General

  • Target

    977083fc01e2982258eac0a13e56cd697d9f6941f5a365e9d02d544fc3e15000.exe

  • Size

    718KB

  • Sample

    221227-mlhr1seg45

  • MD5

    16deea31a988e7af71001c2eda8ad614

  • SHA1

    8d992884b713b56d1edbf40306b2e11dc54f9887

  • SHA256

    977083fc01e2982258eac0a13e56cd697d9f6941f5a365e9d02d544fc3e15000

  • SHA512

    143955d3098dd547e32e908d9ccd5155b877eca8ae9d9f5db4d36609977ce3cb27fcb0b2956db3c3eb4b916809b869e85883d5dcaa5bc80ce620089e615a8d78

  • SSDEEP

    12288:LURRIEFPULfzlsH5HCSSv5zEWptZrilt:LiRIEF6zlsu5AWpttilt

Malware Config

Extracted

Path

C:\ProgramData\#BlackHunt_ReadMe.hta

Ransom Note

YOUR WHOLE NETWORK HAS BEEN PENETRATED BY Black Hunt !
We also have uploaded your sensitive data, which we Will leak or sell in case of no cooperation!
Restore your data possible only buying private key from us
ATTENTION
remember, there are many middle man services out there pretending that they can recover or decrypt your files , whom neither will contact us or scam you, Remember we are first and last solution for your files otherwise you will only waste money and time
trying to decrypt your files without our decryptor and through third party softwares will make your files completely useless, there is no third party decryptor since we are the only key holders
we have uploaded many critical data and information from your machines , we won't leak or sell any of them in Case of successful Corporation, however if we don't hear from you in 14 days we will either sell or leak your data in many forums
Remain all of your files untouched, do not change their name, extension and...
CONTACT US
Your system is offline. in order to contact us you can email this address sentafe@rape.lol this ID ( 3O6YNpkxJ017jXqT ) for the title of your email. If you weren't able to contact us whitin 24 hours please email: justin@cyberfear.com , magicback@onionmail.org
Check your data situation in http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Emails

sentafe@rape.lol

justin@cyberfear.com

magicback@onionmail.org

URLs

http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion

Targets

    • Target

      977083fc01e2982258eac0a13e56cd697d9f6941f5a365e9d02d544fc3e15000.exe

    • Deletes NTFS Change Journal

      The USN change journal is a persistent NTFS log of changes made to files on a volume; it is present on all Windows versions, not only Windows Server. Deleting it (commonly via fsutil usn deletejournal) removes a timeline source that forensic tools rely on.

    • Modifies Windows Defender Real-time Protection settings

    • UAC bypass

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Disables use of System Restore points

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry
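
The recovery-inhibition and evasion signatures above (shadow copy deletion, bcdedit changes, wbadmin catalog deletion, USN journal deletion, event log clearing, Task Manager and Defender registry changes) are individually noisy but collectively distinctive: one wbadmin call is routine backup hygiene, a burst of all of them from one parent is a ransomware pre-encryption sequence. The detection below is an added example, not the sandbox's logic and not the sample's code. The report does not show the sample's exact command lines, so the patterns cover the common ways these actions are carried out; the log lines, host and process names and the 'timestamp|host|parent|cmdline' export format are constructed for illustration, and the ATT&CK IDs on each rule follow the report's v6 matrix.

```python
"""Process-creation detection for the pre-encryption chain listed in the
signatures above. Added example; the log format and sample lines are
constructed, not a real EDR schema."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (ATT&CK v6 ID as used in the report's matrix, category, command-line pattern)
RULES = [
    ("T1490", "shadow_copies",  re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("T1490", "shadow_copies",  re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("T1490", "bcdedit",        re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("T1490", "backup_catalog", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("T1070", "usn_journal",    re.compile(r"\bfsutil(?:\.exe)?\b.*\busn\b.*\bdeletejournal\b", re.I)),
    ("T1070", "event_logs",     re.compile(r"\bwevtutil(?:\.exe)?\b.*\b(?:cl|clear-log)\b", re.I)),
    ("T1112", "task_manager",   re.compile(r"\bDisableTaskMgr\b.*\b1\b", re.I)),
    ("T1089", "defender_rtp",   re.compile(r"\bDisableRealtimeMonitoring\b.*(?:\b1\b|\$true)", re.I)),
]

# Constructed telemetry: timestamp|host|parent process|command line.
# Host and file names are hypothetical.
SAMPLE_LOG = [
    r"2022-12-27T14:01:02|WS-FIN-07|explorer.exe|C:\Users\dana\Downloads\invoice.exe",
    r"2022-12-27T14:01:09|WS-FIN-07|invoice.exe|cmd.exe /c vssadmin.exe delete shadows /all /quiet",
    r"2022-12-27T14:01:10|WS-FIN-07|invoice.exe|wmic.exe shadowcopy delete",
    r"2022-12-27T14:01:11|WS-FIN-07|invoice.exe|bcdedit.exe /set {default} recoveryenabled no",
    r"2022-12-27T14:01:11|WS-FIN-07|invoice.exe|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    r"2022-12-27T14:01:12|WS-FIN-07|invoice.exe|wbadmin.exe delete catalog -quiet",
    r"2022-12-27T14:01:13|WS-FIN-07|invoice.exe|fsutil.exe usn deletejournal /D C:",
    r"2022-12-27T14:01:14|WS-FIN-07|invoice.exe|wevtutil.exe cl Security",
    r"2022-12-27T14:01:15|WS-FIN-07|invoice.exe|reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f",
    r"2022-12-27T14:01:16|WS-FIN-07|invoice.exe|reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f",
    # Routine backup maintenance on another host: one category alone must not alert.
    r"2022-12-27T09:30:00|SRV-BKP-01|powershell.exe|wbadmin.exe delete catalog -quiet",
]


def parse_line(line):
    """Split one export line into (timestamp, host, parent process, command line)."""
    ts, host, parent, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, parent, cmd.strip()


def match_rules(cmd):
    """Return every (technique, category) whose pattern fires on a command line."""
    return [(tid, cat) for tid, cat, rx in RULES if rx.search(cmd)]


def detect(lines, window=timedelta(minutes=10), min_categories=3):
    """Alert per host when at least `min_categories` distinct categories fire
    within `window` of each other; the cluster, not any single command, is
    the signal."""
    hits = defaultdict(list)
    for line in lines:
        ts, host, parent, cmd = parse_line(line)
        for tid, cat in match_rules(cmd):
            hits[host].append((ts, cat, tid, parent, cmd))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (t0, *_rest) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - t0 <= window]
            cats = {e[1] for e in in_win}
            if len(cats) >= min_categories:
                alerts[host] = {
                    "first_seen": t0,
                    "parents": sorted({e[3] for e in in_win}),
                    "categories": sorted(cats),
                    "techniques": sorted({e[2] for e in in_win}),
                    "count": len(in_win),
                }
                break
    return alerts


if __name__ == "__main__":
    for host, a in detect(SAMPLE_LOG).items():
        print(f"{host}: {a['count']} hits from {a['first_seen']:%H:%M:%S} "
              f"by {a['parents']}; categories={a['categories']} techniques={a['techniques']}")
```

The threshold of three categories in ten minutes is a starting point; tune the window against your own Windows Server 4688 / Sysmon event 1 volume, and keep the single-category hits as low-severity context rather than discarding them, since a sample that only deletes shadow copies still matters.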

MITRE ATT&CK Matrix (ATT&CK v6)

The IDs below are the ATT&CK v6 identifiers the sandbox emits. Several have since been retired as top-level techniques: T1031 now lives under T1543, T1060 under T1547, T1088 under T1548, T1089 under T1562 and T1107 under T1070. Map them before loading into a current ATT&CK tooling.

Tactic / Technique (matching signatures) / ID

Execution
  Command-Line Interface (1)  T1059
  Scheduled Task (1)  T1053

Persistence
  Modify Existing Service (1)  T1031
  Registry Run Keys / Startup Folder (1)  T1060
  Scheduled Task (1)  T1053

Privilege Escalation
  Bypass User Account Control (1)  T1088
  Scheduled Task (1)  T1053

Defense Evasion
  Modify Registry (5)  T1112
  Disabling Security Tools (2)  T1089
  Bypass User Account Control (1)  T1088
  Indicator Removal on Host (1)  T1070
  File Deletion (3)  T1107

Discovery
  Query Registry (3)  T1012
  System Information Discovery (5)  T1082
  Peripheral Device Discovery (2)  T1120

Impact
  Inhibit System Recovery (6)  T1490
  Data Destruction (1)  T1485
  Defacement (1)  T1491
