General

  • Target

    068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.zip

  • Size

    94KB

  • Sample

    230321-rwvlsadb2s

  • MD5

    d78c31c7d9c9ceef441abc7aaf301b0d

  • SHA1

    3ec8c66b5eabf891dbc8546762f0f69a827de646

  • SHA256

    dc90492b4f9c25b54a45942f717911f28f7278c8158239fd135f103968c3cce3

  • SHA512

    05b37c75a49f89b1e8e9f4915a81cbecc2551a80e1a5654228cf8ba3a9604ad21edf9c4aa206003c29ffbf393b0927b11808972ee8ac320ce4a19f8bc07c1cbb

  • SSDEEP

    1536:askQEx39Lr6z5IFHySpJ1AGfQopNPof1ApfxNrluXpTYrbLM/xbERZel4n+/8Dyt:aAEjLr6FAHySWopdof1Ap7UmY1llI+L

Malware Config

Extracted

Path

C:\cHpfiXA9s.README.txt

Ransom Note

~~~ XeqtR Ransomeware The world's fastest ransomware ~~~

>>>> Your data is now stolen and encrypted, pleaes read the following carefully, as it is in your best interest.

We are sorry to inform you that a Ransomware Virus has taken control of your computer. ALL of your important files and folders on your computer have been encrypted with a military grade encryption algorithm. Your documents, videos, images and every other forms of data are now inaccessible and completely locked, and cannot be unlocked without the sole decryption key, in which we are the ONLY ones in possession of this key. This key is currently being stored on a remote server.

To acquire this key and have all files restored, transfer the amount of 500 USD in the cryptocurrency BITCOIN to the below specified bitcoin wallet address before the time runs out. Once you have read this you now have 36 hours until your files are lost forever. If you fail to take action within this time window, the decryption key will be destroyed and access to your files will be permanently lost.

If you are not familiar with cryptocurrency and bitcoin, just do a google search, visit bitcoin.org, go on your mobile to Cash App, or pretty much just ask someone and most likely they can explain it.

Once again, 500 USD in the form of Bitcoin to this wallet address bc1q8wqyacjzzvrn57d2g7aj35lnr5r8fqv0dn0394

The second you have sent the bitcoin and the transaction verifies another text file will appear on your desktop with the website to get your key, and the simple instructions on how to use it to get your files back. 36 hours starts now, we suggest you do not waste time.

For any reason you should need customer service, email [email protected]

Targets

    • Target

      068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe

    • Size

      147KB

    • MD5

      75256873a03f4a4bc073185f48c1097c

    • SHA1

      e9023061def67ba21c09826fadc1607fd7f71d88

    • SHA256

      068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd

    • SHA512

      4b718093ad42d7b7b72498dfcbcfd1b39c980ef44e999b7035e6bfe6b782aad6b7553832f1efee45003d9b0c56bf2e408ca55082c550ac4faa19f199f366dede

    • SSDEEP

      3072:s6glyuxE4GsUPnliByocWepvdHFdjFpZ/fgyVF0dj:s6gDBGpvEByocWetdHZ/fgKF0

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks