General

  • Target

    e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.zip

  • Size

    511KB

  • Sample

    220522-fjkehaafel

  • MD5

    c2687984537722fd10b62cb8e4e57dd1

  • SHA1

    572851c5b7f0cef4489f7476deb2d9bd4a2638e9

  • SHA256

    e545dc8318489cae80e1d5b4f45b2c6d12d195db529fbebb8a135db4ac9300f3

  • SHA512

    ffbd73f460fda5fa17dc6b35c5a621208fde92e750042641f9d09110b51be9f07ae1127de0291ed1191c8c2f5ea0f73ba70bc6be179ff54f86e41057a772b8e3

Malware Config

Extracted

Path

C:\Read_Me!_.txt

Ransom Note
All Your Files Encrypted And Sensitive Data Downloaded (Financial Documents,Contracts,Invoices etc.. ). To Get Decryption Tools You Should Buy Our Decrption Tools And Then We Will Send You Decryption Tools And Delete Your Sensitive Data From Our Servers. If Payment Is Not Made We have to Publish Your Sensitive Data If Necessary Sell Them And Send Them To Your Competitors And After A While Our Servers Will Remove Your Decrypion Keys From Servers. Your Files Encrypted With Strongest Encryption Algorithm So Without Our Decryption Tools Nobody Can't Help You So Do Not Waste Your Time In Vain! Your ID: xN3kKP Email Address: FreedomTeam@mail.ee In Case Of Problem With First Email Write Us E-mail At : Freedom29@Tutanota.com Send Your ID In Email And Check Spam Folder. This Is Just Business To Get Benefits, If Do Not Contact Us After 48 Hours Decryption Price Will x2. What Guarantee Do We Give You ? You Should Send Some Encrypted Files To Us For Decryption Test. ---------------------------------------------------------------------- Attention! Do Not Edit Or Rename Encrypted Files. Do Not Try To Decrypt Files By Third-Party Or Data Recovery Softwares It May Damage Files. In Case Of Trying To Decrypt Files With Third-Party Sofwares,This May Make The Decryption Harder So Prices Will Be Rise. ---------------------------------------------------------------------- How To Buy Bitcoin : Buy Bitcoin Instructions At LocalBitcoins : https://localbitcoins.com/guides/how-to-buy-bitcoins Buy Bitcoin Instructions At Coindesk And Get More Info By Searching At Google : https://www.coindesk.com/learn/how-can-i-buy-bitcoin/
Emails

FreedomTeam@mail.ee

Freedom29@Tutanota.com

Targets

    • Target

      e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f.exe

    • Size

      1.1MB

    • MD5

      a67baae890d64e81a3f0b250884c8521

    • SHA1

      c41e3830637b1bf722d0dbd5a9207571f33e69d5

    • SHA256

      e7927efd913a50c9d5885f2b39bbcfba576e1ecafa5679c58a0f613653c6651f

    • SHA512

      e71a26b408a302a08a9e478d1c0f20a138b6b8ff9a564c8d4dbe3e504da3ca7cb7e29dea4878cc248fc82c575dab94951654a6f3c925b07a3b82b8782478bf23

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Scheduled Task

1
T1053

Privilege Escalation

Bypass User Account Control

1
T1088

Scheduled Task

1
T1053

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Modify Registry

2
T1112

File Deletion

1
T1107

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Collection

Data from Local System

1
T1005

Impact

Inhibit System Recovery

1
T1490

Tasks