General

  • Target

    6b97553c9dfeedcc50b19dacacf8662b68bd3f65b3fa6bed2e5cb9ae778eabd8.exe

  • Size

    215KB

  • Sample

    221202-p3ykxahf72

  • MD5

    f41306eb937e2dc08f196a61e0f6c34e

  • SHA1

    e3e6af9e1be25f86a892018f35876b48b31dcc6c

  • SHA256

    6b97553c9dfeedcc50b19dacacf8662b68bd3f65b3fa6bed2e5cb9ae778eabd8

  • SHA512

    5e28f987097ca961d6911c671dd9a0868ced5e1d7a434930d1eec242d5044978877453f3e667dfcd195e12ea381ebc21db841d99639de273a4e653b514aecc3a

  • SSDEEP

    6144:WyJE1yd7WiJmcyfpHaShzh04DQFu/U3buRKlemZ9DnGAeIS+giiK+:WU/d7WnvtLhza4DQFu/U3buRKlemZ9De

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Ransom Note
!! ALL YOUR FILES ARE ENCRYPTED!!!
!!! READ AND QUICKLY PAY $ 290 in Bitcoins !!! = 0,0077 btc!!!
After 2 days, the ransom will increase by 2 times!!!
!!!Write to the telegram : @ letsgo600 !!!
!!!Write to the telegram : @letsgo600 !!!
!!!Write to the telegram : @letsgo600 !!!
!!!!!!!!!!!!!!!!!!!!!!!
download here to contact me https://telegram.org
Bitcoin address bc1qhs2h04y80vcur0k6kgtdtfdhy26k7uwrdy86rh
All your files, documents, photos, databases and other important files are encrypted.
You are not able to decipher it yourself! The only way to recover files is to purchase a unique private key.
Only we can provide you with this key, and only we can recover your files.
To make sure that we have a decryptor and it works, write!!!Write to the telegram : @letsgo600 !!! !!! and decrypt one file for TEST 40$.
But this file doesn't have to be valuable!
Do you really want to recover files? !!!Write to the telegram : @letsgo600 !!!
Your personal ID: DED-D5B-FC5
Attention!
* Do not rename encrypted files.
* Do not attempt to decrypt your data using third-party software, this may lead to irretrievable data loss.
* Decrypting your files with the help of third parties may lead to an increase in the price (they add their commission to ours) or you may become a victim of scammers.

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Ransom Note
!! ALL YOUR FILES ARE ENCRYPTED!!!
!!! READ AND QUICKLY PAY $ 290 in Bitcoins !!! = 0,0077 btc!!!
After 2 days, the ransom will increase by 2 times!!!
!!!Write to the telegram : @ letsgo600 !!!
!!!Write to the telegram : @letsgo600 !!!
!!!Write to the telegram : @letsgo600 !!!
!!!!!!!!!!!!!!!!!!!!!!!
download here to contact me https://telegram.org
Bitcoin address bc1qhs2h04y80vcur0k6kgtdtfdhy26k7uwrdy86rh
All your files, documents, photos, databases and other important files are encrypted.
You are not able to decipher it yourself! The only way to recover files is to purchase a unique private key.
Only we can provide you with this key, and only we can recover your files.
To make sure that we have a decryptor and it works, write!!!Write to the telegram : @letsgo600 !!! !!! and decrypt one file for TEST 40$.
But this file doesn't have to be valuable!
Do you really want to recover files? !!!Write to the telegram : @letsgo600 !!!
Your personal ID: 2BF-10B-D15
Attention!
* Do not rename encrypted files.
* Do not attempt to decrypt your data using third-party software, this may lead to irretrievable data loss.
* Decrypting your files with the help of third parties may lead to an increase in the price (they add their commission to ours) or you may become a victim of scammers.

Targets

    • Target

      6b97553c9dfeedcc50b19dacacf8662b68bd3f65b3fa6bed2e5cb9ae778eabd8.exe

    • Size

      215KB

    • MD5

      f41306eb937e2dc08f196a61e0f6c34e

    • SHA1

      e3e6af9e1be25f86a892018f35876b48b31dcc6c

    • SHA256

      6b97553c9dfeedcc50b19dacacf8662b68bd3f65b3fa6bed2e5cb9ae778eabd8

    • SHA512

      5e28f987097ca961d6911c671dd9a0868ced5e1d7a434930d1eec242d5044978877453f3e667dfcd195e12ea381ebc21db841d99639de273a4e653b514aecc3a

    • SSDEEP

      6144:WyJE1yd7WiJmcyfpHaShzh04DQFu/U3buRKlemZ9DnGAeIS+giiK+:WU/d7WnvtLhza4DQFu/U3buRKlemZ9De

    • Detects Zeppelin payload

    • Zeppelin Ransomware

      Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofencing check.

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks