059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample

General
Target

059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample

Size

28KB

Sample

211020-k6zvxsggh2

Score
10 /10
MD5

90cd7b4a952a6c929bd006f74125fb8c

SHA1

827e2e64857d77c18d26980a69ab54683ec6e7de

SHA256

059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5

SHA512

3e8a6bf872900f8b2cdb395aa71ada4d7999e5e2f9717d5761c26fee41f8d686e8d171e210f2f4e2535eedcd9122e1e7ab5c31ead255c6950ed0f99d8b040a73

Malware Config

Extracted

Path C:\[HOW TO RECOVER FILES].TXT
Family prolock
Ransom Note
Your files have been encrypted by ProLock Ransomware using RSA-2048 algorithm. [.:Nothing personal just business:.] No one can help you to restore files without our special decryption tool. To get your files back you have to pay the decryption fee in BTC. The final price depends on how fast you write to us. 1. Download TOR browser: https://www.torproject.org/ 2. Install the TOR Browser. 3. Open the TOR Browser. 4. Open our website in the TOR browser: msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion 5. Login using your ID D8756FE07320C1859F44 ***If you have any problems connecting or using TOR network: contact our support by email support981723721@protonmail.com [You'll receive instructions and price inside] The decryption keys will be stored for 1 month. We also have gathered your sensitive data. We would share it in case you refuse to pay. Decryption using third party software is impossible. Attempts to self-decrypting files will result in the loss of your data.
Emails

support981723721@protonmail.com

URLs

http://msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion

Targets
Target

059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5.sample

MD5

90cd7b4a952a6c929bd006f74125fb8c

Filesize

28KB

Score
10/10
SHA1

827e2e64857d77c18d26980a69ab54683ec6e7de

SHA256

059dd7e81265ce033d71a4cfb42549af473d70c5a8d50bc55e741f413b6e94e5

SHA512

3e8a6bf872900f8b2cdb395aa71ada4d7999e5e2f9717d5761c26fee41f8d686e8d171e210f2f4e2535eedcd9122e1e7ab5c31ead255c6950ed0f99d8b040a73

Tags

Signatures

  • ProLock Ransomware

    Description

    Rebranded update of PwndLocker first seen in March 2020.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
    Execution
      Exfiltration
        Initial Access
          Lateral Movement
            Persistence
              Privilege Escalation
                Tasks

                static1