General

  • Target

    369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4

  • Size

    642KB

  • Sample

    221126-kyaaasff33

  • MD5

    a9d1f6ab9f83e46f0a3c6b1d2b8cafd2

  • SHA1

    a1204f18c910fff65daa7f43d31a3fef5f2910d1

  • SHA256

    369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4

  • SHA512

    2dc3b0449a66baff43b1f3b1fe94f9b71deb9b6eaf98b34b5d8fa44ddbe952cfa264de5eea96899f2d2bc6e46bb491042f8244c86ddfc2bc6f65ae053885b981

  • SSDEEP

    12288:vJOVDKwcJrtkw74Iv5Qb40r2EmT806Vb7KQnOlY0UOFeRIn:vYVDJorqwEIBQsRoBNKysY0/MRIn

  • Score

    10/10

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files ssnfhdd.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files.
Open http://uwm2wosrob3gplxy.onion.cab or http://uwm2wosrob3gplxy.tor2web.org in your browser. They are public gates to the secret server.
If you have problems with gates, use direct connection:
1. Download Tor Browser from http://torproject.org
2. In the Tor Browser open the http://uwm2wosrob3gplxy.onion/
Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable.
Copy and paste the following public key in the input form on server. Avoid missprints.
4PYROIN-7JSKMOB-AP2ESP6-J6KBF4C-KLLSNSM-THFZEF3-7SVPEIU-ML6UUP7
WAYSUOH-CVK64NA-CDF3NXZ-XMX52Y3-LD65EXZ-GJFML4Q-AZ75JTJ-ZXXEYTR
HZXENGY-C3EXLUM-J4WCW6P-Q6HDYSU-5ZH7CKQ-LVEIWMD-L3BQH5Q-7VGE2O2
Follow the instructions on the server.
URLs

http://uwm2wosrob3gplxy.onion.cab

http://uwm2wosrob3gplxy.tor2web.org

http://uwm2wosrob3gplxy.onion/

Extracted

Path

C:\Users\Admin\Documents\Decrypt All Files ssnfhdd.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files.
Open http://uwm2wosrob3gplxy.onion.cab or http://uwm2wosrob3gplxy.tor2web.org in your browser. They are public gates to the secret server.
If you have problems with gates, use direct connection:
1. Download Tor Browser from http://torproject.org
2. In the Tor Browser open the http://uwm2wosrob3gplxy.onion/
Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable.
Copy and paste the following public key in the input form on server. Avoid missprints.
4PYROIN-7JSKMOB-AP2ESP6-J6KBF4C-KLLSNSM-THFZEF3-7SVPEIU-ML6UUP7
WAYSUOH-CVK64NA-CDF3NXZ-XMX52Y3-LD65EXZ-GJFML4Q-AZ75JTJ-ZXXEYTR
HZXENGY-C3EXLUM-J4WCW6P-Q6HDYSU-5ZH734Q-DLEIWMD-L3BQH5Q-7VGE6JP
Follow the instructions on the server.
URLs

http://uwm2wosrob3gplxy.onion.cab

http://uwm2wosrob3gplxy.tor2web.org

http://uwm2wosrob3gplxy.onion/

Targets

    • Target

      369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4

    • Size

      642KB

    • MD5

      a9d1f6ab9f83e46f0a3c6b1d2b8cafd2

    • SHA1

      a1204f18c910fff65daa7f43d31a3fef5f2910d1

    • SHA256

      369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4

    • SHA512

      2dc3b0449a66baff43b1f3b1fe94f9b71deb9b6eaf98b34b5d8fa44ddbe952cfa264de5eea96899f2d2bc6e46bb491042f8244c86ddfc2bc6f65ae053885b981

    • SSDEEP

      12288:vJOVDKwcJrtkw74Iv5Qb40r2EmT806Vb7KQnOlY0UOFeRIn:vYVDJorqwEIBQsRoBNKysY0/MRIn

    • Score

      10/10

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6