General

  • Target

    HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe

  • Size

    216KB

  • Sample

    220929-pq7m2sagb7

  • MD5

    d06622833d3ee1c907d90bccec01ec74

  • SHA1

    dcdc748bb8a8cb4d16c2d88e40fbd634b2396d42

  • SHA256

    5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b

  • SHA512

    119822dcc655cf9a9bd708992811cdb46d216ca5e77fb1f461290e37545cb348ea0ccd232ee1fb1c42d4ad91ec16aa93bbdf75829807c61934d97a8f84feb735

  • SSDEEP

    3072:o7DtWs7prq6+ouCpk2mpcWJ0r+QNTBf8JMzmmsoltIrRuw+mqv9j1MWLQKq7:o7Jpldk1cWQRNTB0izmDAtS

Malware Config

Extracted

  • Path

    C:\Users\Admin\Desktop\readme.txt

  • Ransom Note

    Ooops! All your important files are encrypted! All you important files are encrypted with AES 256 algoritm. No one can help you to restore files without our special decryptor. All repair tools are useless. If you want to restore some your files for free write to email and attach 2-3 encrypted files (non-archived and your files should not contain valuable information like databases, backups, large excel sheets etc.) You have to pay $300 in bitcoin to decrypt other files. As soon as we get bitcoins you'll get all your decrypted data back. P.S. Remember we are not scammers Contact: 1.Download tor browser (https://www.torproject.org/) 2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/) 3.Write e-mail to us (CobraLocker@mail2tor.com) That's all Good luck and have fun

  • Emails

    CobraLocker@mail2tor.com

  • URLs

    http://mail2tor2zyjdctd.onion/

Targets

    • Modifies WinLogon for persistence

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Possible privilege escalation attempt

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check before the payload runs.

    • Loads dropped DLL

    • Modifies file permissions

    • Drops desktop.ini file(s)

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Winlogon Helper DLL (T1004): 1 signature

  • Hidden Files and Directories (T1158): 1 signature

Defense Evasion

  • Modify Registry (T1112): 1 signature

  • File Permissions Modification (T1222): 1 signature

  • Hidden Files and Directories (T1158): 1 signature

Discovery

  • Query Registry (T1012): 1 signature

  • System Information Discovery (T1082): 2 signatures