General

  • Target

    10106272231.zip

  • Size

    2.8MB

  • Sample

    230414-yhk9hsda7v

  • MD5

    bcbccf230350d9f446b5564f7be94661

  • SHA1

    5684ad2f6f7d0388694b9d6a4430da55d6e78140

  • SHA256

    5592c91362b538d7592216ec062b518a587f25e192c935c92d1346a8325845e7

  • SHA512

    c75202442c6337bf38ffa22c7ea653aedffb3e0f3baaad2a37674fa41f877dcc00c7469da62fa01f00906d141abad2558e7579bd9e5094365d9915efbd23523c

  • SSDEEP

    49152:d83AOWdsAJy2Qmi5QXiRzTRHWcaoEWMOwVupk6y9GUbqpFEUwj3y2UACSjoxZ:6w5dZJnWKi9TR2NUwBvtqw3Slpz

Malware Config

Extracted

Family

agenda

Attributes
  • company_id

    MmXReVIxLV

  • note

    -- Qilin
    Your network/system was encrypted.
    Encrypted files have new extension.
    -- Compromising and sensitive data
    We have downloaded compromising and sensitive data from you system/network
    If you refuse to communicate with us and we do not come to an agreement, your data will be published.
    Data includes:
    - Employees personal data, CVs, DL, SSN.
    - Complete network map including credentials for local and remote services.
    - Financial information including clients data, bills, budgets, annual reports, bank statements.
    - Complete datagrams/schemas/drawings for manufacturing in solidworks format
    - And more...
    -- Warning
    1) If you modify files - our decrypt software won't able to recover data
    2) If you use third party software - you can damage/modify files (see item 1)
    3) You need cipher key / our decrypt software to restore you files.
    4) The police or authorities will not be able to help you get the cipher key.
    We encourage you to consider your decisions.
    -- Recovery
    1) Download tor browser: https://www.torproject.org/download/
    2) Go to domain
    3) Enter credentials
    -- Credentials
    Extension: MmXReVIxLV
    Domain: ueegj65kwr3v3sjhli73gjtmfnh2uqlte3vyg2kkyqq7cja2yx2ptaad.onion
    login: 6f031ccd-526a-4806-82a8-2e7d926243d4
    password:

rsa_pubkey.plain

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Ransom Note
::: Greetings :::
Little FAQ:
.1. Q: Whats Happen?
A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen.
.2. Q: How to recover files?
A: If you wish to decrypt your files you will need to pay in Monero(XMR) - this is one of the types of cryptocurrency, you can get acquainted with it in more detail here: https://www.getmonero.org/
.3. Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.
.4. Q: How to contact with you?
A: Please, write us to our qTOX account: A2D64928FE333BF394C79BB1F0B8F3E85AFE84F913135CCB481F0B13ADDDD1055AC5ECD33A05
You can learn about this way of communication and download it here: https://qtox.github.io/
Or use Bitmessage and write to our address: BM-NC6V9JcMRuLPnSuPFN8upRPRRmHEMSFA
You can learn about this way of communication and download it here: https://wiki.bitmessage.org/ and here: https://github.com/Bitmessage/PyBitmessage/releases/
.5. Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.
.6. Q: If I don’t want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.
:::BEWARE:::
DON'T try to change encrypted files by yourself!
If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Key Identifier: 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
Number of files that were processed is: 630
PC Hardware ID: 945C4F3A
URLs

https://www.getmonero.org/

https://qtox.github.io/

https://wiki.bitmessage.org/

https://github.com/Bitmessage/PyBitmessage/releases/

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Ransom Note
::: Greetings :::
Little FAQ:
.1. Q: Whats Happen?
A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen.
.2. Q: How to recover files?
A: If you wish to decrypt your files you will need to pay in Monero(XMR) - this is one of the types of cryptocurrency, you can get acquainted with it in more detail here: https://www.getmonero.org/
.3. Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.
.4. Q: How to contact with you?
A: Please, write us to our qTOX account: A2D64928FE333BF394C79BB1F0B8F3E85AFE84F913135CCB481F0B13ADDDD1055AC5ECD33A05
You can learn about this way of communication and download it here: https://qtox.github.io/
Or use Bitmessage and write to our address: BM-NC6V9JcMRuLPnSuPFN8upRPRRmHEMSFA
You can learn about this way of communication and download it here: https://wiki.bitmessage.org/ and here: https://github.com/Bitmessage/PyBitmessage/releases/
.5. Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.
.6. Q: If I don’t want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.
:::BEWARE:::
DON'T try to change encrypted files by yourself!
If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Key Identifier: LD04sg3SSatU3hlPT7yoEYVd8DFdDkNIMftjW9XExHYMVgah8s1C8yfBu00sEhFSU9w2Jsac0rCTHdWRS+WdC4ScTNrrdhGe497uFi2qOTU6zlRTt6rYfuVdr/2lFCIIwbDm1jPcS93JHGV09xxUkvv3IZzRt4bug3++TW0H1rXmsOjWF25psnVrnrUYZf9XQK1YlWcDBmWaiszX+kaW/nWRJebDOemOTxtuScBaqarK9SPWT/F86MfZ3SKZ0+Qz4I4PKrMOHX1bFhzfq3oTHkhwTL/BtlEMVIvZGHmIoBKhWpMyP7CAYQPieZRgwBn5Onzz65MsmaWKy+vbwUbYxejrdNxgKawz3eMhiwp6miIRMldfjW+oPcE9JaLDx2iY2eWgse+Rn3cO1O0WnslEEY2o1jOGvmlpvPq6J2JCu8HpNPCVEmKMq1GmzFa3/UDMRXc7wLuuN62vspeybPEzFp+v6Hgo9p6rBIi38tm196m3vdBuyUI09U15HOuwYDyQVqFslI81RDBb3Ty49OnQDtEXs0+DKqpwmKQDwoEhqewIaJ0MV2c4gU7XsbB8qT34F+0se74z29iQDLj4YpBvZ1zJw0tra69jWm6JdWbw7XjRUq7bUk7pKxjtNiBzqS9P6exyGphNDT3RX07hb7aSVt7QLdnfnsf7E7LcfGokWHw=
Number of files that were processed is: 1086
PC Hardware ID: 9CCFD0DF
URLs

https://www.getmonero.org/

https://qtox.github.io/

https://wiki.bitmessage.org/

https://github.com/Bitmessage/PyBitmessage/releases/

Targets

    • Target

      f6108f33ce141564f1989471bd4e9747a1bc37e6c7d242caa3163a4495c85b8a

    • Size

      9.3MB

    • MD5

      743d9d9b3c39206b0a2de0dbb107fb7d

    • SHA1

      bdff586c4ae0366813335569427b1aeda2815808

    • SHA256

      f6108f33ce141564f1989471bd4e9747a1bc37e6c7d242caa3163a4495c85b8a

    • SHA512

      574402c7f2eff1fdb8edcfc7a78cf741aeb20bd4775db792d44e74156e926c8e143c106623f2f024be20bd28ab46159e18b540862c4a22581c3c17ac2eb5b17c

    • SSDEEP

      98304:4fXT9wuCHGLu1TIRtUOV5ZbvoVUq+kScfFbUs:NuCmTRtnvoVUq+6fFbL

    Score
    10/10
    • Downloads MZ/PE file

    • Downloads PsExec from SysInternals website

      Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Drops desktop.ini file(s)
