f32f50289e094e4ad347912d4a13edf1ba4ee273a9f330d2d6e81226a1ffe6eb

General

Target

ecfPJqv.bin.zip
Size

25KB
Sample

220214-s41y7sbcbl
MD5

7c347349047a69e1e0098e2f9b3edc98
SHA1

957d3881bcd64125967ade06c956bbbc75eca7ed
SHA256

f32f50289e094e4ad347912d4a13edf1ba4ee273a9f330d2d6e81226a1ffe6eb
SHA512

0fcbb9d2988c86742bdab155d9a603f8004f8db0743376fa4d7250583457d2d5fc44f01bb629afae9e97f97b443c1b7f7df44f7f2129f25c06a4df72778bd9c5

Score

10^/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\README_5326619.txt

Ransom Note

Ooops, your important files are encrypted. Your personal Id: miPvdwmABIEdOM0LLl0YKeqSNtHnv1clloxAncivcMQcVsvPkLKD68fYre2I8vPRYaHTlJV3DB1OidHXeuVeSHFXF47/rO2bvWNv2YKBDwSrXGvKhXCk0h4bzSYw05lh5tljWuT5K4S43/Q5fLi3LOkrny/aPIQSoxr6oBBH0qr39L3gxzytesNZJZf5iDb22sN01ckOAeKztfzuc7vW6YiU9dIML3XkG+oNpVJmBUrZy5gmR9+VMYKTQE6tAbNnkYz4jdU9ojEwz4mepUmHOnIWKIeRAasf4vO2U/B6GlHfSO6g1HELxL9TglnGbbq1vmjig/dezlXS5Is1Kqtw7w==&ZW4tVVNfNTMyNjYxOV9BZG1pbl8yLzE0LzIwMjIgMzo0MTo0MiBQTV9XaW4gN19ibHBvX2VjZlBKcXY= If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service. We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment and purchase the decryption key. Please follow the instructions: 1. Send $300 worth of Bitcoin to following address: 33Ui4qyDn3UNJgjY8UJJLsC5xydbQTgQKP 2. Send your Bitcoin wallet ID and personal id to e-mail [email protected]. ��

Emails

[email protected]

Wallets

33Ui4qyDn3UNJgjY8UJJLsC5xydbQTgQKP

Extracted

Path

C:\$Recycle.Bin\README_7639322.txt

Ransom Note

Ooops, your important files are encrypted. Your personal Id: eCWUVkbhLdcs0hkrcpL8Qc17pjCYeaqf77ms8COqk5sa71WfPo33oYhztUn+ytkuPnciXjk9tZsY//TxHfDuHN56Lz1/L/7RQA3WuRpTnpTFQFTl4iP+JovFo46gWXQFbKDOTgnelRy6XxranDgJTUGq744mu5zuXGeLwBHIifAxAvbBesuao1SkIGifHaVcDebfQfRtVXaGxw8IW1luOqD0cLE7WLPhjvG8o/p680q+b/ZPBryMQpWdDaR+BEfLeuU5bqjniVUPK05VfR1rydJmrqkLQ6pICr5QKUvmtNVRsdgmINlH1qcHheMPF4BRdWMgimE44J210ggYW3F+ag==&ZW4tVVNfNzYzOTMyMl9BZG1pbl8yLzE0LzIwMjIgNDo0MTo0MCBQTV9XaW4gMTBfYmxwb19lY2ZQSnF2 If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service. We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment and purchase the decryption key. Please follow the instructions: 1. Send $300 worth of Bitcoin to following address: 33Ui4qyDn3UNJgjY8UJJLsC5xydbQTgQKP 2. Send your Bitcoin wallet ID and personal id to e-mail [email protected]. ��

Emails

[email protected]

Wallets

33Ui4qyDn3UNJgjY8UJJLsC5xydbQTgQKP

Targets

- Target
  
  ecfPJqv.bin
- Size
  
  53KB
- MD5
  
  11fea5d1914bb2a69c21d33e4d57075e
- SHA1
  
  0805389d789d5d7cc1445c0b49563f8646975613
- SHA256
  
  9378b1a61cd599f6b2f21f7449d6cf35d260a7096aa1fdb9dfa2743457dfc9fc
- SHA512
  
  43fd021fd27a2cb5d56da23ab5dfe27efce0d57252ae25f139277f90658f2350153c781433d2dd4913bb5f79660ce861613d31d143d3ed207bc7b42ad1854bbe
Score

10^/10

evasion persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Disables Task Manager via registry modification
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2