Resubmissions

24-02-2022 16:15

220224-tql4kadcf3 10

24-02-2022 03:08

220224-dmw7csbgg3 10

General

  • Target

    43564aa0-94f8-11ec-9d1d-005056a01a83.exe

  • Size

    3.1MB

  • Sample

    220224-tql4kadcf3

  • MD5

    d5d2c4ac6c724cd63b69ca054713e278

  • SHA1

    f32d791ec9e6385a91b45942c230f52aff1626df

  • SHA256

    4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

  • SHA512

    9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\read_me.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> </head> <body> <p><b>"The only thing that we learn from new elections is we learned nothing from the old!"</b></p> <hr> <hr> <p>Thank you for your vote! All your files, documents, photoes, videos, databases etc. have been successfully encrypted!</p> <p>Now your computer has a special ID:<b> 6ca64b10-9595-11ec-90f0-6e24649026a6</b></p> <p></p> <hr> <p>Do not try to decrypt then by yourself - it's impossible! </p> <p>It's just a business and we care only about getting benefits. The only way to get your files back is to contact us and get further instuctions. </p> <p>To prove that we have a decryptor send us any encrypted file (less than 650 kbytes) and we'll send you it back being decrypted. This is our guarantee. </p> <p>NOTE: <i>Do not send file with sensitive content. In the email write us your computer's special ID (mentioned above).</i> </p> <hr> <hr> <p> So if you want to get your files back contact us: </p> <p> 1) [email protected] </p> <p> 2) [email protected] - if we dont't answer you during 3 days </p> <hr> <p><b><i>Have a nice day!</i></b></p> </body> </html>

Extracted

Path

C:\Users\Admin\Desktop\read_me.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> </head> <body> <p><b>"The only thing that we learn from new elections is we learned nothing from the old!"</b></p> <hr> <hr> <p>Thank you for your vote! All your files, documents, photoes, videos, databases etc. have been successfully encrypted!</p> <p>Now your computer has a special ID:<b> 0a90e112-958d-11ec-95ff-46ac0546711c</b></p> <p></p> <hr> <p>Do not try to decrypt then by yourself - it's impossible! </p> <p>It's just a business and we care only about getting benefits. The only way to get your files back is to contact us and get further instuctions. </p> <p>To prove that we have a decryptor send us any encrypted file (less than 650 kbytes) and we'll send you it back being decrypted. This is our guarantee. </p> <p>NOTE: <i>Do not send file with sensitive content. In the email write us your computer's special ID (mentioned above).</i> </p> <hr> <hr> <p> So if you want to get your files back contact us: </p> <p> 1) [email protected] </p> <p> 2) [email protected] - if we dont't answer you during 3 days </p> <hr> <p><b><i>Have a nice day!</i></b></p> </body> </html>

Targets

    • Target

      43564aa0-94f8-11ec-9d1d-005056a01a83.exe

    • Size

      3.1MB

    • MD5

      d5d2c4ac6c724cd63b69ca054713e278

    • SHA1

      f32d791ec9e6385a91b45942c230f52aff1626df

    • SHA256

      4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

    • SHA512

      9c2e86ff9da4e8b8e7caa62cd298f5725a459151dc655845fe614bf33639ed975850b3e9ae204d8a9d145a86214c35a486c06787a7ad8a88a85d121d3ee50c91

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive account information.

MITRE ATT&CK Enterprise v6

Tasks