Resubmissions

09-10-2021 11:33

211009-nn4ypsfcbm 10

09-10-2021 06:21

211009-g4aw8sfae6 10

General

  • Target

    SayLessRnm Window.exe

  • Size

    557KB

  • Sample

    211009-g4aw8sfae6

  • MD5

    52c527df9e7554e940c3c45b4e9b3e30

  • SHA1

    ae182f41baae6a5f3c05803933ba77578772233c

  • SHA256

    a6339f9ef7c91bc792626ff3765a46809dcada083c93a7e63fd01b0e91c1bb90

  • SHA512

    eabb6293309e5ac13a9530efe8f3f75d6fa1102a6fed2a1825022fff584836796fc6eab97b42fe88cb618c987907b2c3224cfa79bec8b8f332f72a0f9412752c

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\SAYLESS-RANSOMWARE.saylessrsnm.txt

Ransom Note
Your computer has been infected by SayLess-Ransomware. All your data and files have been encrypted with a MILITARY-GRADE LEVEL ENCRYPTION. To unlock them, send 500$ to the BTC adress below to get decryption key and restore your data... Or else your files are lost! DO NOT TURN OFF YOUR PC, IF YOU SO ALL YOUR FILES WILL BE CORRUPTED FOREVER.

Encryption Log:
====================================

Extracted

Path

C:\Users\Admin\Desktop\SAYLESS-RANSOMWARE.saylessrsnm.txt

Ransom Note
Your computer has been infected by SayLess-Ransomware. All your data and files have been encrypted with a MILITARY-GRADE LEVEL ENCRYPTION. To unlock them, send 500$ to the BTC adress below to get decryption key and restore your data... Or else your files are lost! DO NOT TURN OFF YOUR PC, IF YOU SO ALL YOUR FILES WILL BE CORRUPTED FOREVER.

Encryption Log:
====================================

Targets

    • Target

      SayLessRnm Window.exe

    • Size

      557KB

    • MD5

      52c527df9e7554e940c3c45b4e9b3e30

    • SHA1

      ae182f41baae6a5f3c05803933ba77578772233c

    • SHA256

      a6339f9ef7c91bc792626ff3765a46809dcada083c93a7e63fd01b0e91c1bb90

    • SHA512

      eabb6293309e5ac13a9530efe8f3f75d6fa1102a6fed2a1825022fff584836796fc6eab97b42fe88cb618c987907b2c3224cfa79bec8b8f332f72a0f9412752c

    Score
    10/10
    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops desktop.ini file(s)
