Overview

overview

10

Static

static

10

fef96e503b...5d.exe

windows7-x64

10

fef96e503b...5d.exe

windows10-2004-x64

10

Resubmissions

21-01-2024 14:53

240121-r9h5xaead4 10

21-01-2024 14:52

240121-r8582seac9 10

14-07-2023 02:02

230714-cf9cnsbh35 10

14-07-2023 01:58

230714-cd9wesbh32 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fef96e503bb02c85e176305a0a42116eb9595c8c37151d3a740ed4a266694b5d.zip

  • Size

    604KB

  • Sample

    230714-cf9cnsbh35

  • MD5

    e2ac5bd327a6947d73edfeb9df1c3763

  • SHA1

    64b32710fba76796f5bdf0b0d9c7ffb5a496c45c

  • SHA256

    aa08618b8ae0911c647852bc52b98910d3b73f37a62706b31709352d11f36430

  • SHA512

    bc46e644ed181b0c7f85d40e55939480e1b54f0c1fa5627ec6662e94da4e84632da279180f95dbd1cbe319621c1e3d22c40a47be6e1476732011c454f27802b8

  • SSDEEP

    12288:mPKIMNVWxa/S21rNSMjDdFDiDEfqo0YUVJTEnmuXJwZcoMjN:mS7VWkairFvdti/9/tomuXJwZcoO

Score
10/10
trigonadiscoveryevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\appdata\local\temp\how_to_decrypt.hta

