General

  • Target

    8015716177.zip

  • Size

    124KB

  • Sample

    220926-whltyacfgn

  • MD5

    df75ac92ce6f775ff84bc49218719923

  • SHA1

    c859da5eed877cf89c6eaf15808282471b34a121

  • SHA256

    c1e2b767b92ac6b08f82da3bee833ca3fa3aeeeeab1f4301f8c18e8e68068b81

  • SHA512

    a49e74c0e7ca60cae7caf3425f7661b0874120196c59acc248634f4f9424ea5e725b46252df0c730ba42e5700229f9e049cb1ba0e80f6bfa5716f7858d131a5b

  • SSDEEP

    3072:fcyrCo9joXE1ijHFgU6Juiu58zLqqMY8Vpa/D02q:fcsCopoES56JKUqqKp++

Malware Config

Extracted

Path

C:\Users\Public\Desktop\HOW_TO_RECOVER_DATA.hta

Ransom Note
🔒 YOUR FILES HAVE BEEN ENCRYPTED 🔒
Your ID to decrypt:
Contact us: |
Unfortunately for you, due to a serious vulnerability in IT security, you are vulnerable to attacks!
To decrypt files, you need to get a private key. The only copy of the secret key that can be used to decrypt files is on a private server. The server will destroy the key within after the encryption is completed. To save the key for a longer period, you can contact us and provide your ID!
In addition, we collect strictly confidential/personal data. This data is also stored on a private server. Your data will be deleted only after payment! If you decide not to pay, we will publish your data to everyone or resellers. So you can expect your data to become publicly available in the near future!
It's just a business and we only care about making a profit!
The only way to get your files back is to contact us for further instructions!
To establish a trust relationship, you can send 1 file for test decryption (no more than 5 MB)
⇓ ⇓ ⇓ ⇓ ⇓ ⇓ ⇓ ⇓
Do not waste your time searching for other decryption methods - THERE ARE NONE, you will pay more for your time!
Every day the price of decryption increases!
Do not rename encrypted files.
Do not use third-party programs to decrypt files - they can only do harm!
After payment, you get a decoder (.exe), you only need to run it, and it will do everything by itself.
I only accept Bitcoins! You can learn how to buy them on the Internet.

Targets

    • Target

      8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee

    • Size

      218KB

    • MD5

      b8845a76e3942ff4d20ba4660ae926bb

    • SHA1

      eb90f945087c270a2ecc11753180ba4ecc270696

    • SHA256

      8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee

    • SHA512

      9e2eda3dfe3bbdf149707eefe67d889fc88e0aa45ae23023367a8914b8feabd1badb043dfb5f8301541d4489d31b79164380a5ac8031662156c639008c26c4fc

    • SSDEEP

      6144:aC61i972rJmciP98f2H64DQFu/U3buRKlemZ9DnGAe/Ix3Sd7+:aK972I/Gf2a4DQFu/U3buRKlemZ9DnG9

    • Detects Zeppelin payload

    • Zeppelin Ransomware

      Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    • Deletes shadow copies

      Ransomware commonly deletes Volume Shadow Copies and other local backups to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check before encrypting.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
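The behaviours flagged above (ransom note drop, shadow-copy deletion, Run-key persistence, registry location lookup, extension changes) can be checked on a suspect host directly. The script below is an added example for this page, not sandbox output and not the sample's own code. It takes the note path and payload SHA256 from the report above; the registry key `HKCU:\Control Panel\International\Geo` with value `Nation` (the Windows GeoID, e.g. 244 for the United States) is the standard location for the country setting, and the scan roots and Run-key paths are assumptions chosen for a typical workstation.

```powershell
# Added host-triage example for the behaviours in this report (not part of the sandbox output).
# Run from an elevated PowerShell session on the suspect Windows host.
$ErrorActionPreference = 'SilentlyContinue'
$Findings = @()

# 1. Ransom note on the public desktop (path extracted from the sample's config above)
$NotePath = 'C:\Users\Public\Desktop\HOW_TO_RECOVER_DATA.hta'
if (Test-Path $NotePath) {
    $Findings += "Ransom note present: $NotePath"
}

# 2. Volume shadow copies: the "Deletes shadow copies" behaviour leaves none behind.
#    Zero copies is also normal on hosts without System Protection, so treat as a hint, not proof.
$Shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
if ($Shadows.Count -eq 0) {
    $Findings += 'No volume shadow copies present'
}

# 3. Run keys whose command line points outside Program Files / Windows (assumed paths to inspect)
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($Key in $RunKeys) {
    $Props = Get-ItemProperty -Path $Key
    if ($null -eq $Props) { continue }
    foreach ($P in $Props.PSObject.Properties) {
        if ($P.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
        $Cmd = [string]$P.Value
        if ($Cmd -notmatch '(?i)\\(Program Files( \(x86\))?|Windows)\\') {
            $Findings += "Run key entry outside Program Files/Windows: $Key\$($P.Name) = $Cmd"
        }
    }
}

# 4. Location setting the sample reads for its geofence check (GeoID under HKCU)
$Geo = Get-ItemProperty -Path 'HKCU:\Control Panel\International\Geo' -Name Nation
if ($Geo) {
    $Findings += "Configured GeoID (Nation): $($Geo.Nation)"
}

# 5. Hash match against the payload SHA256 listed in this report, over user-writable locations
$KnownSha256 = '8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee'
$ScanRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, 'C:\Users\Public')   # assumed scan roots
Get-ChildItem -Path $ScanRoots -Recurse -File -Include *.exe, *.dll | ForEach-Object {
    $H = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
    if ($H -eq $KnownSha256) {
        $Findings += "Known payload hash at $($_.FullName)"
    }
}

# 6. Extension survey for "Modifies extensions of user files": a single unfamiliar extension
#    dominating Desktop/Documents is a strong sign the encryptor ran to completion.
$ExtCounts = Get-ChildItem -Path "$env:USERPROFILE\Desktop", "$env:USERPROFILE\Documents" -Recurse -File |
    Group-Object Extension | Sort-Object Count -Descending | Select-Object -First 5
foreach ($E in $ExtCounts) {
    $Findings += "Extension '$($E.Name)': $($E.Count) files"
}

$Findings | ForEach-Object { Write-Output $_ }
```

Each check reads state only; nothing is deleted or modified, so the script is safe to run before imaging. A hash hit in step 5 is conclusive for this sample, while steps 2, 3 and 6 are corroborating signals that need a human to weigh against the host's normal configuration.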
