General

  • Target

    074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe

  • Size

    242KB

  • Sample

    210416-qf93e4jd22

  • MD5

    c5d02a59e543e126359998b982e87d45

  • SHA1

    e6960b254e0215493a29471949b1ff84b6da1b59

  • SHA256

    074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51

  • SHA512

    6fc4f510ab3f13e0ab49d0b46b4b7a440de33b693ba6d20c6459dd59721363fbbda59975a51f78fa85d2f452fcc519595b83d80ae580c00ab75d80adbc214721

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\!files-recovery.txt

Ransom Note
---> ? Corona Viruse ? <--- !Attention! Please read this important instruction.
All your content, files, photos, documents, databases, and other important files are encrypted.
All your encrypted files have extension: .covid
This is all very sad. The only method of recovering files is to purchase an unique private Key. Only we can give you this Key and only we can recover your files.
The server with your hHkey is in a closed network. You can get there by the following ways:
- - -
[1] - Download TOR browser link - > https://www.torproject.org
[2] - Install TOR browser on your computer
[3] - Open TOR browser
[4] - When you open personal page, upload hid.dat file
[5] - You can find this file in any encrypted folder
[6] - You can find this file on your desktop
[7] - Follow instruction on personal page
[8] - Warning: this website is available via TOR Browser only!
[9] - Also! At this page you will be able to restore any one file for free!
[*] - In Tor Browser open personal page here: http://silveoa6gm.temp.swtest.ru/gate.php?advertid=7&name=BAT847R6DTUBSX
- - -
[*] - Alternative Browser : http://silveoa6gm.temp.swtest.ru/gate.php?advertid=7&name=BAT847R6DTUBSX
URLs

http://silveoa6gm.temp.swtest.ru/gate.php?advertid=7&name=BAT847R6DTUBSX

Extracted

Path

C:\Users\Public\Videos\Sample Videos\!files-recovery.txt

Ransom Note
---> ? Corona Viruse ? <--- !Attention! Please read this important instruction.
All your content, files, photos, documents, databases, and other important files are encrypted.
All your encrypted files have extension: .covid
This is all very sad. The only method of recovering files is to purchase an unique private Key. Only we can give you this Key and only we can recover your files.
The server with your hHkey is in a closed network. You can get there by the following ways:
- - -
[1] - Download TOR browser link - > https://www.torproject.org
[2] - Install TOR browser on your computer
[3] - Open TOR browser
[4] - When you open personal page, upload hid.dat file
[5] - You can find this file in any encrypted folder
[6] - You can find this file on your desktop
[7] - Follow instruction on personal page
[8] - Warning: this website is available via TOR Browser only!
[9] - Also! At this page you will be able to restore any one file for free!
[*] - In Tor Browser open personal page here: http://silveoa6gm.temp.swtest.ru/gate.php?advertid=7&name=RORLGF2TRYJKRN
- - -
[*] - Alternative Browser : http://silveoa6gm.temp.swtest.ru/gate.php?advertid=7&name=RORLGF2TRYJKRN
URLs

http://silveoa6gm.temp.swtest.ru/gate.php?advertid=7&name=RORLGF2TRYJKRN
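The two extracted notes are word-for-word identical except for the name= value in the gate URL, so the victim identifier is generated per note copy rather than once per host. The following is an added example, written for this page and not tooling from the sandbox or from the malware, that pulls the encrypted-file extension, the key-blob file name the note asks for (hid.dat), the gate host and every victim identifier out of the dropped notes and emits defanged IOCs. It uses the note text shown above, rebuilt from one template with the name= value substituted; the torproject.org link is treated as an instruction, not attacker infrastructure. Function and variable names are this example's own.

```python
import re
from urllib.parse import parse_qs, urlparse

# Text of !files-recovery.txt as shown in the report. The two dropped copies
# differ only in the name= value of the gate URL, so both are rebuilt from one
# template with the victim identifier substituted.
NOTE_TEMPLATE = (
    "---> ? Corona Viruse ? <--- !Attention! Please read this important instruction. "
    "All your content, files, photos, documents, databases, and other important files are encrypted. "
    "All your encrypted files have extension: .covid This is all very sad. "
    "The only method of recovering files is to purchase an unique private Key. "
    "Only we can give you this Key and only we can recover your files. "
    "The server with your hHkey is in a closed network. You can get there by the following ways: - - - "
    "[1] - Download TOR browser link - > https://www.torproject.org "
    "[2] - Install TOR browser on your computer [3] - Open TOR browser "
    "[4] - When you open personal page, upload hid.dat file "
    "[5] - You can find this file in any encrypted folder [6] - You can find this file on your desktop "
    "[7] - Follow instruction on personal page [8] - Warning: this website is available via TOR Browser only! "
    "[9] - Also! At this page you will be able to restore any one file for free! "
    "[*] - In Tor Browser open personal page here: http://silveoa6gm.temp.swtest.ru/gate.php?advertid=7&name={vid} - - - "
    "[*] - Alternative Browser : http://silveoa6gm.temp.swtest.ru/gate.php?advertid=7&name={vid}"
)

NOTES = {
    r"C:\Users\Admin\AppData\Roaming\!files-recovery.txt": NOTE_TEMPLATE.format(vid="BAT847R6DTUBSX"),
    r"C:\Users\Public\Videos\Sample Videos\!files-recovery.txt": NOTE_TEMPLATE.format(vid="RORLGF2TRYJKRN"),
}

EXT_RE = re.compile(r"extension:\s*(\.[A-Za-z0-9_-]+)")
KEY_FILE_RE = re.compile(r"upload\s+(\S+)\s+file")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Hosts a note points at for instructions, not attacker infrastructure.
BENIGN_HOSTS = {"www.torproject.org", "torproject.org"}


def defang(url: str) -> str:
    """Rewrite scheme and host so the URL cannot be opened by accident."""
    p = urlparse(url)
    safe_prefix = p.scheme.replace("http", "hxxp") + "://" + p.netloc.replace(".", "[.]")
    return safe_prefix + url[len(p.scheme) + 3 + len(p.netloc):]


def extract_iocs(note: str) -> dict:
    """Extension, contact URLs and per-victim identifiers from one note."""
    urls = []
    for raw in URL_RE.findall(note):
        url = raw.rstrip(".,;)")
        if url not in urls:
            urls.append(url)
    gates = [u for u in urls if urlparse(u).netloc.lower() not in BENIGN_HOSTS]
    victim_ids, advert_ids = set(), set()
    for gate in gates:
        query = parse_qs(urlparse(gate).query)
        victim_ids.update(query.get("name", []))
        advert_ids.update(query.get("advertid", []))
    ext = EXT_RE.search(note)
    key_file = KEY_FILE_RE.search(note)
    return {
        "extension": ext.group(1) if ext else None,
        "key_file": key_file.group(1) if key_file else None,
        "gate_urls": gates,
        "gate_hosts": sorted({urlparse(u).netloc for u in gates}),
        "victim_ids": sorted(victim_ids),
        "advert_ids": sorted(advert_ids),
    }


def summarize(notes: dict) -> dict:
    """Merge IOCs from every note copy found in one run.

    The gate URL carries a different name= value in each copy, so the
    identifier is tracked per note path instead of being assumed host-wide.
    """
    extensions, key_files, hosts, adverts, defanged = set(), set(), set(), set(), set()
    per_note_ids = {}
    for path, text in notes.items():
        iocs = extract_iocs(text)
        extensions.add(iocs["extension"])
        key_files.add(iocs["key_file"])
        hosts.update(iocs["gate_hosts"])
        adverts.update(iocs["advert_ids"])
        defanged.update(defang(u) for u in iocs["gate_urls"])
        per_note_ids[path] = iocs["victim_ids"]
    all_ids = sorted({vid for ids in per_note_ids.values() for vid in ids})
    return {
        "extensions": sorted(e for e in extensions if e),
        "key_files": sorted(k for k in key_files if k),
        "gate_hosts": sorted(hosts),
        "advert_ids": sorted(adverts),
        "defanged_urls": sorted(defanged),
        "victim_ids": all_ids,
        "victim_id_per_note": per_note_ids,
        "victim_id_varies": len(all_ids) > 1,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(NOTES), indent=2))
```

Because victim_id_varies comes back true for this run, a hunt for the gate URL should match on the host and the gate.php path rather than on one full URL, and any of the name= values seen on a host should be recorded, not only the one in the first note found.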

Targets

    • Target

      074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe

    • Size

      242KB

    • MD5

      c5d02a59e543e126359998b982e87d45

    • SHA1

      e6960b254e0215493a29471949b1ff84b6da1b59

    • SHA256

      074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51

    • SHA512

      6fc4f510ab3f13e0ab49d0b46b4b7a440de33b693ba6d20c6459dd59721363fbbda59975a51f78fa85d2f452fcc519595b83d80ae580c00ab75d80adbc214721

    Score
    10/10
    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops desktop.ini file(s)
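The signatures above are the sandbox's behavioural verdicts. Below is an added example, written for this page and not code from the sandbox or from the sample, of how the same behaviour (shadow-copy deletion, a Run key, a scheduled task, execution of a dropped executable, ransom-note drops) shows up in Sysmon process-create, file-create and registry-set events and how to flag it in one pass. The events are constructed for illustration: the dropped file name, the Run key value name and the exact command lines are assumptions, since the report does not say which commands the sample ran; only the ransom-note file name comes from this report. Technique IDs follow the ATT&CK v6 numbering used in this report's matrix, plus T1486 (Data Encrypted for Impact) for the note drop, which the matrix does not list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Alert:
    technique: Optional[str]   # ATT&CK v6 ID, or None where the report has no mapping
    rule: str
    image: str
    evidence: str


# Constructed Sysmon-style events. Field names follow Sysmon (EventID 1 =
# process create, 11 = file create, 13 = registry value set); paths, value
# name and command lines are assumptions, not what the sandbox recorded.
SAMPLE_EXE = r"C:\Users\Admin\Desktop\074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\dropped.exe"   # assumed name

SAMPLE_EVENTS = [
    # the sample writes a second executable, then starts it
    {"EventID": 11, "Image": SAMPLE_EXE, "TargetFilename": DROPPED},
    {"EventID": 1, "Image": DROPPED, "ParentImage": SAMPLE_EXE, "CommandLine": f'"{DROPPED}"'},
    # persistence: Run key and a logon scheduled task
    {"EventID": 13, "Image": DROPPED,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": DROPPED},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": DROPPED,
     "CommandLine": 'schtasks.exe /create /sc onlogon /tn Updater /tr "' + DROPPED + '"'},
    # inhibit recovery
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": DROPPED,
     "CommandLine": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": DROPPED,
     "CommandLine": "wmic shadowcopy delete"},
    {"EventID": 1, "Image": r"C:\Windows\System32\bcdedit.exe", "ParentImage": DROPPED,
     "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    # ransom notes in the two paths the report lists
    {"EventID": 11, "Image": DROPPED, "TargetFilename": r"C:\Users\Admin\AppData\Roaming\!files-recovery.txt"},
    {"EventID": 11, "Image": DROPPED, "TargetFilename": r"C:\Users\Public\Videos\Sample Videos\!files-recovery.txt"},
    # benign noise that must not fire
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe readme.txt"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "1"},
]

# Command lines that remove or disable recovery points (ATT&CK v6 T1490).
RECOVERY_RULES = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I), "wmic shadowcopy delete"),
    (re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I), "wbadmin delete backups"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
     "bcdedit disables recovery"),
]
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
SCHTASKS_RE = re.compile(r"\bschtasks(\.exe)?\b.*/create\b", re.I)
RANSOM_NOTE = "!files-recovery.txt"   # note file name from this report


def analyze(events: List[dict]) -> List[Alert]:
    """One ordered pass; .exe files written earlier are remembered so a later
    process start from that path is flagged as execution of a dropped EXE."""
    alerts: List[Alert] = []
    dropped_exes = set()
    for ev in events:
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if eid == 11:
            target = ev.get("TargetFilename", "")
            if target.lower().endswith(".exe"):
                dropped_exes.add(target.lower())
            if target.lower().endswith("\\" + RANSOM_NOTE):
                alerts.append(Alert("T1486", "ransom note written", image, target))
        elif eid == 1:
            cmd = ev.get("CommandLine", "")
            if image.lower() in dropped_exes:
                alerts.append(Alert(None, "executes dropped EXE", image, cmd))
            for pattern, label in RECOVERY_RULES:
                if pattern.search(cmd):
                    alerts.append(Alert("T1490", label, image, cmd))
            if SCHTASKS_RE.search(cmd):
                alerts.append(Alert("T1053", "scheduled task created", image, cmd))
        elif eid == 13:
            key = ev.get("TargetObject", "")
            if RUN_KEY_RE.search(key):
                alerts.append(Alert("T1060", "Run key added", image, f"{key} = {ev.get('Details', '')}"))
    return alerts


def tally(alerts: List[Alert]) -> dict:
    """Hits per technique, the way the report's matrix counts them."""
    counts: dict = {}
    for a in alerts:
        counts[a.technique or "-"] = counts.get(a.technique or "-", 0) + 1
    return counts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"{a.technique or '-':<6} {a.rule:<28} {a.image}  <-  {a.evidence}")
    print(tally(analyze(SAMPLE_EVENTS)))
```

The recovery rules key on the command line rather than the image name because the report's "Deletes shadow copies" verdict covers a cmd.exe child as much as a direct vssadmin.exe launch; the spoofed-parent signature (NtCreateProcessEx with another parent) is not reproducible from these fields, since Sysmon reports the parent the process was given, so it is left out rather than faked.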

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                            Count  ID
Execution             Scheduled Task                       1      T1053
Persistence           Registry Run Keys / Startup Folder   1      T1060
Persistence           Scheduled Task                       1      T1053
Privilege Escalation  Scheduled Task                       1      T1053
Defense Evasion       File Deletion                        2      T1107
Defense Evasion       Modify Registry                      1      T1112
Discovery             System Information Discovery         1      T1082
Impact                Inhibit System Recovery              2      T1490

The IDs are ATT&CK v6 identifiers. In current ATT&CK, T1060 is superseded by T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), T1107 by T1070.004 (Indicator Removal: File Deletion), and Scheduled Task on Windows maps to T1053.005; T1112, T1082 and T1490 are unchanged.
