Overview

overview

10

Static

static

dll64.dll

windows7_x64

10

dll64.dll

windows10_x64

10

svchost.exe

windows7_x64

10

svchost.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    sample_No2.zip

  • Size

    621KB

  • Sample

    210417-v8retm447a

  • MD5

    96be737bf47ac991c0dc9be996e0f10b

  • SHA1

    2739c52ce389aad8214224617a04e5b494c410b3

  • SHA256

    831a54f66b7645119d642dab565d86f4316752f6f2f759f9cc10737a34032ebf

  • SHA512

    20675f2b1a9cd1fd091a48b535d8f37e42001fce393d1d180f21017ce4b1f999f3488d8da1985d641ff838716124f51cfb1adadb727c4740199babe7d9481711

Score
10/10
icedidryuk2642071409bankerloaderpersistenceransomwaretrojan

Malware Config

Extracted

Family

icedid

Campaign

2642071409

C2

netmoscito2.uno

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company. We've easily penetrated your network. You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5 BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. contact emails [email protected] or [email protected] BTC wallet: 15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj Ryuk No system is safe
Wallets

15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj

Targets

    • Target

      dll64.dll

    • Size

      43KB

    • MD5

      cfad79ca83be1a597222a14d4afb8dbd

    • SHA1

      4c2f0f0fad519bcbe7616fd0452dcfb9b0fb2081

    • SHA256

      e53d34c5a00e62c90781e918fd5a198475d259a9017cd2b1b5d9b91350c1e876

    • SHA512

      8abf010ebd670d90f06e0d2a8e92d84ff8dd3ab3cac03bb11cc5e344a26fb19afae033d86e8f77ecbe2ed0c5b960b42fe7b59a2cbd160f88fd091cd5904f1af4

    Score
    10/10
    icedid2642071409bankerloadertrojan

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

      trojanbankericedid

    • IcedID First Stage Loader

      loader
    behavioral1behavioral2

    • Target

      svchost.exe

    • Size

      726KB

    • MD5

      8a317e1b7c9671698a8467c6a7786782

    • SHA1

      d166a8738595e3dd83c32ec30a221cda7daeac8f

    • SHA256

      59ec0fa1c554bc9d1253ab499e20eb28d19ed9aa324f642051ce3f322adfaf5f

    • SHA512

      74bbfbfe3aa43d3d3f0e58f739efdf0d9409fd09616035bd3c42fe236864437814363ffc311b0e2987afe733023b073ada7ab2cb8487d4ca2804264d487fb730

    Score
    10/10
    ryukpersistenceransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Enterprise v6

Tasks