General

  • Target

    ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a

  • Size

    30KB

  • Sample

    220524-z4r5magdg2

  • MD5

    910635e580fd5de4759968959f6d0bb4

  • SHA1

    934fbaeebdfe9c7c5c21696bd4e288094c44eef0

  • SHA256

    ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a

  • SHA512

    76411000d85d8634e1efefd533fac7defb65a7278820c2df64c8b6eb6d92d03f382025afeb5e8a6e99f9de5b8b36a25106b279818c2221fae4c187c5774fd4be

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HIT BY RANSOMWARE.txt

Ransom Note
---YOU'VE BEEN HIT BY A RANSOMWARE---

In order to decrypt your files, you must decompile the ransomware (which is easy) and find out the encryption method (easy aswell). Next time, think before you execute. Your next ransomware could'nt be that easy to crack and you would lose all your files :(

The following parts of your disk have been encrypted:
- Program Files & Program Files (x86)
- System Root (Main Drive)
- Application Data
- Userprofile Files

You don't have to send any money to anybody, so be happy :) You're still able to use your computer but you'll need to reinstall all programs.

---YOU'VE BEEN HIT BY A RANSOMWARE---

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.gmx.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    q!]*zZ@aWs[d)9x^c<n[

Targets

    • T1Happy

      T1Happy ransomware is a cryptovirus that behaves differently from its counterparts.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Drops startup file

    • Modifies file permissions

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6