Analysis
-
max time kernel
155s -
max time network
131s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
20-10-2021 09:41
General
-
Target
BuildS.exe
-
Size
53KB
-
MD5
d0feecd8202129bb9c19823a04cd93ce
-
SHA1
631b2e3c26dfa53778d881e592cc9e499e7f98bb
-
SHA256
0dc4a2e2f49b2a6265a3c011d186a6f79ca8356d49d1c687465a5d994b6db38a
-
SHA512
03676f15ee822f550e2dc5e979d205ce0f154d2e1062a7d8257931ca945c6f536de913f28f4abc0a399a0b1bacd380cbff3f26d0ec597c0d7593f349b121e097
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������2A C1 D5 CA E5 F2 CA 35 B4 D9 42 EB F9 13 A6 15
84 F7 E5 D2 5C 7F CE D5 35 1F D5 E8 BE 0A BD BE
D9 7A E8 28 0F ED 76 40 6F 35 D7 AD BD A9 46 C5
80 12 53 66 8B 9D 72 83 A2 E6 CF B5 B6 51 D2 77
BA CF 0B 08 99 D3 F8 74 64 B8 E8 CF 37 BA FC 9C
77 83 BE A3 AA F0 17 71 7E 28 38 92 E5 3C 93 9B
9F 6E 9F 26 9B 10 AF 74 CB C5 02 BE 92 F8 A9 DF
C8 BD 5E 71 16 83 CF 7E 37 29 B5 39 56 71 0E 6C
EB 59 F6 4E BD 90 D0 61 F8 B6 9E 97 29 18 63 D0
47 C7 50 2D 4E E0 D8 39 54 9A A9 E4 FC BF 73 3F
F8 A0 CC 92 90 45 DB 5A BB 64 87 28 26 EA 75 C6
5F A2 E6 E6 EF FA 4A 24 1C B0 D7 8D 54 F9 54 F0
2C BE 12 15 3F 26 85 ED E9 13 AB 34 C1 2B B9 F6
2C 1F 63 20 7E 44 15 81 97 50 16 B9 72 40 4F FE
00 BD 9A 1A 51 B2 68 D7 9A 13 B0 CB 52 7C 8B E2
81 33 CA 8B F8 66 17 E1 38 69 72 54 1A 7C 62 73
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
</a><br>
4. Start a chat and follow the further instructions. <br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="ithelp05@decorous.cyou ">ithelp05@decorous.cyou </a>
<br><a href="ithelp05@wholeness.business">ithelp05@wholeness.business</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�����������
Emails
href="ithelp05@decorous.cyou
">ithelp05@decorous.cyou
href="ithelp05@wholeness.business">ithelp05@wholeness.business</a>
Signatures
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 27 IoCs
-
Drops file in Program Files directory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\BuildS.exe"C:\Users\Admin\AppData\Local\Temp\BuildS.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1628-54-0x0000000076B61000-0x0000000076B63000-memory.dmpFilesize
8KB