Resubmissions

28-09-2022 13:07

220928-qc3ydafhg6 10

28-09-2022 11:50

220928-nzkn7sfgb6 10

General

  • Target

    6066e91a9b651a9061d3f0941e6686ff476e5e84e11a51ec3bcae049d84b366b.exe

  • Size

    666KB

  • Sample

    220928-nzkn7sfgb6

  • MD5

    48fab78d6f4e0f8a499d6a27d38f7f8b

  • SHA1

    b6c11eed15ac5c0c28e094715310f9c51ae15093

  • SHA256

    6066e91a9b651a9061d3f0941e6686ff476e5e84e11a51ec3bcae049d84b366b

  • SHA512

    03f13959df51eac1f167303e3978c66d8a5f093541bbb9ba7c8c717bcfccffc6a1d2429a4c53ddb9ddd0588ae53ad310ab3553b6e06ba7959984acb0b4739e80

  • SSDEEP

    12288:ZYW1LNT35lDbK/LIVaN8+T7vwqyqhYMhWt918vulA2C9+m:dd35lDbKDIwWUDyqS5om3C9+

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\!-Recovery_Instructions-!.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width,initial-scale=1'> <title></title> <style> html, body { background-color: #1a1a1a; } body { padding-top: 1rem !important; font-size: 1.3rem; color: white; } #text h2 { font-size: 2rem; font-weight: 600; line-height: 1.125; } .container { max-width: 1152px; flex-grow: 1; margin: 0 auto; position: relative; width: auto; } .box { background-color: #242424; display: block; padding: 1.25rem; border: 1px solid #303030; } a { color: #00b4d8; text-decoration: none; } a:hover { text-decoration: underline; } li { margin-bottom: 10px; } </style> </head> <body> <div class='container'> <div class='box'> <div id='text'> <h2>If you get this message, your network was hacked!</h2> <p>After we gained full access to your servers, we first downloaded a large amount of sensitive data and then encrypted all the data stored on them.</p> <p>That includes personal information on your clients, partners, your personnel, accounting documents, and other crucial files that are necessary for your company to work normally.</p> <p>We used modern complicated algorithms, so you or any recovery service will not be able to decrypt files without our help, wasting time on these attempts instead of negotiations can be fatal for your company.</p> <p>Make sure to act within <span style='color:#f4a261;'>72</span> hours or the negotiations will be considered failed!</p> <p>Inform your superior management about what's going on.</p> <p> Contact us for price and get decryption software.</p> <p> Contact us by email:<p> <h2>[email protected]</h2> </p>If you will get no answer within 24 hours contact us by our alternate emails:</p> <h2>[email protected]</h2> </p>To verify the possibility of the recovery of your files we can decrypted 1-3 file for free.</p> </p>Attach file to the letter (no more than 5Mb).</p> <h2>If you and us succeed the negotiations we will grant you:</h2> <ul> <li>complete confidentiality, we will keep in secret any information regarding to attack, your company will act as if nothing had happened.</li> <li>comprehensive information about vulnerabilities of your network and security report.</li> <li>software and instructions to decrypt all the data that was encrypted.</li> <li>all sensitive downloaded data will be permanently deleted from our cloud storage and we will provide an erasure log.</li> </ul> <h2>Our options if you act like nothing's happening, refuse to make a deal or fail the negotiations:</h2> <ul> <li>inform the media and independent journalists about what happened to your servers. To prove it we'll publish a chunk of private data that you should have ciphered if you care about potential breaches. Moreover, your company will inevitably take decent reputational loss which is hard to assess precisely.</li> <li>inform your clients, employees, partners by phone, e-mail, sms and social networks that you haven't prevent their data leakage. You will violate laws about private data protection.</li> <li>start DDOS attack on you website and infrastructures.</li> <li>personal data stored will be put on sale on the Darknet to find anyone interested to buy useful information regarding your company. It could be data mining agencies or your market competitors.</li> <li>publish all the discovered vulnerabilities found in your network, so anyone will do anything with it.</li> </ul> <h2>Why pay us?</h2> <p>We care about our reputation. You are welcome to google our cases up and be sure that we don't have a single case of failure to provide what we promissed.</p> <p>Turning this issue to a bug bounty will save your private information, reputation and will allow you to use the security report and avoid this kind of situations in future.</p> <h2>Your personal ID</p> 14F078FDE0FAFB0890997E3086F4FDD04E8C384203E1454BA3E1EF0D1FBCCA89D5921A4EC27DC0174197E1931365B511D513BD36E34525CA1D21A27FDBD65837<br>91147BE3C885B1CC20DDDF3B091210BCDBCAC8A9139AD56FD1BAD44B1966FBD67266DA6A1384FA8B0198060882C214FCCD6D88AECB0B4712CB386A236F82<br>F43BFB58F7B4BE758512B6A6033877BCF4238387E15E647F8496CA43A3D595A2094F4613C90B0FEF7AEE5F8D7A0592FFBF49E1D3720435DF93DFB3793D64<br>D1C13EDA194A1E98BCCA8C8C8D446B45DC624333F19867C194855DA02F96D9FA13679688C2C44EE0DA39793C5F43F935B5A65C36CAF80C0747CF8146F09C<br>4DB4C3EDEE54F8F3048CB0707A4A0246AB915B85533A1741241B3173AC37C207FA575C565AD8F1F9A82E09374BD87B1A76E23D506CCE56D5AE9EEFD661B5<br>6908AEE9E687EA8F9B23363F35EE2C443B763D67FC7CE1A40BD19B4D94BCE16A1F89F0806433DFF3FB6955C4AA47BF45BBB54C0B825BE36714C7DF3F3C28<br>AF02C9A3CCE1E5901333EF666E17251B20BDBAB03448F86A29EC73C96BE82CDD2E26E4EADE0551D3FDF6377D06295BD09314DB47ACF8594652A160FD8376<br>ABBD3654B1108F095E7AE1DD741A412D1B3E2E57AE40ECA483317C7C5FDFBFA55BB8A785F149E4C561D34DBD70BC81B1541747411C452D4E66B10FB24FFA<br>26D2899AC732802FE7B0F42B965F
Emails

<h2>[email protected]</h2>

<h2>[email protected]</h2>

Extracted

Path

C:\!-Recovery_Instructions-!.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width,initial-scale=1'> <title></title> <style> html, body { background-color: #1a1a1a; } body { padding-top: 1rem !important; font-size: 1.3rem; color: white; } #text h2 { font-size: 2rem; font-weight: 600; line-height: 1.125; } .container { max-width: 1152px; flex-grow: 1; margin: 0 auto; position: relative; width: auto; } .box { background-color: #242424; display: block; padding: 1.25rem; border: 1px solid #303030; } a { color: #00b4d8; text-decoration: none; } a:hover { text-decoration: underline; } li { margin-bottom: 10px; } </style> </head> <body> <div class='container'> <div class='box'> <div id='text'> <h2>If you get this message, your network was hacked!</h2> <p>After we gained full access to your servers, we first downloaded a large amount of sensitive data and then encrypted all the data stored on them.</p> <p>That includes personal information on your clients, partners, your personnel, accounting documents, and other crucial files that are necessary for your company to work normally.</p> <p>We used modern complicated algorithms, so you or any recovery service will not be able to decrypt files without our help, wasting time on these attempts instead of negotiations can be fatal for your company.</p> <p>Make sure to act within <span style='color:#f4a261;'>72</span> hours or the negotiations will be considered failed!</p> <p>Inform your superior management about what's going on.</p> <p> Contact us for price and get decryption software.</p> <p> Contact us by email:<p> <h2>[email protected]</h2> </p>If you will get no answer within 24 hours contact us by our alternate emails:</p> <h2>[email protected]</h2> </p>To verify the possibility of the recovery of your files we can decrypted 1-3 file for free.</p> </p>Attach file to the letter (no more than 5Mb).</p> <h2>If you and us succeed the negotiations we will grant you:</h2> <ul> <li>complete confidentiality, we will keep in secret any information regarding to attack, your company will act as if nothing had happened.</li> <li>comprehensive information about vulnerabilities of your network and security report.</li> <li>software and instructions to decrypt all the data that was encrypted.</li> <li>all sensitive downloaded data will be permanently deleted from our cloud storage and we will provide an erasure log.</li> </ul> <h2>Our options if you act like nothing's happening, refuse to make a deal or fail the negotiations:</h2> <ul> <li>inform the media and independent journalists about what happened to your servers. To prove it we'll publish a chunk of private data that you should have ciphered if you care about potential breaches. Moreover, your company will inevitably take decent reputational loss which is hard to assess precisely.</li> <li>inform your clients, employees, partners by phone, e-mail, sms and social networks that you haven't prevent their data leakage. You will violate laws about private data protection.</li> <li>start DDOS attack on you website and infrastructures.</li> <li>personal data stored will be put on sale on the Darknet to find anyone interested to buy useful information regarding your company. It could be data mining agencies or your market competitors.</li> <li>publish all the discovered vulnerabilities found in your network, so anyone will do anything with it.</li> </ul> <h2>Why pay us?</h2> <p>We care about our reputation. You are welcome to google our cases up and be sure that we don't have a single case of failure to provide what we promissed.</p> <p>Turning this issue to a bug bounty will save your private information, reputation and will allow you to use the security report and avoid this kind of situations in future.</p> <h2>Your personal ID</p> E811D8F62964697CFE8AF2EDF06261BB1A6EF6E648F3F11ABDBCB3661761536955727984E670BCD6B9591664960864ED6CD85A86E6A5BA260688A6DAA4466B95<br>B4BD15AB1161124BC14030F75CECE388BFAF53468129CACF5FE4B3A77DC8D9F294960426A64F6AD2671B748043F8ACC6A8832514F203A386811E519B2ACF<br>495AAD180E737532647CF2590C53B4E285FEAF6B5363777B6FF92E7E8B515A30ED0A84A75D987BD55A61632B1FA7A5244B31524CFC525306A92DBDDE2230<br>F2990C71518B4AEA86F6ED3ECCC78E849476E85690B5CA20E00BE699A75BC169BC1A30BF8B9A277DD57A7A2140D6137E37409E02C8B620CCB1FCEFEF71AA<br>72704517F60C3EFEB25F72D542C9C04567CA28E8B35EEB3E779072CB9F258282C77A5F481457599E5BA6C5BE8FD22AB74E42B5C39F255A2DA01473C67A5A<br>991557ECD64B84FC7B298AF46A1D81D2B29E8750368E3DF371735AB40571B5254B695FB51D6EE4B79CF302F14B26FB4F3511C20486F1C950DBA9D8459452<br>276B8D61359554063726C005AEE136DDC19245C2494CCC5EED0A51C93EABE72F272F12C3BC310D39C6FA38631A25FBB70BD0A7AF7506A1E1268359F7C7ED<br>1B9DF17837248F44E1F5F65FE9F39B499423D9945CC50B64BCDD9F096200DD003405E6E24C1C8B9774B7384F0D6E9EEA57D54EAF5791396785FCBADCAC6D<br>A0091DCCB7CE3635A19562A1CC85
Emails

<h2>[email protected]</h2>

<h2>[email protected]</h2>

Targets

    • Target

      6066e91a9b651a9061d3f0941e6686ff476e5e84e11a51ec3bcae049d84b366b.exe

    • Size

      666KB

    • MD5

      48fab78d6f4e0f8a499d6a27d38f7f8b

    • SHA1

      b6c11eed15ac5c0c28e094715310f9c51ae15093

    • SHA256

      6066e91a9b651a9061d3f0941e6686ff476e5e84e11a51ec3bcae049d84b366b

    • SHA512

      03f13959df51eac1f167303e3978c66d8a5f093541bbb9ba7c8c717bcfccffc6a1d2429a4c53ddb9ddd0588ae53ad310ab3553b6e06ba7959984acb0b4739e80

    • SSDEEP

      12288:ZYW1LNT35lDbK/LIVaN8+T7vwqyqhYMhWt918vulA2C9+m:dd35lDbKDIwWUDyqS5om3C9+

    • MedusaLocker

      Ransomware with several variants first seen in September 2019.

    • MedusaLocker payload

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v6

Tasks