General

  • Target

    79f4c2aa9c3cdae4b02b1ab8e8df8e6e0d6a02c692991c0ee83a110260940038.bin.sample.gz

  • Size

    30.2MB

  • Sample

    210707-zr9byvhhex

  • MD5

    f186e7fead302a4f31c73c8980fad54b

  • SHA1

    c17f09e8f8767443a8c2c7e62ed7ad341dc8d4db

  • SHA256

    2ae2d174af3118073f10bbc6288efedcfebf9f4fa69ad823fec3dc69a7b37cc3

  • SHA512

    0d6b1f77f6d1ee57acdabc2e90b08c9bf9e01303373d41e2cc20b1f0b133e6cf51423b22a48b9eb500d0b6451a0bc78181f60db3159f58c7652965f47d0af62a

Malware Config

Extracted

  • Path

    C:\Windows\Vss\GoodMorning.txt

  • Ransom Note

    Good Morning!! All your Files Have Been Encrypted You can not protect your system I want help you You must pay an amount of bitcoin to decrypt your files If you want restore your files or you want my help send this ID : E9CC0CBDD to this email :Goood.Morning@mailfence.com If you didn't recieve any message , write message to this email : GooodMorning@tutanota.com or this : GoodMorning9@cock.li !!!!!!! I forget to tell this , never try decrypt your files by yourself , maybe you lost them forever and do not rename them

  • Emails

    Goood.Morning@mailfence.com
    GooodMorning@tutanota.com
    GoodMorning9@cock.li

Extracted

  • Path

    C:\Windows\Vss\GoodMorning.txt

  • Ransom Note

    Good Morning!! All your Files Have Been Encrypted You can not protect your system I want help you You must pay an amount of bitcoin to decrypt your files If you want restore your files or you want my help send this ID : 2B40674E3 to this email :Goood.Morning@mailfence.com If you didn't recieve any message , write message to this email : GooodMorning@tutanota.com or this : GoodMorning9@cock.li !!!!!!! I forget to tell this , never try decrypt your files by yourself , maybe you lost them forever and do not rename them

  • Emails

    Goood.Morning@mailfence.com
    GooodMorning@tutanota.com
    GoodMorning9@cock.li

Targets

    • Target

      sample

    • Size

      30.2MB

    • MD5

      931d8cc9acda477fb505d9a2c09f581e

    • SHA1

      748b9874c2f818a76ba55abecc90beb382b9b24f

    • SHA256

      79f4c2aa9c3cdae4b02b1ab8e8df8e6e0d6a02c692991c0ee83a110260940038

    • SHA512

      767cbfd0cc99cecdf942d146954dd62d66ea7ac98b2003025218ac1263b8a4e07804bbbc55329789b77682766e75a1370661630639fb0a3b4f636604bc844fe7

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                Count  ID
  Defense Evasion    File Deletion            2      T1107
  Defense Evasion    Modify Registry          1      T1112
  Credential Access  Credentials in Files     1      T1081
  Collection         Data from Local System   1      T1005
  Impact             Inhibit System Recovery  2      T1490

Tasks