General

  • Target

    af24612700c0105cf990148b19e5140314a55701c7022ccd2811e8ee29d68d74.bin.sample.gz

  • Size

    15KB

  • Sample

    220217-wnmcnacha2

  • MD5

    9b4e1ae962380ff1fe65d2ec52ebe55f

  • SHA1

    18cdb240ed6a012ad4631d32648356e8a1bcee4c

  • SHA256

    012532729ad9c1e9495a65d1961a9f66cb7b5ae6c6aa18b919241e0029091d42

  • SHA512

    00def0eb7932d0e0771106aa6fe0318c1c179f17982718837c30486952c65336d6bf9727e1eb21ad2ef45a847dee6620ede04f58afbc3ac65adb999585910208

Malware Config

Extracted

Path

C:\restore-files.txt

Ransom Note
╔════════════════╗ ═╣ What happened? ╠═ ╚════════════════╝ All of your important files have been encrypted and all sensitive data was stolen. The only way to restore your files and keep your data from going public is to contact us. After a payment has been made you will be given access to decryption software. As a quarantee we will decrypt 3 files for free. If you don't contact us within 72 hours the price will be doubled. ╔══════════════╗ ═╣ Instructions ╠═ ╚══════════════╝ - Download qTOX messanger from https://qtox.github.io/ - Send message to this Tox ID: 3728E933284CE638D06FCF1CBE921096E102508BD370D6D23137D3271EE5733825F63F56805E Your message should contain your Unique Key: 53566134903697098455
URLs

https://qtox.github.io/

Targets

    • Target

      sample

    • Size

      30KB

    • MD5

      2222479d681f7a554976a9797f315fd2

    • SHA1

      d535dfc613ab1081dcf0bb9dd92c0f533fa3a6b5

    • SHA256

      af24612700c0105cf990148b19e5140314a55701c7022ccd2811e8ee29d68d74

    • SHA512

      5dbf583e232d662cebbc191e7e9b2c73bfd04e0c455f599b88c5428354f777ea4cf47b8a06551b34519912861d05d78c4b2e2159a6e330749a943c7476925fc4

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar profile data.

MITRE ATT&CK Enterprise v6

Tasks