General

  • Target

    sample1.zip

  • Size

    9KB

  • Sample

    211027-ktq29abbd8

  • MD5

    3965d7736e0743be34167a40d2cfc254

  • SHA1

    2836eec65f0a72c234ebf2e0389934316ad70036

  • SHA256

    89887eed284bfd0444ab36df7302b5b5732898d1a32e11440ec39c059dba4e3d

  • SHA512

    9c118512eeb73510ac8868064079c4a0ffe0e4d37db9c30aa0bdba7ce8d2ef4e0cff72a69fa90dcd943386c739199fbc6f2076f98a586a97ce366c356957383d

Malware Config

Extracted

Path

C:\[HOW TO RECOVER FILES].TXT

Family

prolock

Ransom Note
Your files have been encrypted by ProLock Ransomware using RSA-2048 algorithm. [.:Nothing personal just business:.] No one can help you to restore files without our special decryption tool. To get your files back you have to pay the decryption fee in BTC. The final price depends on how fast you write to us. 1. Download TOR browser: https://www.torproject.org/ 2. Install the TOR Browser. 3. Open the TOR Browser. 4. Open our website in the TOR browser: msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion 5. Login using your ID D8756FE07320C1859F44 ***If you have any problems connecting or using TOR network: contact our support by email support981723721@protonmail.com [You'll receive instructions and price inside] The decryption keys will be stored for 1 month. We also have gathered your sensitive data. We would share it in case you refuse to pay. Decryption using third party software is impossible. Attempts to self-decrypting files will result in the loss of your data.
Emails

support981723721@protonmail.com

URLs

http://msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion

Targets

    • Target

      dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178.sample

    • Size

      14KB

    • MD5

      3355ace345e98406bdb331ccad568386

    • SHA1

      81d5888bb8d43d88315c040be1f51db6bb5cf64c

    • SHA256

      dfbd62a3d1b239601e17a5533e5cef53036647901f3fb72be76d92063e279178

    • SHA512

      55223ee6f387252a401e62cd5b619afafcb3d63cb33cd1b9a12d782dadc9e68b95062363863f70f13eb28f751da710b78161f7efda464d66b1f98741e56f50e1

    • ProLock Ransomware

      Rebranded update of PwndLocker first seen in March 2020.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies Installed Components in the registry

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Sets service image path in registry

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

3
T1060

Defense Evasion

File Deletion

2
T1107

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

4
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

5
T1082

Remote System Discovery

1
T1018

Collection

Data from Local System

1
T1005

Impact

Inhibit System Recovery

2
T1490

Tasks