5521250278604800.zip

General

Target: 5521250278604800.zip
Size: 71KB
Sample: 211020-lqr1taghb5
Score: 10/10
MD5: 9e41a6912cb0b2ce755538602481038c
SHA1: 3d75f9a82c5c889280a43dc6409058b66aa20c13
SHA256: 43fba9b9b5d580914e6a0ecb62ed0a8ab1f5d5bb5a5a8ffd8efac748837f9bb5
SHA512: 4122e0952bf1b84348477f96d33904d15c65c2d98aa1cdbfd7aaf5664f0fdbb0d92834324f14cdb09b37bb054bce593fdc38e944dc7f417ac22ed03c69b62a20

Malware Config

Extracted

Path: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\!TXDOT_READ_ME!.txt

Ransom Note:
Greetings, Texas Department of Transportation! Read this message CAREFULLY and contact someone from IT department. Your files are securely ENCRYPTED. No third party decryption software EXISTS. MODIFICATION or RENAMING encrypted files may cause decryption failure. You can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all files from all affected systems ANY TIME. Encrypted file SHOULD NOT contain sensitive information (technical, backups, databases, large documents). The rest of data will be available after the PAYMENT. Infrastructure rebuild will cost you MUCH more. Contact us ONLY if you officially represent the whole affected network. The ONLY attachments we accept are non archived encrypted files for test decryption. Speak ENGLISH when contacting us. Mail us: txdot911@protonmail.com We kindly ask you not to use GMAIL, YAHOO or LIVE to contact us. The PRICE depends on how quickly you do it.

Emails: txdot911@protonmail.com

Targets

Target: 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7
Filesize: 156KB
Score: 10/10
MD5: 9832040cb9c0aa58cd12d656f82420ba
SHA1: 74a62abd145e9571e029db76c06c3100bfb3f4a9
SHA256: 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7
SHA512: f41ea39996bd4dd11d6df8250754612068e52e42da6c737340b0d73e71d487a2f9074ea0394957f34bb3cbc72a0cb3aa479b91a7c4177089ccdc1578a232cf49

Signatures

  • Deletes NTFS Change Journal
    Description: The USN change journal is a persistent NTFS log of changes made to files on a volume (present on every Windows edition, not only Windows Server). Backup software and forensic timelines rely on it, so deleting it both hampers recovery and removes evidence.
    TTPs: Inhibit System Recovery, Data Destruction

  • RansomEXX Ransomware
    Description: Targeted ransomware with variants that affect Windows and Linux systems.

  • Clears Windows event logs
    TTPs: Indicator Removal on Host

  • Modifies boot configuration data using bcdedit
    TTPs: Inhibit System Recovery

  • Deletes backup catalog
    Description: Uses wbadmin.exe to inhibit system recovery.
    TTPs: Command-Line Interface, File Deletion, Inhibit System Recovery

  • Disables use of System Restore points
    TTPs: Inhibit System Recovery

  • Modifies extensions of user files
    Description: Ransomware generally changes the extension on encrypted files.

  • Overwrites deleted data with Cipher tool
    Description: Cipher (cipher.exe /w) is a built-in Windows tool that can be used to securely wipe deallocated disk space, preventing recovery of deleted data.
    TTPs: Inhibit System Recovery

  • Enumerates connected drives
    Description: Attempts to read the root path of hard drives other than the default C: drive.
    TTPs: Query Registry, Peripheral Device Discovery, System Information Discovery
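The signatures above describe the recovery-inhibition and anti-forensics steps this family takes before encryption. The Python detector below is an added example, not part of the sandbox report and not taken from the sample's own trace: it scans process-creation records in an assumed "ts|host|parent|commandline" format (the sample records are constructed) for the command lines commonly behind each listed behaviour (fsutil usn deletejournal, wevtutil cl, bcdedit recoveryenabled/bootstatuspolicy, wbadmin delete catalog, a reg add of the SystemRestore DisableSR value, cipher /w). Each of these has legitimate administrative uses, so the second stage flags only hosts where several distinct behaviours cluster, which is the pre-encryption pattern the report documents. The exact command lines used by this sample are not in the report; the patterns here are assumptions.

```python
"""Flag recovery-inhibition / anti-forensics commands in process-creation logs.

Added example for the report above. The log format and the sample records
are constructed; the command-line patterns are the common ways of triggering
each listed behaviour, not this sample's observed command lines.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# One regex per behaviour listed under "Signatures" in the report.
RULES = {
    "Deletes NTFS Change Journal":
        re.compile(r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.I),
    "Clears Windows event logs":
        re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I),
    "Modifies boot configuration data using bcdedit":
        re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|"
                   r"bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "Deletes backup catalog":
        re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
    # Assumed mechanism: policy registry value that disables System Restore.
    "Disables use of System Restore points":
        re.compile(r"\breg(?:\.exe)?\s+add\b.*\\SystemRestore\b.*"
                   r"\bDisable(?:SR|Config)\b", re.I),
    "Overwrites deleted data with Cipher tool":
        re.compile(r"\bcipher(?:\.exe)?\s+/w:", re.I),
}

# Constructed records: ts|host|parent|commandline. Lines starting with '#' are comments.
SAMPLE_LOG = """\
# ts|host|parent|commandline  (constructed, not from the sample's trace)
2021-10-20T12:00:01Z|WS-FIN-07|cmd.exe|fsutil usn deletejournal /D C:
2021-10-20T12:00:02Z|WS-FIN-07|cmd.exe|wevtutil cl System
2021-10-20T12:00:02Z|WS-FIN-07|cmd.exe|wevtutil cl Security
2021-10-20T12:00:03Z|WS-FIN-07|cmd.exe|bcdedit /set {default} recoveryenabled No
2021-10-20T12:00:03Z|WS-FIN-07|cmd.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures
2021-10-20T12:00:04Z|WS-FIN-07|cmd.exe|wbadmin delete catalog -quiet
2021-10-20T12:00:05Z|WS-FIN-07|cmd.exe|reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
2021-10-20T12:00:06Z|WS-FIN-07|cmd.exe|cipher /w:C:\\
2021-10-20T12:05:00Z|SRV-BKP-01|powershell.exe|wbadmin start backup -backupTarget:E: -include:C: -quiet
2021-10-20T12:06:00Z|WS-HR-02|explorer.exe|notepad.exe C:\\Users\\jdoe\\notes.txt
2021-10-20T13:00:00Z|SRV-FS-03|cmd.exe|wevtutil cl Application
"""


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    parent: str
    cmdline: str


def parse_line(line: str) -> Event:
    """Parse one 'ts|host|parent|commandline' record (assumed format)."""
    ts, host, parent, cmdline = line.split("|", 3)
    return Event(ts.strip(), host.strip(), parent.strip(), cmdline.strip())


def classify(cmdline: str) -> list:
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(lines) -> list:
    """Return (event, rule_name) pairs for every matching record."""
    hits = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ev = parse_line(line)
        for name in classify(ev.cmdline):
            hits.append((ev, name))
    return hits


def hosts_staging_ransomware(hits, min_distinct: int = 3) -> list:
    """Hosts showing at least `min_distinct` different recovery-inhibition
    behaviours. A single wevtutil or wbadmin call is routine administration;
    several distinct behaviours on one host is the staging pattern above."""
    seen = defaultdict(set)
    for ev, name in hits:
        seen[ev.host].add(name)
    return sorted(h for h, names in seen.items() if len(names) >= min_distinct)


def run_report(log_text: str = SAMPLE_LOG):
    """Scan a log and return (hits, hosts_to_escalate)."""
    hits = scan(log_text.splitlines())
    return hits, hosts_staging_ransomware(hits)


if __name__ == "__main__":
    hits, hosts = run_report()
    for ev, name in hits:
        print(f"{ev.ts} {ev.host:<10} {name:<45} {ev.cmdline}")
    print("hosts with >=3 distinct recovery-inhibition behaviours:", hosts)
```

On the constructed log, WS-FIN-07 triggers all six rules within seconds and is escalated, while the backup server's wbadmin start backup and the lone wevtutil cl on SRV-FS-03 produce individual hits but do not cross the clustering threshold. Tune min_distinct and the time window to your environment; the rules are command-line matches only and will miss the same actions performed through WMI or direct API calls.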

Related Tasks

MITRE ATT&CK Matrix (tactic columns): Collection, Command and Control, Credential Access, Exfiltration, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1
behavioral1: 10/10
behavioral2: 10/10