General

  • Target

    HEUR-Trojan.Win32.Generic-83f549e4db93384add65c4203bf80d1eb9b7b5272b9636e77532284d8b760928

  • Size

    76KB

  • Sample

    230425-v1devabg95

  • MD5

    56895d0a3d6b6f9107448c4c94c8608e

  • SHA1

    cf0243d461f1b820df9861ea5930a02c211d8ef6

  • SHA256

    83f549e4db93384add65c4203bf80d1eb9b7b5272b9636e77532284d8b760928

  • SHA512

    d8893fb5b7ddf854f85a3196d2d2b9ea6807ea9c1937b7a7fcfae2261ba9eaab2d18b66646e93ffec21d64caccdba9e2b1f3fc4e0be006c837c3df8493ec4b49

  • SSDEEP

    1536:dPpMF9fS4PUP511AtDxD93D+e+xKiSUrJTsD:za4P511INpCe2LrJTs

Score
10/10

Malware Config

Extracted

Path

C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files protected by a strong encryption with RSA-2048.
More information about the encryption keys using RSA-2048 can be found here: https://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions:
Contact us by email only, send us an email along with your ID number and wait for further instructions.
Our specialist will contact you within 24 hours.
For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form.
This will be your guarantee.

Please do not waste your time! You have 72 hours only! After that The Main Server will double your price!
So right now You have a chance to buy your individual private softWare with a low price!

E-MAIL1: [email protected]
E-MAIL2: [email protected]
Spare email:
E-MAIL1: [email protected]
E-MAIL2: [email protected]

YOUR_ID: db1583f91c9b74ea

Extracted

Path

C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files protected by a strong encryption with RSA-2048.
More information about the encryption keys using RSA-2048 can be found here: https://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions:
Contact us by email only, send us an email along with your ID number and wait for further instructions.
Our specialist will contact you within 24 hours.
For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form.
This will be your guarantee.

Please do not waste your time! You have 72 hours only! After that The Main Server will double your price!
So right now You have a chance to buy your individual private softWare with a low price!

E-MAIL1: [email protected]
E-MAIL2: [email protected]
Spare email:
E-MAIL1: [email protected]
E-MAIL2: [email protected]

YOUR_ID: ecce5e701c9b74ea

Targets

    • Target

      HEUR-Trojan.Win32.Generic-83f549e4db93384add65c4203bf80d1eb9b7b5272b9636e77532284d8b760928

    • Size

      76KB

    • MD5

      56895d0a3d6b6f9107448c4c94c8608e

    • SHA1

      cf0243d461f1b820df9861ea5930a02c211d8ef6

    • SHA256

      83f549e4db93384add65c4203bf80d1eb9b7b5272b9636e77532284d8b760928

    • SHA512

      d8893fb5b7ddf854f85a3196d2d2b9ea6807ea9c1937b7a7fcfae2261ba9eaab2d18b66646e93ffec21d64caccdba9e2b1f3fc4e0be006c837c3df8493ec4b49

    • SSDEEP

      1536:dPpMF9fS4PUP511AtDxD93D+e+xKiSUrJTsD:za4P511INpCe2LrJTs

    Score
    10/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Adds Run key to start application

      Registry Run keys launch a program at user logon; ransomware uses them to persist across reboots.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
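As an added example (not part of the sandbox report and not the sample's own code), the following Python turns the behaviour signatures above into detection logic run over constructed Sysmon-style process, registry and file events. The report does not show the exact command line or Run key the sample used, so the shadow-copy command patterns and the HKCU Run path are assumptions drawn from common ransomware tradecraft; only the ransom note filename and its two drop directories are taken from the report.

```python
"""Behavioural triage over process, registry and file events.

Added example, not from the sandbox report. The report names the
behaviours (shadow copy deletion, Run key persistence, ransom note drops)
but not the exact commands or registry path; those patterns are
assumptions based on common ransomware tradecraft.
"""
import re

# Assumed shadow-copy / recovery-inhibition commands (not shown in the report).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(?:\.exe)?.*recoveryenabled\s+no", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),
]
# Any write under a Run / RunOnce key, in either hive.
RUN_KEY_PATTERN = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Ransom note filename taken from the report.
RANSOM_NOTE_NAME = "HELP_DECRYPT_YOUR_FILES.TXT"


def triage_events(events, note_name=RANSOM_NOTE_NAME, min_note_dirs=2):
    """Return (signature, evidence) tuples for ransomware-like behaviour.

    events: iterable of dicts with a "type" of "process", "registry" or "file".
    A ransom note is only reported once it appears in at least
    min_note_dirs distinct directories, which separates a mass drop from a
    single file that happens to share the name.
    """
    findings = []
    note_dirs = set()
    for ev in events:
        if ev["type"] == "process":
            cmd = ev.get("command_line", "")
            if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
                findings.append(("deletes_shadow_copies", cmd))
        elif ev["type"] == "registry" and ev.get("action") == "SetValue":
            target = ev.get("target", "")
            if RUN_KEY_PATTERN.search(target):
                findings.append(("adds_run_key", target))
        elif ev["type"] == "file" and ev.get("action") == "Create":
            directory, _, name = ev.get("path", "").rpartition("\\")
            if name.upper() == note_name.upper():
                note_dirs.add(directory.lower())
    if len(note_dirs) >= min_note_dirs:
        findings.append(("drops_ransom_note", sorted(note_dirs)))
    return findings


# Constructed sample telemetry (not real sandbox output). Benign events are
# mixed in: "vssadmin list shadows" and an ordinary document must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "command_line": r"C:\Windows\explorer.exe"},
    {"type": "process", "command_line": "vssadmin list shadows"},
    {"type": "process", "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "registry", "action": "SetValue",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"type": "file", "action": "Create", "path": r"C:\PerfLogs\HELP_DECRYPT_YOUR_FILES.TXT"},
    {"type": "file", "action": "Create", "path": r"C:\Program Files\HELP_DECRYPT_YOUR_FILES.TXT"},
    {"type": "file", "action": "Create", "path": r"C:\Users\alice\Documents\report.docx"},
]

if __name__ == "__main__":
    for sig, evidence in triage_events(SAMPLE_EVENTS):
        print(f"{sig}: {evidence}")
```

The note-drop threshold is the part worth tuning: the report shows the same note in two unrelated directories, which is the pattern a mass-encryption run produces, whereas a single copy is weak evidence on its own.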

MITRE ATT&CK Enterprise v6

Tasks