General

  • Target

    9893de16867126eeb989265cd99fd201.bin

  • Size

    426KB

  • Sample

    230130-xts8tsdd7s

  • MD5

    fbcd3e444307066ce4910440e1f7a15b

  • SHA1

    c84d6e28ddd820bc12b0da9940f7c4a00c577919

  • SHA256

    c5da0c48c4abb688415f8d11a374647d047f2d99e8b01145567ab68d30b86a69

  • SHA512

    640aaea430360cd3fe02181a2ebfffd77ebe89510c6926d3778c562bcbf93c7e9c25e3f1fb4270b4272e7a2e51fe601f718b6edf13083d7ab589858e6ef0e47b

  • SSDEEP

    12288:1vZiDr9DsfnqSxz0CKDpXvUeuM+M8Nvva6t2:1ODgqIz0CoMn/3NvC6o

Malware Config

Extracted

  • Path

    C:\Users\Admin\AppData\Local\Temp\info.hta

  • Ransom Note

    All your files have been encrypted by Loki locker!
    All your files have been encrypted due to a security problem with your PC.
    If you want to restore them, please send an email [email protected]
    You have to pay for decryption in Bitcoin. The price depends on how fast you contact us.
    After payment we will send you the decryption tool.
    You have to 48 hours(2 Days) To contact or paying us After that, you have to Pay Double .
    In case of no answer in 24 hours (1 Day) write to this email [email protected]
    Your unique ID is : 12419524
    You only have LIMITED time to get back your files!
    If timer runs out and you dont pay us , all of files will be DELETED and you hard disk will be seriously DAMAGED.
    You will lose some of your data on day 2 in the timer.
    You can buy more time for pay. Just email us.
    THIS IS NOT A JOKE! you can wait for the timer to run out ,and watch deletion of your files :)

    What is our decryption guarantee?
    Before paying you can send us up to for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

    Attention!
    DO NOT pay any money before decrypting the test files.
    DO NOT trust any intermediary. they wont help you and you may be victim of scam. just email us , we help you in any steps.
    DO NOT reply to other emails. ONLY this two emails can help you.
    Do not rename encrypted files.
    Do not try to decrypt your data using third party software, it may cause permanent data loss.
    Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377.exe

    • Size

      607KB

    • MD5

      9893de16867126eeb989265cd99fd201

    • SHA1

      71e0c3ee67daffada30a0bcd3abafaf59cfa8b5d

    • SHA256

      13933403b4b5d79da1decbc41867c842e3577bcba8ce3859f7d9b881348ad377

    • SHA512

      d7e175b821f3cef659c57b0f46abc35bb11f3dd47c8acdf1aa534c5faa88131e82aa2eebb0e5bfdb16a545356af975daac64a70085eee64196c5e5dfc92995ea

    • SSDEEP

      12288:o6pGFv42oseLA5Gt/arlTT6zncVUJ7vnK6U:o6pEA25WQm/cTT6DNK6U

    • Modifies Windows Defender Real-time Protection settings

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry
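The behaviours above are the sandbox's signature names; on a live host the same evidence shows up as process-creation, registry and file events. The script below is an added illustration, not part of the sandbox report or of the sample, and turns those signatures into matching logic over a handful of constructed Sysmon-style events (IDs 1, 11 and 13). The events are not a capture of this sample: the commands and registry paths are the standard Windows locations for each behaviour (vssadmin/wmic/wbadmin for shadow copies, DisableTaskMgr, the Defender DisableRealtimeMonitoring policy value, the Run key, Control Panel\Desktop\Wallpaper) and the report does not say which of them this sample actually used; the Run value name "svchost_update" and the wallpaper image path are hypothetical.

```python
"""Map Sysmon-style endpoint events onto the behaviours a sandbox reports.

Added example, not from the sandbox report or the sample. EVENTS below are
constructed to resemble Sysmon event ID 1 (process create), 11 (file create)
and 13 (registry value set). Registry paths and commands are the standard
Windows locations for each behaviour; the report does not state which of them
this sample used (assumption). Value names and image paths are hypothetical.
"""
import re
from collections import defaultdict

EVENTS = [
    # EID 1: process creations
    {"eid": 1, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"eid": 1, "cmdline": "netsh advfirewall set allprofiles state off"},
    {"eid": 1, "cmdline": r"C:\Windows\explorer.exe"},                      # benign
    # EID 13: registry value sets (user SID abbreviated to X in these constructed events)
    {"eid": 13,
     "target": r"HKU\S-1-5-21-X\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "details": "DWORD (0x00000001)"},
    {"eid": 13,
     "target": r"HKU\S-1-5-21-X\Software\Microsoft\Windows\CurrentVersion\Run\svchost_update",
     "details": r"C:\Users\Admin\AppData\Roaming\svchost_update.exe"},   # hypothetical name
    {"eid": 13,
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000001)"},
    {"eid": 13,
     "target": r"HKU\S-1-5-21-X\Control Panel\Desktop\Wallpaper",
     "details": r"C:\Users\Admin\AppData\Local\Temp\wallpaper.bmp"},      # hypothetical path
    {"eid": 13,
     "target": r"HKU\S-1-5-21-X\Control Panel\Desktop\ScreenSaveActive",
     "details": "1"},                                                      # benign
    # EID 11: file creations (path taken from the extracted config above)
    {"eid": 11, "target": r"C:\Users\Admin\AppData\Local\Temp\info.hta"},
]


def _dword_set(event, tail):
    """True when a registry value whose path ends in `tail` is set to 1."""
    return (event["eid"] == 13
            and event["target"].lower().endswith(tail.lower())
            and "0x00000001" in event["details"])


# One predicate per reported behaviour. Each checks the event ID first so a
# process event is never asked for registry fields and vice versa.
RULES = {
    "Deletes shadow copies": lambda e: e["eid"] == 1 and bool(re.search(
        r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
        r"|wbadmin(?:\.exe)?\s+delete\s+catalog)", e["cmdline"], re.I)),
    "Modifies Windows Firewall": lambda e: e["eid"] == 1 and bool(re.search(
        r"\bnetsh(?:\.exe)?\s+(?:advfirewall|firewall)\b", e["cmdline"], re.I)),
    "Disables Task Manager via registry modification": lambda e: _dword_set(
        e, r"\Policies\System\DisableTaskMgr"),
    "Modifies Windows Defender Real-time Protection settings": lambda e: _dword_set(
        e, r"\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"),
    "Adds Run key to start application": lambda e: e["eid"] == 13 and bool(re.search(
        r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", e["target"], re.I)),
    "Sets desktop wallpaper using registry": lambda e: e["eid"] == 13
        and e["target"].lower().endswith(r"\control panel\desktop\wallpaper"),
    "Drops ransom note (info.hta)": lambda e: e["eid"] == 11
        and e["target"].lower().endswith(r"\appdata\local\temp\info.hta"),
}


def match_behaviours(events):
    """Return {behaviour name: [indices of events that triggered it]}."""
    hits = defaultdict(list)
    for idx, event in enumerate(events):
        for name, rule in RULES.items():
            if rule(event):
                hits[name].append(idx)
    return dict(hits)


def verdict(hits):
    """Shadow-copy deletion paired with a dropped ransom note is the strongest
    combination here; either alone has benign explanations (admins run
    vssadmin, HTA files are not rare), so require both before calling it
    ransomware. Any single hit is still worth a look."""
    if "Deletes shadow copies" in hits and "Drops ransom note (info.hta)" in hits:
        return "ransomware"
    return "suspicious" if hits else "clean"


if __name__ == "__main__":
    found = match_behaviours(EVENTS)
    for name, idxs in found.items():
        print(f"{name}: events {idxs}")
    print("verdict:", verdict(found))
```

Note that the Run-key rule fires on any autostart entry, benign installers included, which is why the verdict leans on the recovery-inhibition plus ransom-note pairing rather than on the count of hits; the same reasoning applies when reading a sandbox's behaviour list, where "Adds Run key" or "Drops desktop.ini" alone says little.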
