General

  • Target

    5521250278604800.zip

  • Size

    71KB

  • Sample

    211020-lqr1taghb5

  • MD5

    9e41a6912cb0b2ce755538602481038c

  • SHA1

    3d75f9a82c5c889280a43dc6409058b66aa20c13

  • SHA256

    43fba9b9b5d580914e6a0ecb62ed0a8ab1f5d5bb5a5a8ffd8efac748837f9bb5

  • SHA512

    4122e0952bf1b84348477f96d33904d15c65c2d98aa1cdbfd7aaf5664f0fdbb0d92834324f14cdb09b37bb054bce593fdc38e944dc7f417ac22ed03c69b62a20

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\!TXDOT_READ_ME!.txt

Ransom Note
Greetings, Texas Department of Transportation! Read this message CAREFULLY and contact someone from IT department. Your files are securely ENCRYPTED. No third party decryption software EXISTS. MODIFICATION or RENAMING encrypted files may cause decryption failure. You can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all files from all affected systems ANY TIME. Encrypted file SHOULD NOT contain sensitive information (technical, backups, databases, large documents). The rest of data will be available after the PAYMENT. Infrastructure rebuild will cost you MUCH more. Contact us ONLY if you officially represent the whole affected network. The ONLY attachments we accept are non archived encrypted files for test decryption. Speak ENGLISH when contacting us. Mail us: txdot911@protonmail.com We kindly ask you not to use GMAIL, YAHOO or LIVE to contact us. The PRICE depends on how quickly you do it. �
Emails

txdot911@protonmail.com

Targets

    • Target

      480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7

    • Size

      156KB

    • MD5

      9832040cb9c0aa58cd12d656f82420ba

    • SHA1

      74a62abd145e9571e029db76c06c3100bfb3f4a9

    • SHA256

      480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7

    • SHA512

      f41ea39996bd4dd11d6df8250754612068e52e42da6c737340b0d73e71d487a2f9074ea0394957f34bb3cbc72a0cb3aa479b91a7c4177089ccdc1578a232cf49

    • Deletes NTFS Change Journal

      The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

    • RansomEXX Ransomware

      Targeted ransomware with variants which affect Windows and Linux systems.

    • Clears Windows event logs

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables use of System Restore points

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Overwrites deleted data with Cipher tool

      Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v6

Execution

Command-Line Interface

1
T1059

Defense Evasion

Indicator Removal on Host

1
T1070

File Deletion

1
T1107

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

3
T1082

Impact

Inhibit System Recovery

5
T1490

Data Destruction

1
T1485

Tasks