Ransom Note
 --START_OF_DATA-- 40434C41444944364532414237343333393341334341393030463038413032364638413844364230323241463843393237393742393538454246313532373841343534414144390000001642433932423033423145333146453242314646313435000005BB00000200138BC3BFA1E64F250525C58140B62D539FDA69C5015C974CD520281F36234ABB5428D3DDF28B747E74E669CA8068C38B9F0E9B61906D9E962024930793601C1C7CD676DC9AB7D175C3DA395E712AD743059BB474611CD8052F2F30791522DC12B04303F43B638C54783F5DF605A3440EBA91BE8F0708DC3A4C2D2A2F531D587911CBA1631B88A06FF2DEC3CE9F69E6357EAC6175B65C5CC2600E64B50FE14AA08B17FB650166D617B4B6872060B5E74A45A9BBEFA68F09CA56D726EE3F6B4F0155336B77B95C562C6AE559404FA91C037034D4BD1650292C03F25AA0262F30E6DAC2A03999A986A07FD9A57B5E7E5A6955800BEBAC373B18619B7FFC501A5E08FF87746B33D80A42FC44048BCBD0BF19660BCBB3B59261147E114CB72CEBFBFF794B45A1C62FF8F40F22B789466A02656F599228082197695A752AB5FCB9CC21A30799C8816CC65408447C4A4E5B0DB62C23E278C0168721F257992EAAA79614FF953B98388F4BA76254276B5C57E43BCC5E5A4140C92375F625342FC1550D8E8AEDB4FBF1FC82568866BDE4BBA7A166F0E849D1655CB61DE6BE11ACE2ADDB53D13F46594C6E74E51098F07E3F6C8CEEDF575C62BE010502D7E1CD8F2E859720C841360F3A925D4815C4BE2E14D8F15EF90B165E04F0D5D4C1703F78BB8BCC9C25C660ADFB270455A845496E41E8FD9432929205D080D76C25D5C256B73851A4000003B3780157E310E712427B80BFB038E7FFE219BB197D064077A7C7DA60C36C7298F758BC9D636C0C5AB3B43D8C5359E85027BBA99681517C02BAC332BAE6BEC32FDBAFAE26785BB5B704199B758D5324D89EFBEB72B4FAA8546833B1033E8D8BC46B4C99ED865AA732DA3BD93C739635F1BDFDA38314A2252EECAEF3F085B2BA96CC0A739E95CDF88D410993D55477E06C2650FF8CD05552B9E4DDC92ADCC0F6D9E17263F3B5E45D4DC15D4EEDD2EACEFF8CE64C0CD1C1FAD63C0AE3CAAD62DE9EE1AD4CFE6481BC7359063A4CA2DB372624F361327567F8A1AB152A12599D104B0424E613AEA02C8CD83BC1CF2CA2422ADB26767176195356CFDB1B12E9A7CBD639C50E1412D110C448FFB81F356E8E03E4E4CA38FA21E29C1E4CD653647D8BA5954345B77B50559A06F68E0DD674B36461CD5D0F2C585C4EE0EB2CFA1455C3A5D36ECC6AE52D6E7A19B3C07D8877C5AA50F1AFE41467E26C21F72E4219824F2E656930B77E4B5698E9E418AC8A83897AB033B4C3173873CCDB71BDEB9942ED77A318218F1337B66B291B256034CF7422C932C5FD8F64391CF90DAA4F2E0B083A8C6D90011CF108B25C73522759DF0C1F97BD22952D96D18A7BAEA7235DC6100CFA24F7E7ED059DF0F579274277395396F7F233750D784310C9C17010C71EA315B53C676A1DCD7153B88DB2A507E881E850CACAC14435C192F7DFD2A5EB18E00393046EA755B99B4D342E22D384F1B45C428FCA7EA51AAA3E0A2727C2DB54DFB20BB6813A8988B41841B40A4ECF2B8B956EFFFEAA605852B759875101F04B7622E21A3BD8C98A7C6D705EB3F06D7BD4823DE1BFBCEFA1DEE917F2F7133456E05EED47923C29F441C649AFEA76C15312CB893959F91C973376922254AC0FE4DB90226E20527FE0A92D3F989FF7779F2FA360FDCE2B1F28662FD1CBE49DDD6E9089065DC31FF3B2A83DB105A720BBC6AD6B3DEAC7460EEE168F4CE96B283CE17316880A1564AE913DCD81C09739C9D92A32CA2F9B3D8CAE00A0BEEAB8B794CEF43000447F5BFA5E3F312332FB0EEDA21898CE1FF1220F971F08F251FEC0C873D0502329E6294F506DA71659E668A3A8184B5C792CAF47768B1468E2DB958AEC9A9DAB5467BDA86C37B522C234BC4E5D190EA14871A407F6A2A5163E3D92A015742B882368B24623E8550441BE0A9084021AE33EBEAD31D4523B07D08C21303239F4F859146045907DF41C126FAC4775B5D1BC834CB8E0AF5580E56738CFA4E9D7E1D9BCB0EAFD3950AF30EB737718B444F11C65F133AEE2B2F62049D62F732C80A709504EE0D1B9A994808916F7FFCF078527470F1056AB4C3BB24FB60360D3AFEEE0D6F45F0BC56D7BF9D5512D945A45325F594B9C16B29A470F3AC1D92A4B9FA80AEBAE03E663B323101C2A1EF5CD6AE4BD7CD9F1D9805F9A72C02400191907925999EB3DA8529DF0B3103AA41323CD233A8E9B0AD78D737313028C6F736C5D36A013372A28BA97D952F89A00000077343331353644333934364537373542344345433130463730334544304535344236A5E2AC3798447FD2B9C7A64A3FEEE1324A6882BD3991178EB8A3BBF2D556F43834333645384537364532363630374633454136453831413045314438333346 --END_OF_DATA-- the entire network is encrypted your business is losing money ▲ All documents, databases, backups and other critical data were encrypted and transfered to our servers ▲ We are using AES encryption, which makes recovery possible only using our software ▲ If you refuse to contact us, your data will be released to auction, competitors, media, clients, authorities, etc To recover your data, please follow the instructions 1 Download Tor Browser(safe, no viruses) Download 2 Copy recovery linkPaste into the www bar Copy 3 Copy certificate link Paste at auth page Copy Recovery fee dependes on how soon your rep will contact us Data deletion from our servers - same depending Need help? ● Trial recovery Claim 3 files free recovery to proof our recovery tool works ● Don't waste time 48 hours to contact us. Or your data will be released to public ● Don't contact middlemans They resell our services at a premium ● Don't use other software It will kill your files forever. Be wise var authkey = ''; var email = '[email protected]'; var url = 'http://3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion/'; var vid = 'NAMDARAN'; var cid = 'BC92B03B1E31FE2B1FF145'; var uniqueid; function Start() { window.resizeTo(660,540); if (vid == '') { uniqueid = cid; } else { uniqueid = vid; } } function copytext(s) { window.clipboardData.setData("Text", s); alert('Certificate copied to clipboard.'); }; function openpage(url) { window.clipboardData.setData("Text", url); alert('URL copied to clipboard. Open it in Tor Browser.'); } function help() { window.clipboardData.setData("Text", uniqueid); alert('If you are having problems with the Tor browser or logging into the site, write to '+email+'. Your ID copied to buffer.'); } function document.onkeydown() { var alt = window.event.altKey; if (event.keyCode == 116 || event.keyCode == 27 || alt && event.keyCode == 115) { event.keyCode = 0; event.cancelBubble = true; return false; } } Start(); var authkey = ''; var email = '[email protected]'; var url = 'http://3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion/'; var vid = 'NAMDARAN'; var cid = 'BC92B03B1E31FE2B1FF145'; var uniqueid; function Start() { window.resizeTo(660,540); if (vid == '') { uniqueid = cid; } else { uniqueid = vid; } } function copytext(s) { window.clipboardData.setData("Text", s); alert('Certificate copied to clipboard.'); }; function openpage(url) { window.clipboardData.setData("Text", url); alert('URL copied to clipboard. Open it in Tor Browser.'); } function help() { window.clipboardData.setData("Text", uniqueid); alert('If you are having problems with the Tor browser or logging into the site, write to '+email+'. Your ID copied to buffer.'); } function document.onkeydown() { var alt = window.event.altKey; if (event.keyCode == 116 || event.keyCode == 27 || alt && event.keyCode == 115) { event.keyCode = 0; event.cancelBubble = true; return false; } } Start();
URLs

http://3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion/

Extracted

Path

C:\Users\Admin\appdata\local\temp\how_to_decrypt.hta

Ransom Note
 --START_OF_DATA-- 40434C41444944364532414237343333393341334341393030463038413032364638413844364230323241463843393237393742393538454246313532373841343534414144390000001645413131303044383339433246374142373236424236000005C7000002005400E03E2AD268F05547F9A7F9B18CA1FA3C46823FDA0AF4C40D05A3CDB3A2CAB785EB620498BD01FD60A9563A88724A5B2915FABE894A67E805AD138BD879D69C7F1CE65E5616DE1D7B1CA10EC2FEA380B4136D45FE343E9A3A1668B900F6B69F61BA2199DD5E8C8D1EE464EC46A50F09FF859287E69B87CE2D27EE568C5B3A766CE6058F7C322BB1E1A736D0C4DB4CEAC45501DEE3E5E9A5A33B7618EA42FABD49F659505A330D68B7DD1236D5FE3DB441EB03E191C0F9E052C659C77D870E37A3E32DD8C5B08673B9833BD53B8FF8C9F3E5CF5B0C17D8B569256B79CCE7D22FABA28A5BE50957E2CD623E38BEDD500031BCCC49DAEC13E27E321F4C6E4B6896C214CE4EE41BEA7E21E6D8E2CCC4F8B3C48BE5AB318D0F7E36DF5C3AAD4EFC78A91D55918B4B9D9B9C3867FFE4DDB59D767B0F9D0A4A895E73DB8047D02DB2C2B119E6397A32EE5D14D458C45EB2B4BD911E6AD45C0E2458B85313576086B8DB4CE7755E321F3E4FE4A5183A39F43F2152D9D5404A269B5483C5F531E5154FA1C2B5FEF8BBE5E505DDCDD4129A7E75886D005CF43DA4C1CEDEC60C23D72BA594B4055A3A0BA5B185E5983D80090F8A9E4C3EAEE140D0F6B0A7E711EAB2C3BEDE55229DEFB7656E3EF549F5A8C4E269E4A40BE466FBDCEE6402D759626A1DFD370FD3AB8A1090A4543B10C5EF5CAA6EB77452B3FF2304BA17A29A7CC9C0F2F3000003BFF8866FE5DAE26A80012869FA347E149676027174265DBB51DE2288AB1B2A4567FB859C7F99A8C99C730BB35363DDFACBEAF03B47A49983E55F277A9F782EFFD9C1F1F59EB26B06AFAFE05FE2BE4F67CE3027498CAD3B57DE8A4BBFCE762EB52FFA16D4C79462AE55A2ED1606DF914F63DC76BAD6F2D854DE816032B9A831A50930B1A5E6E0A421D04909544B542A96C602D74A461D72D85CBC1FB78EF5C335F99C5CEE9E589A258E5298A4CDA084B718D04BEB0F4C9D57EB11F7AFCF4356ABD225507D0CFAC1B01B6FB3FEB458D434B1DCEA87352CAD9DC18A5B06F4A6C8F1CE69DC4FD8A41E9F619581F17BE6A6F7AFFE1BAE183C2A7FD9FA1B642D31E9802C91C3751F74859658972E4FE3FFC73AF88DF7D616C962F4D986E70F6980FD730668EE89F8A8594123D73B97E3CA57DE22CA23773C7F5038E5E3105C9E32B62D7AF6534111B0A8EE3F1254782FB7D3519C96FA1AD91813FFD5D98876F5E9778B2FBC1A01062612D5BB54E1CBDE4E3738261CB5C38342C1B03DFBF2189FE954FCEE5726720EFEF28B193947FB0FD555220E852FE25D88ED43A13EC2C7DA57C26C93B6F3DBC0806BD7F66E5357817D1C9A90124165E9A3200ECF7C471B61AB5611470FA9C001323A546AFEF40063913ADF2445387AFD3AA8B5560E67248DF15E4C0274FD86CFB8A40A7FE099110E0ABA9D858D9AE1C360D9A393F311F8BD83BD3736F322961A911D44270D4D1740B73D1A6DDCE4D012399C12EF5FBDED57FC92F3C8AD33D8D18EFE3B6A2DC811D3F146E2D5D211A0D395CF8A7F0B1B3AF952D2C78725B314808762A8052E640FF3CC020C61D0ABBF401D9FB6AADC2D44390ECBFD157092B3471B5D5B3CEE4ABE5E0D58A856CCCB4A5DE6DEABCD37EC3635693EF8D0367BDF955CE0A29E23F1C5A35DC1672C7C193EE3CB0B76A479033BD013F0DF421F57F085D0B6FDE2F3FD18AC4EFA596FC04614FBFC7D10B13DABCC1AA2A3C968D46883024BBDE2E61B520CFCDC36478F3E9AC0726F5D0E8388B0A5A052F56C901F211293D22FE0F0FF8EECA8BECDD050C7E01E1D8017FF47B2477207F0116CA963490A2095E9BB1984D7BAAA3A31435011A69E0A0CCA543FDC8E59D98F843C6495FE266D4E8B4B7AA1ECC8A0BA3C1C3F0069F13C7EEB81345E9A423E5607EF8A3424DF7BFEEDF053D8108C78332FD5131C0093CF7C2674960E8F8552B068ABF4943AF394F1D8F777BBE0879AFAA1DB7972CF327F0F262C1472B028BD4893392DD4DA8C3735897EA86D64D6DFC9EC70ED6C26D2230C8E3780CAFB25DBE61BF0F252C274D55BA0AD76814B67945DBD555B96DEA10AC7E0153401D31D9724A00BC830B42E0E2561D37D718E11A75345DA7ECDE91ED6D0F9D55D2979BA6178C706348AE57FA301347A03D4726672354E37C48D206D0100EA1DC9583B6433E65A7C07398143B1F653B342FC78DF02C9659BDFF2FD0CC11A6D01138EA31686E16F02C7A49C8623086EF90F9D8A855B4465A2D84E1CE1A9AEDF7AC6D90000007A3433313536443339343645373735423443454331304637303345443045353442FDA8AF3A072A12474F10FB76CC1B9BBE764F149CB30C47BCF89147E8AF0CCFA33933313037383943414232454136393736333139414438363833453444323536 --END_OF_DATA-- the entire network is encrypted your business is losing money ▲ All documents, databases, backups and other critical data were encrypted and transfered to our servers ▲ We are using AES encryption, which makes recovery possible only using our software ▲ If you refuse to contact us, your data will be released to auction, competitors, media, clients, authorities, etc To recover your data, please follow the instructions 1 Download Tor Browser(safe, no viruses) Download 2 Copy recovery linkPaste into the www bar Copy 3 Copy certificate link Paste at auth page Copy Recovery fee dependes on how soon your rep will contact us Data deletion from our servers - same depending Need help? ● Trial recovery Claim 3 files free recovery to proof our recovery tool works ● Don't waste time 48 hours to contact us. Or your data will be released to public ● Don't contact middlemans They resell our services at a premium ● Don't use other software It will kill your files forever. Be wise var authkey = ''; var email = '[email protected]'; var url = 'http://3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion/'; var vid = 'NAMDARAN'; var cid = 'EA1100D839C2F7AB726BB6'; var uniqueid; function Start() { window.resizeTo(660,540); if (vid == '') { uniqueid = cid; } else { uniqueid = vid; } } function copytext(s) { window.clipboardData.setData("Text", s); alert('Certificate copied to clipboard.'); }; function openpage(url) { window.clipboardData.setData("Text", url); alert('URL copied to clipboard. Open it in Tor Browser.'); } function help() { window.clipboardData.setData("Text", uniqueid); alert('If you are having problems with the Tor browser or logging into the site, write to '+email+'. Your ID copied to buffer.'); } function document.onkeydown() { var alt = window.event.altKey; if (event.keyCode == 116 || event.keyCode == 27 || alt && event.keyCode == 115) { event.keyCode = 0; event.cancelBubble = true; return false; } } Start(); var authkey = ''; var email = '[email protected]'; var url = 'http://3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion/'; var vid = 'NAMDARAN'; var cid = 'EA1100D839C2F7AB726BB6'; var uniqueid; function Start() { window.resizeTo(660,540); if (vid == '') { uniqueid = cid; } else { uniqueid = vid; } } function copytext(s) { window.clipboardData.setData("Text", s); alert('Certificate copied to clipboard.'); }; function openpage(url) { window.clipboardData.setData("Text", url); alert('URL copied to clipboard. Open it in Tor Browser.'); } function help() { window.clipboardData.setData("Text", uniqueid); alert('If you are having problems with the Tor browser or logging into the site, write to '+email+'. Your ID copied to buffer.'); } function document.onkeydown() { var alt = window.event.altKey; if (event.keyCode == 116 || event.keyCode == 27 || alt && event.keyCode == 115) { event.keyCode = 0; event.cancelBubble = true; return false; } } Start();
URLs

http://3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion/

Targets

    • Target

      fef96e503bb02c85e176305a0a42116eb9595c8c37151d3a740ed4a266694b5d

    • Size

      1.8MB

    • MD5

      d6a67c892e1092004a82a0c9c4bfdac4

    • SHA1

      132a0696cca15a09aae1c8830b012d520a2647cb

    • SHA256

      fef96e503bb02c85e176305a0a42116eb9595c8c37151d3a740ed4a266694b5d

    • SHA512

      725f8b19300d8e34c518d35a979b562bed8a2f947093877b6aaa9332e37352a81a59ea9d8a2c2576043677ca0467c0af67670d79f18f0d7e391bf40ff059ea0c

    • SSDEEP

      24576:Klt7hGgTTqGKw81ymxkamLsc7WXgIecdvi4T+u9t12:KhdTQxXwIecdvi4i0tE

    Score
    10/10
    trigonaevasionpersistenceransomwarespywarestealerdiscovery

    • Detects Trigona ransomware

    • Trigona

      A ransomware first seen at the beginning of the 2022.

      ransomwaretrigona

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Deletes system backups

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Drops desktop.ini file(s)

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks