General

  • Target

    13f476ec8dba856b93c2b799dbf9994191d14e9dbc2c6d75c9ec3d8054144b3f

  • Size

    8.0MB

  • Sample

    220603-c8ct6sfgf8

  • MD5

    1447196091a1b5792811a694da2bdc65

  • SHA1

    b8cd3d0ff55914d5014f422fe6e27e6236338c21

  • SHA256

    13f476ec8dba856b93c2b799dbf9994191d14e9dbc2c6d75c9ec3d8054144b3f

  • SHA512

    8b410babfa8b75fde87b2b82ea2315168734c0749b2423c2582d8761997d4260a0187cd9ff88dbdc3c90606898c54c56268acb46bc318ef4a6d7128d804021aa

Malware Config

Extracted

Family

sodinokibi

Botnet

23

Campaign

1089

C2


Attributes
  • net

    true

  • pid

    23

  • prc

    outlook

    mydesktopservice

    steam

    encsvc

    thebat

    wordpa

    dbeng50

    ocssd

    powerpnt

    infopath

    firefox

    xfssvccon

    visio

    dbsnmp

    msaccess

    ocautoupds

    synctime

    isqlplussvc

    thunderbird

    tbirdconfig

    oracle

    sqbcoreservice

    excel

    winword

    onenote

    mydesktopqos

    ocomm

    agntsvc

    mspub

    sql

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1089

  • svc

    backup

    vss

    sql

    memtas

    veeam

    svc$

    sophos

    mepocs

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: stopcrypt@cock.email and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: stopcrypt@cock.email Reserved email: decryptor@cock.email Your personal ID: 10D-252-DE7 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

stopcrypt@cock.email

decryptor@cock.email

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: stopcrypt@cock.email and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: stopcrypt@cock.email Reserved email: decryptor@cock.email Your personal ID: 4C2-345-092 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

stopcrypt@cock.email

decryptor@cock.email

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\README_5OAXN_DATA.txt

Ransom Note
Hello! Your all your files are encrypted and only I can decrypt them. Contact for me e-mail: support4568@mail.fr or support7164@firemail.cc Write me if you want to return your files - I can do it very quickly! The header of the letter must contain the extension of the encryptor Do not rename encrypted files. You may lose your files permanently. You may be a victim of fraud. To prove that I can recover your files, I am ready to decrypt any three files for free (except databases, Excel and backups) !!! Do not turn off or restart the NAS equipment. This will result in data loss !!!
Emails

support4568@mail.fr

support7164@firemail.cc

Extracted

Path

C:\Documents and Settings\read_me.txt

Ransom Note
????????????????????????? ??????DEATHRansom ??????? ????????????????????????? Hello dear friend, Your files were encrypted! You have only 12 hours to decrypt it In case of no answer our team will delete your decryption password Write back to our e-mail: deathransom@airmail.cc In your message you have to write: 1. YOU LOCK-ID: qDAoWjigsgNyx787tXTkPDeEW6Igjp0hWJNpFubW9yAK+rpw+pZszIucJgewgVo9bRmpcrlpqvnB/t76j36yLh8SyqweLjxWotjSoL0ETObBYyCujoU4MUJZPMp9MpU9YISo337D7zizgfayCSS2sxKGmykeU+2NLTGn7rbXaSpq8cdDBTOvwn7ANbZ9XQN2nrdM30H1piGChvlLe885Qs9c3Hoxi17uT+p2N7CktEpNd+xSDkfi0Y+BSJSM6mzvs8F0yvFHA4xyMX/Cwoau/n7+f8cOzDzv/YeTVO91p9njz2JEMTECjBQ2fy3LyImmmVvAy6YG7+gfzfHVtH98uD4nfOWx8n77KJCxUdAefubwtafkfGSX4LX279FL4x78abb0tAhBdMxizIVBNyRdsr0B7iDJzNw8NVrxaI8xUWz/KGVhnqSLMtvU9c4ztDJ7RrciFDS63MTMWv3UQUEQg5vJIxlotw+NhQnEt8YiHbB1llMgHnYz/BPWXM1KRRUCGbdLW00zHmt3yksJQ2mUXUELkOmBfUUR00cU9yudynBabnb117GlzbwHxNCsKTb0DJzyz+RqLnMoL4d8Dm3A20+HOtUcrb7SS/qfZ4fAvb9QSfk5MMBnKq+MwtDBQl2VTXcMTwVkL54aVLax3PWn3LllcIMXzCALcTIb5wk59WSmvHo3TssIX8BTMIMahtUi4fxg2WJL8LFYsJdh6UnFOQ== 2. Time when you have paid 0.1 btc to this bitcoin wallet: 1J9CG9KtJZVx1dHsVcSu8cxMTbLsqeXM5N After payment our team will decrypt your files immediatly Free decryption as guarantee: 1. File must be less than 1MB 2. Only .txt or .lnk files, no databases 3. Only 1 files How to obtain bitcoin: The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Emails

