Resubmissions

  • 18-08-2022 16:49   220818-vb3y7scbb9   10
  • 11-08-2022 18:09   220811-wrtk5safam   10

General

  • Target: 7850996135.zip
  • Size: 201KB
  • Sample: 220811-wrtk5safam
  • MD5: 0699b5531c4fc2cee19d321270a8685b
  • SHA1: 3f2195d6496e7a476fa080a4da78750ad9eadfbe
  • SHA256: 8ec919064791aa84aad6bb1374d6c67a8f5c254820f2f9a849a78f61eb6fada2
  • SHA512: fcb744230d0a279135007f38324bc27d09dbb0f330fff90fe0fe19571fbce353c885c86153c96ba9c72080b57cc0403af1a3256ce8cec81a7a913f9cd0a59039
  • SSDEEP: 6144:JPTudNtlyg33EW9biyHAU6cc1Ivfh3wFU:JSfyE04bWU6cc1mfhIU

Malware Config

Extracted

  • Path: C:\odt\README.txt

Ransom Note

Hi, since you are reading this it means you have been hacked. In addition to encrypting all your systems, deleting backups, we also downloaded 2 terabytes of confidential information.

Here's what you shouldn't do:
1) Contact the police, fbi or other authorities before the end of our deal
2) Contact the recovery company so that they would conduct dialogues with us. (This can slow down the recovery, and generally put our communication to naught)
3) Do not try to decrypt the files yourself, as well as do not change the file extension yourself !!! This can lead to the impossibility of their decryption.
4) Keep us for fools) We will also stop any communication with you, and continue DDoS, calls to employees and business partners. In a few weeks, we will simply repeat our attack and delete all your data from your networks, WHICH WILL LEAD TO THEIR UNAVAILABILITY!

Here's what you should do right after reading it:
1) If you are an ordinary employee, send our message to the CEO of the company, as well as to the IT department
2) If you are a CEO, or a specialist in the IT department, or another person who has weight in the company, you should contact us within 24 hours by email. We are ready to confirm all our intentions regarding DDOS, calls, and deletion of the date at your first request. As a guarantee that we can decrypt the files, we suggest that you send several files for free decryption.

Mails to contact us:
1) cang.leen@mailfence.com
2) yan.laowang@mailfence.com

JjCc5Cnr1xu5EYezdUtZRnUOSzXNGWEOwsS1N/10RcjlacqrOwohIlC4B05A3X8jh isUPAwdwOMgJYaJWzYM5ThOkJEeMkp8oVYjgxELfu7HuVwMqHjtwu1HuUwgCO+C3 E3g9xU/a5Y+4oIt0wSFah4imLmTN4J/xPBAAw21uni8=
Emails

  • 1) cang.leen@mailfence.com

Targets

  • Target: d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c
  • Size: 398KB
  • MD5: afaf2d4ebb6dc47e79a955df5ad1fc8a
  • SHA1: c418ce055d97928f94ba06b5de8124a601d8f632
  • SHA256: d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c
  • SHA512: 321424ac21ebdb7f759a84236cb95c533b3000b3143099e1697f4a1f534c11782dafa68e5fa9e662b973b9669c1177b69c2fd0b83455625e57aa123385f581e6
  • SSDEEP: 12288:EfaLQyGK6kAa2XgsA1RUa+jE6S3qRTjO0:EwIHnXp/O0

  • Checks computer location settings
    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers
    Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Matrix (ATT&CK v6)

Credential Access
  • Credentials in Files (T1081): 1

Discovery
  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2

Collection
  • Data from Local System (T1005): 1
