General

  • Target

    a3bac432e92a26exeexeexeex.exe

  • Size

    146KB

  • Sample

    230709-krjkdsce4z

  • MD5

    a3bac432e92a26e6c1151d89630b7a04

  • SHA1

    2aee43243b537012b68ca4bf215ddb7ffc6aabaf

  • SHA256

    d219db7baf1ca936062295654f85fac8888f89d10853ed7a8d5efea3191bbcf2

  • SHA512

    11caceb38abdc9577ab030589e084e329d4ae4e06d5386a1e576c9d0267486e9f9fd9589f946b938a71fcd3e3e158f110c8d857220c4bddc2d571a100fe31d8f

  • SSDEEP

    1536:lzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xD80KbZB4S3zMA+U7SJjeN0ZFC0b:mqJogYkcSNm9V7DBKBV+U70vvjAD8BT

Malware Config

Extracted

Path

C:\8MNKRqUah.README.txt

Ransom Note
All your files are encrypted!!! You will not be able to decrypt on your own!
The only way to recover your files is to get a decryptor and a unique decryption key. Only with the help of a decryptor you can return all your data to its original state.
To make sure we have a decryptor and it works, you can send an email to: [email protected] and decrypt one file for free. But that file doesn't have to be valuable!
Are you sure you want to recover the files?
Telegram: @data_decrypt https://t.me/data_decrypt
Email: [email protected]
Reserved email: [email protected]
Warning.
* Do not rename encrypted files.
* Do not try to decrypt data with third-party software, it may cause irreversible data loss.
Your personal decryption ID: EFA665188FF58B9C66BDBFB601778451
URLs

https://t.me/data_decrypt

Extracted

Path

C:\8MNKRqUah.README.txt

Ransom Note
All your files are encrypted!!! You will not be able to decrypt on your own!
The only way to recover your files is to get a decryptor and a unique decryption key. Only with the help of a decryptor you can return all your data to its original state.
To make sure we have a decryptor and it works, you can send an email to: [email protected] and decrypt one file for free. But that file doesn't have to be valuable!
Are you sure you want to recover the files?
Telegram: @data_decrypt https://t.me/data_decrypt
Email: [email protected]
Reserved email: [email protected]
Warning.
* Do not rename encrypted files.
* Do not try to decrypt data with third-party software, it may cause irreversible data loss.
Your personal decryption ID: EFA665188FF58B9C061B25E912EE6D4D
URLs

https://t.me/data_decrypt

Targets

    • Renames multiple (368) files with added filename extension

      This suggests ransomware activity: encrypting all files on the system.

    • Renames multiple (634) files with added filename extension

      This suggests ransomware activity: encrypting all files on the system.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks