Resubmissions

06-07-2022 08:05

220706-jy9vgsadgp 10

06-07-2022 06:45

220706-hh2cqsbgc3 10

General

  • Target

    b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8.zip

  • Size

    225KB

  • Sample

    220706-hh2cqsbgc3

  • MD5

    70f984d290dec4e9dcf9c0f4e7f2884d

  • SHA1

    9022e3c0fecbd1b9db2bbe5bce9616ce5bfac59e

  • SHA256

    350a0de26d6e4d0e5dc3c9b83d61e1a38ea5688a81c2c7922bfa2f6f8bc12127

  • SHA512

    1cc1eead273ef307a569213ae731b3afc1016dfeb5086086754dae46a128c1d43cd3666798d53c97b9995fbd95abab697e9664f36269b34e60849f9504a46a55

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\#HOW_TO_DECRYPT#.txt

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Write to our skype - RICARDOMILOS DECRYPTION
Also you can write ICQ live chat which works 24/7 @RicardoMilosGachimuchi
Install ICQ software on your PC https://icq.com/windows/ or on your mobile phone search in Appstore / Google market ICQ
Write to our ICQ @RicardoMilosGachimuchi https://icq.im/RicardoMilosGachimuchi
2. Our company values its reputation. We give all guarantees of your files decryption, such as test decryption some of them
We respect your time and waiting for respond from your side
tell your MachineID: 2913756387 and LaunchID: f1d3ffa752
====================================================================================================
URLs

https://icq.com/windows/

https://icq.im/RicardoMilosGachimuchi

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\#HOW_TO_DECRYPT#.txt

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Write to our skype - RICARDOMILOS DECRYPTION
Also you can write ICQ live chat which works 24/7 @RicardoMilosGachimuchi
Install ICQ software on your PC https://icq.com/windows/ or on your mobile phone search in Appstore / Google market ICQ
Write to our ICQ @RicardoMilosGachimuchi https://icq.im/RicardoMilosGachimuchi
2. Our company values its reputation. We give all guarantees of your files decryption, such as test decryption some of them
We respect your time and waiting for respond from your side
tell your MachineID: 2216818140 and LaunchID: e2be84a158
====================================================================================================
URLs

https://icq.com/windows/

https://icq.im/RicardoMilosGachimuchi

Targets

    • Target

      b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8

    • Size

      228KB

    • MD5

      707c69692402945982492eede5c829ca

    • SHA1

      1e2da40c770722385982f6f0a49a4920f69870ba

    • SHA256

      b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8

    • SHA512

      5373029d7fad0c36c0f7dfeaafddaf869c7f5f53d07b4b81e0af7a32764a7fd24299bdb05ea000efdc6c840b6e5f19613315fa1185d19161d7342a4b065e8164

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Modifies file permissions

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Generic Ransomware Note

      Ransomware often writes a note containing information on how to pay the ransom.

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    File Deletion (T1107): 2

    File Permissions Modification (T1222): 1

    Modify Registry (T1112): 2

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 3

    Peripheral Device Discovery (T1120): 1

  • Impact

    Inhibit System Recovery (T1490): 2

Tasks