Overview

overview

10

Static

static

ConsoleApp7.exe

windows7_x64

10

ConsoleApp7.exe

windows10_x64

10

Resubmissions

03-02-2022 13:26

220203-qpq5cahggm 3

01-02-2022 11:13

220201-nbqkjsdear 10

01-02-2022 11:12

220201-na5m3sdeak 10

31-12-2021 08:31

211231-keqg6sggb4 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ConsoleApp7.exe

  • Size

    53KB

  • Sample

    211231-keqg6sggb4

  • MD5

    b2993b2a7a1edba14742564de7e85cb2

  • SHA1

    cf7f1085978128cc082aec921d34d6d25e4ab19b

  • SHA256

    800b4455105a08833332092017909f9dd47bd4ebfb1cbddbe0b95658d03b8d64

  • SHA512

    a64951f5026a2f3bb01652bae0267b1d4b88b017a64208bb2e556a755a44e86eab0df33d43e759defe4caefc30693099b74fa1ebac90ff323ac2e555f51d892a

Score
10/10
targetcompanydiscoveryevasionransomware

Malware Config

Extracted

Path

C:\Users\Admin\RECOVERY INFORMATION.txt

Ransom Note
YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. CONTACT US: [email protected] [email protected] YOUR PERSONAL ID: 77A2C588DF7F �

Extracted

Path

C:\$Recycle.Bin\RECOVERY INFORMATION.txt

Ransom Note
YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. CONTACT US: [email protected] [email protected] YOUR PERSONAL ID: 5E723FBCF56B �

Targets

    • Target

      ConsoleApp7.exe

    • Size

      53KB

    • MD5

      b2993b2a7a1edba14742564de7e85cb2

    • SHA1

      cf7f1085978128cc082aec921d34d6d25e4ab19b

    • SHA256

      800b4455105a08833332092017909f9dd47bd4ebfb1cbddbe0b95658d03b8d64

    • SHA512

      a64951f5026a2f3bb01652bae0267b1d4b88b017a64208bb2e556a755a44e86eab0df33d43e759defe4caefc30693099b74fa1ebac90ff323ac2e555f51d892a

    Score
    10/10
    targetcompanydiscoveryevasionransomware

    • TargetCompany

      Ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.

      ransomwaretargetcompany

    • TargetCompany Payload

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Nirsoft

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Modifies service settings

      Alters the configuration of existing services.

      evasion

    • Stops running service(s)

      evasion

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks