General

  • Target

    e69149c02a0f24731559d5bec3c1bdbe916cd2829751025845fe48ea01966b82.bin

  • Size

    410KB

  • Sample

    220627-mgevkaccf3

  • MD5

    4dc689389054b8aae01c162fb7fec051

  • SHA1

    fd4356fd980f837a813515321fe5f54d5625258b

  • SHA256

    e69149c02a0f24731559d5bec3c1bdbe916cd2829751025845fe48ea01966b82

  • SHA512

    e924f802421f24447ace77bce1ff7f24f11ea852ae00cc624d17bec6f6e675eb258923cd7897f5307c3346b1f08d9cea978dd980344c8905b14b1b88631895c1

Score
10/10

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
You are probably wondering why you are receiving a message from me. Yesterday, duncanregional.com got breached. You are probably not aware, but over the past few days we have been exfiltrating all of your data that we could get our hands on. We took over 150GB data + patient userdata from dba servers. What happened to your files? Your network was been penetrated. All of your files were encrypted using AES-256-CTR with ChaCha8 Cipher. WARNING: Don't try to decrypt your files, shadow copies were removed, recovery methods can lead to the impossibility of recovery of the certain files. We exclusively have decryption software for your situation, no decryption software is available in the public. Pay 60,000 (USD) in XMR (Monero) to this address: 4BExj4Z7n73316oWSd6k3Wj7A12PFVUSeHoobSPpaCJVdH6Z1oRBBssemrpwW5GyRt7xi3SQCeJzUa1uFoWWNySYCxoHv13 How do you buy XMR? https://bisq.network/ to buy XMR using fiat. Alternatively use a Cryptocurrency exchange to buy XMR: https://www.kraken.com/ Use this guide: https://www.getmonero.org/ After sending the specified amount to our wallet we will provide you with the decryption keys to unlock your files. If you do not respond (24 hour deadline, starting now), or we do not receive a response from you we will start the data to our potential buyers, and leak a partial, All of your clients (patients / employers) will be informed and given proof that their data has been compromised and publish everything in a public way in multiple places and outlets to get more customers interested in buying the data and also reporting the availability of this data to the appropriate news platforms. Contact: telegram: @redeyeg0d email: yourd34d@ctemplar.com
Emails

yourd34d@ctemplar.com

URLs

https://bisq.network/

https://www.getmonero.org/

Targets

    • Target

      e69149c02a0f24731559d5bec3c1bdbe916cd2829751025845fe48ea01966b82.bin

    • Size

      410KB

    • MD5

      4dc689389054b8aae01c162fb7fec051

    • SHA1

      fd4356fd980f837a813515321fe5f54d5625258b

    • SHA256

      e69149c02a0f24731559d5bec3c1bdbe916cd2829751025845fe48ea01966b82

    • SHA512

      e924f802421f24447ace77bce1ff7f24f11ea852ae00cc624d17bec6f6e675eb258923cd7897f5307c3346b1f08d9cea978dd980344c8905b14b1b88631895c1

    Score
    10/10
    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

File Deletion

2
T1107

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Impact

Inhibit System Recovery

2
T1490

Tasks