General

  • Target

    wyooy@aol.com.exe

  • Size

    1.3MB

  • Sample

    210414-wmpsdm8tyj

  • MD5

    645d774a869c582b2c46beed455321d4

  • SHA1

    e94862c25377373f54ce668051df0d95d3746514

  • SHA256

    21420b8630260dae7f0ea14a319a8b3ae6910def98599109b365f710e835b9c4

  • SHA512

    2c7cc053ed79e52f7e2ae508d2d832e6efa0b9a24dc71158fbc25d829c3d9ad8aa8f5c04e7fff94152dacc04cc1d7604da147ee201d900efcbcc62fe95f15b81

Malware Config

Extracted

Path

C:\Users\Public\Desktop\Decrypt-me.txt

Ransom Note

All Your Files Has Been Encrypted You Have to Pay to Get Your Files Back
1-Go to C:\ProgramData\ folder and send us prvkey*.txt.key file , * might be a number (like this : prvkey3.txt.key)
2-You can send some file little than 1mb for Decryption test to trust us But the test File should not contain valuable data
3-Payment should be with Bitcoin
4-Changing Windows without saving prvkey.txt.key file will cause permanete Data loss
Our Email:wyooy@tutanota.com
in Case of no Answer:wyooy@aol.com
Emails

Email:wyooy@tutanota.com

Answer:wyooy@aol.com

Targets

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Modify Existing Service, T1031 (1)

  • Credential Access: Credentials in Files, T1081 (1)

  • Collection: Data from Local System, T1005 (1)

Tasks