Overview

overview

10

Static

static

enc.exe

windows7_x64

9

enc.exe

windows10-2004_x64

10

Resubmissions

29/06/2022, 11:24

220629-nh7seahbap 10

29/06/2022, 10:55

220629-m1cvbaghfq 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    enc (1).zip

  • Size

    2.8MB

  • Sample

    220629-nh7seahbap

  • MD5

    9df3d2d1096f43068eece8dde8524346

  • SHA1

    28be128c31966c5ca361e790d2bdd16f957e2805

  • SHA256

    8b02927265e5ec4e7da20d1a45187ed80fcc5a8de9c2bef830eeb844b395a786

  • SHA512

    296ce6f5fa82c762390019def058193a81fe44305041087e13bc171160769c77c59ab8fb0d12d8534777fa6d6ea50619062a25bde56788123475034c6c903c59

Score
10/10
persistenceransomware

Malware Config

Extracted

Path

C:\\OnHnnBvUej-RECOVER-README.txt

Ransom Note
-- Agenda Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreementyour data will be published. Data includes: - Employees personal dataCVsDLSSN. - Complete network map including credentials for local and remote services. - Financial information including clients databillsbudgetsannual reportsbank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials -- Credentials Extension: OnHnnBvUej Domain: login: bd61eb78-64a3-4ee0-9a8e-543b8bc12b5e password: 14158620-fb98-4889-87cb-f5251368fc21%!(EXTRA string=same as login)

Targets

    • Target

      enc.exe

    • Size

      7.7MB

    • MD5

      a7ab0969bf6641cd0c7228ae95f6d217

    • SHA1

      002971b6d178698bf7930b5b89c201750d80a07e

    • SHA256

      117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

    • SHA512

      7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a

    Score
    10/10
    persistenceransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks