Resubmissions

04-09-2022 20:34

220904-zcdsxsddbq 10

General

  • Target

  • Size

    431KB

  • Sample

    220904-zcdsxsddbq

  • MD5

    fbbdc39af1139aebba4da004475e8839

  • SHA1

    de5c8d858e6e41da715dca1c019df0bfb92d32c0

  • SHA256

    630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

  • SHA512

    74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

  • SSDEEP

    12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

Malware Config

Extracted

Path

C:\Readme.txt

Ransom Note
Oops! Your files have been encrypted. If you see this text, your files are no longer accessible. You might have been looking for a way to recover your files. Don't waste your time. No one will be able to recover them without our decryption service. We guarantee that you can recover all your files safely. All you need to do is submit the payment and get the decryption password. Visit our web service at caforssztxqzf2nm.onion Your personal installation key#2: ZjTblU4MbC0S/7yhamiL4vWL92fLHywjDZYhSSO84L5vNNNRTlsEHos9N6yLtBIx km/RSPKbO/VJxfDZIOEQY/fPr+HCy0bB8Rwg3L1NqFj0DnI4bf/yfMgV2vOSxxOV gO5Xzx+WuS0ys/+dYTZ8Jl7WMmDu+njLvBQK8f/5ewMLXJOPZtY++Cep7z/llyhY rbFs4OL09TCXuleiBtXOAihrVHHqzkYLpAvwX0Tue6IfQmcAootDO3VgBKGt8NUQ yVIqgb36FRonY9HtsvD2VVIaS2bXeqqKgPZ/rhIs+mylk6iZooIhVf4z2hykCT8C YMPF1Ljuxow1Bq6gMPBjDfGi9slgWN8fGg==
URLs

http://caforssztxqzf2nm.onion

Targets

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Mimikatz

      mimikatz is an open-source tool to dump credentials on Windows.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v6

Tasks