General

  • Target

    977083fc01e2982258eac0a13e56cd697d9f6941f5a365e9d02d544fc3e15000.exe

  • Size

    718KB

  • Sample

    221227-mlhr1seg45

  • MD5

    16deea31a988e7af71001c2eda8ad614

  • SHA1

    8d992884b713b56d1edbf40306b2e11dc54f9887

  • SHA256

    977083fc01e2982258eac0a13e56cd697d9f6941f5a365e9d02d544fc3e15000

  • SHA512

    143955d3098dd547e32e908d9ccd5155b877eca8ae9d9f5db4d36609977ce3cb27fcb0b2956db3c3eb4b916809b869e85883d5dcaa5bc80ce620089e615a8d78

  • SSDEEP

    12288:LURRIEFPULfzlsH5HCSSv5zEWptZrilt:LiRIEF6zlsu5AWpttilt

Malware Config

Extracted

Path

C:\ProgramData\#BlackHunt_ReadMe.hta

Ransom Note
YOUR WHOLE NETWORK HAS BEEN PENETRATED BY Black Hunt ! We also have uploaded your sensitive data, which we Will leak or sell in case of no cooperation! Restore your data possible only buying private key from us ATTENTION remember, there are many middle man services out there pretending that they can recover or decrypt your files , whom neither will contact us or scam you, Remember we are first and last solution for your files otherwise you will only waste money and time trying to decrypt your files without our decryptor and through third party softwares will make your files completely useless, there is no third party decryptor since we are the only key holders we have uploaded many critical data and information from your machines , we won't leak or sell any of them in Case of successful Corporation, however if we don't hear from you in 14 days we will either sell or leak your data in many forums Remain all of your files untouched, do not change their name, extension and... CONTACT US Your system is offline. in order to contact us you can email this address [email protected] this ID ( 3O6YNpkxJ017jXqT ) for the title of your email. If you weren't able to contact us whitin 24 hours please email: [email protected] , [email protected] Check your data situation in http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
URLs

http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion

Targets

    • Target

      977083fc01e2982258eac0a13e56cd697d9f6941f5a365e9d02d544fc3e15000.exe

    • Size

      718KB

    • MD5

      16deea31a988e7af71001c2eda8ad614

    • SHA1

      8d992884b713b56d1edbf40306b2e11dc54f9887

    • SHA256

      977083fc01e2982258eac0a13e56cd697d9f6941f5a365e9d02d544fc3e15000

    • SHA512

      143955d3098dd547e32e908d9ccd5155b877eca8ae9d9f5db4d36609977ce3cb27fcb0b2956db3c3eb4b916809b869e85883d5dcaa5bc80ce620089e615a8d78

    • SSDEEP

      12288:LURRIEFPULfzlsH5HCSSv5zEWptZrilt:LiRIEF6zlsu5AWpttilt

    • Deletes NTFS Change Journal

      The USN change journal is a per-volume NTFS log of changes made to files and directories on any Windows system (not only Windows Server). Deleting it removes a forensic record that incident responders use to reconstruct file activity such as mass renaming and encryption.

    • Modifies Windows Defender Real-time Protection settings

    • UAC bypass

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Disables use of System Restore points

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence to avoid running on hosts in particular locales.

    • Deletes itself

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry
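
The recovery-inhibition signatures above (shadow copy deletion, backup catalog deletion, BCD tampering, USN journal deletion, event log clearing) all surface as child-process command lines, which makes them cheap to hunt for in process-creation telemetry. The following is an added example, not code from tria.ge or from the sample: it runs simple detection rules over constructed Sysmon-style process-creation records and reports any parent process that triggers several distinct signatures, which separates a ransomware chain from an administrator running a single `vssadmin list shadows`. The log lines, PIDs and file paths are invented for illustration; the rule patterns cover the standard built-in tools but are not claimed to be the exact command lines this sample executed.

```python
import re
from collections import defaultdict

# Constructed process-creation events in a pipe-separated export
# (UtcTime | ProcessId | ParentProcessId | Image | CommandLine), modelled on
# Sysmon Event ID 1 fields. Illustrative only; not taken from the tria.ge run.
SAMPLE_LOG = r"""
2022-12-27 10:41:03 | 4120 | 1200 | C:\Users\lab\Desktop\sample.exe | "C:\Users\lab\Desktop\sample.exe"
2022-12-27 10:41:05 | 4308 | 4120 | C:\Windows\System32\cmd.exe | cmd.exe /c "VSSADMIN Delete Shadows /All /Quiet & wbadmin delete catalog -quiet"
2022-12-27 10:41:06 | 4320 | 4120 | C:\Windows\System32\bcdedit.exe | bcdedit.exe /set {default} recoveryenabled No
2022-12-27 10:41:06 | 4332 | 4120 | C:\Windows\System32\bcdedit.exe | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2022-12-27 10:41:07 | 4344 | 4120 | C:\Windows\System32\fsutil.exe | fsutil.exe usn deletejournal /D C:
2022-12-27 10:41:08 | 4356 | 4120 | C:\Windows\System32\wevtutil.exe | wevtutil.exe cl Security
2022-12-27 11:02:14 | 5012 | 5000 | C:\Windows\System32\vssadmin.exe | vssadmin list shadows
2022-12-27 11:02:20 | 5024 | 5000 | C:\Windows\System32\wevtutil.exe | wevtutil qe Application /c:10
"""

# (signature name as used in the report, regex over the full command line).
# Patterns are case-insensitive because the tools accept any casing, and they
# match anywhere in the line so chained commands under one cmd.exe are caught.
RULES = [
    ("Deletes shadow copies",
     r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("Deletes shadow copies",
     r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("Deletes backup catalog",
     r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b"),
    ("Modifies boot configuration data using bcdedit",
     r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    ("Deletes NTFS Change Journal",
     r"\bfsutil(\.exe)?\b.*\busn\b.*\bdeletejournal\b"),
    ("Clears Windows event logs",
     r"\bwevtutil(\.exe)?\b\s+cl\b"),
    ("Clears Windows event logs",
     r"\bClear-EventLog\b"),
]
COMPILED = [(label, re.compile(pat, re.IGNORECASE)) for label, pat in RULES]


def parse_log(text):
    """Parse the pipe-separated export into dicts. The command line may itself
    contain '|', so split at most four times and keep the remainder intact."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        utc, pid, ppid, image, cmdline = (f.strip() for f in line.split("|", 4))
        events.append({"utc": utc, "pid": pid, "ppid": ppid,
                       "image": image, "cmdline": cmdline})
    return events


def match_rules(cmdline):
    """Return the set of report signatures whose pattern matches the command line."""
    return {label for label, rx in COMPILED if rx.search(cmdline)}


def hunt(text, min_signatures=2):
    """Group hits by parent PID and report parents that triggered at least
    `min_signatures` distinct signatures. Ransomware chains several of these
    under one parent; a lone administrative command never reaches the bar."""
    by_parent = defaultdict(lambda: {"labels": set(), "events": []})
    for ev in parse_log(text):
        labels = match_rules(ev["cmdline"])
        if labels:
            by_parent[ev["ppid"]]["labels"] |= labels
            by_parent[ev["ppid"]]["events"].append(ev["cmdline"])
    return {ppid: {"labels": sorted(v["labels"]), "events": v["events"]}
            for ppid, v in by_parent.items() if len(v["labels"]) >= min_signatures}


if __name__ == "__main__":
    for ppid, finding in hunt(SAMPLE_LOG).items():
        print(f"parent PID {ppid}: {len(finding['labels'])} recovery-inhibition signatures")
        for label in finding["labels"]:
            print("  -", label)
        for cmd in finding["events"]:
            print("    ", cmd)
```

On the constructed data only parent PID 4120 (the sample) is reported, with all five signatures; the administrator's `vssadmin list shadows` and `wevtutil qe` under PID 5000 match no rule. In production the same grouping key would be the parent process GUID rather than a reusable PID, and the threshold can be lowered to 1 for the rules that are almost never legitimate (`fsutil usn deletejournal`, `bcdedit ... recoveryenabled no`).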

MITRE ATT&CK Enterprise v6

Tasks