Overview

overview

10

Static

static

E_WIN.exe

windows7-x64

10

E_WIN.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    E_WIN.bin

  • Size

    92KB

  • Sample

    221116-wpx6jsgc41

  • MD5

    7cdc8057b3fe13b069b8db93fdde1764

  • SHA1

    8ddd3c69fe3935e4903a2b397bc6f0de772a1bcb

  • SHA256

    393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c

  • SHA512

    7a7778b03a681bad08722019d27c2ca56609cbe6ec6e976b2d08e402b7ec5f2c7ad7d935632c0958b15b42d3dd066b1bd03707a778d77592a29b92adae684801

  • SSDEEP

    1536:y8JknEUnj2zfGN2/PEiTsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2XsfzK7g:ynlnj2S+hTsrQLOJgY8Zp8LHD4XWaNHY

Score
10/10
darkylockransomware

Malware Config

Extracted

Path

C:\Restore-My-Files.txt
Family

darkylock
Ransom Note ---------- Hello ----------- ***WELCOME TO DARKY LOCK *** Your computers and servers are encrypted, and backups are deleted. We use strong encryption algorithms, so no one has yet been able to decrypt their files without our participation. The only way to decrypt your files is to purchase a universal decoder from us, which will restore all the encrypted data and your network. Follow our instructions below, and you will recover all your data: 1) Pay 0.005 bitcoin to 1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i 2) Send us message with transaction id to darkylock@tutanota.com 3) Launch decrypt_bit.exe, which our support will send you through email What guarantees? ------------------ We value our reputation. If we will not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is tested by time and will decrypt all your data. ------------------ !!! DO NOT TRY TO RECOVER ANY FILES YOURSELF. WE WILL NOT BE ABLE TO RESTORE THEM!!!
Emails

darkylock@tutanota.com
Wallets

1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i

Targets

    • Target

      E_WIN.bin

    • Size

      92KB

    • MD5

      7cdc8057b3fe13b069b8db93fdde1764

    • SHA1

      8ddd3c69fe3935e4903a2b397bc6f0de772a1bcb

    • SHA256

      393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c

    • SHA512

      7a7778b03a681bad08722019d27c2ca56609cbe6ec6e976b2d08e402b7ec5f2c7ad7d935632c0958b15b42d3dd066b1bd03707a778d77592a29b92adae684801

    • SSDEEP

      1536:y8JknEUnj2zfGN2/PEiTsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2XsfzK7g:ynlnj2S+hTsrQLOJgY8Zp8LHD4XWaNHY

    Score
    10/10
    darkylockransomware

    • DarkyLock

      Ransomware family first seen in July 2022.

      ransomwaredarkylock

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Discovery

        Execution

          Exfiltration

            Impact

            Initial Access

              Lateral Movement

                Persistence

                  Privilege Escalation

                    Tasks