General

  • Target

    032c9162d162aaexeexeexeex.exe

  • Size

    32KB

  • Sample

    230705-r39z2see9z

  • MD5

    032c9162d162aa7ea4fc3695cd8dc9e1

  • SHA1

    4fd9de268f53d879495366aa477dadd22eabc1a4

  • SHA256

    3596b46583f98813950cd42a7d661238962301ffa1145e34b127616a3075c3ec

  • SHA512

    7c2bd46b0a633cb20c2a4617c102a26fb0dbc830809c8900f40edb5335a301e7f3d32542ea7422d56880d3f8cd2a8211bd7b9bb3d35d9cb7b5731924957a5475

  • SSDEEP

    384:/qtPs5bv1NFartVH0Qw7ZubdQSsP+eZe4FzMgKZyIFWhyXHeU/x+Ha:0YL1NFartN0NIkvzMgKZ5WhyXH46

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\README.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a _miracle_ and get _your_ PRICE DOUBLED! Or start obtaining *BITCOIN NOW! , and restore _YOUR_ _DATA_ easy way If You have really valuable _DATA_, you better _NOT_ _WASTE_ _YOUR_ _TIME_, because there is _NO_ other way to get your files, except make a _PAYMENT_ Your personal ID: 332C182C:4754BBAD:247FF0B0:78090701 For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://xijymvzq4zkyubfe.onion.to 2 - http://xijymvzq4zkyubfe.onion.city If for some reasons the addresses are not availablweropie, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - Video instruction: https://www.youtube.com/watch?v=NQrUZdsw2hA 3 - After a successful installation, run the browser 4 - Type in the address bar: http://xijymvzq4zkyubfe.onion 5 - Follow the instructions on the site
URLs

http://xijymvzq4zkyubfe.onion.to

http://xijymvzq4zkyubfe.onion.city

http://xijymvzq4zkyubfe.onion

Extracted

Path

C:\Users\Admin\3D Objects\README.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So , there are two ways you can choose: wait for a _miracle_ and get _your_ PRICE DOUBLED! Or start obtaining *BITCOIN NOW! , and restore _YOUR_ _DATA_ easy way If You have really valuable _DATA_, you better _NOT_ _WASTE_ _YOUR_ _TIME_, because there is _NO_ other way to get your files, except make a _PAYMENT_ Your personal ID: 3FB0D507:4CD0EA13:0F435DAF:AE090701 For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://xijymvzq4zkyubfe.onion.to 2 - http://xijymvzq4zkyubfe.onion.city If for some reasons the addresses are not availablweropie, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - Video instruction: https://www.youtube.com/watch?v=NQrUZdsw2hA 3 - After a successful installation, run the browser 4 - Type in the address bar: http://xijymvzq4zkyubfe.onion 5 - Follow the instructions on the site
URLs

http://xijymvzq4zkyubfe.onion.to

http://xijymvzq4zkyubfe.onion.city

http://xijymvzq4zkyubfe.onion

Targets

    • Target

      032c9162d162aaexeexeexeex.exe

    • Size

      32KB

    • MD5

      032c9162d162aa7ea4fc3695cd8dc9e1

    • SHA1

      4fd9de268f53d879495366aa477dadd22eabc1a4

    • SHA256

      3596b46583f98813950cd42a7d661238962301ffa1145e34b127616a3075c3ec

    • SHA512

      7c2bd46b0a633cb20c2a4617c102a26fb0dbc830809c8900f40edb5335a301e7f3d32542ea7422d56880d3f8cd2a8211bd7b9bb3d35d9cb7b5731924957a5475

    • SSDEEP

      384:/qtPs5bv1NFartVH0Qw7ZubdQSsP+eZe4FzMgKZyIFWhyXHeU/x+Ha:0YL1NFartN0NIkvzMgKZ5WhyXH46

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks