General

  • Target

    009d18bf6d98a4b8a8686e7b6441528c70a89f1d7031db0b9241dddfe568825a

  • Size

    92KB

  • Sample

    221105-m34e2shfaj

  • MD5

    aa42bd09c30e971fce6d9f77ffdfc314

  • SHA1

    bb831173ae3969f21f873c00b7f284d571e670ba

  • SHA256

    009d18bf6d98a4b8a8686e7b6441528c70a89f1d7031db0b9241dddfe568825a

  • SHA512

    916bd3ec123416215ffe3922cd23fc0ee0061d993b83e41bd04a3df94d7c3a2b1c6edbce59045f64e91f47089e08916c702bc2fb7a052980cf69cbea70b23482

  • SSDEEP

    1536:mBwl+KXpsqN5vlwWYyhY9S4AyX6byKlAAM325h6/bTjFFkffGa2kgmpZQ:Qw+asqN5aW/hLN2KlAzYsPj0GU

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED 1024 Don't worry, you can return all your files! If you want to restore them, write to the mail: bkpdata@msgsafe.io YOUR ID bkpdata@onionmail.org ATTENTION! We recommend you contact us directly to avoid overpaying agents Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

bkpdata@msgsafe.io

bkpdata@onionmail.org

Targets

    • Target

      009d18bf6d98a4b8a8686e7b6441528c70a89f1d7031db0b9241dddfe568825a

    • Size

      92KB

    • MD5

      aa42bd09c30e971fce6d9f77ffdfc314

    • SHA1

      bb831173ae3969f21f873c00b7f284d571e670ba

    • SHA256

      009d18bf6d98a4b8a8686e7b6441528c70a89f1d7031db0b9241dddfe568825a

    • SHA512

      916bd3ec123416215ffe3922cd23fc0ee0061d993b83e41bd04a3df94d7c3a2b1c6edbce59045f64e91f47089e08916c702bc2fb7a052980cf69cbea70b23482

    • SSDEEP

      1536:mBwl+KXpsqN5vlwWYyhY9S4AyX6byKlAAM325h6/bTjFFkffGa2kgmpZQ:Qw+asqN5aW/hLN2KlAzYsPj0GU

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

File Deletion

2
T1107

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Impact

Inhibit System Recovery

2
T1490

Tasks