Resubmissions

19-01-2023 10:17

230119-mbpsksff79 10

14-11-2022 04:26

221114-e2qhsseg47 10

20-01-2022 19:02

220120-xptc2abbh7 10

General

  • Target

    c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.bin

  • Size

    2.9MB

  • Sample

    221114-e2qhsseg47

  • MD5

    ccde3fe374a219ed3a85a0bf548542c3

  • SHA1

    c1187fe0eaddee995773d6c66bcb558536e9b62c

  • SHA256

    c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40

  • SHA512

    94852c04d6f627b35a7486de166648eb43373850b862e1958e676c53fd5dc37103659fe28e2b51f2fffd815ded2745d8793d8158543ff14b1e1f0cafe2a3c63c

  • SSDEEP

    49152:4dwE1vCCeShiBHJFIPiEPE3bvk6Ca89388YhwjfJNt/RgaJ2wtb:WwE1253IPiYE3bnCa8Hzj5vwwtb

Malware Config

Extracted

Family

blackcat

Credentials
  • Username:
    NANOFOCUS.LOCAL\Administrator
  • Password:
    368CkbIna?#
Attributes
  • enable_network_discovery

    true

  • enable_self_propagation

    true

  • enable_set_wallpaper

    true

  • extension

    mfqssdj

  • note_file_name

    RECOVER-${EXTENSION}-FILES.txt

  • note_full_text

    >> What happened? Important files on your network was ENCRYPTED and now they have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED. If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Private financial information including: clients data, bills, budgets, annual reports, bank statements. - Manufacturing documents including: datagrams, schemas, drawings in solidworks format. - Source code. -And more... >> CAUTION DO NOT MODIFY ENCRYPTED FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. >> What should I do next? Follow these simple steps to get everything back to normal: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://b4twqa2mvob3s6uvuyfra5xk3qgps2v5kkt7k2qnb7rpdu3j4fkntead.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Extracted

Path

C:\RECOVER-mfqssdj-FILES.txt

Ransom Note
>> What happened? Important files on your network was ENCRYPTED and now they have "mfqssdj" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED. If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Private financial information including: clients data, bills, budgets, annual reports, bank statements. - Manufacturing documents including: datagrams, schemas, drawings in solidworks format. - Source code. -And more... >> CAUTION DO NOT MODIFY ENCRYPTED FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. >> What should I do next? Follow these simple steps to get everything back to normal: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://b4twqa2mvob3s6uvuyfra5xk3qgps2v5kkt7k2qnb7rpdu3j4fkntead.onion/?access-key=RrffeR4CVartLMYTErq9%2FPVD%2Fz4sez5toskePW0P8urvDeotAomkbpUCg6JYW4MMxbX73YDPXMk3wQW0oSYnXGy5aGuT9ZPXpJKPaE6kYN9nNcxMBi92FcIv80rEpVUY9S5ukN796JGSdG%2BeWBVgx6nvw2vlhogyu35Ht2Iz6r6Zcc4J4mdX6RuzKXu5eny7saSaH0LMN6GYnIUfTF5UMR%2BtUchaTLOHyU5i1FnYeueodio9ECm8BgQ5Hbb3%2BIWlgrlEf4htHAwvPwCn2ld8lheacG87vkFKekfFCGErE5lNgNr12JSohBq1tH%2B3O8gw%2FG86wBsC46qR82KshQKpzQ%3D%3D
URLs

http://b4twqa2mvob3s6uvuyfra5xk3qgps2v5kkt7k2qnb7rpdu3j4fkntead.onion/?access-key=RrffeR4CVartLMYTErq9%2FPVD%2Fz4sez5toskePW0P8urvDeotAomkbpUCg6JYW4MMxbX73YDPXMk3wQW0oSYnXGy5aGuT9ZPXpJKPaE6kYN9nNcxMBi92FcIv80rEpVUY9S5ukN796JGSdG%2BeWBVgx6nvw2vlhogyu35Ht2Iz6r6Zcc4J4mdX6RuzKXu5eny7saSaH0LMN6GYnIUfTF5UMR%2BtUchaTLOHyU5i1FnYeueodio9ECm8BgQ5Hbb3%2BIWlgrlEf4htHAwvPwCn2ld8lheacG87vkFKekfFCGErE5lNgNr12JSohBq1tH%2B3O8gw%2FG86wBsC46qR82KshQKpzQ%3D%3D

Extracted

Path

C:\Users\Admin\Searches\RECOVER-mfqssdj-FILES.txt

Ransom Note
>> What happened? Important files on your network was ENCRYPTED and now they have "mfqssdj" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED. If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Private financial information including: clients data, bills, budgets, annual reports, bank statements. - Manufacturing documents including: datagrams, schemas, drawings in solidworks format. - Source code. -And more... >> CAUTION DO NOT MODIFY ENCRYPTED FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. >> What should I do next? Follow these simple steps to get everything back to normal: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://b4twqa2mvob3s6uvuyfra5xk3qgps2v5kkt7k2qnb7rpdu3j4fkntead.onion/?access-key=cAPELqDsLGJdtvehxxlyhJ5CQfLTSKKFns74YjQWw8fvIQAsq6frqD5lS0BpfvoVGzWMpsUIWeucBxx%2B9aQXvRT29VpQa1fccyBNL3tbjmmLu%2BEatuLhU3NBo8yP6BG63YqpQ4qT%2BUhqJZQxq7iQAnjK8US6q7rWq9LSpaSUZXQRnyQFh7uZHKvSw0K2YpQd2fncQ3BEOTC7nluR0wpowFDYh47FV%2ByccMt6vdK7JgNXAj4DsB5zkE9LDB5tBFp5bVPlhxdp7JxKj9Ct34Epz7T0nIoHAbUMn4efw9SBbC1mCPg3ReiWMh9JANpVY711mSefKfRVokxqiVTXAmycjA%3D%3D
URLs

http://b4twqa2mvob3s6uvuyfra5xk3qgps2v5kkt7k2qnb7rpdu3j4fkntead.onion/?access-key=cAPELqDsLGJdtvehxxlyhJ5CQfLTSKKFns74YjQWw8fvIQAsq6frqD5lS0BpfvoVGzWMpsUIWeucBxx%2B9aQXvRT29VpQa1fccyBNL3tbjmmLu%2BEatuLhU3NBo8yP6BG63YqpQ4qT%2BUhqJZQxq7iQAnjK8US6q7rWq9LSpaSUZXQRnyQFh7uZHKvSw0K2YpQd2fncQ3BEOTC7nluR0wpowFDYh47FV%2ByccMt6vdK7JgNXAj4DsB5zkE9LDB5tBFp5bVPlhxdp7JxKj9Ct34Epz7T0nIoHAbUMn4efw9SBbC1mCPg3ReiWMh9JANpVY711mSefKfRVokxqiVTXAmycjA%3D%3D

Targets

    • Target

      c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.bin

    • Size

      2.9MB

    • MD5

      ccde3fe374a219ed3a85a0bf548542c3

    • SHA1

      c1187fe0eaddee995773d6c66bcb558536e9b62c

    • SHA256

      c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40

    • SHA512

      94852c04d6f627b35a7486de166648eb43373850b862e1958e676c53fd5dc37103659fe28e2b51f2fffd815ded2745d8793d8158543ff14b1e1f0cafe2a3c63c

    • SSDEEP

      49152:4dwE1vCCeShiBHJFIPiEPE3bvk6Ca89388YhwjfJNt/RgaJ2wtb:WwE1253IPiYE3bnCa8Hzj5vwwtb

    Score
    10/10
    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks