a.zip

General

Target: a.zip
Size: 1MB
Sample: 211020-lnlq1sgha9
Score: 10/10
MD5: 05bda4bb2537515927645759f4492004
SHA1: fe892cd96ac631a15b9cbc93acfee9bb857ff4c5
SHA256: 34601e5edf184f46c37314559e0a361cbce3aadc451e09f8b84020232fa710ad
SHA512: b0e5708bf3c9fdc7cbb137985f6766b2c654de790fc909d0785a94101640dcd1628414b9fc71f58682ebd4a8736358b6218a1597be57bd27595e48e54dee9b29

Malware Config

Extracted

Path \??\Z:\Boot\HOW_TO_RECOVER_DATA.html
Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">2AA3FB9DAEE617228608CF4231C89769B639B360F3DE50E53444A777CB728DE887BEFDF74D6EBB782E2FAF84A430C3E71A717653D779A1B08A4999D0896DF340<br>99E312C798939E4512F9F12C227FFACAAEDEAED4CDAAF81673577F75AB3090AAB8DE42A9A3989BA9D811FEEA110972DB796A7185359BE2E5CD888DF75C80<br>D1AB0DEA83245E513E66F2E5556BA372474C36A9EDB8A3DC837E3CC117EA22F976ACA46E26D93456DE0DE9543ED880436F8529C6A6BAA8FD6642AAA2DEF6<br>17E95EF1FA4CAA65682EF2602F9A0415EAA9FE84DE36975E4AD20EAB19321B0ABB2F096857E28A07A4CE33552493BAB726A155DB46AD1B72D0EB7545278B<br>865BE9361A3DA031F35D0C4F4D901F761CBC070B46B8F4A37794BDE6885C0484FCA4F75BCBBA428C84265DCC53F7D652350196C4E56318753CE1102B11A3<br>39911B790843062898DEBFEBE407AC2E58148EBC66D307483257A2795232077816023880B96F1F23C7BEDDA5FE3FAD0FA3CCF2A0585527DE9580FB113DE8<br>723E663261AE6BEE48678E221F8D753D98764445E19631C164A25D85308E24AD4C0914F368F4F7801F8D054F1D68EA6AAB8A6335094EFA60193565F08448<br>CF8E060FFFB31EDE6326F27D0644A54467C8E49C6CB5FBFA811B0C9A920E95204F50266B7EAEC29CE5C9E9E4B7E08391
4185898F5C29D0FD383ABE7EDF95<br>A56229B9AA65003D516D09F82E4C</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>.onion </a><br> 4. Start a chat and follow the further instructions. 
<br><br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="behappy123456@cock.li ">behappy123456@cock.li </a> <br><a href="chinchoppa2299gayspilsss@yopmail.com">chinchoppa2299gayspilsss@yopmail.com</a> <br> <b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>
Emails

behappy123456@cock.li
chinchoppa2299gayspilsss@yopmail.com

Extracted

Path C:\Boot\HOW_TO_RECOVER_DATA.html
Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">6567B43AA1D1B9C404182703C02CEEAFCB92F29FAC6A173FFE4C1ABFDCC6CFCD3B800650084195DEACBCE2AFC07878104F6F36BAC36E308DB4418A42CBB5D14F<br>511E43A35E0A7CC8815D2B0FF3510A97627A30CD3EDB72E541EA9EDB839068E7FA350F0312BD720BD25CFF8C4D5069D6276394ABA61196B1678AF3FBA52E<br>CB049803C28857092FCC26CA9438B3E436126C57E8F67EDFB946F5F4CF70434CD7B1732E65E8A49E9DCE9A1635D94B788FD951F6D2DA8429FEF329FE5435<br>BF4467CC007E23BEF3BAF77BC4CFAC21677FC0F31547FDD63D305D976A1030EFED32556180319371FF2350A3199FE8813AAF79B1E4B302AF9E730530A09A<br>04D108510938AB5BC129FC05926378A6C41C531A8CE692E6D388B1A84A95615A935E806176A935C76F416BDF83BFA08EEF1DA694C8896694B1F8CA08BCB4<br>FCA38CD75166DC6BE260BC9AF5939959BBDB35135D42B56DCF3651B949612077FB67F4C03B64B742243F56D6DB6FA212DA26DAE2528C0C7C8BAD0654D2B7<br>419F80ACA4A9CD6A416E45F9C7F6A5F5B48CF73AE6C87B6DA19F6423757E4817211572E61993554CC5B4A08DD318DAFAFE9A3EBCE7067D9134D26194D35F<br>426817123C1D37A6FA08ECF2F68A86E34615E5D93385F9AF18AE44E0CDB1CB0E45E1CE4F94399828AB7F9905AAEB1F4D
2B801986137107BFCDFD68AAAF7B<br>A0438CCBD7A36C08E521996F6BAD</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>.onion </a><br> 4. Start a chat and follow the further instructions. 
<br><br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="behappy123456@cock.li ">behappy123456@cock.li </a> <br><a href="chinchoppa2299gayspilsss@yopmail.com">chinchoppa2299gayspilsss@yopmail.com</a> <br> <b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>
Emails

behappy123456@cock.li
chinchoppa2299gayspilsss@yopmail.com

Extracted

Path \??\Z:\Boot\HOW_TO_RECOVER_DATA.html
Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">CA8137EB96C768D50ED8DCE214A56E619CEB900374E2EE34B02455BFD8438FC96342F4AA8073491DFD7206493748B22964C5A1D78897DF4C04E7850340DDCF5F<br>4FFA2C43486F90059C7A702FCBDE92AC7CB30A875A478ECCE7BEF529E1A0A246DD66A01DA8D5D8DD62EE674EEFA2D8520489610941DC509683A043FC543B<br>63A2B97FF7D73FF4F57C414813CD0041E13FC5DB9C80930DDAE86548ABAC15F1BFD8E4F8FF0F6286250E1C2666BFCEE480F4B091CA10DB02C294CEDF7D8D<br>B4D66125BBEF32E9021ED453467E66DA60BC6C9D9DDF863EB1F2FCB2C34C870FFC7E3707F3158C57481433A18540D715C1DD4440935023709187AEA3E14B<br>EBD59B3114A69E411EF583CEF6B4A7ABC4CD5CA7B88B6AC867BA6FA2BC3847EE20946FEF65BDB82A5BEDE4D93B39EE7C1E2135C26B2A2541A16D3F549CA6<br>2442882EBB5E739E1BCB5BEB09FBBBCB63645DCF04D16C037D8765B18A0DC8BEAE218B51C3A6A6D1EC00295F210179CFDB422F1478DCC67F31DFE7F54DB1<br>638284062293F59200BCE0030F8272F629FC75F6F5D3203BFF123CDF46C4D6325B03A9C18224C5825DC9E491F078A55C5414C625CB9D2AE64CDCD7F27F5B<br>96B9087941E73968B1B6737A38D14164667D327FDD6F56FC7428603AB8EE6EF99FBF608A8631F2BED98E1FB9FC3934BC
67880743E7C294DADD23B796AEF2<br>30FAB86CC9B6AD2B6C4C61C7632F</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion </a><br> 4. Start a chat and follow the further instructions. 
<br><br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="ithelp05@decorous.cyou ">ithelp05@decorous.cyou </a> <br><a href="ithelp05@wholeness.business">ithelp05@wholeness.business</a> <br> <b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>
Emails

ithelp05@decorous.cyou
ithelp05@wholeness.business

Extracted

Path C:\Boot\HOW_TO_RECOVER_DATA.html
Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">7D369EE23A7C569863D9278D2E930E9CB0B1B5400AD42CF6FF4516A402EB9D73C7EB59B10D3378A412C95CB138BC0DAFB7121C5C0B45CCD0EB1BCA1B513902F8<br>AB7FB539E844BB03BD2C74C71B2B907C365652DA62B6730B8A4317CD079B912C99466D8C9CF9ED1BF4EC958B6800F4B086635A1F5E3DDD3FDA9FBC7DABFB<br>D1E7488117BAD12B3C810473EFE95328D33DE81EDE400F552E81F3E5D0C3189584C66902240315ED2BFF551D462E59A3D3B5AEFCEB73BEBF37E236DAD52C<br>C032F61B68572122B10FB9B3E4F784AED5B9B7336EA8869C08FFD3B68BD76F70DDF382C46A97636F21072964DD733C7042E804F2D7833232BF5C7CA442ED<br>C9171BD6A34A7327F1A584D70C59E519F314763B088F8ADC538F07B41657A5EAA30051B87E68AD90C146FE237506130CD008FBC40277300C90D3E808E729<br>19AE9493F60CB5F0125E8CEA30D60F59FF754C2CF3C55E59B61F0776748C4A7EF124EB2CF909C8C2C3EE34B66D41A9F94DDAF043E4201C42C552ABFD7ED0<br>FD865DE3DA8175E0088A34AB06BC9F76A6E678B1A9D0962AAC3B0447B3A20F89B2C71C726AF8F823D30743C3080EE3078E7C581A5A7B5292607B8AE49922<br>352F9260F3CC16CF98C10767D4AACB499FF93F7A3B97FBC63302A2933CBCFE27FADDC939E4B56A9F43C5062EDB3114FE
8AA20BA44D4C0829E611ABC57FC2<br>BC9745B5515F2E94B04695E86C8E</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion </a><br> 4. Start a chat and follow the further instructions. 
<br><br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="ithelp05@decorous.cyou ">ithelp05@decorous.cyou </a> <br><a href="ithelp05@wholeness.business">ithelp05@wholeness.business</a> <br> <b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>
Emails

ithelp05@decorous.cyou
ithelp05@wholeness.business

Extracted

Path C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW_TO_RECOVER_DATA.html
Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">D00BA3395A922D020FCF84623D8CB91AFCA649C03D9065AB8C2F40B517B65076513D0B5C6FD13013BFDFB93BF41EE8CCD89C33287A0A0D25C489E265A7E148D7<br>B747AF881231E28150CD874478F3822341EDAF0DBE4E8B9330C547434E7156BC94169317A7441A34ADBDBFDAD2F110AD6F0D5F83AC8A8CA38C3AC889D8D1<br>476C44F2A1F31AD5F113D010E60A0D7174CDEF0A9007BAFA57E2C2CED3EA07F86EE72315B4748349F1FE2B426D84967AECDBE99A1B496DE1B0ACE0E29093<br>A403AA03111AC0A4B6CC5926BD5FFDEF2B59B37E652109CEAB763FAC97EB21EFF7440017FF742BF7A5C879125A2A745B4A6DDA58F71C61F73677237E2C04<br>C60176705E255FEA9D41753E662688FF119E275A5509DA657AA2EDAB12CE3B0A3888624CB4FF39523DEC31BC64ACEC91A660F0D30FF9AE32DB67CDBA836B<br>F435979875B076A9B0B75A3AFFFE1CE786658016B7DD29FD92BAD9D24A0F97FD357B506DC0577A54DD2397762C172B5A90290F5F0DC08DBB8571BAEACE50<br>1450EEA8ECBFEE8E86CAEA0026F4247935190CEB4CE7019C1DF14C214684885808B5866A6D1ACA7AF9FDB620DE585A162CE2989FFED323754F94548E44FB<br>D454893501DF0489CEFF090262EC4295035C561E5A586B51F2E9A2771D6BB5FDB604655BB4CD83FF59539A784DEC4970
BE319F4ED2F841E9EAEA6D6F0FA3<br>0BD49EB3A0DB80DA7E9806425C2A</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>.onion </a><br> 4. Start a chat and follow the further instructions. 
<br><br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="coleman.dec@tutanota.com ">coleman.dec@tutanota.com </a> <br><a href="lauracc@msgsafe.io">lauracc@msgsafe.io</a> <br> <b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>
Emails

coleman.dec@tutanota.com
lauracc@msgsafe.io

Extracted

Path C:\Boot\HOW_TO_RECOVER_DATA.html
Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">938F438BF2473F534E3E7E318E0CD533B40809700CAC89745D69B3017D735215DD8CD5C6CD45A89567231217A3C63F691E7946E74A2F213DC4E3FC9AB896EA7B<br>F1519190CDB41E2E71C64BA0E82250A6697847E007A50AD262A1FC71A93510B44D9C895E2FF4D482A6B6A333E584E225F1D88DA94A14A5A58F5E57DC0377<br>8A9F3D7FAABEDCFA7404CD018BF33DA37520D2CECC79F10556FE9BD8768493260103F2FC1F48EB2F23F33727818D881C3FA9E477C7C3D3A0062BCFC0CB10<br>DB4AEF8A75516B2D757575E66726C9848D2A3C63362CE375222E8180F8B68F3243E5CBA61343BC167F36BA3FB35F35134D4CA256712E6FF2AECCD317265C<br>7D94F6ACD80355B278A64DD2240FAD9BA110D30E9F161418CC7AFE4E8B0A2B5D50F06C60AC1789F1208B8FF2686319095AF5EDA449F76D15367E24BFB941<br>E49F18BE7F51EC51E9DDD42DA03B9E13C4526CD8CFF0E3ABA5B83FE9042BE94753A32BE958BB081767EA03C4B82A9129B150234D0C60689A7E310D549CB5<br>19D332A77BDB91AD87580F4614E5A8A03FC1A4AD700EC1367854D2C929CAFBB5E0AA46545FC320DD8A83D59527BCC057A27F53A9F558DFD7D01C442ECB32<br>30117BA79979D74F466D971D694D1563FCEF6981D8BF06CD50D79E74732281884CDD697A01A6AA23D5E6480DC8375FBF
249BE33F0D55832FE3FEF6113DF2<br>F0BA067256415026096290D0A80B</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>.onion </a><br> 4. Start a chat and follow the further instructions. 
<br><br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="coleman.dec@tutanota.com ">coleman.dec@tutanota.com </a> <br><a href="lauracc@msgsafe.io">lauracc@msgsafe.io</a> <br> <b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>
Emails

coleman.dec@tutanota.com
lauracc@msgsafe.io

Extracted

Path \??\Z:\Boot\HOW_TO_RECOVER_DATA.html
Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">E633913101D05DB377453BBD5B76BAFD01022D5BAF91A6AD651A3820C1F162C2F3FB7473F5E01C060179495CF5E31B16A297B2FC6CC20E525F5F44AE88E68A38<br>B917EE30F047CDC57C75304455A0BC44E29F0CABBB5667277CA82547C489C878B2E52297AFAC769F91D21C3513C6B14312C6DA363E225C314EF53B62E28D<br>28FE8A43E608D270FD1691A7B0632E1257D0328B0AEDB07421DAEB2C94046DFA2101AF709FF41735115AA0C20B506941B7147B58FDCEB15787A2486ACDBE<br>C8A30021691DD97F0AFD868EA215682B9F19AD553A78FBEE4F5A86A5C23E154E52E4A1C36BAB8E494BEEC5F471FBB32730E852E6388A85F3E6FF4FDD96D6<br>FE95BCE92F8886B683A95A44C14ADE487F345E0ECF0C247E818209980003552989E9B00CD8558FE03FC1C027DE42516243EAB7EE212FA8188FC1C6911F1E<br>B3EC89B27A8677C2948653F6C80033CD2AA9D657C3514B324596EDCC17AB685E838A4FF6F681CC562FCB50A71EC28AEAF3473B1B50DD28C3C3B1E3D382FC<br>1B66CC8EC99904F708A1C817CD5DB4BF7B60B47F8CC59F269C1282EE4D01E80D5B2CB1E0D8B46B7C1A43FEC3047EBA0DBB9715690B645D4EEE479ACEDAA0<br>B0BC44BC34711BF7F4B3598F730BEEDA3920658C8976490E43A6946B7A44D4B78763D5C5A794730446232EA479796F83
9B2102613E0C47E65378779CB5D5<br>FA6E6DD053F6C8423DE45C98E99F</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion </a><br> 4. Start a chat and follow the further instructions. 
<br><br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="help_24_decr1@outlook.com ">help_24_decr1@outlook.com </a> <br><a href="help_24_decr2@outlook.com">help_24_decr2@outlook.com</a> <br> <b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>
Emails