deathransom@airmail.cc

Wallets

1J9CG9KtJZVx1dHsVcSu8cxMTbLsqeXM5N

Extracted

Path

C:\Documents and Settings\read_me.txt

Ransom Note
????????????????????????? ??????DEATHRansom ??????? ????????????????????????? Hello dear friend, Your files were encrypted! You have only 12 hours to decrypt it In case of no answer our team will delete your decryption password Write back to our e-mail: deathransom@airmail.cc In your message you have to write: 1. YOU LOCK-ID: 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 2. Time when you have paid 0.1 btc to this bitcoin wallet: 1J9CG9KtJZVx1dHsVcSu8cxMTbLsqeXM5N After payment our team will decrypt your files immediatly Free decryption as guarantee: 1. File must be less than 1MB 2. Only .txt or .lnk files, no databases 3. Only 1 files How to obtain bitcoin: The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Emails

deathransom@airmail.cc

Wallets

1J9CG9KtJZVx1dHsVcSu8cxMTbLsqeXM5N

Extracted

Path

C:\Users\Admin\Desktop\!!ÊàêÐàñøèôðîâàòüÝòóÏàðàøó.txt

Ransom Note
You files have been encrypted using RC6 Algorythm. For decrypt contact to adren.kutospov.97@tutanota.com You have a 10 hours to contact us. If your contacts after 10 hours - your files has flushed to toilet!
Emails

adren.kutospov.97@tutanota.com

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\36c3-malwarexchg-part3\@Please_Read_Me@.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Targets

    • Target

      36c3-malwarexchg-part3/1.exe

    • Size

      477KB

    • MD5

      a1b5dc4fd2cd2b54498faf42fe9b5e50

    • SHA1

      46edeab30fe0696422edad230116c51d5b145aa3

    • SHA256

      533e14cb3a1434f68321fb9fd2a2e66d0a12ce16f792ee47e77edf8eb2aeac21

    • SHA512

      6316f72a06960def5f9f086b4a258adf8dad7396524597fa23f2b781b87418b1009b5b8f7a67e90406739e2bdf3db873254ace84b64c6b569bda8c0435821848

    • Buran

      Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      36c3-malwarexchg-part3/5oaxnx86.exe

    • Size

      1.1MB

    • MD5

      6b91b9d9660180bc67106a78ad63ab1c

    • SHA1

      68ae10ad50721aa915944020cfe1eaa30d28c6e1

    • SHA256

      2a1eca5bba62227a6d1f4fb1686b8c65ba2e6fbdc457de6f6771df72d30e8023

    • SHA512

      e5aab3db9dfdc1449d6dbec83930936acd881885bcca84786309bb4ae3d9d47ef02ccde86e30ff6c182bff9557545afb7b6ef785ef5b2cd6baf11e5b8bbc0036

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      36c3-malwarexchg-part3/6cb6fda0b353d411a30c5b945e53ea52

