Resubmissions

25-06-2021 19:07

210625-wj3es9fxde 10

24-06-2021 06:02

210624-78vvv4fkks 10

General

  • Target

    SvHost-3.exe

  • Size

    1.3MB

  • Sample

    210624-78vvv4fkks

  • MD5

    6d0cefa5b7f1744aa5dbc041c50b1709

  • SHA1

    023fe5cafe7f0b32bfaf1b3549785e4d36a13b63

  • SHA256

    c6da46d2abe90035674272a826d1203dde07338e27e3ebefc6335cbedb389019

  • SHA512

    fb3bef44b77d7d3b83c42f769236f2c7646f1642d07f3650199d6511a111b31cb917fdc9d776d0e4be5cffb374a162ce4cd09925463b94f9bf8be50501f66631

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\Decrypt-info.txt

Ransom Note
All your files are encrypted due to security problem with your computer. You should pay money to recover your files. The price depends on how fast do you message us. You should contact us via this email address: [email protected] if you didn't receive any reply, message our second email address: [email protected] We guarantee that if you make payment, all your files will be recovered. You can send few example files. We recover them for you to prove that we can recover your files. Attention: Do not rename encrypted files. Do not try to decrypt your data using third-party software, it may cause permanent data loss. The decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      SvHost-3.exe

    • Size

      1.3MB

    • MD5

      6d0cefa5b7f1744aa5dbc041c50b1709

    • SHA1

      023fe5cafe7f0b32bfaf1b3549785e4d36a13b63

    • SHA256

      c6da46d2abe90035674272a826d1203dde07338e27e3ebefc6335cbedb389019

    • SHA512

      fb3bef44b77d7d3b83c42f769236f2c7646f1642d07f3650199d6511a111b31cb917fdc9d776d0e4be5cffb374a162ce4cd09925463b94f9bf8be50501f66631

    • Ouroboros/Zeropadypt

      Ransomware family based on open-source CryptoWire.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar sensitive information.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks