General

  • Target

    xxxx.exe

  • Size

    66KB

  • Sample

    210512-a69sym5d1e

  • MD5

    3808f21e56dede99bc914d90aeabe47a

  • SHA1

    93cc73149d4bb34830a2cb2a3047e9267b9e3080

  • SHA256

    4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1

  • SHA512

    4ae55145cca3a6f1ed3feff5b2bd38121e37c4cc528e08d5de771bcc4855994560bfc8c22898d73c5b259e37d2dc803615b8f6ec859e53918bd7a1ffee9316b3

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\RecoveryManual.html

Ransom Note

Your ClientId: If you are here, you want to know what happened. We infiltrated your network, controlled it for a while, examined your data, downloaded sensitive information and finally encrypted your computers. Your files are safe, but encrypted. Any attempt to decrypt files with third-party software will permanently corrupt content. What now? We advise you to be in touch and start negotiations, otherwise your confidential data will be published on few our news sites and promoted in all possible ways. Data publication and even the fact of this leak for sure will lead to significant losses for your company: government fines lawsuits and as a result legal claims payments additional expenses on law services data recovery Also you shouldn't underestimate huge damage for your reputation, which can cause crash of equity prices, clients withdrawal and other negative consequences. But don't panic! We are doing business, not war. We can unlock your data and keep everything in secret. All, what we want is a ransom. If we can reach an agreement, you also get: security report full file tree of compromised data downloaded data unrecoverable deletion support with unlocking and network protection advice. How can you contact us? Visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons. http://w6ilafwwrgtrmilorzqex6pgpvfsa667fydca2wpoluj6sajka225byd.onion/?cid=879538e20b82e80052dd5f7ef9ad50777f29ea9b401bf59e2f5189fb60588831 Password field should be blank for the first login. Note that this server is available via Tor browser only. Follow the instructions to open the link: Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor Project website. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it. Now you have Tor browser.
In the Tor Browser open "http://w6ilafwwrgtrmilorzqex6pgpvfsa667fydca2wpoluj6sajka225byd.onion/?cid=879538e20b82e80052dd5f7ef9ad50777f29ea9b401bf59e2f5189fb60588831". Start a chat and introduce yourself (Company name and your position). Password field should be blank for the first login. You can ask an operator to set password later.

URLs

http://w6ilafwwrgtrmilorzqex6pgpvfsa667fydca2wpoluj6sajka225byd.onion/?cid=879538e20b82e80052dd5f7ef9ad50777f29ea9b401bf59e2f5189fb60588831

Targets

    • Target

      xxxx.exe

    • Size

      66KB

    • MD5

      3808f21e56dede99bc914d90aeabe47a

    • SHA1

      93cc73149d4bb34830a2cb2a3047e9267b9e3080

    • SHA256

      4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1

    • SHA512

      4ae55145cca3a6f1ed3feff5b2bd38121e37c4cc528e08d5de771bcc4855994560bfc8c22898d73c5b259e37d2dc803615b8f6ec859e53918bd7a1ffee9316b3

    Score
    10/10

    • MountLocker Ransomware

      Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6