dmalocker | b2b3244147fe99552144847d8561eda14c6751e9afda58fc3039c5d11a4b44af

General

Target

b2b3244147fe99552144847d8561eda14c6751e9afda58fc3039c5d11a4b44af.sample
Size

216KB
Sample

210726-lj3k5tgd9n
MD5

832814b3212fd82fbced6afd72b4e8dc
SHA1

be3b021f3bd5b86a3d126e1b5d7bde4ccdad6ae5
SHA256

b2b3244147fe99552144847d8561eda14c6751e9afda58fc3039c5d11a4b44af
SHA512

19f8db46f1095516b3300f933c9b4ea7ecc9c671ecb22eae0a6806e18daf7ad19687b610c52822e27144a6b05270e1e333ff74ea0a58175a9b17c85a016b2ff8

Score

10^/10

Malware Config

Extracted

Path

C:\ProgramData\cryptinfo.txt

Ransom Note

Attention! ! ! All of your copies of your system have been permanently deleted and the data on all partitions and workstations have been encrypted! Stay calm. You can recover all your data by making a payment of 10 BTC (7000 GBP) in Bitcoin currency in order to receive a decryption key. In order to purchase Bitcions you can use https://coincafe.com/signup.php After buying BTC send the equivalent of 10 BTC (7000 GBP) to our BTC adress: 1DtyvLb1pDzXVoaVnJLAFzBJN6b4gcJSdR After payment contact us to receive your decryption key. In mail title write your unique ID: DMALOCK 31:74:71:30:36:43:72:21 Our e-mail: [email protected] ATTENTION! To ensure you that you can recover your data we are able to decrypt two files of your choice that are not larger than 1MB! ATTENTION! Even if your antivirus has removed our program, your data may be still recovered!

Emails

[email protected]

Wallets

1DtyvLb1pDzXVoaVnJLAFzBJN6b4gcJSdR

Targets

- Target
  
  b2b3244147fe99552144847d8561eda14c6751e9afda58fc3039c5d11a4b44af.sample
- Size
  
  216KB
- MD5
  
  832814b3212fd82fbced6afd72b4e8dc
- SHA1
  
  be3b021f3bd5b86a3d126e1b5d7bde4ccdad6ae5
- SHA256
  
  b2b3244147fe99552144847d8561eda14c6751e9afda58fc3039c5d11a4b44af
- SHA512
  
  19f8db46f1095516b3300f933c9b4ea7ecc9c671ecb22eae0a6806e18daf7ad19687b610c52822e27144a6b05270e1e333ff74ea0a58175a9b17c85a016b2ff8
Score

10^/10

dmalocker persistence ransomware
- DMA Locker
  Ransomware family with some advanced features, like encryption of unmapped network shares.
  ransomware dmalocker
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

DMA Locker

Adds Run key to start application

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2