General

  • Target

    b923f1d2ece074dabe58bb6a603ed5d49e8d62044a1293a37e8afbcac029dded

  • Size

    146KB

  • Sample

    230521-ht4l8sgf63

  • MD5

    a96ac42f9ccc7d11663f2741d5dfe930

  • SHA1

    3ff257bcb32b3862d4eb08c73949e1aa930a2384

  • SHA256

    b923f1d2ece074dabe58bb6a603ed5d49e8d62044a1293a37e8afbcac029dded

  • SHA512

    0021067adc17831733b267893639e034db928583acb5a2c18221213772ae7e85fd52bfdf7f90377cee63495d5ba05ce4bd706af302f81357f41fabde9fe29409

  • SSDEEP

    3072:q6glyuxE4GsUPnliByocWepqzYq7G9HkRgeXCDy8MD5:q6gDBGpvEByocWe4Y7pkRgeS28MD5

Malware Config

Extracted

Path

C:\6KMVhDmrY.README.txt

Ransom Note

~~~ Your computer was infected with a ransomware virus ~~~

>>>> Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom.
You won't be able to decrypt them without our help.

>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!

>>>> What guarantees that we will not deceive you?
We are not a politically motivated group and we do not need anything other than your money. If you pay, we will decrypt all your files and delete your data from our database. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future.

>>>> Payment information
To recover your files, send $50 worth of Bitcoin to the following address: bc1qe4mvvcsycwsu6gp7chnd7r4wd5f5sgy2man87k
Contact us (email address): [email protected]

Targets

    • Renames multiple (636) files with added filename extension

      This suggests ransomware activity: the sample is encrypting files across the system and appending its own extension.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar sensitive data.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks