Overview

overview

10

Static

static

7e6cd2bf82...in.exe

windows7_x64

10

7e6cd2bf82...in.exe

windows10_x64

10

Resubmissions

01-02-2022 11:14

220201-nb6a1adebm 3

05-01-2022 11:54

220105-n2wjgsaegq 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7e6cd2bf820d81c9389c549cfe482bcdb1b57c5f39d53b63cd1efb79699e7ae6.bin

  • Size

    75KB

  • Sample

    220105-n2wjgsaegq

  • MD5

    a765dbcbac57a712e2eb748fe6fd5e7c

  • SHA1

    59c51f9d5f699b6aa6b3e37fcd93da87ce79d815

  • SHA256

    7e6cd2bf820d81c9389c549cfe482bcdb1b57c5f39d53b63cd1efb79699e7ae6

  • SHA512

    9ab1aa09e965014b56aadeddbe38b44de343942857431b6490a53b143b9232f6da3415d6245ee774a35538196ad000c66fdc673db98fb84bd7615af04a7e1a8c

Score
10/10
targetcompanyevasionpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\RECOVERY INFORMATION.txt

Ransom Note
YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. CONTACT US: [email protected] [email protected] YOUR PERSONAL ID: 558B95374764 �

Extracted

Path

C:\$Recycle.Bin\RECOVERY INFORMATION.txt

Ransom Note
YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. CONTACT US: [email protected] [email protected] YOUR PERSONAL ID: 0630D6481BAD �

Targets

    • Target

      7e6cd2bf820d81c9389c549cfe482bcdb1b57c5f39d53b63cd1efb79699e7ae6.bin

    • Size

      75KB

    • MD5

      a765dbcbac57a712e2eb748fe6fd5e7c

    • SHA1

      59c51f9d5f699b6aa6b3e37fcd93da87ce79d815

    • SHA256

      7e6cd2bf820d81c9389c549cfe482bcdb1b57c5f39d53b63cd1efb79699e7ae6

    • SHA512

      9ab1aa09e965014b56aadeddbe38b44de343942857431b6490a53b143b9232f6da3415d6245ee774a35538196ad000c66fdc673db98fb84bd7615af04a7e1a8c

    Score
    10/10
    targetcompanyevasionpersistenceransomware

    • Modifies WinLogon for persistence

      persistence

    • TargetCompany

      Ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.

      ransomwaretargetcompany

    • TargetCompany Payload

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Modifies service settings

      Alters the configuration of existing services.

      evasion

    • Stops running service(s)

      evasion

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks