3232021_hades_rsw_4984662693543936.zip

General
Target

3232021_hades_rsw_4984662693543936.zip

Size

1MB

Sample

210323-ka7t5jjsqn

Score
10 /10
MD5

10997bc7a7bf59f8041090d1a311263a

SHA1

e6c1f47546a2a171f1a5d645437a737b84384c59

SHA256

3ed8520133ace271da2ac9bf9655151d5c7b7d5507434900c7573fbd468a521f

SHA512

7ef99fee9b9e98b9f1e12f76a05a0d8e049d986cc244dd2fcc7254c89fb7b06aa94070ccec46a831130376a75345a23feda797d091044dd5034225191437d2a6

Malware Config

Extracted

Path C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt
Ransom Note
[+] What happened? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has extension *.gn9cj By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant get back your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] Using a TOR browser! - Download and install TOR browser from this site: hxxps://torproject.org/ - Open our website: hxxp://khfsk3ffg3av3rha.onion - Follow the on-screen instructions Extension name: *.gn9cj ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) will make everything possible for restoring, but please do not interfere. !!! !!! !!! ��
Targets
Target

fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87

MD5

9fa1ba3e7d6e32f240c790753cdaaf8e

Filesize

1MB

Score
10 /10
SHA1

7bcea3fbfcb4c170c57c9050499e1fae40f5d731

SHA256

fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87

SHA512

8d2fb58cb8776ead15f445671431eae13a00b48921e545c7ecbf91829015d818d663d9369f181de669ebb771b113c2f675c3a156fac5ede019b5fad9cb8c65fe

Tags

Signatures

  • CryptOne packer

    Description

    Detects CryptOne packer defined in NCC blogpost.

    Tags

  • Executes dropped EXE

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Deletes itself

  • Loads dropped DLL

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Discovery
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                      Privilege Escalation
                        Tasks

                        static1

                        9/10

                        behavioral1

                        10/10

                        behavioral2

                        10/10