General

  • Target

    9f2349c23dadb14899049f44ef4750f1b3bb2d796e84012811a3ded1ec330f13

  • Size

    1MB

  • Sample

    220724-sef8hagba8

  • MD5

    6fccb7f6581e2519f14e858b597d8b5b

  • SHA1

    5cec2dbbf7af2c1a547bcce36deb06e8a2bc491b

  • SHA256

    9f2349c23dadb14899049f44ef4750f1b3bb2d796e84012811a3ded1ec330f13

  • SHA512

    2c936900e8ec067dac4a5b28ed77de2bab4a90f373e776026eee8b213cb15817fd5ff83134bd2d8c9bc5edff57b7a80d1265ed566a49b0fc4946bd8e8f6fad9b

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_B29CE706 Use Tor Browser to access this address. If you have not been answered via the link within 12 hours, write to us by e-mail: admin@spacedatas.com Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

admin@spacedatas.com

URLs

http://zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_B29CE706

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_ABAD1BB4 Use Tor Browser to access this address. If you have not been answered via the link within 12 hours, write to us by e-mail: admin@spacedatas.com Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

admin@spacedatas.com

URLs

http://zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_ABAD1BB4

Targets

    • Target

      9f2349c23dadb14899049f44ef4750f1b3bb2d796e84012811a3ded1ec330f13

    • Size

      1MB

    • MD5

      6fccb7f6581e2519f14e858b597d8b5b

    • SHA1

      5cec2dbbf7af2c1a547bcce36deb06e8a2bc491b

    • SHA256

      9f2349c23dadb14899049f44ef4750f1b3bb2d796e84012811a3ded1ec330f13

    • SHA512

      2c936900e8ec067dac4a5b28ed77de2bab4a90f373e776026eee8b213cb15817fd5ff83134bd2d8c9bc5edff57b7a80d1265ed566a49b0fc4946bd8e8f6fad9b

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Execution

      Exfiltration

        Initial Access

          Lateral Movement

            Privilege Escalation

              Tasks