Resubmissions

25-09-2023 03:09

230925-dnnxdabg21 10

20-04-2023 15:22

230420-ssddrscf5z 10

General

  • Target

    fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.zip

  • Size

    29KB

  • Sample

    230420-ssddrscf5z

  • MD5

    0f025715a5cb507fc46a4df12cfa74d4

  • SHA1

    f8b2c1eb3d8c77aa3dd57e5b86018d10c2f5c4fc

  • SHA256

    2f3446c2b663193e85c11e08af62a74abc28b44ed3d43f815b78b22dd4a25c35

  • SHA512

    43d18b7885e3dff68f6f42737717b2bfa9ca4756ac813be077d2c119936ccf7cdd319c20f24cda2733dbb1857be4bb5b1d793674f5424c1a9bc36ed8d25670d9

  • SSDEEP

    384:cGTTnA+Q+BN166R5aeGxlEmeaX+4nsPpU8vP2T+jdoCFuj4mfuCMG8Isrlde:RTsWHplmvnsxUEP6Ko4mfHlx

Malware Config

Extracted

Path

C:\ProgramData\regid.1991-06.com.microsoft\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">����������15 BF AB 86 5C 9E 24 AF 2C 72 EB AE 9F 3F 33 FF 1C B7 28 B4 48 04 77 69 6E A8 EA 0B A4 BB 79 52 71 D4 49 E5 F9 40 F8 4F 88 A9 44 A4 E3 D8 E8 A8 0E 0F 50 B2 54 9A 73 6B 6A 93 AC BF 1F 2E D2 E7 B7 9D 6C 02 27 C6 20 50 8E 9E 25 48 60 2D 87 F8 56 63 3D A6 81 F0 24 E7 D7 24 A0 30 3F EE 3B 96 64 34 C9 F5 20 63 86 E4 7C 4E 69 58 71 1D E8 82 20 46 E2 72 0E B5 F1 DF EF 03 C8 C7 B9 EA 91 CF 88 0C 0D CC C8 55 BD 85 83 7E B5 BB 79 01 F4 E2 19 A9 8E 35 5F 6B 2A 5D AB C8 CB 3B 4F 8B 84 B2 1C 1A 40 FE 59 38 7B 26 15 8E 4E 07 BB ED 60 6E EC 3B AD 03 66 6D D6 97 B9 A7 6B C8 48 59 74 BD 81 3D 94 39 4E E9 9F E8 22 CA D4 A5 42 C1 88 82 B0 6C 80 BB D8 24 7B 93 E0 57 CF 16 DF CF B3 40 8C 42 93 53 A5 BE 91 49 46 3B 69 C5 87 97 95 95 00 E0 13 FA DA E5 18 03 70 BF C7 0E AE 5C B7 DC </span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Extracted

Path

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\how_to_back_files.html

Family

medusalocker

Ransom Note
Your personal ID: ����������15 BF AB 86 5C 9E 24 AF 2C 72 EB AE 9F 3F 33 FF 1C B7 28 B4 48 04 77 69 6E A8 EA 0B A4 BB 79 52 71 D4 49 E5 F9 40 F8 4F 88 A9 44 A4 E3 D8 E8 A8 0E 0F 50 B2 54 9A 73 6B 6A 93 AC BF 1F 2E D2 E7 B7 9D 6C 02 27 C6 20 50 8E 9E 25 48 60 2D 87 F8 56 63 3D A6 81 F0 24 E7 D7 24 A0 30 3F EE 3B 96 64 34 C9 F5 20 63 86 E4 7C 4E 69 58 71 1D E8 82 20 46 E2 72 0E B5 F1 DF EF 03 C8 C7 B9 EA 91 CF 88 0C 0D CC C8 55 BD 85 83 7E B5 BB 79 01 F4 E2 19 A9 8E 35 5F 6B 2A 5D AB C8 CB 3B 4F 8B 84 B2 1C 1A 40 FE 59 38 7B 26 15 8E 4E 07 BB ED 60 6E EC 3B AD 03 66 6D D6 97 B9 A7 6B C8 48 59 74 BD 81 3D 94 39 4E E9 9F E8 22 CA D4 A5 42 C1 88 82 B0 6C 80 BB D8 24 7B 93 E0 57 CF 16 DF CF B3 40 8C 42 93 53 A5 BE 91 49 46 3B 69 C5 87 97 95 95 00 E0 13 FA DA E5 18 03 70 BF C7 0E AE 5C B7 DC /!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\ All your important files have been encrypted! Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. Contact us for price and get decryption software. qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion * Note that this server is available via Tor browser only Follow the instructions to open the link: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it. 3. Now you have Tor browser. In the Tor Browser open qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion 4. Start a chat and follow the further instructions. If you can not use the above link, use the email: [email protected] [email protected] * To contact us, create a new free email account on the site: protonmail.com IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

Extracted

Path

C:\Users\Public\Music\Sample Music\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">����������28 89 19 87 44 DF B0 9E E3 4B E7 F1 DB 5A E2 15 09 F1 4C 21 4E E9 9D 0E F6 EE D3 05 12 E4 AA 7B 16 42 6A D1 10 E0 E8 14 C2 ED CC AD 14 3F A3 B4 3A 3D 0D B3 69 37 9B 68 8C 7F CF 91 4F 38 29 67 A0 D8 64 C9 37 08 AC 61 1E 05 E5 6E 58 79 93 35 94 BA 98 AA 03 DF 01 D4 67 4E B0 25 2A 63 1F BB D6 6F 21 4D B4 25 2D A3 EE 91 11 BA 46 3A B8 C5 7A F1 9F 69 06 5A 9D D0 44 47 B2 9F 5B E2 4B 80 84 AD 9D BA 10 31 E1 7B 66 CC 1F A5 A6 49 71 A9 51 7E 06 2C 9E 72 71 D1 56 11 C6 1F 60 05 5F BD D7 BE 6B 7E 9D BE 2F E4 68 72 9F AB CF EF 41 A4 92 CE 2B 81 22 A5 1B 52 BB C1 E9 78 53 BE 50 FE 7A D3 2F 3C 9B 2E F1 FB C4 79 40 DB DA 91 2C D8 36 A7 59 55 8F 27 9B 9D 98 22 52 66 CF 9E C5 91 FE 23 CE 8E D4 E8 A7 BA C1 9A 9E FC C7 8A 5C F0 03 7B 6D 88 3B 44 66 9F C8 EC 05 6A CD 9A 39 C4 </span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Extracted

Path

C:\Users\Public\Desktop\how_to_back_files.html

Family

medusalocker

Ransom Note
Your personal ID: ����������28 89 19 87 44 DF B0 9E E3 4B E7 F1 DB 5A E2 15 09 F1 4C 21 4E E9 9D 0E F6 EE D3 05 12 E4 AA 7B 16 42 6A D1 10 E0 E8 14 C2 ED CC AD 14 3F A3 B4 3A 3D 0D B3 69 37 9B 68 8C 7F CF 91 4F 38 29 67 A0 D8 64 C9 37 08 AC 61 1E 05 E5 6E 58 79 93 35 94 BA 98 AA 03 DF 01 D4 67 4E B0 25 2A 63 1F BB D6 6F 21 4D B4 25 2D A3 EE 91 11 BA 46 3A B8 C5 7A F1 9F 69 06 5A 9D D0 44 47 B2 9F 5B E2 4B 80 84 AD 9D BA 10 31 E1 7B 66 CC 1F A5 A6 49 71 A9 51 7E 06 2C 9E 72 71 D1 56 11 C6 1F 60 05 5F BD D7 BE 6B 7E 9D BE 2F E4 68 72 9F AB CF EF 41 A4 92 CE 2B 81 22 A5 1B 52 BB C1 E9 78 53 BE 50 FE 7A D3 2F 3C 9B 2E F1 FB C4 79 40 DB DA 91 2C D8 36 A7 59 55 8F 27 9B 9D 98 22 52 66 CF 9E C5 91 FE 23 CE 8E D4 E8 A7 BA C1 9A 9E FC C7 8A 5C F0 03 7B 6D 88 3B 44 66 9F C8 EC 05 6A CD 9A 39 C4 /!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\ All your important files have been encrypted! Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. Contact us for price and get decryption software. qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion * Note that this server is available via Tor browser only Follow the instructions to open the link: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it. 3. Now you have Tor browser. In the Tor Browser open qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion 4. Start a chat and follow the further instructions. If you can not use the above link, use the email: [email protected] [email protected] * To contact us, create a new free email account on the site: protonmail.com IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

Targets

    • Target

      fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe

    • Size

      53KB

    • MD5

      5efa19dc204e46e8d8c57482f80e7a40

    • SHA1

      5c83b3ddc8417fe64e0bbd3495445ddcee52e35e

    • SHA256

      fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f

    • SHA512

      0cdf4a1263b9a341240acea245155f0afbaac864eccd1d9623a9a152a9287e8a65cd62f12804d5a1293c9d960a4958c2aa05a720f35d42699fec5d4ac0accfc1

    • SSDEEP

      768:FKcvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5YW:F9eytM3alnawrRIwxVSHMweio3+

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • MedusaLocker

      Ransomware with several variants first seen in September 2019.

    • Downloads MZ/PE file

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Stops running service(s)

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks