Overview

overview

10

Static

static

dfbd62a3d1...le.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample

  • Size

    14KB

  • Sample

    211020-k4ef7sggg7

  • MD5

    3355ace345e98406bdb331ccad568386

  • SHA1

    81d5888bb8d43d88315c040be1f51db6bb5cf64c

  • SHA256

    dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178

  • SHA512

    55223ee6f387252a401e62cd5b619afafcb3d63cb33cd1b9a12d782dadc9e68b95062363863f70f13eb28f751da710b78161f7efda464d66b1f98741e56f50e1

Score
10/10
prolockransomwarespywarestealer

Malware Config

Extracted

Path

C:\[HOW TO RECOVER FILES].TXT

Family

prolock

Ransom Note
Your files have been encrypted by ProLock Ransomware using RSA-2048 algorithm. [.:Nothing personal just business:.] No one can help you to restore files without our special decryption tool. To get your files back you have to pay the decryption fee in BTC. The final price depends on how fast you write to us. 1. Download TOR browser: https://www.torproject.org/ 2. Install the TOR Browser. 3. Open the TOR Browser. 4. Open our website in the TOR browser: msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion 5. Login using your ID D8756FE07320C1859F44 ***If you have any problems connecting or using TOR network: contact our support by email support981723721@protonmail.com [You'll receive instructions and price inside] The decryption keys will be stored for 1 month. We also have gathered your sensitive data. We would share it in case you refuse to pay. Decryption using third party software is impossible. Attempts to self-decrypting files will result in the loss of your data.
Emails

support981723721@protonmail.com

URLs

http://msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion

Targets

    • Target

      dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample

    • Size

      14KB

    • MD5

      3355ace345e98406bdb331ccad568386

    • SHA1

      81d5888bb8d43d88315c040be1f51db6bb5cf64c

    • SHA256

      dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178

    • SHA512

      55223ee6f387252a401e62cd5b619afafcb3d63cb33cd1b9a12d782dadc9e68b95062363863f70f13eb28f751da710b78161f7efda464d66b1f98741e56f50e1

    Score
    10/10
    prolockransomwarespywarestealer

    • ProLock Ransomware

      Rebranded update of PwndLocker first seen in March 2020.

      ransomwareprolock

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

3
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Tasks