General

  • Target

    InternalCrossContextDelega.exe

  • Size

    429KB

  • Sample

    220114-grf8gsefc9

  • MD5

    22367699e131a9d98f842a1003fd193a

  • SHA1

    c275084d65f845b4d957c05b874fade071193468

  • SHA256

    a7018ff4aaaaebda06615da54ab7d3dcfe06ffda501254eb9654aa27152629bb

  • SHA512

    26aedfe2eede18f72425f37d57fde838466345187f1df365528b0798a2f323badfbbb4f3b5571c4ea554cdb757dc0b7b2f7c87f5ae88c6e2cee41eaa92b6e828

Malware Config

Extracted

Path

C:\Users\Admin\RECOVERY INFORMATION.txt

Ransom Note

YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. CONTACT US: recohelper@cock.li mallox@tutanota.com YOUR PERSONAL ID: 80323638DFC1
Emails

recohelper@cock.li

mallox@tutanota.com

Extracted

Path

C:\$Recycle.Bin\RECOVERY INFORMATION.txt

Ransom Note

YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. CONTACT US: recohelper@cock.li mallox@tutanota.com YOUR PERSONAL ID: 8CC5CEF4A363
Emails

recohelper@cock.li

mallox@tutanota.com

Targets

    • TargetCompany

      Ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.

    • TargetCompany Payload

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Modifies service settings

      Alters the configuration of existing services.

    • Stops running service(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Modify Existing Service (T1031): 2

  • Defense Evasion

    File Deletion (T1107): 2

    Impair Defenses (T1562): 1

  • Discovery

    Query Registry (T1012): 1

    Peripheral Device Discovery (T1120): 1

    System Information Discovery (T1082): 2

    Remote System Discovery (T1018): 1

  • Impact

    Inhibit System Recovery (T1490): 3

    Service Stop (T1489): 1

Tasks