    • Size

      164KB

    • MD5

      6cb6fda0b353d411a30c5b945e53ea52

    • SHA1

      3ec48a25d70153e7bc09d39a93e5f725861da655

    • SHA256

      bace25c1ec587d099b4c566b1a07978dd9cb3bd67c2acaa55d2e4644a7877070

    • SHA512

      1b53d536ef48d5c0a0a6a0136a3d12f155d11b7a5a6f8be9c034bf78a2ccefc7a4d0e8e24e0936e64889e1039bf167a563d37f8ddb742080b5037c65f251811c

    Score
    6/10
    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      36c3-malwarexchg-part3/DR_V2.exe

    • Size

      201KB

    • MD5

      4ba2e1d4cf7a86753f9f8174b3bc74c8

    • SHA1

      742128fab2ad05f8f52a4c6f43b39a25fcc161a6

    • SHA256

      66ee3840a9722d3912b73e477d1a11fd0e5468769ba17e5e71873fd519e76def

    • SHA512

      83a596cdeec0c9560436ec8f10b5368ffc6c62a060e5fe3dcb628f3b76c2b659f57b0b9782c28b7f992e71aa9590b55ac622a38ef4ff33892129cb551346ef6e

    Score
    10/10
    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      36c3-malwarexchg-part3/GandCrabV5.0.9.bin

    • Size

      165KB

    • MD5

      119fc3356fd91b84ce3195f4914ce53e

    • SHA1

      e71024b789e25f79b50b9d79409ba0c85597cf35

    • SHA256

      bd5d3ebe6150f53c1535e1667a18bbd4831751a414e7518dc8e1d15a19db95b3

    • SHA512

      44495f89eb6f8942dc63b1d70c8202b7ca3bcec0e7f35be4e10b13f28de01deee254435549c85c13a468bb713f558c0efab6c702ca69ea8ebe1cc9360aeb132f

    Score
    10/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      36c3-malwarexchg-part3/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

    • Size

      3.4MB

    • MD5

      84c82835a5d21bbcf75a61706d8ab549

    • SHA1

      5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

    • SHA256

      ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

    • SHA512

      90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Sets desktop wallpaper using registry

    • Target

      36c3-malwarexchg-part3/pinebook-sality.exe

    • Size

      97KB

    • MD5

      4987bcfb27bbf54852fea8c71f1b952b

    • SHA1

      0e4d3c37abca7f9098fe0fbbfba3e325576aa3a5

    • SHA256

      37f1b6394a408e0a959b82ff118a526c1362b4ddc1db5da03c9ffa70acaebff4

    • SHA512

      9acd9626fd6b4084acdb054ddcee9acda55dbd4fc9f569006a7f6daea6ff71848873fc843f741e3c641b105835049e02a7b71b4f6a74003f9085d06577b4692e

    • Modifies firewall policy service

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

  • Replication Through Removable Media (T1091): 1

Persistence

  • Registry Run Keys / Startup Folder (T1060): 2

  • Hidden Files and Directories (T1158): 2

  • Modify Existing Service (T1031): 1

Privilege Escalation

  • Bypass User Account Control (T1088): 1

Defense Evasion

  • Indicator Removal on Host (T1070): 1

  • File Deletion (T1107): 6

  • Modify Registry (T1112): 10

  • Install Root Certificate (T1130): 1

  • Hidden Files and Directories (T1158): 2

  • File Permissions Modification (T1222): 1

  • Bypass User Account Control (T1088): 1

  • Disabling Security Tools (T1089): 3

Credential Access

  • Credentials in Files (T1081): 2

Discovery

  • Query Registry (T1012): 4

  • System Information Discovery (T1082): 9

  • Peripheral Device Discovery (T1120): 3

  • Remote System Discovery (T1018): 1

Lateral Movement

  • Replication Through Removable Media (T1091): 1

Collection

  • Data from Local System (T1005): 2

Command and Control

  • Web Service (T1102): 2

Impact

  • Inhibit System Recovery (T1490): 6

  • Defacement (T1491): 1
