General

  • Target

    b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8

  • Size

    228KB

  • Sample

    220706-kbrwtsafaj

  • MD5

    707c69692402945982492eede5c829ca

  • SHA1

    1e2da40c770722385982f6f0a49a4920f69870ba

  • SHA256

    b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8

  • SHA512

    5373029d7fad0c36c0f7dfeaafddaf869c7f5f53d07b4b81e0af7a32764a7fd24299bdb05ea000efdc6c840b6e5f19613315fa1185d19161d7342a4b065e8164

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\#HOW_TO_DECRYPT#.txt

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Write to our skype - RICARDOMILOS DECRYPTION
   Also you can write ICQ live chat which works 24/7 @RicardoMilosGachimuchi
   Install ICQ software on your PC https://icq.com/windows/ or on your mobile phone search in Appstore / Google market ICQ
   Write to our ICQ @RicardoMilosGachimuchi https://icq.im/RicardoMilosGachimuchi
2. Our company values its reputation. We give all guarantees of your files decryption, such as test decryption some of them
   We respect your time and waiting for respond from your side
   tell your MachineID: 2913756387 and LaunchID: 8d3cfdf369
====================================================================================================
URLs

https://icq.com/windows/

https://icq.im/RicardoMilosGachimuchi

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\#HOW_TO_DECRYPT#.txt

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Write to our skype - RICARDOMILOS DECRYPTION
   Also you can write ICQ live chat which works 24/7 @RicardoMilosGachimuchi
   Install ICQ software on your PC https://icq.com/windows/ or on your mobile phone search in Appstore / Google market ICQ
   Write to our ICQ @RicardoMilosGachimuchi https://icq.im/RicardoMilosGachimuchi
2. Our company values its reputation. We give all guarantees of your files decryption, such as test decryption some of them
   We respect your time and waiting for respond from your side
   tell your MachineID: 3051920028 and LaunchID: 912c993735
====================================================================================================
URLs

https://icq.com/windows/

https://icq.im/RicardoMilosGachimuchi

Targets

    • Target

      b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8

    • Size

      228KB

    • MD5

      707c69692402945982492eede5c829ca

    • SHA1

      1e2da40c770722385982f6f0a49a4920f69870ba

    • SHA256

      b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8

    • SHA512

      5373029d7fad0c36c0f7dfeaafddaf869c7f5f53d07b4b81e0af7a32764a7fd24299bdb05ea000efdc6c840b6e5f19613315fa1185d19161d7342a4b065e8164

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Modifies file permissions

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v6

Tactic            Technique                            Count  ID
Persistence       Registry Run Keys / Startup Folder   1      T1060
Defense Evasion   File Deletion                        2      T1107
Defense Evasion   File Permissions Modification        1      T1222
Defense Evasion   Modify Registry                      2      T1112
Discovery         Query Registry                       2      T1012
Discovery         System Information Discovery         3      T1082
Discovery         Peripheral Device Discovery          1      T1120
Impact            Inhibit System Recovery              2      T1490

Tasks