Resubmissions

25/05/2021, 17:46

210525-wsna8dqx82 10

25/05/2021, 11:03

210525-zjz5mlvglj 10

General

  • Target

    a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a

  • Size

    126KB

  • Sample

    210525-wsna8dqx82

  • MD5

    e1ff64f0910b1e31a12a17ecc9173250

  • SHA1

    edee8ab5e9edae3c6f7fbff32151c9d9e2c7f360

  • SHA256

    a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a

  • SHA512

    10364700d1dd533bbf2345908067129386e119cb434ceaff55282a2ee2cc58fc9ddfca40fbc3e333dd4394436eabeb5c29268c088f94eec95abc69921af48428

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\READ_ME.crypted.txt

Ransom Note
Your files are encrypted. If you want to unlock them send 50$ worth of bitcoin to this address: 36yFAmBGNDowqjXxbaPA2F3byPUoxWfZyz After that email your transaction ID, pc code and username to: [email protected] After that wait for our response and we will send you your unique password and decryptor.
Encrypted files:
C:\Users\Admin\Desktop\CompareDebug.jfif
C:\Users\Admin\Desktop\CompareSend.wvx
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Desktop\DisconnectReceive.lock
C:\Users\Admin\Desktop\ExportWait.eps
C:\Users\Admin\Desktop\GroupSave.mpa
C:\Users\Admin\Desktop\MountRestore.mht
C:\Users\Admin\Desktop\MountWait.ADT
C:\Users\Admin\Desktop\NewWait.aif
C:\Users\Admin\Desktop\OpenExit.mp3
C:\Users\Admin\Desktop\PublishRedo.js
C:\Users\Admin\Desktop\RedoImport.au3
C:\Users\Admin\Desktop\RedoStop.ini
C:\Users\Admin\Desktop\RemoveRestore.emf
C:\Users\Admin\Desktop\RenameConvertTo.dll
C:\Users\Admin\Desktop\RepairHide.wmf
C:\Users\Admin\Desktop\RequestEnable.htm
C:\Users\Admin\Desktop\RevokeFind.vdw
C:\Users\Admin\Desktop\SendStart.wpl
C:\Users\Admin\Desktop\SyncBlock.mhtml
C:\Users\Admin\Desktop\UninstallComplete.vsdm
C:\Users\Admin\Desktop\UnprotectComplete.jtx
C:\Users\Admin\Desktop\UseConvertFrom.wma
C:\Users\Admin\Desktop\WatchEnable.cfg
C:\Users\Admin\Pictures\ConvertToClear.crw
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\Pictures\DismountUnlock.pcx
C:\Users\Admin\Pictures\GetEdit.dib
C:\Users\Admin\Pictures\OpenSearch.pcx
C:\Users\Admin\Pictures\OptimizeConvertTo.gif
C:\Users\Admin\Pictures\RegisterCheckpoint.dxf
C:\Users\Admin\Pictures\ResizeCheckpoint.wmf
C:\Users\Admin\Pictures\RestoreGroup.eps
C:\Users\Admin\Pictures\SplitConvertTo.pcx
C:\Users\Admin\Pictures\TraceMerge.jpg
C:\Users\Admin\Pictures\UnlockCompress.dxf
C:\Users\Admin\Pictures\Wallpaper.jpg
C:\Users\Admin\Documents\AddOpen.vsd
C:\Users\Admin\Documents\Are.docx
C:\Users\Admin\Documents\DenyAdd.vsx
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Documents\DismountInvoke.pot
C:\Users\Admin\Documents\ExportPing.xps
C:\Users\Admin\Documents\Files.docx
C:\Users\Admin\Documents\FindJoin.pdf
C:\Users\Admin\Documents\GroupComplete.vstx
C:\Users\Admin\Documents\InstallSave.vdx
C:\Users\Admin\Documents\InvokeUnprotect.xps
C:\Users\Admin\Documents\MeasurePublish.docx
C:\Users\Admin\Documents\MoveFormat.xlt
C:\Users\Admin\Documents\Opened.docx
C:\Users\Admin\Documents\OpenRegister.ppt
C:\Users\Admin\Documents\ProtectDisconnect.pptm
C:\Users\Admin\Documents\ProtectUnlock.vsw
C:\Users\Admin\Documents\PushRedo.dotm
C:\Users\Admin\Documents\Recently.docx
C:\Users\Admin\Documents\RepairLimit.xla
C:\Users\Admin\Documents\RequestSet.vsdx
C:\Users\Admin\Documents\ResolvePublish.xps
C:\Users\Admin\Documents\RestartPop.vdw
C:\Users\Admin\Documents\RevokeSend.vsdx
C:\Users\Admin\Documents\SearchStart.vssx
C:\Users\Admin\Documents\SkipGrant.docx
C:\Users\Admin\Documents\These.docx
C:\Users\Admin\Documents\UnprotectAssert.txt
C:\Users\Admin\Documents\UnprotectResize.xlt
C:\Users\Admin\Documents\WaitBackup.mhtml
C:\Users\Admin\Documents\WriteInvoke.pub
Wallets

