Resubmissions

19-09-2022 14:04

220919-rdc9sacaf4 10

19-09-2022 14:03

220919-rcs9lsfghq 3

19-09-2022 14:02

220919-rca32acab4 3

General

  • Target

    f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.rar

  • Size

    196KB

  • Sample

    220919-rdc9sacaf4

  • MD5

    7d02973013bf5377f423f087a9acbada

  • SHA1

    5517c3a070261201db6c3b703cf4e1437b4fa454

  • SHA256

    a316efdb45d99ce940a32167e72016ad0250ec12748bf488ab16b7fcba847614

  • SHA512

    ac8cba1fa7060daec32d5ccdeeb31681d04dab0677e475d4d58f3c53fe823aa51fd33bba647cc5dfd1e3255bc5507439705e916305fcfc042111dbb405ff7925

  • SSDEEP

    3072:1KlUDpRtml4HtFJhtsHGHVPZ1vzTtMwEIc+UYNOCxfHtPoyRGnH7H9xbF/026Mj:154l4CmHVPPPtMPHYki7QH7Hzb76Mj

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1099808672-3828198950-1535142148-1000\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>ZkWr5ZdRm/Z8EMoo4cVitWxtitEUK3sPgHPyvVVYbs1hkTpN6Z28se5vmhzVyBxcpzWz5THSh5k1+SqO0QAXoKG8QZkAveGiD/18UzqzWMNu8okWOJMgmaE9kQa5UM2Pn6/EMaerYJNjlnCSHkQj5yJ3xwN9P8iSgqavKNnaVevGi9GV14tLsttw6KP+NepIHxwwr0/T3ha8he62HUwqZ2y+pd24OtoIpTPs36kWbUTAXzp1KG1uFTOA7c8g3C4bHwwTw0IBM1NvZotNcygwQIoABKEt/7hbAwIu6mqhMz7DZEN2ZO56o7RL1AbdLRoBSZ/N4+65twKP5wgWGhDO6A==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>
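
The ID_KEY in the note above is two base64 strings run together: the blob ends in "==" and is immediately followed by "ZW4tVVM=", which decodes to the locale tag en-US. The parser below is an added worked example, not part of the sandbox report or of any tool it names: it pulls the key out of the note's HTML, splits it at the padding, decodes both halves and compares the decoded blob size with the RSA key size the note claims. The note text is embedded verbatim from the page; the function names are this example's own.

```python
import base64
import re

# Ransom note HTML as extracted by the sandbox, copied verbatim from the report above.
RANSOM_NOTE_HTML = '''<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>ZkWr5ZdRm/Z8EMoo4cVitWxtitEUK3sPgHPyvVVYbs1hkTpN6Z28se5vmhzVyBxcpzWz5THSh5k1+SqO0QAXoKG8QZkAveGiD/18UzqzWMNu8okWOJMgmaE9kQa5UM2Pn6/EMaerYJNjlnCSHkQj5yJ3xwN9P8iSgqavKNnaVevGi9GV14tLsttw6KP+NepIHxwwr0/T3ha8he62HUwqZ2y+pd24OtoIpTPs36kWbUTAXzp1KG1uFTOA7c8g3C4bHwwTw0IBM1NvZotNcygwQIoABKEt/7hbAwIu6mqhMz7DZEN2ZO56o7RL1AbdLRoBSZ/N4+65twKP5wgWGhDO6A==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>'''


def extract_id_key(note_html: str) -> str:
    """Return the raw ID_KEY text from the table cell that follows 'Your ID_KEY:'."""
    m = re.search(r"ID_KEY:.*?<td>\s*<p>([A-Za-z0-9+/=]+)</p>", note_html, re.S)
    if not m:
        raise ValueError("no ID_KEY cell found in note")
    return m.group(1)


def split_key(raw: str) -> tuple:
    """Split two concatenated base64 strings at the first padding run.

    '...6A==ZW4tVVM=' -> ('...6A==', 'ZW4tVVM='). If the first string happens
    to need no padding the boundary is invisible, and the whole value comes
    back as one part with an empty suffix.
    """
    m = re.fullmatch(r"([A-Za-z0-9+/]+=*)([A-Za-z0-9+/]*=*)", raw)
    if not m:
        raise ValueError("ID_KEY is not base64 text")
    return m.group(1), m.group(2)


def analyze_note(note_html: str) -> dict:
    """Decode the ID_KEY and check its size against the note's own RSA claim."""
    raw = extract_id_key(note_html)
    blob_b64, suffix_b64 = split_key(raw)
    blob = base64.b64decode(blob_b64, validate=True)
    suffix = base64.b64decode(suffix_b64, validate=True) if suffix_b64 else b""
    # Algorithms the note claims to use, e.g. {'RSA': 4096, 'AES': 256}.
    claims = {alg: int(bits) for alg, bits in re.findall(r"(RSA|AES)-(\d{3,4})", note_html)}
    rsa_bits = claims.get("RSA", 0)
    return {
        "blob_len": len(blob),
        "suffix": suffix.decode("ascii", "replace"),
        "claims": claims,
        # A raw RSA ciphertext is exactly the modulus size in bytes.
        "expected_rsa_ct_len": rsa_bits // 8,
        "blob_matches_claim": rsa_bits > 0 and len(blob) == rsa_bits // 8,
    }


if __name__ == "__main__":
    for field, value in analyze_note(RANSOM_NOTE_HTML).items():
        print(f"{field}: {value}")
```

On this note the blob decodes to 256 bytes, the size of a single RSA-2048 ciphertext; the RSA-4096 the note advertises would produce a 512-byte ciphertext. What the blob actually holds cannot be determined from the report alone, so the check only shows that the note's claim does not match the size of the key it hands out, which is a useful thing to record when clustering notes from the same family.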

Targets

    • Target

      f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.rar

    • Fantom

      Ransomware that hides its encryption process behind a fake Windows Update screen.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry
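
The behaviours flagged above (shadow-copy deletion, Task Manager disabled through the registry, wallpaper set through the registry, a changed extension on user files, a file dropped in the Startup folder) are the ones a detection engineer would turn into host rules. The script below is an added example and is not part of the sandbox report or of any detection product: it runs a handful of such rules over a constructed list of sandbox-style events and reports which fired. The event shape, the process IDs, the ".locked" extension and the threshold of ten renames are all made up for the example; the command lines and registry locations are the standard ones these behaviours use on Windows. The fake Windows Update screen that Fantom shows is a visual decoy and is not covered by these rules.

```python
import re
from collections import defaultdict

# Constructed sample events in a sandbox-style shape. They are NOT taken from
# this report; the process IDs, paths and the ".locked" extension are invented.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1302, "cmdline": "update.exe"},
    {"type": "process", "pid": 1310,
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "pid": 1311, "cmdline": "wmic shadowcopy delete"},
    {"type": "registry", "pid": 1302,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
     "value": "DisableTaskMgr", "data": 1},
    {"type": "registry", "pid": 1302, "key": "HKCU\\Control Panel\\Desktop",
     "value": "Wallpaper", "data": "C:\\Users\\user\\AppData\\Local\\Temp\\wp.bmp"},
    {"type": "file_create", "pid": 1302,
     "path": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe"},
] + [
    {"type": "file_rename", "pid": 1302,
     "src": f"C:\\Users\\user\\Documents\\report{i}.docx",
     "dst": f"C:\\Users\\user\\Documents\\report{i}.docx.locked"}
    for i in range(12)
] + [
    # Benign rename: the extension is replaced, not appended, so it must not count.
    {"type": "file_rename", "pid": 1302,
     "src": "C:\\Users\\user\\Documents\\draft.tmp",
     "dst": "C:\\Users\\user\\Documents\\draft.txt"},
]

# Both common ways of deleting Volume Shadow Copies from the command line.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
USER_DATA_DIR = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\(Documents|Desktop|Pictures|Downloads)\\", re.I)
RENAME_THRESHOLD = 10  # invented threshold: many renames with the same appended extension


def detect(events):
    """Return {rule_name: [evidence, ...]} for the rules that fired."""
    hits = defaultdict(list)
    appended = defaultdict(lambda: defaultdict(int))  # pid -> appended extension -> count
    for ev in events:
        kind = ev["type"]
        if kind == "process" and SHADOW_DELETE.search(ev["cmdline"]):
            hits["deletes_shadow_copies"].append(ev["cmdline"])
        elif kind == "registry":
            key, value = ev["key"].lower(), ev["value"].lower()
            if key.endswith("\\policies\\system") and value == "disabletaskmgr" and ev["data"] == 1:
                hits["disables_task_manager"].append(ev["key"] + "\\" + ev["value"])
            if key.endswith("control panel\\desktop") and value == "wallpaper":
                hits["sets_wallpaper_via_registry"].append(str(ev["data"]))
        elif kind == "file_create" and STARTUP_DIR.search(ev["path"]):
            hits["drops_startup_file"].append(ev["path"])
        elif kind == "file_rename" and USER_DATA_DIR.match(ev["src"]):
            # Only an appended extension (old name kept intact) is counted.
            if ev["dst"].lower().startswith(ev["src"].lower() + "."):
                appended[ev["pid"]][ev["dst"][len(ev["src"]):].lower()] += 1
    for pid, exts in appended.items():
        for ext, n in exts.items():
            if n >= RENAME_THRESHOLD:
                hits["modifies_user_file_extensions"].append(
                    f"pid {pid}: {n} user files renamed to *{ext}")
    return dict(hits)


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS).items():
        print(rule)
        for item in evidence:
            print("   ", item)
```

The rename rule keys on the old name being preserved with something appended, which is what "modifies extensions of user files" describes here; a tool that rewrites extensions in place (the benign draft.tmp to draft.txt rename in the sample) does not trip it. In a real pipeline the shadow-copy rule should also key on the parent process, since vssadmin run by a backup agent is normal and vssadmin spawned by a freshly dropped executable is not.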

MITRE ATT&CK Enterprise v6
