General
Target

1b0c57b4_by_Libranalysis

Size

2MB

Sample

210504-p52l61fr9e

Score
10/10
MD5

1b0c57b4b2f28b92d0fa8b71b2f1bce5

SHA1

85c495a2c17dc5e8fca669c346ab5ec2560853db

SHA256

166eec273d472577682b777f9e12b63697db76c21823abf8c228a8b8b506a4b8

SHA512

e00795b3fb74c1fe8ed7d9f4698604bb7ab366cd93621174e24acc805a9e82d8d543942032d37ca9d71ad65a6f7e2eb15bfc2084f7ea927aa13307c53c6e9209

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR FILES.TXT

Ransom Note
All your files are encrypted We have downloaded more that 1.5TB of sensitive data from your company servers. Email me if you want to get your files back - I will do it very quickly! Contact me by email: Veranderinbt5f@protonmail.com or rogerurste@yahoo.com The subject line must contain an encryption extension or the name of your company! Do not rename encrypted files, you may lose them forever. You may be a victim of fraud. Free decryption as a guarantee. Send us up to 3 files for free decryption. The total file size should be no more than 1 MB! (not in the archive), and the files should not contain valuable information. (databases, backups, large Excel spreadsheets, etc.) !!! Do not turn off or restart the NAS equipment. This will lead to data loss !!! To contact us, we recommend that you create an email address at protonmail.com or tutanota.com Because gmail and other public email programs can block our messages! If you do not receive a response from us for a long time, check your spam folder.
Emails

Veranderinbt5f@protonmail.com

rogerurste@yahoo.com

Targets
Target

1b0c57b4_by_Libranalysis

MD5

1b0c57b4b2f28b92d0fa8b71b2f1bce5

Filesize

2MB

Score
10/10
SHA1

85c495a2c17dc5e8fca669c346ab5ec2560853db

SHA256

166eec273d472577682b777f9e12b63697db76c21823abf8c228a8b8b506a4b8

SHA512

e00795b3fb74c1fe8ed7d9f4698604bb7ab366cd93621174e24acc805a9e82d8d543942032d37ca9d71ad65a6f7e2eb15bfc2084f7ea927aa13307c53c6e9209

Tags

Signatures

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Drops startup file

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
    Discovery
      Execution
        Exfiltration
          Initial Access
            Lateral Movement
              Persistence
                Privilege Escalation
                  Tasks

                  static1

                  Score
                  8/10

                  behavioral1

                  Score
                  10/10

                  behavioral2

                  Score
                  10/10