General

  • Target

    9779776776.zip

  • Size

    3.3MB

  • Sample

    230330-pnwsrscf29

  • MD5

    315f04f0838b2776ebd51fd9575bed8d

  • SHA1

    2325bc7557f7b63e7fc6746f48d656bd6fb02774

  • SHA256

    143aa60d44f38ae8a99ce6b5dbdb80412e2c32fcf8f50b5bd1aee46a3f5a4b40

  • SHA512

    daa69d24428397d49b6dbf58551348043be92d258595c9ef304772edcd17788324105327bd828263e44785857d748b2f21f676fee2615e496024e0cd08aa8dea

  • SSDEEP

    98304:A8zVJFNqBJuSfwgqVDjPQQ7/C2pO1A/Mlu3f22kj:PfFgBJuSfwVDj4o65xlu3u2kj

Malware Config

Extracted

Path

C:\ProgramData\Readme_Instructions.html

Ransom Note
<!DOCTYPE HTML> <html><head><title>infected with ransomware virus</title> <meta http-equiv="X-UA-Compatible" content="IE=edge"> </head> <body style="margin: 0.4em; font-size: 14pt;"><p>!!!&nbsp; &nbsp; Your files are encrypted&nbsp; !!!<br><br>*All your files are protected with encryption*<br>*There is no public decryption software.*<br>*All files/documents/software with ".CRYPT" extension is encrypted*<br><br><br>###### Program and private key, What is the price? The price depends on how fast you can pay us.!######<br>1 day : 50 Bitcoin<br>2 day : 60 Bitcoin<br>3 day : 90 Bitcoin<br>4 day : 130 Bitcoin<br> 5 day&nbsp; &nbsp; : permanent data loss !!!!<br><br> ***How to contact our team through tox chat***<br><br>*Download tox chat from<br>*<a href="https://tox.chat/download.html">https://tox.chat/download.html</a><br>*send us friend request to tox chat id <br><br>7D8796EB86CBF29F53F8A8447EABAF310ED898D9DEFF97AE09C1864C2A6B3B14ED8F82AE9B9D<br><br>*Our team is waiting*<br><br>!!!!For immediate decryption!!!<br><br>write to our email:<br><br><a href="mailto:decryptorsoftware@xyzmailpro.com">decryptorsoftware@xyzmailpro.com</a><br><br> *After payment received, we will send private key to your IT department.!!!*<br><br> *Free decryption As a guarantee, you can send us up to 3 free decrypted files before payment.*<br><br>!!! We have downloaded all your files to our servers and will release data if you do not comply.!!!<br>!!! Do not attempt to decrypt your data using third-party software, this will result in permanent data loss.!!!</p></body></html>
Emails

decryptorsoftware@xyzmailpro.com

URLs

http-equiv="X-UA-Compatible"

Extracted

Path

C:\Users\Admin\Desktop\Readme_Instructions.html

Ransom Note
!!! Your files are encrypted !!! *All your files are protected with encryption* *There is no public decryption software.* *All files/documents/software with ".CRYPT" extension is encrypted* ###### Program and private key, What is the price? The price depends on how fast you can pay us.!###### 1 day : 50 Bitcoin 2 day : 60 Bitcoin 3 day : 90 Bitcoin 4 day : 130 Bitcoin 5 day : permanent data loss !!!! ***How to contact our team through tox chat*** *Download tox chat from *https://tox.chat/download.html *send us friend request to tox chat id 7D8796EB86CBF29F53F8A8447EABAF310ED898D9DEFF97AE09C1864C2A6B3B14ED8F82AE9B9D *Our team is waiting* !!!!For immediate decryption!!! write to our email:decryptorsoftware@xyzmailpro.com *After payment received, we will send private key to your IT department.!!!* *Free decryption As a guarantee, you can send us up to 3 free decrypted files before payment.* !!! We have downloaded all your files to our servers and will release data if you do not comply.!!! !!! Do not attempt to decrypt your data using third-party software, this will result in permanent data loss.!!!
Emails

decryptorsoftware@xyzmailpro.com

Targets

    • Target

      134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457

    • Size

      12.0MB

    • MD5

      a067491773524cf499e7a0bc77ceec96

    • SHA1

      e8034dfd3468dcd3d5a6d09f3fde7f63dcc9ec13

    • SHA256

      134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457

    • SHA512

      c759d0ace38c842f98d4a9d4a8cc342c89d40ab4238ff52625db13a4e50714aedf701798f6ea22e755e3599c4e002b4ba49ed3f9b06c56e4d95ac7ce6800fa4c

    • SSDEEP

      98304:QnLu1TIRtUOV5ZQ+5jZArLu1OWWqXpy05QP:QnTRtBYk405QP

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (1) — T1112

  • Credential Access

    Credentials in Files (1) — T1081

  • Collection

    Data from Local System (1) — T1005

Tasks