Resubmissions

17-05-2024 14:06

240517-reh7esbc83 10

17-05-2024 14:05

240517-rdxnesbb2x 10

17-05-2024 14:04

240517-rdkc4aba91 10

17-05-2024 14:00

240517-raznlsbc33 10

09-01-2022 14:18

220109-rl99gsdee2 10

General

  • Target

    00ed4c347cd62526226363a0aceb851b2ef7e3a4da78433a28f2cd6cbd5f1b99.bin

  • Size

    66KB

  • Sample

    220109-rl99gsdee2

  • MD5

    2c26b319e378755596f0ac6d293798c8

  • SHA1

    280a4cfcf5dd87898c3731b680efe061bdb7a9fe

  • SHA256

    00ed4c347cd62526226363a0aceb851b2ef7e3a4da78433a28f2cd6cbd5f1b99

  • SHA512

    0c2b53a3fed1dbbae64e7f1e7c17a89b5dc607ba40caecd5496e18ffd84cdad844e926742d9fc82a715d6e8b01a1c483d97d54f5be1f2d6997107946f2a3fe4b

Score
10/10

Malware Config

Extracted

Path

\??\c:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RecoveryManual.html

Ransom Note
<html> <head> <title>RECOVERY MANUAL</title> </head> <body> <h1>Your ClientId:</h1> <b> <pre> acc47d8e8c2a4ba5c4c325fca35d0ae43795710dddb764d8eb0e40e1d5779858 </pre> </b> <hr/> If you are here, you want to know what happened.<br><br> We infiltrated your network, controlled it for a while, examined your data, downloaded sensitive information and finally encrypted your computers.<br> Your files are safe, but encrypted. Any attempt to decrypt files with third-party software will permanently corrupt content.<br><br> <b>What now?</b><br><br> We advise you to be in touch and start negotiations, otherwise your confidential data will be published on few our news sites and promoted in all possible ways.<br> Data publication and even the fact of this leak for sure will lead to significant losses for your company: <ul> <li>government fines <li>lawsuits and as a result legal claims payments <li>additional expenses on law services <li>data recovery </ul> Also you shouldn't underestimate huge damage for your reputation, which can cause crash of equity prices, clients withdrawal and other negative consequences.<br><br> <b>But don't panic! We are doing business, not war.</b><br><br> We can unlock your data and keep everything in secret. All, what we want is a ransom.<br><br> If we can reach an agreement, you also get: <ul> <li>security report <li>full file tree of compromised data <li>downloaded data unrecoverable deletion <li>support with unlocking and network protection advice. </ul> <b>How can you contact us?</b><br> Visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons.<br> <a href="http://evl425tkt4hkwryyplvqu6bn6slfow3fa4xwgvwe5t4zf6gizs3ewuyd.onion/?cid=acc47d8e8c2a4ba5c4c325fca35d0ae43795710dddb764d8eb0e40e1d5779858">http://evl425tkt4hkwryyplvqu6bn6slfow3fa4xwgvwe5t4zf6gizs3ewuyd.onion/?cid=acc47d8e8c2a4ba5c4c325fca35d0ae43795710dddb764d8eb0e40e1d5779858</a> <ul> <li>Password field should be blank for the first login. <li>Note that this server is available via Tor browser only. </ul> Follow the instructions to open the link: <ol> <li>Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor Project website. <li>Press "Download Tor", then press "Download Tor Browser Bundle", install and run it. <li>Now you have Tor browser. In the Tor Browser open "http://evl425tkt4hkwryyplvqu6bn6slfow3fa4xwgvwe5t4zf6gizs3ewuyd.onion/?cid=acc47d8e8c2a4ba5c4c325fca35d0ae43795710dddb764d8eb0e40e1d5779858". <li>Start a chat and introduce yourself (Company name and your position). </ol> Password field should be blank for the first login. You can ask an operator to set password later. </body> </html>

Extracted

Path

\??\c:\odt\RecoveryManual.html

Ransom Note
<html> <head> <title>RECOVERY MANUAL</title> </head> <body> <h1>Your ClientId:</h1> <b> <pre> acc47d8e8c2a4ba5c4c325fca35d0ae42c8c6c10daa377daeb0e40e1d577984a </pre> </b> <hr/> If you are here, you want to know what happened.<br><br> We infiltrated your network, controlled it for a while, examined your data, downloaded sensitive information and finally encrypted your computers.<br> Your files are safe, but encrypted. Any attempt to decrypt files with third-party software will permanently corrupt content.<br><br> <b>What now?</b><br><br> We advise you to be in touch and start negotiations, otherwise your confidential data will be published on few our news sites and promoted in all possible ways.<br> Data publication and even the fact of this leak for sure will lead to significant losses for your company: <ul> <li>government fines <li>lawsuits and as a result legal claims payments <li>additional expenses on law services <li>data recovery </ul> Also you shouldn't underestimate huge damage for your reputation, which can cause crash of equity prices, clients withdrawal and other negative consequences.<br><br> <b>But don't panic! We are doing business, not war.</b><br><br> We can unlock your data and keep everything in secret. All, what we want is a ransom.<br><br> If we can reach an agreement, you also get: <ul> <li>security report <li>full file tree of compromised data <li>downloaded data unrecoverable deletion <li>support with unlocking and network protection advice. </ul> <b>How can you contact us?</b><br> Visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons.<br> <a href="http://evl425tkt4hkwryyplvqu6bn6slfow3fa4xwgvwe5t4zf6gizs3ewuyd.onion/?cid=acc47d8e8c2a4ba5c4c325fca35d0ae42c8c6c10daa377daeb0e40e1d577984a">http://evl425tkt4hkwryyplvqu6bn6slfow3fa4xwgvwe5t4zf6gizs3ewuyd.onion/?cid=acc47d8e8c2a4ba5c4c325fca35d0ae42c8c6c10daa377daeb0e40e1d577984a</a> <ul> <li>Password field should be blank for the first login. <li>Note that this server is available via Tor browser only. </ul> Follow the instructions to open the link: <ol> <li>Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor Project website. <li>Press "Download Tor", then press "Download Tor Browser Bundle", install and run it. <li>Now you have Tor browser. In the Tor Browser open "http://evl425tkt4hkwryyplvqu6bn6slfow3fa4xwgvwe5t4zf6gizs3ewuyd.onion/?cid=acc47d8e8c2a4ba5c4c325fca35d0ae42c8c6c10daa377daeb0e40e1d577984a". <li>Start a chat and introduce yourself (Company name and your position). </ol> Password field should be blank for the first login. You can ask an operator to set password later. </body> </html>

Targets

    • Target

      00ed4c347cd62526226363a0aceb851b2ef7e3a4da78433a28f2cd6cbd5f1b99.bin

    • Size

      66KB

    • MD5

      2c26b319e378755596f0ac6d293798c8

    • SHA1

      280a4cfcf5dd87898c3731b680efe061bdb7a9fe

    • SHA256

      00ed4c347cd62526226363a0aceb851b2ef7e3a4da78433a28f2cd6cbd5f1b99

    • SHA512

      0c2b53a3fed1dbbae64e7f1e7c17a89b5dc607ba40caecd5496e18ffd84cdad844e926742d9fc82a715d6e8b01a1c483d97d54f5be1f2d6997107946f2a3fe4b

    Score
    10/10
    • MountLocker Ransomware

      Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks