Resubmissions

04-10-2022 20:15

221004-y1y84acfap 10

04-10-2022 18:07

221004-wqfynacagq 1

04-10-2022 17:17

221004-vtrc5abfc8 10

General

  • Target

    1DB0F1BC49327D3FD4527A2C58F63AAA.fil

  • Size

    10KB

  • Sample

    221004-y1y84acfap

  • MD5

    1db0f1bc49327d3fd4527a2c58f63aaa

  • SHA1

    4cc6ec7675e87c6a95ecd4625ccb5f7b156d6e28

  • SHA256

    2497c19fc0d51f7e9150792e207ff173ab33c7041a1bbd930bac2815e7fada84

  • SHA512

    5733576873c19de5b2d770a4423f2f4cd8e8408418e94a13c3df0b9fb8a51972e72d8cef35ff7ce940c917132285b98a656dd8b7bcf14c90354c74fb588f3c32

  • SSDEEP

    192:pPCXxU4TtXGp7m2gSQ2LX/tFKkiKG0Rt0UEoLLCoNzpkpWvnWi:pP+U4TAp7jgSlLX/tFBfGE9zmWvnW

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-999675638-2867687379-27515722-1000\RECOVERY FILES.txt

Ransom Note
YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. Do not rename, do not use third-party software or the data will be permanently damaged CONTACT US: [email protected] If first email will not reply in 24 hours then contact with reserve address: [email protected] YOUR PERSONAL ID: 7A556E2F5391 In case of non-payment of the ransom, your data may be published in the public domain. Our page in twitter with data leaks: https://twitter.com/mallox_leaks
URLs

https://twitter.com/mallox_leaks

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\RECOVERY FILES.txt

Ransom Note
YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. Do not rename, do not use third-party software or the data will be permanently damaged CONTACT US: [email protected] If first email will not reply in 24 hours then contact with reserve address: [email protected] YOUR PERSONAL ID: 20E342F8E71B In case of non-payment of the ransom, your data may be published in the public domain. Our page in twitter with data leaks: https://twitter.com/mallox_leaks
URLs

https://twitter.com/mallox_leaks

Targets

    • Target

      1DB0F1BC49327D3FD4527A2C58F63AAA.fil

    • Size

      10KB

    • MD5

      1db0f1bc49327d3fd4527a2c58f63aaa

    • SHA1

      4cc6ec7675e87c6a95ecd4625ccb5f7b156d6e28

    • SHA256

      2497c19fc0d51f7e9150792e207ff173ab33c7041a1bbd930bac2815e7fada84

    • SHA512

      5733576873c19de5b2d770a4423f2f4cd8e8408418e94a13c3df0b9fb8a51972e72d8cef35ff7ce940c917132285b98a656dd8b7bcf14c90354c74fb588f3c32

    • SSDEEP

      192:pPCXxU4TtXGp7m2gSQ2LX/tFKkiKG0Rt0UEoLLCoNzpkpWvnWi:pP+U4TAp7jgSlLX/tFBfGE9zmWvnW

    • TargetCompany

      Ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.

    • TargetCompany payload

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Modifies service settings

      Alters the configuration of existing services.

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Modifies file permissions

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks