General

  • Target

    lsass.exe

  • Size

    115KB

  • Sample

    210408-nwgl3k13nj

  • MD5

    5a73d01f81ff11ec92dbc2233c05e15f

  • SHA1

    1a05f691f72406155136ecfdf5ddee8e9bfa20ce

  • SHA256

    68ea179770a48ab47976303c9b6db79df2a5213b505fa913201ee6ceabf63a76

  • SHA512

    b58097ddc44ef98d7db107634c1fc8db18b0e1828096e8304aa5864bc14fda3fdc82d69c631c8af39cfbc32a23d6795b3a9d4b717f99860fa7b6bb048fcaecf1

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\DecryptGuide.txt

Ransom Note

[ATTENTION] All of your files are encrypted with RSA-2048 and AES-128 ciphers. Decrypting of your files is only possible with the private key and decrypt program. Backups were either encrypted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. No decryption software is available in the public. DO NOT RESET OR SHUTDOWN -files may be damaged. DO NOT DELETE this file. To confirm your decryption software, please send 2 or 3 different random files and you will get them decrypted. To get decryption, please contact us. ha7medtit@tutanota.com or araujosantos@protonmail.com You will receive btc address for payment in the reply letter. !!!Your CODE is : AAABAFxXlqBiGEoIVCFtKr20ZRvXxz
Emails

ha7medtit@tutanota.com

araujosantos@protonmail.com

Targets

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic              Technique                      Count  ID
Defense Evasion     File Deletion                  2      T1107
Credential Access   Credentials in Files           1      T1081
Discovery           System Information Discovery   1      T1082
Collection          Data from Local System         1      T1005
Impact              Inhibit System Recovery        2      T1490
