ransomexx_win | 1699dd3b24dd5a405449a60f94b0043731deaa749d4899f2f927d913c624895b

General

Target

1699dd3b24dd5a405449a60f94b0043731deaa749d4899f2f927d913c624895b.bin.sample
Size

5.4MB
Sample

211130-qrtm9afafl
MD5

bf8dafaedf5b031ba01200e2ec608f96
SHA1

3e6689dc6a8a717b4114a7fe65bba594c597c7b9
SHA256

1699dd3b24dd5a405449a60f94b0043731deaa749d4899f2f927d913c624895b
SHA512

625535d71b2ca8a547924f08357eda1dc1d669b6c4ae1d0a436af1435fb9af58f24b63cde71588cee1785e36bb950c8c412db9c1e0541e65d11f2a13955fe7f6

Score

10^/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\!TXDOT_READ_ME!.txt

Ransom Note

Greetings, Texas Department of Transportation! Read this message CAREFULLY and contact someone from IT department. Your files are securely ENCRYPTED. No third party decryption software EXISTS. MODIFICATION or RENAMING encrypted files may cause decryption failure. You can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all files from all affected systems ANY TIME. Encrypted file SHOULD NOT contain sensitive information (technical, backups, databases, large documents). The rest of data will be available after the PAYMENT. Infrastructure rebuild will cost you MUCH more. Contact us ONLY if you officially represent the whole affected network. The ONLY attachments we accept are non archived encrypted files for test decryption. Speak ENGLISH when contacting us. Mail us: [email protected] We kindly ask you not to use GMAIL, YAHOO or LIVE to contact us. The PRICE depends on how quickly you do it. �

Emails

[email protected]

Targets

- Target
  
  1699dd3b24dd5a405449a60f94b0043731deaa749d4899f2f927d913c624895b.bin.sample
- Size
  
  5.4MB
- MD5
  
  bf8dafaedf5b031ba01200e2ec608f96
- SHA1
  
  3e6689dc6a8a717b4114a7fe65bba594c597c7b9
- SHA256
  
  1699dd3b24dd5a405449a60f94b0043731deaa749d4899f2f927d913c624895b
- SHA512
  
  625535d71b2ca8a547924f08357eda1dc1d669b6c4ae1d0a436af1435fb9af58f24b63cde71588cee1785e36bb950c8c412db9c1e0541e65d11f2a13955fe7f6
Score

10^/10

ransomexx_win evasion ransomware vmprotect
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- RansomEXX Ransomware
  Targeted ransomware with variants which affect Windows and Linux systems.
  ransomware ransomexx_win
- Clears Windows event logs
  evasion ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Disables use of System Restore points
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Overwrites deleted data with Cipher tool
  Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.
  ransomware
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2