SayLessRnm Window.exe

General

Target: SayLessRnm Window.exe
Size: 557KB
Sample: 211009-g4aw8sfae6
Score: 10/10
MD5: 52c527df9e7554e940c3c45b4e9b3e30
SHA1: ae182f41baae6a5f3c05803933ba77578772233c
SHA256: a6339f9ef7c91bc792626ff3765a46809dcada083c93a7e63fd01b0e91c1bb90
SHA512: eabb6293309e5ac13a9530efe8f3f75d6fa1102a6fed2a1825022fff584836796fc6eab97b42fe88cb618c987907b2c3224cfa79bec8b8f332f72a0f9412752c

Malware Config

Extracted

Path: C:\Users\Admin\Desktop\SAYLESS-RANSOMWARE.saylessrsnm.txt
Ransom Note:
Your computer has been infected by SayLess-Ransomware. All your data and files have been encrypted with a MILITARY-GRADE LEVEL ENCRYPTION. To unlock them, send 500$ to the BTC adress below to get decryption key and restore your data... Or else your files are lost! DO NOT TURN OFF YOUR PC, IF YOU SO ALL YOUR FILES WILL BE CORRUPTED FOREVER.
Encryption Log:
====================================
C:\Users\Admin\Desktop\AssertOptimize.rtf
C:\Users\Admin\Desktop\CheckpointUnblock.mhtml
C:\Users\Admin\Desktop\ConfirmApprove.crw
C:\Users\Admin\Desktop\ConvertToPublish.xlsx
C:\Users\Admin\Desktop\DebugSkip.png
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Desktop\DisableExpand.midi
C:\Users\Admin\Desktop\DismountPing.htm
C:\Users\Admin\Desktop\ExportSave.midi
C:\Users\Admin\Desktop\FindMount.DVR-MS
C:\Users\Admin\Desktop\GrantImport.doc
C:\Users\Admin\Desktop\InstallCopy.bat
C:\Users\Admin\Desktop\InstallFind.scf
C:\Users\Admin\Desktop\MeasureSplit.ps1
C:\Users\Admin\Desktop\MoveHide.mp4
C:\Users\Admin\Desktop\OutEnter.mp4
C:\Users\Admin\Desktop\RedoTrace.edrwx
C:\Users\Admin\Desktop\RenameDisconnect.odp
C:\Users\Admin\Desktop\SkipAdd.png
C:\Users\Admin\Desktop\SplitProtect.pot
C:\Users\Admin\Desktop\StepPublish.MTS
C:\Users\Admin\Desktop\UndoAdd.eprtx
C:\Users\Admin\Desktop\UnregisterSwitch.rmi
C:\Users\Admin\Desktop\UnregisterUndo.pps
C:\Users\Admin\Pictures\AddGet.dwg
C:\Users\Admin\Pictures\BlockDisable.dxf
C:\Users\Admin\Pictures\CheckpointSelect.dxf
C:\Users\Admin\Pictures\CompressStart.eps
C:\Users\Admin\Pictures\ConnectEnable.dib
C:\Users\Admin\Pictures\ConvertExit.svg
C:\Users\Admin\Pictures\ConvertToOpen.dib
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\Pictures\DisconnectBlock.eps
C:\Users\Admin\Pictures\DismountNew.wmf
C:\Users\Admin\Pictures\EnterUninstall.tif
C:\Users\Admin\Pictures\ExportPop.eps
C:\Users\Admin\Pictures\HidePing.emf
C:\Users\Admin\Pictures\HideReset.ico
C:\Users\Admin\Pictures\MeasureDebug.tif
C:\Users\Admin\Pictures\OpenTrace.tif
C:\Users\Admin\Pictures\ProtectConfirm.png
C:\Users\Admin\Pictures\ProtectSync.bmp
C:\Users\Admin\Pictures\PublishCompare.dwg
C:\Users\Admin\Pictures\PushCheckpoint.ico
C:\Users\Admin\Pictures\RegisterReset.bmp
C:\Users\Admin\Pictures\ResolveEdit.emf
C:\Users\Admin\Pictures\SendHide.pcx
C:\Users\Admin\Pictures\StepConvertFrom.png
C:\Users\Admin\Pictures\SuspendClose.emz
C:\Users\Admin\Pictures\UnblockInvoke.tif
C:\Users\Admin\Pictures\UpdateConvertTo.jpg
C:\Users\Admin\Pictures\Wallpaper.jpg
C:\Users\Admin\Documents\Are.docx
C:\Users\Admin\Documents\BlockApprove.vsd
C:\Users\Admin\Documents\CompleteFind.wps
C:\Users\Admin\Documents\ConfirmExit.mpp
C:\Users\Admin\Documents\ConvertToDisconnect.wps
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Documents\DismountInitialize.ppt
C:\Users\Admin\Documents\ExitRegister.vsw
C:\Users\Admin\Documents\ExitSend.odt
C:\Users\Admin\Documents\ExitSuspend.xlt
C:\Users\Admin\Documents\Files.docx
C:\Users\Admin\Documents\GrantSend.vsw
C:\Users\Admin\Documents\LimitRegister.doc
C:\Users\Admin\Documents\MeasureSuspend.rtf
C:\Users\Admin\Documents\Opened.docx
C:\Users\Admin\Documents\Recently.docx
C:\Users\Admin\Documents\RegisterSplit.ppt
C:\Users\Admin\Documents\RevokeOptimize.pot
C:\Users\Admin\Documents\SendFormat.potm
C:\Users\Admin\Documents\SuspendDeny.ppsx
C:\Users\Admin\Documents\These.docx
C:\Users\Admin\Documents\UnlockWrite.ods
C:\Users\Admin\Documents\UnregisterExit.vsdx
C:\Users\Admin\Documents\UseResolve.pptx
C:\Users\Admin\Documents\WritePing.docx

Extracted

Path: C:\Users\Admin\Desktop\SAYLESS-RANSOMWARE.saylessrsnm.txt
Ransom Note:
Your computer has been infected by SayLess-Ransomware. All your data and files have been encrypted with a MILITARY-GRADE LEVEL ENCRYPTION. To unlock them, send 500$ to the BTC adress below to get decryption key and restore your data... Or else your files are lost! DO NOT TURN OFF YOUR PC, IF YOU SO ALL YOUR FILES WILL BE CORRUPTED FOREVER.
Encryption Log:
====================================
C:\Users\Admin\Desktop\AddRemove.mid
C:\Users\Admin\Desktop\CompressJoin.ocx
C:\Users\Admin\Desktop\CopyPing.3gpp
C:\Users\Admin\Desktop\DebugPush.xla
C:\Users\Admin\Desktop\DenyUnlock.ppsm
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Desktop\DisableOut.au3
C:\Users\Admin\Desktop\EditCopy.kix
C:\Users\Admin\Desktop\EnableTrace.ini
C:\Users\Admin\Desktop\EnterEnable.crw
C:\Users\Admin\Desktop\JoinDisable.mpv2
C:\Users\Admin\Desktop\JoinFormat.iso
C:\Users\Admin\Desktop\MeasureUse.html
C:\Users\Admin\Desktop\MountSubmit.ttf
C:\Users\Admin\Desktop\MoveResume.doc
C:\Users\Admin\Desktop\ProtectRead.ppt
C:\Users\Admin\Desktop\RedoConvertTo.wma
C:\Users\Admin\Desktop\RepairShow.au3
C:\Users\Admin\Desktop\RestartClose.vstm
C:\Users\Admin\Desktop\ResumeRegister.scf
C:\Users\Admin\Desktop\StartClose.wdp
C:\Users\Admin\Desktop\StopGrant.i64
C:\Users\Admin\Desktop\SwitchStart.AAC
C:\Users\Admin\Desktop\SyncMerge.xlsx
C:\Users\Admin\Desktop\UnprotectClose.mht
C:\Users\Admin\Desktop\UnregisterResolve.ADT
C:\Users\Admin\Desktop\WatchFormat.dxf
C:\Users\Admin\Pictures\CompressAssert.tiff
C:\Users\Admin\Pictures\ConvertToCompare.gif
C:\Users\Admin\Pictures\DenySwitch.svgz
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\Pictures\EditPush.emz
C:\Users\Admin\Pictures\ExportCompare.jpg
C:\Users\Admin\Pictures\FindDisconnect.eps
C:\Users\Admin\Pictures\ImportFind.pcx
C:\Users\Admin\Pictures\InvokeSelect.ico
C:\Users\Admin\Pictures\InvokeUnregister.tif
C:\Users\Admin\Pictures\LockRead.crw
C:\Users\Admin\Pictures\LockResume.jpeg
C:\Users\Admin\Pictures\OutConvert.crw
C:\Users\Admin\Pictures\PingDebug.crw
C:\Users\Admin\Pictures\RenameCopy.pcx
C:\Users\Admin\Pictures\ResolveAssert.tif
C:\Users\Admin\Pictures\ResolveEnable.png
C:\Users\Admin\Pictures\SyncReceive.dib
C:\Users\Admin\Pictures\UninstallRename.jpg
C:\Users\Admin\Pictures\UnlockMerge.tiff
