Overview

overview

10

Static

static

8

d85188c58acb39...in.exe

windows7_x64

10

d85188c58acb39...in.exe

windows10_x64

10
General
Target

d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a.bin

Size

2MB

Sample

210317-6vkqva8c6a

Score
10/10
MD5

1a2978ce842c0d4c2fc309801cbbcabb

SHA1

45adb2e2ee26e9221b76e71180dc955b7c9eff70

SHA256

d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a

SHA512

5cefd6c89153259835cdd0e4be1c68bf61ccf25c63c8a2bcf78e0bcbde354ca588e39e06699820ca4da488f3e69a14e04f89d25cd1be6c01c80fb210f9da23ac

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR FILES.TXT
Ransom Note
Hello! All your files are encrypted and only we can decrypt them. Contact us: legalrestore@airmail.cc or master1restore@cock.li Write us if you want to return your files - we can do it very quickly! The header of letter must contain extension of encrypted files. We always reply within 24 hours. If not - check spam folder, resend your letter or try send letter from another email service (like protonmail.com). Attention! Do not rename or edit encrypted files: you may have permanent data loss. Do not edit or delete any virtual machines files To prove that we can recover your files, we am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups). HURRY UP! If you do not email us in the next 48 hours then your data may be lost permanently.
Emails

legalrestore@airmail.cc

master1restore@cock.li
Targets
Target

d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a.bin

MD5

1a2978ce842c0d4c2fc309801cbbcabb

Filesize

2MB

Score
10/10
SHA1

45adb2e2ee26e9221b76e71180dc955b7c9eff70

SHA256

d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a

SHA512

5cefd6c89153259835cdd0e4be1c68bf61ccf25c63c8a2bcf78e0bcbde354ca588e39e06699820ca4da488f3e69a14e04f89d25cd1be6c01c80fb210f9da23ac

Tags

Signatures

  • Detecting the common Go functions and variables names used by Snatch ransomware

  • Snatch Ransomware

    Description

    Ransomware family generally distributed through RDP bruteforce attacks.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Drops startup file

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files

Related Tasks

behavioral1behavioral2
MITRE ATT&CK Matrix
Collection
Command and Control
    Credential Access
    Defense Evasion
    Discovery
      Execution
        Exfiltration
          Impact
          Initial Access
            Lateral Movement
              Persistence
                Privilege Escalation
                  Tasks

                  static1

                  Score
                  8/10

                  behavioral1

                  Score
                  10/10

                  behavioral2

                  Score
                  10/10