General

  • Target

    e475d8d45a50f22007579f49e0b79d88ea302d71f429ea1c0f2f8f76f60b9594

  • Size

    89KB

  • Sample

    220511-268aqsfbfq

  • MD5

    f974efbf6b643894e4b49b45059f0356

  • SHA1

    c7d16c92e93810d548850271090b9f2966afd45b

  • SHA256

    e475d8d45a50f22007579f49e0b79d88ea302d71f429ea1c0f2f8f76f60b9594

  • SHA512

    6ce76c69bf412f0e9f011cc5030fcadfe158c1ee14b73d14cd625b7aff99747817dbdd621a4773963b9fd9cdda47bd21dcca9fb508763981b7fd1300487ba692

Malware Config

Extracted

Path

C:\!!Read_me_How_To_Recover_My_Files.html

Ransom Note
<!DOCTYPE html><h1>#ALL YOUR FILES ARE ENCRYPTED AND STOLEN BY RAGNAROK</h1>Dear Sir<br><br>Your files are encrypted with RSA4096 and AES encryption algorithm. <br>But don't worry, you can return all your files!! follow the instructions to recover your files <br><br>Cooperate with us and get the decrypter program as soon as possible will be your best solution.<br>Only our software can decrypt all your encrypted files.<br><br>What guarantees you have?<br>We take our reputation seriously. We reject any form of deception</br>You can send one of your encrypted file from your PC and we decrypt it for free. <br>But we can decrypt only 1 file for free. File must not contain any valuable information.<br>Basic price for per computer is $980.Discount 50% available if you contact us in 72 hours, that's price for you is $490.<br>When hiring third-party negotiators or recovery companies. listen to what they tell you. try to think.<br> Are they really interested in solving your problems or are they just thinking about their profit and ambitions?<br><br>By the way.We have stolen lots of your company and your private data which includes doc,xls,pdf,jpg,mdf,sql,pst...<br>Here we upload sample files of your company and your private data on our blog :<br>http://6ss5vvdhmnhfux6xoerulzuu73ur52v6hcmvaiphohbtgvw2nnzflnid.onion<br>We promise that if you don't pay within a week, we will package and publish all of your company and your data on our website.<br>We also promise we can decrypt all of your data and delete all your files on internet after your payment.<br>Such leaks of information lead to losses for the company. fines and lawsuits. And don't forget that information can fall into the hands of competitors!<br>For us this is just business and to prove to you our seriousness.<br><br>Our e-mail:<br> [email protected]<br><br> Reserve e-mail:<br>[email protected] <br>[email protected]<br><br>Device ID:<br> ==
Emails

[email protected]

[email protected]

[email protected]

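The extracted note is the richest source of indicators in this report: family name, leak-site onion URL, contact addresses, price and deadline, and a per-victim device ID. The following added example (not part of the sandbox output) turns a note in this format into a structured IOC record. The note it parses is constructed to follow the wording above and reuses the onion URL from the note; the contact addresses are placeholders, since the real ones are redacted on this page, and the device ID is made up.

```python
"""Pull indicators out of a Ragnarok-style HTML ransom note.

Added example, not part of the sandbox report. SAMPLE_NOTE is constructed:
it follows the wording of the extracted note, reuses its onion URL, and
substitutes placeholder contact addresses (the real ones are redacted on
the page) and a made-up device ID.
"""
import html
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample note (placeholder addresses and device ID).
SAMPLE_NOTE = (
    "<!DOCTYPE html><h1>#ALL YOUR FILES ARE ENCRYPTED AND STOLEN BY RAGNAROK</h1>"
    "Dear Sir<br><br>Your files are encrypted with RSA4096 and AES encryption algorithm. <br>"
    "Basic price for per computer is $980.Discount 50% available if you contact us "
    "in 72 hours, that's price for you is $490.<br>"
    "Here we upload sample files of your company and your private data on our blog :<br>"
    "http://6ss5vvdhmnhfux6xoerulzuu73ur52v6hcmvaiphohbtgvw2nnzflnid.onion<br>"
    "Our e-mail:<br> support@example.com<br><br> Reserve e-mail:<br>"
    "backup1@example.net <br>backup2@example.org<br><br>"
    "Device ID:<br> QUJDREVGR0hJSktMTU5PUA==<br>"
)

# <br>, headings and paragraphs become line breaks; every other tag is dropped.
BREAK_TAG_RE = re.compile(r"<\s*/?\s*(?:br|h[1-6]|p|div)\s*/?\s*>", re.IGNORECASE)
OTHER_TAG_RE = re.compile(r"<[^>]+>")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\b")   # v2 and v3 onion names
PRICE_RE = re.compile(r"\$\s?(\d[\d,]*)")
DEVICE_RE = re.compile(r"Device ID:\s*(\S+)")
FAMILY_RE = re.compile(r"STOLEN BY ([A-Z0-9]+)")


@dataclass
class NoteIOCs:
    family: Optional[str] = None
    onion_urls: List[str] = field(default_factory=list)
    emails: List[str] = field(default_factory=list)
    prices_usd: List[int] = field(default_factory=list)
    device_id: Optional[str] = None


def note_to_text(raw_html: str) -> str:
    """Flatten the note to newline-separated plain text."""
    text = BREAK_TAG_RE.sub("\n", raw_html)
    text = OTHER_TAG_RE.sub("", text)
    return html.unescape(text)


def extract_iocs(raw_html: str) -> NoteIOCs:
    """Return family name, onion URLs, contact addresses, prices and device ID."""
    text = note_to_text(raw_html)
    iocs = NoteIOCs()
    m = FAMILY_RE.search(text)
    iocs.family = m.group(1) if m else None
    # dict.fromkeys keeps first-seen order while dropping duplicates
    iocs.onion_urls = list(dict.fromkeys(ONION_RE.findall(text)))
    iocs.emails = list(dict.fromkeys(EMAIL_RE.findall(text)))
    iocs.prices_usd = [int(p.replace(",", "")) for p in PRICE_RE.findall(text)]
    dm = DEVICE_RE.search(text)
    iocs.device_id = dm.group(1) if dm else None
    return iocs


if __name__ == "__main__":
    print(extract_iocs(SAMPLE_NOTE))
```

Converting the `<br>` and heading tags to line breaks before matching matters: with the tags simply stripped, the family name in the heading runs straight into "Dear Sir" and a word-character regex would capture one letter too many. The device ID is worth recording separately from the family-level IOCs, because it is per-victim and lets you tie notes found on different hosts to the same intrusion.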

Targets

    • Target

      e475d8d45a50f22007579f49e0b79d88ea302d71f429ea1c0f2f8f76f60b9594

    • Size

      89KB

    • MD5

      f974efbf6b643894e4b49b45059f0356

    • SHA1

      c7d16c92e93810d548850271090b9f2966afd45b

    • SHA256

      e475d8d45a50f22007579f49e0b79d88ea302d71f429ea1c0f2f8f76f60b9594

    • SHA512

      6ce76c69bf412f0e9f011cc5030fcadfe158c1ee14b73d14cd625b7aff99747817dbdd621a4773963b9fd9cdda47bd21dcca9fb508763981b7fd1300487ba692

    • Locky

      Ransomware strain released in 2016, with advanced features like anti-analysis. This is a sandbox signature match; the ransom note extracted above names the family as Ragnarok, so treat the Locky tag as a pattern hit rather than a confirmed attribution.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Blocklisted process makes network request

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.
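The behaviour signatures above record what fired but not how it is evaluated. The following added example (not the sandbox's own rules) implements three of them, shadow copy deletion, firewall modification and mass extension change, as checks over a Sysmon-style trace of process-create and file-rename events. The trace is constructed: the report does not show this sample's real command lines, so the commands, paths and PIDs are hypothetical, chosen from the built-in Windows tools ransomware commonly abuses for these steps.

```python
"""Behaviour checks over a constructed process/file trace.

Added example, not the sandbox's own rules: three of the report's behaviour
signatures (shadow copy deletion, firewall modification, mass extension
change) written as checks over Sysmon-style events. EVENTS is constructed;
the report does not show the sample's real command lines, so the commands,
paths and PIDs here are hypothetical.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: int      # seconds since the start of the trace
    kind: str    # "proc" (process created) or "rename" (file renamed)
    pid: int
    detail: str  # command line, or "old_path -> new_path"


# Constructed trace: a dropper removes recovery points, opens the firewall,
# then renames user documents; explorer.exe does one benign rename.
EVENTS: List[Event] = [
    Event(0, "proc", 4100, r"C:\Users\victim\Downloads\invoice.exe"),
    Event(1, "proc", 4120, r"vssadmin.exe delete shadows /all /quiet"),
    Event(1, "proc", 4124, r"wmic shadowcopy delete"),
    Event(2, "proc", 4130, r"netsh advfirewall set allprofiles state off"),
    Event(3, "proc", 4140, r"wbadmin delete catalog -quiet"),
    Event(4, "proc", 4200, r"C:\Windows\explorer.exe"),
    Event(5, "rename", 4200, r"C:\Users\victim\Desktop\new.txt -> C:\Users\victim\Desktop\notes.txt"),
] + [
    Event(10 + i, "rename", 4100,
          rf"C:\Users\victim\Documents\q{i}.xlsx -> C:\Users\victim\Documents\q{i}.xlsx.thor")
    for i in range(6)
]

# Command-line patterns for the built-in tools ransomware uses to remove
# Volume Shadow Copies and backup catalogs.
SHADOW_COPY_CMDS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
    re.compile(r"\bWin32_ShadowCopy\b", re.I),
]
FIREWALL_CMDS = [
    re.compile(r"\bnetsh(\.exe)?\b.*\b(advfirewall|firewall)\b.*\b(set|add|delete)\b", re.I),
]


def _matches(events: List[Event], rules) -> List[Event]:
    return [e for e in events if e.kind == "proc" and any(r.search(e.detail) for r in rules)]


def find_shadow_copy_deletion(events: List[Event]) -> List[Event]:
    return _matches(events, SHADOW_COPY_CMDS)


def find_firewall_changes(events: List[Event]) -> List[Event]:
    return _matches(events, FIREWALL_CMDS)


def _new_extension(detail: str) -> str:
    """Extension after the rename: 'a\\q.xlsx -> a\\q.xlsx.thor' gives '.thor'."""
    _, _, new_path = detail.partition(" -> ")
    name = new_path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def find_mass_extension_change(events: List[Event], threshold: int = 5,
                               window_s: int = 60) -> Dict[int, Tuple[str, int]]:
    """PIDs that renamed >= threshold files to one new extension inside window_s."""
    by_pid: Dict[int, List[Event]] = defaultdict(list)
    for e in events:
        if e.kind == "rename":
            by_pid[e.pid].append(e)
    hits: Dict[int, Tuple[str, int]] = {}
    for pid, renames in by_pid.items():
        renames.sort(key=lambda ev: ev.ts)
        counts: Counter = Counter()
        start = 0
        for e in renames:
            counts[_new_extension(e.detail)] += 1
            while e.ts - renames[start].ts > window_s:   # slide the window forward
                counts[_new_extension(renames[start].detail)] -= 1
                start += 1
            ext, n = counts.most_common(1)[0]
            if ext and n >= threshold and n > hits.get(pid, ("", 0))[1]:
                hits[pid] = (ext, n)
    return hits


def score(events: List[Event]) -> Dict[str, bool]:
    """The three verdicts the report lists, derived from the trace."""
    return {
        "deletes_shadow_copies": bool(find_shadow_copy_deletion(events)),
        "modifies_firewall": bool(find_firewall_changes(events)),
        "modifies_user_file_extensions": bool(find_mass_extension_change(events)),
    }
```

The extension-change rule is the one that needs a threshold and a time window: a single rename to a new extension is normal user activity, while many renames to the same new extension by one process within a minute is the encryption loop. The two command-line rules are point hits and are cheap to run over every process-create event, which is why sandboxes can report them as individual signatures.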

MITRE ATT&CK Enterprise v6

Tasks