512

      22964c627143afba28b6b4f05bb93867edabe9842090c85cbc193ef957e26a2cf60660e6f98fbeb8218f5876cfcdb382094c537539e7709014ddc9bef8a2d165

    Score
    10/10
    evasionpersistenceransomwarethemidatrojandiscovery

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Modifies Windows Firewall

      evasion

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Modifies file permissions

      discovery

    • themida

      Detects Themida, Advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Modifies WinLogon

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks