General

  • Target

    de9d7afe742c551522bafb785c706f4f.exe

  • Size

    1.2MB

  • Sample

    211207-p6d1nscbe8

  • MD5

    de9d7afe742c551522bafb785c706f4f

  • SHA1

    42e476b69971ee796704f5975aaacd2ecd38d9d9

  • SHA256

    5bfba90917bc5e5acd1b61ac2ffdcbbd8fec71eb7fdfb0b681207cc2371d5b94

  • SHA512

    919a426d0de0032fc52ac55ce9444721b5b238c2a94faa7b11478218d5269a23e09eca60e26d08fa50f15167de04950ec67db06a38e437a47d941e329395eaf6

Score
10/10

Malware Config

Extracted

Path

\??\M:\Boot\cs-CZ\Read_Me.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted
The only method of recovering files is to purchase an unique decryptor.
Only we can give you this decryptor and only we can recover your files.
The server with your decryptor is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
1. Download Tor browser - https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101DTIYODTI
5. and open ticket
----------------------------------------------------------------------------------------
Alternate communication channel here: https://yip.su/2QstD5
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101DTIYODTI

https://yip.su/2QstD5

Extracted

Path

C:\Boot\bg-BG\Read_Me.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted
The only method of recovering files is to purchase an unique decryptor.
Only we can give you this decryptor and only we can recover your files.
The server with your decryptor is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
1. Download Tor browser - https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HIKMNPRS
5. and open ticket
----------------------------------------------------------------------------------------
Alternate communication channel here: https://yip.su/2QstD5
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HIKMNPRS

https://yip.su/2QstD5

Targets

    • Modifies Installed Components in the registry

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

      Registry Run Keys / Startup Folder    1    T1060

  • Defense Evasion

      Modify Registry    1    T1112

  • Discovery

      Query Registry    3    T1012

      Peripheral Device Discovery    2    T1120

      System Information Discovery    3    T1082