36yFAmBGNDowqjXxbaPA2F3byPUoxWfZyz

Extracted

Path

C:\Users\Admin\Desktop\READ_ME.crypted.txt

Ransom Note
Your files are encrypted. If you want to unlock them send 50$ worth of bitcoin to this address: 36yFAmBGNDowqjXxbaPA2F3byPUoxWfZyz After that email your transaction ID, pc code and username to: [email protected] After that wait for our response and we will send you your unique password and decryptor.
Encrypted files:
C:\Users\Admin\Desktop\AssertOut.docx
C:\Users\Admin\Desktop\CopyMerge.sys
C:\Users\Admin\Desktop\DebugGrant.mov
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Desktop\DisconnectSubmit.dotx
C:\Users\Admin\Desktop\ExitDisable.mid
C:\Users\Admin\Desktop\ExpandConfirm.vstx
C:\Users\Admin\Desktop\ExportDisable.mpg
C:\Users\Admin\Desktop\GroupMove.xps
C:\Users\Admin\Desktop\GroupUpdate.cr2
C:\Users\Admin\Desktop\ImportConvert.asx
C:\Users\Admin\Desktop\LimitSet.3gp2
C:\Users\Admin\Desktop\MountSwitch.jpeg
C:\Users\Admin\Desktop\MoveExit.tif
C:\Users\Admin\Desktop\MovePush.bmp
C:\Users\Admin\Desktop\OutInstall.midi
C:\Users\Admin\Desktop\PopImport.js
C:\Users\Admin\Desktop\PublishBlock.jfif
C:\Users\Admin\Desktop\RequestEnable.docx
C:\Users\Admin\Desktop\ResetLock.wmv
C:\Users\Admin\Desktop\RestartDeny.ppsm
C:\Users\Admin\Desktop\RestoreUndo.css
C:\Users\Admin\Desktop\SaveClose.temp
C:\Users\Admin\Desktop\SkipFind.vssx
C:\Users\Admin\Desktop\StopMove.midi
C:\Users\Admin\Desktop\TraceOut.dwfx
C:\Users\Admin\Desktop\UnlockEdit.cmd
C:\Users\Admin\Desktop\UnlockStop.cmd
C:\Users\Admin\Desktop\WatchDebug.ttc
C:\Users\Admin\Pictures\AddPop.svg
C:\Users\Admin\Pictures\CompressEnter.crw
C:\Users\Admin\Pictures\ConvertExport.dxf
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\Pictures\DisableUnpublish.bmp
C:\Users\Admin\Pictures\DisconnectSwitch.tif
C:\Users\Admin\Pictures\EnableSend.gif
C:\Users\Admin\Pictures\FormatFind.dxf
C:\Users\Admin\Pictures\GetBlock.raw
C:\Users\Admin\Pictures\HideOut.raw
C:\Users\Admin\Pictures\HideTrace.crw
C:\Users\Admin\Pictures\ImportAdd.ico
C:\Users\Admin\Pictures\InstallAssert.tiff
C:\Users\Admin\Pictures\LockWait.dwg
C:\Users\Admin\Pictures\MoveUpdate.crw
C:\Users\Admin\Pictures\OpenDisconnect.emz
C:\Users\Admin\Pictures\PingBlock.wmf
C:\Users\Admin\Pictures\PublishBlock.wmf
C:\Users\Admin\Pictures\SaveWrite.ico
C:\Users\Admin\Pictures\SelectClose.emz
C:\Users\Admin\Pictures\SelectLock.svgz
C:\Users\Admin\Pictures\ShowCompare.bmp
C:\Users\Admin\Pictures\ShowConvert.jpg
C:\Users\Admin\Pictures\UninstallSuspend.dxf
