General

  • Target

    b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe

  • Size

    169KB

  • Sample

    230918-maf42sba43

  • MD5

    98562209465bec53327e65649a2b8829

  • SHA1

    3a47656ed3df213bd934aa01078a863568fe9f2b

  • SHA256

    b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe

  • SHA512

    c11ce14f9cb75df2bc9bd81971c1f8fa885815715f389eb8e796e0f657de59756b36a6f896c216a03c7be7bb3ddff9b8a47aee71146760e4f4d9c6bdc0ff2cc3

  • SSDEEP

    3072:iFgiMd04bHHr/QFDtaruNyXgs7WL61fXbEiVkYELY2P+gA/PF:UE3bHL/ngsu61kYELNmhF

Malware Config

Extracted

Path

C:\Users\Admin\Favorites\!!Read_Me.3C430.html

Ransom Note
#ALL YOUR FILES ARE ENCRYPTED AND STOLEN BY RAGNAROK
Dear Sir

Your files are encrypted with RSA4096 and AES encryption algorithm.
But don't worry, you can return all your files!! follow the instructions to recover your files

Cooperate with us and get the decrypter program as soon as possible will be your best solution.
Only our software can decrypt all your encrypted files.

What guarantees you have?
We take our reputation seriously. We reject any form of deception
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain any valuable information.
When hiring third-party negotiators or recovery companies. listen to what they tell you. try to think.
Are they really interested in solving your problems or are they just thinking about their profit and ambitions?

By the way.We have stolen lots of your company and your private data which includes doc,xls,pdf,jpg,mdf,sql,pst...
Here we upload sample files of your company and your private data on our blog :
http://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion
We promise that if you don't pay within a week, we will package and publish all of your company and your data on our website.
We also promise we can decrypt all of your data and delete all your files on internet after your payment.
Such leaks of information lead to losses for the company. fines and lawsuits. And don't forget that information can fall into the hands of competitors!
For us this is just business and to prove to you our seriousness.

Our e-mail:
[email protected]

Reserve e-mail:
[email protected]
[email protected]

Device ID:
Emails

[email protected]

[email protected]

[email protected]

Extracted

Path

C:\Users\Admin\Desktop\!!Read_Me.3C430.html

URLs

http://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion

Targets

    • Target

      b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe

    • Size

      169KB

    • MD5

      98562209465bec53327e65649a2b8829

    • SHA1

      3a47656ed3df213bd934aa01078a863568fe9f2b

    • SHA256

      b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe

    • SHA512

      c11ce14f9cb75df2bc9bd81971c1f8fa885815715f389eb8e796e0f657de59756b36a6f896c216a03c7be7bb3ddff9b8a47aee71146760e4f4d9c6bdc0ff2cc3

    • SSDEEP

      3072:iFgiMd04bHHr/QFDtaruNyXgs7WL61fXbEiVkYELY2P+gA/PF:UE3bHL/ngsu61kYELNmhF

    • Locky

      Ransomware strain released in 2016, with advanced features like anti-analysis.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (172) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Modifies Windows Firewall

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • T1543 Create or Modify System Process: 1
    • T1543.003 Windows Service: 1

Privilege Escalation

  • T1543 Create or Modify System Process: 1
    • T1543.003 Windows Service: 1

Defense Evasion

  • T1070 Indicator Removal: 2
    • T1070.004 File Deletion: 2

Discovery

  • T1012 Query Registry: 1

  • T1082 System Information Discovery: 1

  • T1018 Remote System Discovery: 1

Impact

  • T1490 Inhibit System Recovery: 3

Tasks