Overview

overview

10

Static

static

7

123.exe

windows7_x64

10

123.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    123.exe

  • Size

    9.3MB

  • Sample

    210506-vtze7pgdv6

  • MD5

    49e1e065b2d619c84ce34f2bf5b04105

  • SHA1

    3b4c8300fcc847c715a6f8d9606c3daabfa9365d

  • SHA256

    c7c2bb08529df1ea16244dfed79a60c039426c69823ee24731213011460ee82d

  • SHA512

    d28e8663ee08923b0b4ba8729329bd25ca054db648f3fb43aa037e1cc87e725954450f5d132457dc506836f03d8c5faa3c2031b2624a7be011037179e6ef06b1

Score
10/10
evasionransomwarespywarestealerthemidatrojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@LegionReadMe@.txt

Ransom Note
Ooops! All your important files are encrypted! What happend to my computer? All your important files are encrypted. No one can help you to restore files without our special decryptor Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed. If you want to restore some of your files for free write to email (contact is at the bottom of the sheet) and attach 4-5 encrypted files. You have to pay $120 in bitcoin to decrypt other files. How to contact us? 1.Download Tor browser (https://www.torproject.org/) 2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/) 3.Write email to us (CobraLocker@mail2tor.com) What if i have already paid? Send your Bitcoin wallet ID to e-mail provided above P.S. Do not modify encrypted files Our bitcoin address 131fjhrB4wH8j6adZXudp1Wn23pR33tpAh
Emails

CobraLocker@mail2tor.com

Wallets

131fjhrB4wH8j6adZXudp1Wn23pR33tpAh

URLs

http://mail2tor2zyjdctd.onion/

Targets

    • Target

      123.exe

    • Size

      9.3MB

    • MD5

      49e1e065b2d619c84ce34f2bf5b04105

    • SHA1

      3b4c8300fcc847c715a6f8d9606c3daabfa9365d

    • SHA256

      c7c2bb08529df1ea16244dfed79a60c039426c69823ee24731213011460ee82d

    • SHA512

      d28e8663ee08923b0b4ba8729329bd25ca054db648f3fb43aa037e1cc87e725954450f5d132457dc506836f03d8c5faa3c2031b2624a7be011037179e6ef06b1

    Score
    10/10
    evasionransomwarespywarestealerthemidatrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Tasks