General

  • Target

    trig_e7c9ec3048d3ea5b16dce3.exe

  • Size

    1.1MB

  • Sample

    221129-s57s5scf83

  • MD5

    2de26af68d2d6d73dae987eb2cdedd6e

  • SHA1

    34d7fdb906b79f2912598378359668c57e65bb5d

  • SHA256

    e7c9ec3048d3ea5b16dce31ec01fd0f1a965f5ae1cbc1276d35e224831d307fc

  • SHA512

    e85e9c998042e1292312450ef44a9b913b8a67e1ee329fa1dbafc588b6cf1f6aa796fe694b6ae856d5b1c96c65fed71cf8ddee674c6ea49716f9788babc8fc57

  • SSDEEP

    24576:kYj5E9T+xHeQhNmYOnW8FQrbID+u9v8zKLU:t5E9LQvRrtSvCUU

Malware Config

Extracted

Path

C:\Users\Admin\appdata\local\temp\how_to_decrypt.hta

Ransom Note
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the entire network is encrypted your business is losing money ▲ All documents, databases, backups and other critical data were encrypted and leaked ▲ The program uses a secure AES algorithm, which makes decryption impossible without contacting us ▲ If you refuse to negotiate, the data will be auctioned off To recover your data, please follow the instructions 1 Download Tor Browser Download 2 Open decryption page Copy 3 Auth using this key Copy The price depends on how soon you will contact us Need help? ● Don't doubt You can decrypt 3 files for free as a guarantee ● Don't waste time Decryption price increases every hour ● Don't contact resellers They resell our services at a premium ● Don't recover files Additional recovery software will damage your data var authkey = ''; var email = 'phandaledr@onionmail.org'; var url = 'http://3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion/'; var vid = 'UNITED_ELECTRIC_SUPPLY'; var cid = 'AF52D281-EF91-3F4DEFBC'; var uniqueid; function Start() { window.resizeTo(658,500); if (vid == '') { uniqueid = cid; } else { uniqueid = vid; } } function copytext(s) { window.clipboardData.setData("Text", s); alert('Auth Key copied to clipboard'); }; function openpage(url) { window.clipboardData.setData("Text", url); alert('URL copied to buffer. Open it in TOR Browser'); } function help() { window.clipboardData.setData("Text", uniqueid); alert('If you have trouble with the main contacts, write to '+email+'. 
Your ID copied to buffer'); } function document.onkeydown() { var alt = window.event.altKey; if (event.keyCode == 116 || event.keyCode == 27 || alt && event.keyCode == 115) { event.keyCode = 0; event.cancelBubble = true; return false; } } Start(); var authkey = ''; var email = 'phandaledr@onionmail.org'; var url = 'http://3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion/'; var vid = 'UNITED_ELECTRIC_SUPPLY'; var cid = 'AF52D281-EF91-3F4DEFBC'; var uniqueid; function Start() { window.resizeTo(658,500); if (vid == '') { uniqueid = cid; } else { uniqueid = vid; } } function copytext(s) { window.clipboardData.setData("Text", s); alert('Auth Key copied to clipboard'); }; function openpage(url) { window.clipboardData.setData("Text", url); alert('URL copied to buffer. Open it in TOR Browser'); } function help() { window.clipboardData.setData("Text", uniqueid); alert('If you have trouble with the main contacts, write to '+email+'. Your ID copied to buffer'); } function document.onkeydown() { var alt = window.event.altKey; if (event.keyCode == 116 || event.keyCode == 27 || alt && event.keyCode == 115) { event.keyCode = 0; event.cancelBubble = true; return false; } } Start();
Emails

phandaledr@onionmail.org

URLs

http://3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion/

Targets

    • Target

      trig_e7c9ec3048d3ea5b16dce3.exe

    • Size

      1.1MB

    • MD5

      2de26af68d2d6d73dae987eb2cdedd6e

    • SHA1

      34d7fdb906b79f2912598378359668c57e65bb5d

    • SHA256

      e7c9ec3048d3ea5b16dce31ec01fd0f1a965f5ae1cbc1276d35e224831d307fc

    • SHA512

      e85e9c998042e1292312450ef44a9b913b8a67e1ee329fa1dbafc588b6cf1f6aa796fe694b6ae856d5b1c96c65fed71cf8ddee674c6ea49716f9788babc8fc57

    • SSDEEP

      24576:kYj5E9T+xHeQhNmYOnW8FQrbID+u9v8zKLU:t5E9LQvRrtSvCUU

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution to or away from particular regions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

    • Adds Run key to start application

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Drops desktop.ini file(s)

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Network Service Scanning

1
T1046

Collection

Data from Local System

1
T1005

Tasks