General

  • Target

    351a60540598985eb6bc5e9e3a29faffd451700736a0056195f12ac0e3e56428

  • Size

    56KB

  • Sample

    220211-hvp58sdgfl

  • MD5

    c0eb95eb8e28064da2bce67c829fe598

  • SHA1

    97953f4e1e0001155c05ce73ed7dba6fa77b0807

  • SHA256

    351a60540598985eb6bc5e9e3a29faffd451700736a0056195f12ac0e3e56428

  • SHA512

    6efeb4eda76b4807cd8f40d70d796721d9e885e82cba12244c96b0786eda962ee6885d4321b742c16df950c3301dc15abf594f92aae4c5ecd0ef1cc4270c4dcd

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 15px; color: #000000; background: #4A83FD; } .tabs1 .identi { margin-left: 15px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top: 0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>…</pre><!-- !!! dont changing this !!! 
--> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>&#9760; Your files are encrypted! &#9760;</h1> <hr/> <h3>All your important data has been encrypted.</h3> <br/> <div class="text"> <!--text data --> To recover data you need decryptor.</br> To get the decryptor you should:</br> <h1 align="left">pay to decrypt your busines network(all computers) - 10 BTC:</h1> <div align="left"> <h1>site for buy bitcoin:<br> </h1> </div> <div align="left"> <strong>Buy 10 BTC on one of these sites</strong> </div> <div align="left"> <ol> <li><strong>https://localbitcoins.com</strong></li> <li><strong>https://www.coinbase.com</strong></li> <li><strong>https://xchange.cc</strong></li> </ol> </div> <div align="left"> <h1>bitcoin adress to pay:<br> </h1> </div> <div align="left">123mK1a2TkCJdTtZqQGBEDNQ5GnjdwDNdj</div> <div align="left"><strong>Send 10 BTC for decrypt</strong></div> </div> <div> <h1>After the payment: </h1> </div> <div><p>Send screenshot of payment to <span class="mark">[email protected] or [email protected]</span>. In the letter include your personal ID (look at the beginning of this document).</p> </div> <div> <h1 align="center">After you will receive a decryptor and instructions</h1> </div> <center>Attention!</center></br> <ul> <li>Only our team can decrypt your files.</li> <li>No Payment = No decryption!</li> <li>You really get decryptor after payment. As a guarantee you can send 1 test image or text file on our email(In letter include your personal ID)</li> <li>Do not attempt to remove programm or run any antivirus tools! 
This doesn't help :)</li> <li>Decoders of other users are not compatible with your data, because each infected computer have unique encryption key!!!</li> <li>Attempts to self-decrypting files will ressult in the loss of your data.</li> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>
Emails

[email protected]

[email protected]



MITRE ATT&CK Enterprise v6

Tasks