Analysis
-
max time kernel
134s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
07-10-2022 14:25
General
-
Target
NFs.exe
-
Size
53KB
-
MD5
59e3542c4d5293a1a12b2bb6cb357d92
-
SHA1
f31322bc47eec5f5c7da0e46f23fb868c982daa1
-
SHA256
facc02c8d7a9927e3e1276f8122a2656136af1b8817511ed350b678b46407098
-
SHA512
85609e3598058b066af991bd8b665d4c9cda4e8b1de5429c20af354ee32fb29d7c3c1debcfcdd2fea760d1df29c3aaf3bc2d0e072601ed142661b9ef4313a939
-
SSDEEP
768:F6vuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5YW:F4eytM3alnawrRIwxVSHMweio3+
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������14 FE 6F C7 8C A8 80 3D 98 7B 74 C9 29 1E E5 E6
B9 93 48 BA 87 5D A4 A1 57 96 F6 3B 0F C8 C2 9C
D0 C0 60 15 50 C0 66 79 2B 4F CA A8 4C 0E 47 59
25 3B FD 03 8C 5A 99 BF 63 7C 48 65 F7 36 02 C1
44 2E 9F 24 AD 6E 2E FE 59 53 9B 98 10 4B F6 86
6F A0 3B D7 31 7E 3A 89 8F 5D EB F1 C2 42 9A A5
35 63 13 A3 59 C3 F7 C0 96 65 E2 34 33 95 75 74
F6 E8 56 10 43 B8 28 34 5F C6 D7 CE 22 91 E4 D5
76 2F 07 41 4D E5 A3 4C A0 4D 1D E2 1C 1E 31 D1
01 15 40 7E AE 83 A9 9D 5E 80 84 8D 68 72 70 94
A3 F7 D0 02 A3 79 66 96 8E 27 AA 96 94 C8 1D 09
60 1F A2 11 55 BF 28 43 D7 64 A5 C9 9F 97 4C F8
A4 26 C0 68 14 6C 71 9C 19 CE E7 65 8E 42 CD 36
C4 70 DB 6E EB DA 34 C0 B8 55 05 7B 60 25 0E 10
00 F1 53 FC 51 06 6A AB 20 F9 99 38 31 D8 59 6F
80 DE 8F FF 67 E6 6C 90 62 F6 36 7D 01 64 ED 42
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Extracted
Path
C:\Users\Admin\Desktop\how_to_back_files.html
Family
medusalocker
Ransom Note
Your personal ID:
����������14 FE 6F C7 8C A8 80 3D 98 7B 74 C9 29 1E E5 E6 B9 93 48 BA 87 5D A4 A1 57 96 F6 3B 0F C8 C2 9C D0 C0 60 15 50 C0 66 79 2B 4F CA A8 4C 0E 47 59 25 3B FD 03 8C 5A 99 BF 63 7C 48 65 F7 36 02 C1 44 2E 9F 24 AD 6E 2E FE 59 53 9B 98 10 4B F6 86 6F A0 3B D7 31 7E 3A 89 8F 5D EB F1 C2 42 9A A5 35 63 13 A3 59 C3 F7 C0 96 65 E2 34 33 95 75 74 F6 E8 56 10 43 B8 28 34 5F C6 D7 CE 22 91 E4 D5 76 2F 07 41 4D E5 A3 4C A0 4D 1D E2 1C 1E 31 D1 01 15 40 7E AE 83 A9 9D 5E 80 84 8D 68 72 70 94 A3 F7 D0 02 A3 79 66 96 8E 27 AA 96 94 C8 1D 09 60 1F A2 11 55 BF 28 43 D7 64 A5 C9 9F 97 4C F8 A4 26 C0 68 14 6C 71 9C 19 CE E7 65 8E 42 CD 36 C4 70 DB 6E EB DA 34 C0 B8 55 05 7B 60 25 0E 10 00 F1 53 FC 51 06 6A AB 20 F9 99 38 31 D8 59 6F 80 DE 8F FF 67 E6 6C 90 62 F6 36 7D 01 64 ED 42
/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\
All your important files have been encrypted!
Your files are safe! Only modified. (RSA+AES)
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE
WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.
No software available on internet can help you. We are the only ones able to
solve your problem.
We gathered highly confidential/personal data. These data are currently stored on
a private server. This server will be immediately destroyed after your payment.
If you decide to not pay, we will release your data to public or re-seller.
So you can expect your data to be publicly available in the near future..
We only seek money and our goal is not to damage your reputation or prevent
your business from running.
You will can send us 2-3 non-important files and we will decrypt it for free
to prove we are able to give your files back.
Contact us for price and get decryption software.
qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
* Note that this server is available via Tor browser only
Follow the instructions to open the link:
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.
3. Now you have Tor browser. In the Tor Browser open qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
4. Start a chat and follow the further instructions.
If you can not use the above link, use the email:
[email protected]
[email protected]
* To contact us, create a new free email account on the site: protonmail.com
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.
Signatures
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
-
Deletes itself 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 33 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NFs.exe"C:\Users\Admin\AppData\Local\Temp\NFs.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\NFs.exe > nul2⤵
- Deletes itself
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\how_to_back_files.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1788 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5d808fe92c5972b46da7d11772d7f5d01
SHA12fcecc697ef5e7e45eee839d0d551931e48598cd
SHA256af934d2a296c5f87232fa52e83b92364c6133eb91a4a6081230f951b8026e7fa
SHA5123002a1ca23ed6eb90cd290f7c25d8d2a09bd5f9114e70b08ed8fdc7bf9847a2e93d26b6581fb2347dc99a741ec0a4106d5bccda12371bfbeda14c4b14938300a
-
-
Filesize
8KB
-
Filesize
56KB