General

Target: 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8
Size: 79KB
Sample: 220327-m622dsggd8
Score: 10/10
MD5: 2023e84c9a5810a991e60ac9b81bece1
SHA1: 7f3e50e8aa05499d006c8141633aee5f78031c37
SHA256: 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8
SHA512: 7e22fbfb1cf70d20caeb3809ff00399b0ec6595c1538b4fee14df6370eae5d6c6b600d28085407b139d7523de15ebffff6810817d51e11e2920cb235d667dc91

Malware Config

Extracted

Path: C:\How To Restore Your Files.txt

Ransom Note:

What Happened to My Computer?
Your important files are encrypted. Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without

Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.if you want to decrypt all your files, you need to pay. You only have 3 days to submit the payment. After that the price will be doubled. Also, if you don't pay in 7 days, you won't be able to recover your files forever.

How Do I Pay?
Payment is accepted in Monero only. If you don't know what Monero is, please Google for information on how to buy and pay for Monero. Send $10000 worth of monero to this address: 88w1ijCZgdKW7aM8a6eNerd8p5ZSDCWD76HNCe1TTbKQMczjeqc78idSUH8Qesz7tVQExowELg7bQUA8yrfRr1zC2ZiC5rY
Your encrypted ID:eXt1a60JmqREPRDdf2xqleWGQxeBwU
After the payment is completed, please send the payment picture and ID to email. Email address:edcvbghjikm@protonmail.com
After we confirm your payment amount, we will reply to the decryption program to your email address.

Warning: Don't try to decrypt by yourself, you may permanently damage your files. If not decrypted after seven days, your data will be published on the Internet.

Emails

edcvbghjikm@protonmail.com
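The Malware Config section above is the output of a configuration-extraction step run over the dropped note. As an added example (not the sandbox's own extractor), the following Python pulls the same indicators out of the note text with regular expressions and defangs them for a report; the note excerpt is constructed from the text quoted above, and the Monero address check is format-only (prefix, length, base58 alphabet), not a checksum validation.

```python
import re

# Constructed excerpt of the ransom note quoted in this report; only the
# indicator-bearing sentences are reproduced.
NOTE = (
    "You only have 3 days to submit the payment. After that the price will be doubled. "
    "Also, if you don't pay in 7 days, you won't be able to recover your files forever. "
    "Payment is accepted in Monero only. Send $10000 worth of monero to this address: "
    "88w1ijCZgdKW7aM8a6eNerd8p5ZSDCWD76HNCe1TTbKQMczjeqc78idSUH8Qesz7tVQExowELg7bQUA8yrfRr1zC2ZiC5rY "
    "Your encrypted ID:eXt1a60JmqREPRDdf2xqleWGQxeBwU "
    "After the payment is completed, please send the payment picture and ID to email. "
    "Email address:edcvbghjikm@protonmail.com"
)

# Standard Monero addresses are 95 base58 characters starting with 4 (primary
# address) or 8 (subaddress); base58 omits 0, O, I and l.
MONERO_RE = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# The note writes "ID:<value>" with no space; "ID to email" has no colon and is skipped.
VICTIM_ID_RE = re.compile(r"\bID:\s*([A-Za-z0-9]+)")
USD_RE = re.compile(r"\$(\d[\d,]*)\s+worth of monero", re.I)
DEADLINE_RE = re.compile(r"\b(\d+)\s+days\b", re.I)


def is_monero_address_format(addr):
    """Format-only check (prefix, length, alphabet); does not verify the checksum."""
    return MONERO_RE.fullmatch(addr) is not None


def defang(indicator):
    """Make an indicator safe to paste into tickets and chat."""
    return indicator.replace("@", "[@]").replace(".", "[.]")


def extract_iocs(note):
    """Pull payment and contact indicators out of ransom-note text."""
    victim = VICTIM_ID_RE.search(note)
    usd = USD_RE.search(note)
    return {
        "monero_addresses": MONERO_RE.findall(note),
        "emails": EMAIL_RE.findall(note),
        "victim_id": victim.group(1) if victim else None,
        "usd_demand": int(usd.group(1).replace(",", "")) if usd else None,
        "deadline_days": [int(d) for d in DEADLINE_RE.findall(note)],
    }


def summarize(note):
    """One defanged line per indicator, ready for a report."""
    iocs = extract_iocs(note)
    lines = [f"monero: {a}" for a in iocs["monero_addresses"]]
    lines += [f"email: {defang(e)}" for e in iocs["emails"]]
    if iocs["victim_id"]:
        lines.append(f"victim_id: {iocs['victim_id']}")
    if iocs["usd_demand"] is not None:
        lines.append(f"demand_usd: {iocs['usd_demand']}")
    if iocs["deadline_days"]:
        lines.append("deadlines_days: " + ",".join(str(d) for d in iocs["deadline_days"]))
    return lines


if __name__ == "__main__":
    for line in summarize(NOTE):
        print(line)
```

The victim ID and wallet address are per-victim or per-campaign values, so they are the indicators worth pivoting on; the email address is the one most likely to recur across samples from the same operator.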

Targets

Target: 006ac52f969957fcc9e3cf9249a1b87872dc1e874acadbcfcae7c09332c302c8

Signatures

  • Babuk Locker
    Description: RaaS first seen in 2021, initially called Vasa Locker.

  • Deletes shadow copies
    Description: Ransomware often targets backup files to inhibit system recovery.
    TTPs: File Deletion (T1070.004); Inhibit System Recovery (T1490)

  • Modifies extensions of user files
    Description: Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings
    Description: Looks up the country code configured in the registry, likely a geofence.
    TTPs: Query Registry (T1012); System Information Discovery (T1082)

  • Enumerates connected drives
    Description: Attempts to read the root path of hard drives other than the default C: drive.
    TTPs: Query Registry (T1012); Peripheral Device Discovery (T1120); System Information Discovery (T1082)
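The "Deletes shadow copies" signature is a behavioural match, and the report does not say which mechanism this sample uses to do it. As an added example (not the sandbox's rule set), the following Python runs a small set of assumed recovery-inhibition command-line patterns over constructed process-creation events and then correlates hits per host, so that one administrative vssadmin call does not fire the same alert as a burst of several distinct inhibition techniques. The events, host names and timestamps are constructed for the example.

```python
import re
from collections import defaultdict

# Assumed command-line patterns for backup / recovery inhibition (ATT&CK T1490).
# These are generic ransomware tradecraft, not commands the report attributes
# to this sample.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "vssadmin_shrink_storage": re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*?/maxsize=", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
        re.I),
    "ps_win32_shadowcopy_delete": re.compile(r"Win32_ShadowCopy\b.*?\.Delete\(\)", re.I | re.S),
}

# Constructed process-creation events (host, epoch seconds, pid, command line).
EVENTS = [
    {"host": "WS01", "ts": 1000, "pid": 4120, "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "ts": 1003, "pid": 4124, "cmd": "wmic shadowcopy delete"},
    {"host": "WS01", "ts": 1010, "pid": 4136, "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS01", "ts": 1012, "pid": 4140,
     "cmd": 'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"host": "WS02", "ts": 2000, "pid": 5010, "cmd": "vssadmin list shadows"},  # benign query
    {"host": "WS02", "ts": 3000, "pid": 5022, "cmd": "vssadmin delete shadows /for=D: /oldest"},  # one admin call
]


def match_rules(cmd):
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def scan(events):
    """One alert per (event, rule) pair, in event order."""
    alerts = []
    for ev in events:
        for name in match_rules(ev["cmd"]):
            alerts.append({"host": ev["host"], "ts": ev["ts"], "pid": ev["pid"], "rule": name})
    return alerts


def correlate(alerts, window_s=300, min_rules=2):
    """Hosts where at least min_rules distinct inhibition techniques fired within window_s."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    flagged = []
    for host, hits in by_host.items():
        hits.sort(key=lambda a: a["ts"])
        for i, first in enumerate(hits):
            rules = {h["rule"] for h in hits[i:] if h["ts"] - first["ts"] <= window_s}
            if len(rules) >= min_rules:
                flagged.append(host)
                break
    return sorted(flagged)


if __name__ == "__main__":
    hits = scan(EVENTS)
    for a in hits:
        print(f'{a["host"]} pid={a["pid"]} {a["rule"]}')
    print("ransomware-like hosts:", correlate(hits))
```

Each single hit is still worth logging; the correlation step is what turns a set of individually noisy rules into a high-confidence signal, since benign administration rarely disables recovery through several different tools within minutes.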

MITRE ATT&CK Matrix (tactic columns): Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1: score N/A
behavioral1: score 10/10
behavioral2: score 10/10