General
Target

1957c3be12da913243a370f30e478579daa0ef966577c0eac23f9da581cb5ad6.bin

Size

413KB

Sample

220627-mge6bsadgk

Score
10/10
MD5

73ba54e1bf3cef8f2a46bbc2ed73cfb9

SHA1

3c9587ea9dc8039735398548fbc17ee50cf1b8b7

SHA256

1957c3be12da913243a370f30e478579daa0ef966577c0eac23f9da581cb5ad6

SHA512

e71eb7e2afe93855e448f270c3e8847ac7d46865cbd2d106de9b39567a163af0059c8ff8889a3dfe1b4c717f90f7f483e48fb421c3ea1bc9f6608be8edad950a

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
You are probably wondering why you are receiving a message from me. Yesterday, duncanregional.com got breached. You are probably not aware, but over the past few days we have been exfiltrating all of your data that we could get our hands on. We took over 150GB data + patient userdata from dba servers. What happened to your files? Your network was been penetrated. All of your files were encrypted using AES-256-CTR with ChaCha8 Cipher. WARNING: Don't try to decrypt your files, shadow copies were removed, recovery methods can lead to the impossibility of recovery of the certain files. We exclusively have decryption software for your situation, no decryption software is available in the public. Pay 60,000 (USD) in XMR (Monero) to this address: 4BExj4Z7n73316oWSd6k3Wj7A12PFVUSeHoobSPpaCJVdH6Z1oRBBssemrpwW5GyRt7xi3SQCeJzUa1uFoWWNySYCxoHv13 How do you buy XMR? https://bisq.network/ to buy XMR using fiat. Alternatively use a Cryptocurrency exchange to buy XMR: https://www.kraken.com/ Use this guide: https://www.getmonero.org/ After sending the specified amount to our wallet we will provide you with the decryption keys to unlock your files. If you do not respond (24 hour deadline, starting now), or we do not receive a response from you we will start the data to our potential buyers, and leak a partial, All of your clients (patients / employers) will be informed and given proof that their data has been compromised and publish everything in a public way in multiple places and outlets to get more customers interested in buying the data and also reporting the availability of this data to the appropriate news platforms. Contact: telegram: @redeyeg0d email: yourd34d@ctemplar.com
Emails

yourd34d@ctemplar.com

URLs

https://bisq.network/

https://www.getmonero.org/

Targets
Target

1957c3be12da913243a370f30e478579daa0ef966577c0eac23f9da581cb5ad6.bin

MD5

73ba54e1bf3cef8f2a46bbc2ed73cfb9

Filesize

413KB

Score
10/10
SHA1

3c9587ea9dc8039735398548fbc17ee50cf1b8b7

SHA256

1957c3be12da913243a370f30e478579daa0ef966577c0eac23f9da581cb5ad6

SHA512

e71eb7e2afe93855e448f270c3e8847ac7d46865cbd2d106de9b39567a163af0059c8ff8889a3dfe1b4c717f90f7f483e48fb421c3ea1bc9f6608be8edad950a

Tags

Signatures

  • Babuk Locker

    Description

    RaaS first seen in 2021 initially called Vasa Locker.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery
  • Executes dropped EXE

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Loads dropped DLL

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Execution
          Exfiltration
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation
                    Tasks

                    static1

                    Score
                    N/A

                    behavioral1

                    Score
                    10/10

                    behavioral2

                    Score
                    10/10