General

  • Target

    7f4dba54da91c99423b5862088da784363c7edc76d63e26d72270cd1fdf6dbec.exe

  • Size

    14KB

  • Sample

    210906-ptkyfsecak

  • MD5

    e9b1631a77d5b557acef3be265819134

  • SHA1

    bd7cfbaea73febf51e4b9c838bfe99f023ee8cc3

  • SHA256

    7f4dba54da91c99423b5862088da784363c7edc76d63e26d72270cd1fdf6dbec

  • SHA512

    0f2ebb6f8875950027b0a8a0c7e5ef4eb4ef0d9fe7998325e6dc0fb2a8e0bd4c1cfd11c57bb68441bb0dc89175e51c397c61be90122ab2fb50fa68f534f89a63

Malware Config

Extracted

Path

C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\#Decrypt#.txt

Ransom Note

Hello my dear friend
Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted
If you want to restore them, install ICQ software on your PC https://icq.com/windows/ or on your mobile phone search in Appstore / Google market ICQ
Write to our ICQ @zipzipulya https://icq.im/zipzipulya
Skype Zip Zipulya
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
We are always ready to cooperate and find the best way to solve your problem.
The faster you write, the more favorable the conditions will be for you.
Our company values its reputation. We give all guarantees of your files decryption
IF WE DONT SEE MESSAGES FROM YOU IN 72 HOURS - WE WILL SELL YOUR DATABASES AND IMPORTANT INFORMATION TO YOUR COMPETITORS,AFTER YOU WILL SEE IT AT OPEN SOURCE AND DARKNET
We respect your time and waiting for respond from your side
tell your unique ID
URLs

https://icq.com/windows/

https://icq.im/zipzipulya

Extracted

Path

C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\#Decrypt#.txt

Ransom Note

Hello my dear friend
Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted
If you want to restore them, install ICQ software on your PC https://icq.com/windows/ or on your mobile phone search in Appstore / Google market ICQ
Write to our ICQ @zipzipulya https://icq.im/zipzipulya
Skype Zip Zipulya
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
We are always ready to cooperate and find the best way to solve your problem.
The faster you write, the more favorable the conditions will be for you.
Our company values its reputation. We give all guarantees of your files decryption
IF WE DONT SEE MESSAGES FROM YOU IN 72 HOURS - WE WILL SELL YOUR DATABASES AND IMPORTANT INFORMATION TO YOUR COMPETITORS,AFTER YOU WILL SEE IT AT OPEN SOURCE AND DARKNET
We respect your time and waiting for respond from your side
tell your unique ID
URLs

https://icq.com/windows/

https://icq.im/zipzipulya
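The contact handles, URLs and the 72-hour deadline are the indicators a responder wants pulled out of every dropped #Decrypt#.txt, and because the report shows the same note extracted from two different paths, deduplicating notes by content is useful before feeding them to tracking. The Python below is an added example, not part of this report or of the sandbox's own config extractor; the note text is quoted from the report above (with the per-victim unique ID, which the report does not show, left absent), and the regexes, field names and the leak-threat keyword list are the example's own choices.

```python
import hashlib
import re

# Note text as reported on this page; the per-victim unique ID at the end is not shown in the report.
RANSOM_NOTE = (
    "Hello my dear friend Unfortunately for you, a major IT security weakness left you open to "
    "attack, your files have been encrypted If you want to restore them, install ICQ software on "
    "your PC https://icq.com/windows/ or on your mobile phone search in Appstore / Google market "
    "ICQ Write to our ICQ @zipzipulya https://icq.im/zipzipulya Skype Zip Zipulya Attention! Do not "
    "rename encrypted files. Do not try to decrypt your data using third party software, it may "
    "cause permanent data loss. We are always ready to cooperate and find the best way to solve "
    "your problem. The faster you write, the more favorable the conditions will be for you. Our "
    "company values its reputation. We give all guarantees of your files decryption IF WE DONT SEE "
    "MESSAGES FROM YOU IN 72 HOURS - WE WILL SELL YOUR DATABASES AND IMPORTANT INFORMATION TO YOUR "
    "COMPETITORS,AFTER YOU WILL SEE IT AT OPEN SOURCE AND DARKNET We respect your time and waiting "
    "for respond from your side tell your unique ID"
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
ICQ_HANDLE_RE = re.compile(r"(?<![\w@])@([A-Za-z0-9_.]{3,})")   # "@zipzipulya" style handle
ICQ_LINK_RE = re.compile(r"https?://icq\.im/([A-Za-z0-9_.]+)")   # handle embedded in an icq.im link
DEADLINE_RE = re.compile(r"\b(\d{1,3})\s*HOURS?\b", re.IGNORECASE)
# Example's own keyword list for double-extortion language (an assumption, not from the report)
LEAK_WORDS = ("SELL YOUR DATABASES", "DARKNET", "COMPETITORS")


def extract_note_iocs(note: str) -> dict:
    """Pull contact channels, URLs, the stated deadline and a leak-threat flag out of a ransom note."""
    urls = sorted({u.rstrip(".,;:)") for u in URL_RE.findall(note)})
    handles = set(ICQ_HANDLE_RE.findall(note)) | set(ICQ_LINK_RE.findall(note))
    hours = [int(h) for h in DEADLINE_RE.findall(note)]
    upper = note.upper()
    return {
        "urls": urls,
        "icq_handles": sorted(handles),
        "deadline_hours": min(hours) if hours else None,
        "threatens_leak": any(w in upper for w in LEAK_WORDS),
    }


def note_fingerprint(note: str) -> str:
    """Whitespace-normalised SHA-256, so copies dropped into many directories dedupe to one note."""
    return hashlib.sha256(" ".join(note.split()).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print(extract_note_iocs(RANSOM_NOTE))
    print(note_fingerprint(RANSOM_NOTE))
```

Running it on the note above yields the two URLs, the single handle `zipzipulya` (found both as `@zipzipulya` and in the icq.im link), a 72-hour deadline and a set leak-threat flag; the fingerprint is the same for both drop paths listed in the report, since the text is identical.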

Targets

    • Target

      7f4dba54da91c99423b5862088da784363c7edc76d63e26d72270cd1fdf6dbec.exe

    • Size

      14KB

    • MD5

      e9b1631a77d5b557acef3be265819134

    • SHA1

      bd7cfbaea73febf51e4b9c838bfe99f023ee8cc3

    • SHA256

      7f4dba54da91c99423b5862088da784363c7edc76d63e26d72270cd1fdf6dbec

    • SHA512

      0f2ebb6f8875950027b0a8a0c7e5ef4eb4ef0d9fe7998325e6dc0fb2a8e0bd4c1cfd11c57bb68441bb0dc89175e51c397c61be90122ab2fb50fa68f534f89a63

    • Registers COM server for autorun

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Sets file execution options in registry

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Drops file in System32 directory
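Several of the behaviours flagged above (shadow copy deletion, Image File Execution Options changes, COM server registration for autorun, a file dropped into the Startup folder) leave well-defined traces in process, registry and file telemetry, so they can be turned into triage rules. The Python below is an added example, not part of this report or the sandbox's own signature set: the event format, the sample events and the regexes are constructed for the example, and the ATT&CK v6 IDs attached to each rule are the example's own reading of the matrix in this report (the report does not state which signature maps to which technique).

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str   # "process" (command line), "registry" (key/value path written) or "file" (path dropped)
    data: str


# Behaviour name -> (event kind, pattern, ATT&CK v6 ID as used in this report's matrix; mapping assumed)
RULES = {
    "Deletes shadow copies": ("process", re.compile(
        r"\b(vssadmin(\.exe)?\"?\s+delete\s+shadows|wmic(\.exe)?\"?\s+shadowcopy\s+delete"
        r"|wbadmin(\.exe)?\"?\s+delete\s+catalog|bcdedit(\.exe)?\"?\s+.*recoveryenabled\s+no)", re.I),
        "T1490"),
    "Sets file execution options in registry": ("registry", re.compile(
        r"\\Image File Execution Options\\[^\\]+\\Debugger$", re.I), "T1112"),
    "Registers COM server for autorun": ("registry", re.compile(
        r"\\Classes\\CLSID\\\{[0-9A-F-]{36}\}\\(InprocServer32|LocalServer32)", re.I), "T1112"),
    "Drops startup file": ("file", re.compile(
        r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I), "T1060"),
}


def triage(events):
    """Return {behaviour name: [matching event data]} for every rule that fires."""
    findings = {}
    for ev in events:
        for name, (kind, pattern, _) in RULES.items():
            if ev.kind == kind and pattern.search(ev.data):
                findings.setdefault(name, []).append(ev.data)
    return findings


def attack_ids(findings):
    """Collapse fired behaviours into the sorted set of ATT&CK technique IDs."""
    return sorted({RULES[name][2] for name in findings})


# Constructed sample telemetry for this example; not events from the sandbox run above.
SAMPLE_EVENTS = [
    Event("process", r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'),
    Event("process", r"vssadmin list shadows"),   # enumeration only, must not fire
    Event("registry", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger"),
    Event("registry", r"HKCU\Software\Classes\CLSID\{12345678-1234-1234-1234-123456789ABC}\InprocServer32"),
    Event("file", r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"),
    Event("file", r"C:\Users\admin\AppData\Local\Temp\tmp1.dat"),   # ordinary temp file, must not fire
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for name, hits in found.items():
        print(f"{name}: {hits}")
    print("ATT&CK:", attack_ids(found))
```

The shadow-copy rule deliberately requires the `delete` verb so that `vssadmin list shadows`, which backup tooling runs legitimately, does not fire; the IFEO rule anchors on the `Debugger` value, which is the one that redirects execution of the named program.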

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic             Technique                           ID     Signatures
Persistence        Registry Run Keys / Startup Folder  T1060  2
Persistence        Browser Extensions                  T1176  1
Defense Evasion    File Deletion                       T1107  2
Defense Evasion    Modify Registry                     T1112  3
Credential Access  Credentials in Files                T1081  1
Discovery          Query Registry                      T1012  1
Discovery          Peripheral Device Discovery         T1120  1
Discovery          System Information Discovery        T1082  2
Collection         Data from Local System              T1005  1
Impact             Inhibit System Recovery             T1490  2

Tasks