C:\Users\Admin\Pictures\Wallpaper.jpg
C:\Users\Admin\Pictures\Camera Roll\desktop.ini
C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
C:\Users\Admin\Documents\AddProtect.vssm
C:\Users\Admin\Documents\Are.docx
C:\Users\Admin\Documents\AssertExport.vsw
C:\Users\Admin\Documents\BackupConvertTo.mpp
C:\Users\Admin\Documents\BlockApprove.vsd
C:\Users\Admin\Documents\CompleteFind.vstx
C:\Users\Admin\Documents\ConnectWrite.dot
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Documents\Files.docx
C:\Users\Admin\Documents\FormatRedo.pub
C:\Users\Admin\Documents\HideRestore.vssx
C:\Users\Admin\Documents\InitializeRevoke.potm
C:\Users\Admin\Documents\JoinUninstall.odt
C:\Users\Admin\Documents\OpenBlock.potx
C:\Users\Admin\Documents\Opened.docx
C:\Users\Admin\Documents\OutMove.dotx
C:\Users\Admin\Documents\OutResize.ods
C:\Users\Admin\Documents\PingSplit.potm
C:\Users\Admin\Documents\PublishResolve.dotx
C:\Users\Admin\Documents\Recently.docx
C:\Users\Admin\Documents\RedoResize.mht
C:\Users\Admin\Documents\RegisterTest.vsw
C:\Users\Admin\Documents\RegisterWrite.pps
C:\Users\Admin\Documents\ResizeCheckpoint.pptm
C:\Users\Admin\Documents\ResizeExit.htm
C:\Users\Admin\Documents\ResumeMeasure.csv
C:\Users\Admin\Documents\ResumeSync.vstx
C:\Users\Admin\Documents\RevokeStart.pptx
C:\Users\Admin\Documents\SaveUninstall.odp
C:\Users\Admin\Documents\SaveUnregister.pptx
C:\Users\Admin\Documents\StepEnable.html
C:\Users\Admin\Documents\SubmitResume.dot
C:\Users\Admin\Documents\SubmitSearch.pub
C:\Users\Admin\Documents\SubmitUnprotect.xlsm
C:\Users\Admin\Documents\SuspendReset.xlt
C:\Users\Admin\Documents\These.docx
C:\Users\Admin\Documents\WriteDisable.txt
Targets

Target: SayLessRnm Window.exe
MD5: 52c527df9e7554e940c3c45b4e9b3e30
Filesize: 557KB
Score: 10/10
SHA1: ae182f41baae6a5f3c05803933ba77578772233c
SHA256: a6339f9ef7c91bc792626ff3765a46809dcada083c93a7e63fd01b0e91c1bb90
SHA512: eabb6293309e5ac13a9530efe8f3f75d6fa1102a6fed2a1825022fff584836796fc6eab97b42fe88cb618c987907b2c3224cfa79bec8b8f332f72a0f9412752c

Tags

Signatures

  • Modifies extensions of user files
    Description: Ransomware generally changes the extension on encrypted files.
    Tags

  • Drops desktop.ini file(s)

Related Tasks

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1
behavioral1: 10/10
behavioral2: 10/10