help_24_decr1@outlook.com
help_24_decr2@outlook.com

Extracted

Path C:\Boot\HOW_TO_RECOVER_DATA.html
Ransom Note

Same note as the one extracted above (identical text and contact details; only the personal ID block differs).
Emails

help_24_decr1@outlook.com
help_24_decr2@outlook.com

Targets
Target

B.exe

MD5

c17b2c3980926b02136c0a5fb5dfdaa3

Filesize

669KB

Score

10/10

SHA1

938eb1b7f1d985d134957443d4c43ad551727b89

SHA256

4d2b250eb1691bd116eb0004a6b4526afe62631551d6d31d4da482ab5ec3b021

SHA512

f770b1dfd74e58ff9d67f0e91ac070e92251598efc45863acf827098cc52f2868c7e2698fd5b0a3a178ea1d1446d32882dfd0601526dbfb27df1251d76c5881b

Tags

Signatures

  • MedusaLocker

    Description

    Ransomware with several variants first seen in September 2019.

    Tags

  • MedusaLocker Payload

  • UAC bypass

    Tags

    TTPs

    Bypass User Account Control, Disabling Security Tools, Modify Registry
  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery
  • Executes dropped EXE

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System, Credentials in Files
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

Related Tasks

Target

Build.exe

MD5

b446b1c86f3d27bb39783f9d3a112a40

Filesize

669KB

Score

10/10

SHA1

d9f66f8db27686f4f3b2c7d17557c84077ac801f

SHA256

1f5eefc1feb47e11e53f82055ca0921fc1b1299dffa7972c6faeff1904fdad1d

SHA512

c2b7682c265060c1c62be0b4dceba7fed6882b9fdc9cbbd1d379608a482bf215d81a2a3c03cc2df709bc936ee7d06ff1250dde92808bd0e0d1f1ee3410c35d9a

Tags

Signatures

  • MedusaLocker

    Description

    Ransomware with several variants first seen in September 2019.

    Tags

  • MedusaLocker Payload

  • UAC bypass

    Tags

    TTPs

    Bypass User Account Control, Disabling Security Tools, Modify Registry
  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery
  • Executes dropped EXE

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System, Credentials in Files
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

Related Tasks

Target

READ.exe

MD5

5ec29d96f5fefb2d726f9e120786eaa9

Filesize

669KB

Score

10/10

SHA1

3f8d050bd4e823b1f2c681856d1ae6d9007d5861

SHA256

8ee1f51602f957fa82c7e9c0d834d28873307a0c576ab8c7cc99ca85fcf43b2e

SHA512

e21682f2bfee29cd0c0765a10463b2f57bde5996fa367ee2b8b6f7fae9bf5703aec24319ddf2e33890b352331f8fedda41d79ff04ec8a881a6469f6bdba0d5ff

Tags

Signatures

  • MedusaLocker

    Description

    Ransomware with several variants first seen in September 2019.

    Tags

  • MedusaLocker Payload

  • UAC bypass

    Tags

    TTPs

    Bypass User Account Control, Disabling Security Tools, Modify Registry
  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery
  • Executes dropped EXE

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System, Credentials in Files
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

Related Tasks

Target

rb.exe

MD5

ae286ff258c5ec1d15a4fd3f64875d5b

Filesize

669KB

Score

10/10

SHA1

576b9e76e385b389f859ee4bde2d12776bbaedca

SHA256

ce0facb2c24c71a20117e27af3aed9d6815500eeadba6e79b472bef539d82769

SHA512

f2cf299e20571701ab7a7ad82103317279e8378f114e3de76b22580eb5e8263a025af1fb653b27323645e0ac63983dcbf6f609154a16e8e9d6c81531c369183b

Tags

Signatures

  • MedusaLocker

    Description

    Ransomware with several variants first seen in September 2019.

    Tags

  • MedusaLocker Payload

  • UAC bypass

    Tags

    TTPs

    Bypass User Account Control, Disabling Security Tools, Modify Registry
  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery
  • Executes dropped EXE

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System, Credentials in Files
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

Related Tasks

MITRE ATT&CK Matrix

Command and Control
Credential Access
Execution
Exfiltration
Initial Access
Lateral Movement
Persistence
Privilege Escalation