General

  • Target

    9227619177.zip

  • Size

    559KB

  • Sample

    230221-n2hydsef94

  • MD5

    13973e33f8be47f2d8fdc3f492ae2a3d

  • SHA1

    08415d3285d4a535d2b604c2831d5f181ec402c5

  • SHA256

    dcf9903203f0ee534a154663128a35274b603dbdc210a14f2bf2317173f1371a

  • SHA512

    e6a509049f5fafc1fa64d173835409bdf9f451f19d945e0d1a50cd160f5cd7f21a80c44447c769d79cc92583f54e01280bb051c90d0e4aaae30496116a79db56

  • SSDEEP

    12288:hmUopIhMsSpRnc3qsSNLjU1KLDumelQLFzxgtgC8:hXoexSEfSJLolWTb

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Ransom Note

YOUR SYSTEM IS LOCKED AND ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED.
DON'T WORRY YOUR FILES ARE SAFE.
TO RETURN ALL THE NORMALLY YOU MUST BUY THE CERBER DECRYPTOR PROGRAM.
PAYMENTS ARE ACCEPTED ONLY THROUGH THE BITCOIN NETWORK.
YOU CAN GET THEM VIA ATM MACHINE OR ONLINE
https://coinatmradar.com/ (find a ATM)
https://www.localbitcoins.com/ (buy instantly online any country)
1. Visit qtox.github.io
2. Download and install qTOX on your PC.
3. Open it, click "New Profile" and create profile.
4. Click "Add friends" button and search our contact - DA639EF141F3E3C35EA62FF284200C29FA2E7E597EF150FDD526F9891CED372CBB9AB7B8BEC8
For more information : [email protected] (24/7)
Second Support Via Email
Subject : SYSTEM-LOCKED-ID: MortalKombat=ID12DJ901S
URLs

https://coinatmradar.com/

https://www.localbitcoins.com/

Targets

    • Target

      FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.exe

    • Size

      577KB

    • MD5

      8b42ebfba0cb67a1164a15c6dae6fbef

    • SHA1

      5d4b97bbf2ca874b5924ec489c90a2e109ae2ad6

    • SHA256

      e5f60df786e9da9850b7f01480ebffced3be396618c230fa94b5cbc846723553

    • SHA512

      cb3be528482a3304217d7ab805b46a76a597b3cdfd4a000aaf4642039bd91064ea579ee3fae64ff4a568d7c9cb7f1d3be0adbd196f9c8cc01d89152bbbd2de4e

    • SSDEEP

      12288:cqt10g6PdfHXIMgWw+PgOoC0c2L10oP9X:cqt1p6ZHXWb+PDm0w

    • Drops file in Drivers directory

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory
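The report gives three things a responder can sweep a host for without the sample in hand: the file hashes of the archive and the dropped executable, the ransom-note filename and the contact strings extracted from it (the Tox ID and the SYSTEM-LOCKED-ID victim marker), and the document-style double extension on the dropped binary (`.PDF.exe`). The script below is an added example, not part of the sandbox output or of the malware; it walks a directory tree and flags files on those three criteria. The demo tree built by `build_demo()` is constructed for illustration (its `.PDF.exe` file is placeholder bytes under the same naming pattern, not the real PE), and the extension list in `DOUBLE_EXT_RE` is an assumption that generalises the one filename seen here.

```python
"""IOC sweep built from the indicators in this report (added example; not the
sandbox's own code).  Flags files that (a) hash-match the archive or the
dropped PDF.exe, (b) carry the ransom-note filename or the Tox contact /
victim-ID strings from the extracted note, or (c) use a document-looking
double extension like the dropped binary.  The demo tree is constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# Hashes from the report: first entry the archive 9227619177.zip, second the
# dropped FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.exe.
IOC_HASHES = {
    "md5": {"13973e33f8be47f2d8fdc3f492ae2a3d",
            "8b42ebfba0cb67a1164a15c6dae6fbef"},
    "sha1": {"08415d3285d4a535d2b604c2831d5f181ec402c5",
             "5d4b97bbf2ca874b5924ec489c90a2e109ae2ad6"},
    "sha256": {"dcf9903203f0ee534a154663128a35274b603dbdc210a14f2bf2317173f1371a",
               "e5f60df786e9da9850b7f01480ebffced3be396618c230fa94b5cbc846723553"},
}
NOTE_FILENAME = "HOW TO DECRYPT FILES.txt"
TOX_ID = "DA639EF141F3E3C35EA62FF284200C29FA2E7E597EF150FDD526F9891CED372CBB9AB7B8BEC8"
VICTIM_ID_RE = re.compile(r"SYSTEM-LOCKED-ID:\s*(\S+)")
# Document extension followed by an executable one (assumed list; the report
# shows only ".PDF.exe").
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.(exe|scr|com)$", re.IGNORECASE)


def hash_file(path):
    """Return md5/sha1/sha256 hex digests of a file, streamed in 1 MiB chunks."""
    digests = {alg: hashlib.new(alg) for alg in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in digests.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in digests.items()}


def match_hashes(digests, iocs=IOC_HASHES):
    """Algorithms for which a digest equals one of the report's hashes."""
    return sorted(alg for alg, val in digests.items() if val in iocs.get(alg, set()))


def inspect_note(path):
    """Reasons a file looks like this sample's ransom note (empty list if none)."""
    reasons = []
    if path.name.lower() == NOTE_FILENAME.lower():
        reasons.append("ransom note filename")
    try:
        text = path.read_text(errors="replace")
    except (OSError, UnicodeError):
        return reasons
    if TOX_ID in text:
        reasons.append("Tox contact ID from report")
    m = VICTIM_ID_RE.search(text)
    if m:
        reasons.append("victim ID " + m.group(1))
    return reasons


def sweep(root):
    """Map each flagged file (POSIX-style relative path) to its list of reasons."""
    root = Path(root)
    hits = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reasons = ["hash match: " + alg for alg in match_hashes(hash_file(path))]
        if DOUBLE_EXT_RE.search(path.name):
            reasons.append("document-style double extension")
        if path.stat().st_size <= 1 << 20:  # notes are tiny; skip large binaries
            reasons.extend(inspect_note(path))
        if reasons:
            hits[path.relative_to(root).as_posix()] = reasons
    return hits


def build_demo(root):
    """Constructed sample tree for the demo (not artefacts from the sandbox run)."""
    docs = Path(root) / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / NOTE_FILENAME).write_text(
        "YOUR SYSTEM IS LOCKED AND ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED. "
        "search our contact - " + TOX_ID + " "
        "Subject : SYSTEM-LOCKED-ID: MortalKombat=ID12DJ901S")
    # Placeholder bytes under the dropped binary's naming pattern; not the real PE.
    (docs / "FW-EXAMPLE.PDF.exe").write_bytes(b"MZ" + b"\0" * 62)
    (docs / "notes.txt").write_text("quarterly planning, nothing suspicious")
    return docs


def run_demo():
    """Build the constructed tree in a temporary directory and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo(tmp)
        return sweep(tmp)


if __name__ == "__main__":
    for rel, why in run_demo().items():
        print(rel, "->", "; ".join(why))
```

Point `sweep()` at a user profile or a mounted image to run it for real; hash matching only catches the exact binaries listed here, so the note-string and double-extension checks are what carry across re-packed builds of the same campaign.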
