General

  • Target

    291bea114eb566d39f69d8c2af059548.exe

  • Size

    45KB

  • Sample

    211019-rs1nmagac5

  • MD5

    291bea114eb566d39f69d8c2af059548

  • SHA1

    5a9fd8d8a1aa9e9ea1e6a01a55808b1040fae01a

  • SHA256

    daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e

  • SHA512

    e1df169940c3024bf20623088bfc5eb1c2b46763c247731a4a9b40770b37a2eb3dd7fc9246fe05337565676d1029e7236caa5876efe8576c6d58929a42e1b725

Malware Config

Extracted

Path

C:\read-me.txt

Ransom Note

All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Targets

    • Target

      291bea114eb566d39f69d8c2af059548.exe

    • Size

      45KB

    • MD5

      291bea114eb566d39f69d8c2af059548

    • SHA1

      5a9fd8d8a1aa9e9ea1e6a01a55808b1040fae01a

    • SHA256

      daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e

    • SHA512

      e1df169940c3024bf20623088bfc5eb1c2b46763c247731a4a9b40770b37a2eb3dd7fc9246fe05337565676d1029e7236caa5876efe8576c6d58929a42e1b725

    • Turns off Windows Defender SpyNet reporting

    • Windows security bypass

    • Nirsoft

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Drops desktop.ini file(s)

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                       Count  ID
  Defense Evasion    Disabling Security Tools        3      T1089
  Defense Evasion    Modify Registry                 3      T1112
  Credential Access  Credentials in Files            1      T1081
  Discovery          System Information Discovery    1      T1082
  Collection         Data from Local System          1      T1005

Tasks