C:\Users\Admin\Pictures\UseWait.svg
C:\Users\Admin\Pictures\Wallpaper.jpg
C:\Users\Admin\Pictures\Camera Roll\desktop.ini
C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
C:\Users\Admin\Documents\AddFind.mht
C:\Users\Admin\Documents\Are.docx
C:\Users\Admin\Documents\AssertLimit.vstx
C:\Users\Admin\Documents\CompareRedo.pptm
C:\Users\Admin\Documents\ConnectUnpublish.dotm
C:\Users\Admin\Documents\DenySync.html
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Documents\Files.docx
C:\Users\Admin\Documents\FindBlock.rtf
C:\Users\Admin\Documents\GrantMerge.vst
C:\Users\Admin\Documents\GroupUnpublish.odp
C:\Users\Admin\Documents\LimitWatch.ppsm
C:\Users\Admin\Documents\LockPing.dotx
C:\Users\Admin\Documents\MeasureRegister.vsw
C:\Users\Admin\Documents\MoveClose.xls
C:\Users\Admin\Documents\MoveRevoke.docm
C:\Users\Admin\Documents\OpenConvertTo.odt
C:\Users\Admin\Documents\Opened.docx
C:\Users\Admin\Documents\OpenMerge.pptx
C:\Users\Admin\Documents\PopRegister.mhtml
C:\Users\Admin\Documents\PublishRevoke.xlt
C:\Users\Admin\Documents\PushBackup.mhtml
C:\Users\Admin\Documents\PushDeny.xlsm
C:\Users\Admin\Documents\ReceiveUse.mpp
C:\Users\Admin\Documents\Recently.docx
C:\Users\Admin\Documents\RegisterDisconnect.pptm
C:\Users\Admin\Documents\RemoveSync.pub
C:\Users\Admin\Documents\RepairEdit.pptm
C:\Users\Admin\Documents\RepairResize.vsw
C:\Users\Admin\Documents\RequestExit.wps
C:\Users\Admin\Documents\RestoreFormat.pps
C:\Users\Admin\Documents\RevokeRequest.ods
C:\Users\Admin\Documents\RevokeUnregister.vsdm
C:\Users\Admin\Documents\SelectPing.xla
C:\Users\Admin\Documents\SendPing.vdx
C:\Users\Admin\Documents\SkipTest.mht
C:\Users\Admin\Documents\SubmitExpand.wps
C:\Users\Admin\Documents\These.docx
C:\Users\Admin\Documents\UnblockDismount.dot
C:\Users\Admin\Documents\UnlockGrant.vdx
C:\Users\Admin\Documents\UnpublishShow.xlsx
C:\Users\Admin\Documents\UpdateSkip.rtf
C:\Users\Admin\Documents\UseMerge.csv
Wallets

36yFAmBGNDowqjXxbaPA2F3byPUoxWfZyz

Targets

    • Target

      a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a

    • Size

      126KB

    • MD5

      e1ff64f0910b1e31a12a17ecc9173250

    • SHA1

      edee8ab5e9edae3c6f7fbff32151c9d9e2c7f360

    • SHA256

      a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a

    • SHA512

      10364700d1dd533bbf2345908067129386e119cb434ceaff55282a2ee2cc58fc9ddfca40fbc3e333dd4394436eabeb5c29268c088f94eec95abc69921af48428

    Score
    10/10
    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6