Overview

overview

10

Static

static

1

6612cf82da...08.exe

windows7-x64

10

6612cf82da...08.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08

  • Size

    1.2MB

  • Sample

    230210-kk87gadd2s

  • MD5

    e07ee232400dafd802235b90e0e7e056

  • SHA1

    49ab07c411e63e8ad305b58489c69fded1f2db13

  • SHA256

    6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08

  • SHA512

    6607ba5bf390666bf7d3487984c3241783a5137fa2f3af3bc8173a7a1520d1fe5456512cb6eecd613b5ccb30d5f0a41df9987886d1818269068f6fd27958ac41

  • SSDEEP

    24576:Kwh7cD9+IBdH0oIX68Ta7fGXbt8RRnUtX642Rg0ybdDHSF1dRiDHBT2c+T:H7cDUIBdH0Pe7FnUtXh0wSVRi7BT2c+T

Score
10/10
evasionpersistenceransomwaretrojan

Malware Config

Extracted

Path

\??\c:\Restore_Your_Files.txt

Ransom Note
All Your Files Are Locked And Important Data Downloaded ! Your Files Are No Longer Accessible Don't Waste Your Time, Without Our Decryption Program Nobody Can't Help You . Your ID : NEOMB If You Want To Restore Them Email Us : ransomwarebit@gmail.com If You Do Not Receive A Response Within 24 Hours, Send A Message To Our Second Email : ransomwarebitx@gmail.com To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin . Every Day The Delay Increases The Price !! The Decryption Price Depends On How Fast You Write To Us Email. We Deliver The Decryptor Immediately After Payment , Please Write Your System ID In The Subject Of Your E-mail. If Payment Is Not Made We Will Sell Or Publish Your Data. What is the guarantee ! Before Payment You Can Send Some Files For Decryption Test. If We Do Not Fulfill Our Obligations, No One Does Business With Us , Our Reputation Is Important To Us It's Just Business To Get Benefits. =============================================================================== Attention ! Do Not Rename,Modify Encrypted Files . Do Not Try To Recover Files With Free Decryptors Or Third-Party Programs And Antivirus Solutions Because It May Make Decryption Harder Or Destroy Your Files Forever ! =============================================================================== Buy Bitcoin ! https://www.kraken.com/learn/buy-bitcoin-btc https://www.coinbase.com/how-to-buy/bitcoin
Emails

ransomwarebit@gmail.com

ransomwarebitx@gmail.com

Extracted

Path

\??\c:\$Recycle.Bin\Restore_Your_Files.txt

Ransom Note
All Your Files Are Locked And Important Data Downloaded ! Your Files Are No Longer Accessible Don't Waste Your Time, Without Our Decryption Program Nobody Can't Help You . Your ID : NEOMB If You Want To Restore Them Email Us : ransomwarebit@gmail.com If You Do Not Receive A Response Within 24 Hours, Send A Message To Our Second Email : ransomwarebitx@gmail.com To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin . Every Day The Delay Increases The Price !! The Decryption Price Depends On How Fast You Write To Us Email. We Deliver The Decryptor Immediately After Payment , Please Write Your System ID In The Subject Of Your E-mail. If Payment Is Not Made We Will Sell Or Publish Your Data. What is the guarantee ! Before Payment You Can Send Some Files For Decryption Test. If We Do Not Fulfill Our Obligations, No One Does Business With Us , Our Reputation Is Important To Us It's Just Business To Get Benefits. =============================================================================== Attention ! Do Not Rename,Modify Encrypted Files . Do Not Try To Recover Files With Free Decryptors Or Third-Party Programs And Antivirus Solutions Because It May Make Decryption Harder Or Destroy Your Files Forever ! =============================================================================== Buy Bitcoin ! https://www.kraken.com/learn/buy-bitcoin-btc https://www.coinbase.com/how-to-buy/bitcoinAll Your Files Are Locked And Important Data Downloaded ! Your Files Are No Longer Accessible Don't Waste Your Time, Without Our Decryption Program Nobody Can't Help You . Your ID : NEOMB If You Want To Restore Them Email Us : ransomwarebit@gmail.com If You Do Not Receive A Response Within 24 Hours, Send A Message To Our Second Email : ransomwarebitx@gmail.com To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin . Every Day The Delay Increases The Price !! The Decryption Price Depends On How Fast You Write To Us Email. We Deliver The Decryptor Immediately After Payment , Please Write Your System ID In The Subject Of Your E-mail. If Payment Is Not Made We Will Sell Or Publish Your Data. What is the guarantee ! Before Payment You Can Send Some Files For Decryption Test. If We Do Not Fulfill Our Obligations, No One Does Business With Us , Our Reputation Is Important To Us It's Just Business To Get Benefits. =============================================================================== Attention ! Do Not Rename,Modify Encrypted Files . Do Not Try To Recover Files With Free Decryptors Or Third-Party Programs And Antivirus Solutions Because It May Make Decryption Harder Or Destroy Your Files Forever ! =============================================================================== Buy Bitcoin ! https://www.kraken.com/learn/buy-bitcoin-btc https://www.coinbase.com/how-to-buy/bitcoin
Emails

ransomwarebit@gmail.com

ransomwarebitx@gmail.com

Extracted

Path

\??\c:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Restore_Your_Files.txt

Ransom Note
All Your Files Are Locked And Important Data Downloaded ! Your Files Are No Longer Accessible Don't Waste Your Time, Without Our Decryption Program Nobody Can't Help You . Your ID : NEOMB If You Want To Restore Them Email Us : ransomwarebit@gmail.com If You Do Not Receive A Response Within 24 Hours, Send A Message To Our Second Email : ransomwarebitx@gmail.com To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin . Every Day The Delay Increases The Price !! The Decryption Price Depends On How Fast You Write To Us Email. We Deliver The Decryptor Immediately After Payment , Please Write Your System ID In The Subject Of Your E-mail. If Payment Is Not Made We Will Sell Or Publish Your Data. What is the guarantee ! Before Payment You Can Send Some Files For Decryption Test. If We Do Not Fulfill Our Obligations, No One Does Business With Us , Our Reputation Is Important To Us It's Just Business To Get Benefits. =============================================================================== Attention ! Do Not Rename,Modify Encrypted Files . Do Not Try To Recover Files With Free Decryptors Or Third-Party Programs And Antivirus Solutions Because It May Make Decryption Harder Or Destroy Your Files Forever ! =============================================================================== Buy Bitcoin ! https://www.kraken.com/learn/buy-bitcoin-btc https://www.coinbase.com/how-to-buy/bitcoinAll Your Files Are Locked And Important Data Downloaded ! Your Files Are No Longer Accessible Don't Waste Your Time, Without Our Decryption Program Nobody Can't Help You . Your ID : NEOMB If You Want To Restore Them Email Us : ransomwarebit@gmail.com If You Do Not Receive A Response Within 24 Hours, Send A Message To Our Second Email : ransomwarebitx@gmail.com To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin . Every Day The Delay Increases The Price !! The Decryption Price Depends On How Fast You Write To Us Email. We Deliver The Decryptor Immediately After Payment , Please Write Your System ID In The Subject Of Your E-mail. If Payment Is Not Made We Will Sell Or Publish Your Data. What is the guarantee ! Before Payment You Can Send Some Files For Decryption Test. If We Do Not Fulfill Our Obligations, No One Does Business With Us , Our Reputation Is Important To Us It's Just Business To Get Benefits. =============================================================================== Attention ! Do Not Rename,Modify Encrypted Files . Do Not Try To Recover Files With Free Decryptors Or Third-Party Programs And Antivirus Solutions Because It May Make Decryption Harder Or Destroy Your Files Forever ! =============================================================================== Buy Bitcoin ! https://www.kraken.com/learn/buy-bitcoin-btc https://www.coinbase.com/how-to-buy/bitcoinAll Your Files Are Locked And Important Data Downloaded ! Your Files Are No Longer Accessible Don't Waste Your Time, Without Our Decryption Program Nobody Can't Help You . Your ID : NEOMB If You Want To Restore Them Email Us : ransomwarebit@gmail.com If You Do Not Receive A Response Within 24 Hours, Send A Message To Our Second Email : ransomwarebitx@gmail.com To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin . Every Day The Delay Increases The Price !! The Decryption Price Depends On How Fast You Write To Us Email. We Deliver The Decryptor Immediately After Payment , Please Write Your System ID In The Subject Of Your E-mail. If Payment Is Not Made We Will Sell Or Publish Your Data. What is the guarantee ! Before Payment You Can Send Some Files For Decryption Test. If We Do Not Fulfill Our Obligations, No One Does Business With Us , Our Reputation Is Important To Us It's Just Business To Get Benefits. =============================================================================== Attention ! Do Not Rename,Modify Encrypted Files . Do Not Try To Recover Files With Free Decryptors Or Third-Party Programs And Antivirus Solutions Because It May Make Decryption Harder Or Destroy Your Files Forever ! =============================================================================== Buy Bitcoin ! https://www.kraken.com/learn/buy-bitcoin-btc https://www.coinbase.com/how-to-buy/bitcoin
Emails

ransomwarebit@gmail.com

ransomwarebitx@gmail.com

Targets

    • Target

      6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08

    • Size

      1.2MB

    • MD5

      e07ee232400dafd802235b90e0e7e056

    • SHA1

      49ab07c411e63e8ad305b58489c69fded1f2db13

    • SHA256

      6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08

    • SHA512

      6607ba5bf390666bf7d3487984c3241783a5137fa2f3af3bc8173a7a1520d1fe5456512cb6eecd613b5ccb30d5f0a41df9987886d1818269068f6fd27958ac41

    • SSDEEP

      24576:Kwh7cD9+IBdH0oIX68Ta7fGXbt8RRnUtX642Rg0ybdDHSF1dRiDHBT2c+T:H7cDUIBdH0Pe7FnUtXh0wSVRi7BT2c+T

    Score
    10/10
    evasionpersistenceransomwaretrojan

    • UAC bypass

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Creates new service(s)

      persistence

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

New Service

1
T1050

Modify Existing Service

1
T1031

Scheduled Task

1
T1053

Privilege Escalation

Bypass User Account Control

1
T1088

New Service

1
T1050

Scheduled Task

1
T1053

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Modify Registry

2
T1112

File Deletion

2
T1107

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Tasks