General

  • Target

    bf5f4d7b6ef1fdb903677e4ede04fb49952e08cee79822b9b53642bb5d1e6f02.exe

  • Size

    4.6MB

  • Sample

    230418-gqapbabf2w

  • MD5

    cfd31737ccacf6e9a0e2ac18cf3445ac

  • SHA1

    74c615ca54aaff3c5e6734efef04259290c357ba

  • SHA256

    bf5f4d7b6ef1fdb903677e4ede04fb49952e08cee79822b9b53642bb5d1e6f02

  • SHA512

    a2d1cae0864e66f92c10932df8dd5782ad47579404a6f9112d0e0f7287427fe56dc70aadf77baf8d9e5665cbc5eb26ee58ad9f401b0164cbf054a581c8bda98f

  • SSDEEP

    98304:OOTXCHbq9evuviwF+Mc42HfPt5Sqg9pkJ9:3LCHbqwvuvi40HN5Tgi9

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR FILES.TXT

Ransom Note
Hello! All your files are encrypted, write to me if you want to return your files - I can do it very quickly! Contact me by email: [email protected] or [email protected] The subject line must contain an encryption extension or the name of your company! Do not rename encrypted files, you may lose them forever. You may be a victim of fraud. Free decryption as a guarantee. Send us up to 3 files for free decryption. The total file size should be no more than 1 MB! (not in the archive), and the files should not contain valuable information. (databases, backups, large Excel spreadsheets, etc.) !!! Do not turn off or restart the NAS equipment. This will lead to data loss !!!

Targets

    • Target

      bf5f4d7b6ef1fdb903677e4ede04fb49952e08cee79822b9b53642bb5d1e6f02.exe

    • Size

      4.6MB

    • MD5

      cfd31737ccacf6e9a0e2ac18cf3445ac

    • SHA1

      74c615ca54aaff3c5e6734efef04259290c357ba

    • SHA256

      bf5f4d7b6ef1fdb903677e4ede04fb49952e08cee79822b9b53642bb5d1e6f02

    • SHA512

      a2d1cae0864e66f92c10932df8dd5782ad47579404a6f9112d0e0f7287427fe56dc70aadf77baf8d9e5665cbc5eb26ee58ad9f401b0164cbf054a581c8bda98f

    • SSDEEP

      98304:OOTXCHbq9evuviwF+Mc42HfPt5Sqg9pkJ9:3LCHbqwvuvi40HN5Tgi9

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v6

Tasks