Overview

overview

10

Static

static

10

d0003c88c3...54.exe

windows7-x64

10

d0003c88c3...54.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d0003c88c3a7786f3642ec903ce98f4027badaba69b7c3bb2e90a6e4e9587f54

  • Size

    2.3MB

  • Sample

    221020-j5pswsdca5

  • MD5

    2fa3c5b2e6a0c465045fe8dd7f55dd9a

  • SHA1

    1e6ea91491804da44db10be25bd1ea36baa0b362

  • SHA256

    d0003c88c3a7786f3642ec903ce98f4027badaba69b7c3bb2e90a6e4e9587f54

  • SHA512

    12f2aaa7cf2055d0a15470d926690dc558d5b6a1eb7dd9f1e450ddbdd1c5389670aea7c39e800f86840f0a558b86ba023beb82d6ba66557a1882e6491b1865e1

  • SSDEEP

    49152:zwKNchAjMta5q1SRNyYvgkCzS8QpWRjoYS8KXrTBt6z8zQBmL2eC8AE:MKtjMoq0IG8QpWRjZaPEFnem

Score
10/10
snatchransomwarespywarestealerupx

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR FILES.TXT

Ransom Note
Dear Management CMHA We inform you that your network has undergone a penetration test, during which we encrypted your files and downloaded more than 300 GB of your data (most from your PD), including: Accounting Confidential documents Personal data Copy of some mailboxes Important! Do not try to decrypt the files yourself or using third-party utilities. The only program that can decrypt them is our decryptor, which you can request from the contacts below. Any other program will only damage files in such a way that it will be impossible to restore them. You can get all the necessary evidence, discuss with us possible solutions to this problem and request a decryptor by using the contacts below. Please be advised that if we don't receive a response from you within 3 days, we reserve the right to publish files to the public. Contact us: [email protected] or [email protected] Additional ways to communicate in tox chat tox id:83E6E3CFEC0E4C8E7F7B6E01F6E86CF70AE8D4E75A59126A2C52FE9F568B4072CA78EF2B3C97 =========================================================== Customer service TOX ID: 0FF26770BFAEAD95194506E6970CC1C395B04159038D785DE316F05CE6DE67324C6038727A58 Only emergency! Use if support is not responding

Targets

    • Target

      d0003c88c3a7786f3642ec903ce98f4027badaba69b7c3bb2e90a6e4e9587f54

    • Size

      2.3MB

    • MD5

      2fa3c5b2e6a0c465045fe8dd7f55dd9a

    • SHA1

      1e6ea91491804da44db10be25bd1ea36baa0b362

    • SHA256

      d0003c88c3a7786f3642ec903ce98f4027badaba69b7c3bb2e90a6e4e9587f54

    • SHA512

      12f2aaa7cf2055d0a15470d926690dc558d5b6a1eb7dd9f1e450ddbdd1c5389670aea7c39e800f86840f0a558b86ba023beb82d6ba66557a1882e6491b1865e1

    • SSDEEP

      49152:zwKNchAjMta5q1SRNyYvgkCzS8QpWRjoYS8KXrTBt6z8zQBmL2eC8AE:MKtjMoq0IG8QpWRjZaPEFnem

    Score
    10/10
    snatchransomwarespywarestealerupx

    • Detecting the common Go functions and variables names used by Snatch ransomware

    • Snatch Ransomware

      Ransomware family generally distributed through RDP bruteforce attacks.

      ransomwaresnatch

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks