General

  • Target

    MoleculeV_.bin.zip

  • Size

    326KB

  • Sample

    211121-tr655ahba4

  • MD5

    c877aac2e331c95cca9a21397f56e3b6

  • SHA1

    682bbd52fae049a34a473a871ef547d65f4293f6

  • SHA256

    5808f60c452afaac69a4de6a345209e168a79b2a0c67de5ed0c227e6c4d2cc1c

  • SHA512

    9b8ab14fdce3d45b5930ea11204d2cba1841a8cbe19603250172e836d8e64a39096ec27f5f278710c338158a8595a3f970b2c11ebf14d5dfd24d5e7fca4587d0

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\READ_IT.txt

Ransom Note
What happened to your files? All your files are encrypted with RSA-4096, Read more on https://en.wikipedia.org/wiki/RSA_(cryptosystem) RSA is an algorithm used by modern computers to encrypt and decrypt the data. RSA is an asymmetric cryptographic algorithm. Asymmetric means that there are two different keys. This is also called public key cryptography, because one of the keys can be given to anyone: 1 - We encrypted your files with our Public key 2 - You can decrypt, the encrypted files with specific Private key and your private key is in our hands ( It's not possible to recover your files without our private key ) Is it possible to get back your data? Yes, We have a decrypter with the private key. We have one option to get all your data back. "Follow the instructions to get all your data back: Step 1 : You must send us 80$ worth of Bitcoin for your affected system Step 2 : After you sent us the bitcoin our system automatically decrypt all you files and our software will delete itself Our Bitcoin address is: 1AcXKNDs71c1QZgVNvFZVwQgWNBQDjvT4H Where to buy Bitcoin? The easiest way is LocalBitcoins, but you can find more websites to buy bitcoin using Google Search: buy bitcoin online MMoga.com Bitcoin gift cards is a fast way to buy bitcoins

Wallets

1AcXKNDs71c1QZgVNvFZVwQgWNBQDjvT4H

Targets

    • Target

      MoleculeV_.bin

    • Size

      461KB

    • MD5

      bb09e9b8daef63d4ebe21fcb2519c5d5

    • SHA1

      9adacd3ed8963404925d72efa1acca50dd9673b8

    • SHA256

      d47e0056a7336be404b2ddf56bdb6897046f6a6ddb0f38bb9f6674ca4c3eaf15

    • SHA512

      18f6d6023d1922a6e81833ef294e7fba4dde436fd67727d30a5f7c9f0b564cd940dca58217222f54454d2177a2fd4303389f4d4e4cd6e2d0290309cfc85f6267

    • Modifies Windows Defender Real-time Protection settings

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Executes dropped EXE

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Legitimate hosting services abused for malware hosting/C2

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Command-Line Interface (T1059): 1

  • Persistence

    Modify Existing Service (T1031): 1

  • Defense Evasion

    Modify Registry (T1112): 2

    Disabling Security Tools (T1089): 1

    Indicator Removal on Host (T1070): 1

    File Deletion (T1107): 3

  • Discovery

    System Information Discovery (T1082): 2

    Query Registry (T1012): 1

    Peripheral Device Discovery (T1120): 1

  • Command and Control

    Web Service (T1102): 1

  • Impact

    Inhibit System Recovery (T1490): 4

    Defacement (T1491): 1

Tasks