Overview

overview

10

Static

static

3

fd71b1ab3e...8f.exe

windows10-1703-x64

10

fd71b1ab3e...8f.exe

windows10-2004-x64

10

Resubmissions

25-09-2023 03:09

230925-dnnxdabg21 10

20-04-2023 15:22

230420-ssddrscf5z 10

Analysis

  • max time kernel
    151s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-09-2023 03:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe

  • Size

    53KB

  • MD5

    5efa19dc204e46e8d8c57482f80e7a40

  • SHA1

    5c83b3ddc8417fe64e0bbd3495445ddcee52e35e

  • SHA256

    fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f

  • SHA512

    0cdf4a1263b9a341240acea245155f0afbaac864eccd1d9623a9a152a9287e8a65cd62f12804d5a1293c9d960a4958c2aa05a720f35d42699fec5d4ac0accfc1

  • SSDEEP

    768:FKcvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5YW:F9eytM3alnawrRIwxVSHMweio3+

Score
10/10
ransomwarespywarestealer

Malware Config

Extracted

Path

C:\ProgramData\regid.1991-06.com.microsoft\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">����������7B 3E 8C AC A5 99 3C 8B A4 F4 44 AF 29 D6 D2 5E 2A C3 E1 57 B3 D1 EA 5E 7A 65 3F 7D 9D 2D 07 6C 54 30 05 5C 3A 28 DE 4F 48 36 26 13 C3 FA 57 7F 46 94 53 35 E0 65 BF 79 3B F6 3E 30 33 80 46 1A 07 0D AB 37 08 A0 54 8E 62 88 4F 05 B5 81 5E 4D F5 4B D4 02 20 90 06 E0 E0 01 B7 47 73 ED 0F 3B BA AA C7 AB ED 7B 51 23 3D E9 4E D2 A5 50 85 96 2A 30 CF F0 27 81 8A 7C 30 EE 8E DC 25 72 3A 3E 31 67 DC B4 04 D3 15 D8 48 47 CE FE FA D8 D6 23 2A 84 10 B5 25 BA 57 9E FD 52 C6 49 86 39 B8 83 CB 3F E3 15 F5 97 DA 33 DF A3 16 58 71 B0 F2 FD 72 CC 3C E2 C9 E3 86 26 75 5D 96 84 1E 88 16 FB CF A6 5C DD F2 CE 2B F9 CB A8 68 62 0C 76 2E 94 B2 DB 4F 03 AF 5A 14 26 07 B3 25 C5 FE 75 C1 E4 3F 10 B7 95 AC B8 44 0D A7 87 B1 45 8D 10 EE E7 3A 91 02 2B 8D 2B D2 B9 6E 81 DF 59 3C 23 1B 05 </span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Signatures

  • Renames multiple (5499) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
    "C:\Users\Admin\AppData\Local\Temp\fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe"
    1⤵
    • Drops file in Program Files directory
    PID:3268

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\regid.1991-06.com.microsoft\how_to_back_files.html
    Filesize

    4KB

    MD5

    ff073c143bae13e7c6c965a0bc09313c

    SHA1

    77b8ccfa5e6e6afa5694265960ca663a29805ff7

    SHA256

    4ebf3854b18bd182387363607a7737cc690e84080d07c8194d06bde814becd39

    SHA512

    da0bb719d2bf44ae547bbbad34a87b41cd06b981f2ecd7a0bd31ef6a43cd0e72ced52e6de8adc205913cc7cbc03f3beb1206e7efd9cb1e48e5b71dae3b4e8c51

    Download Submit

  • memory/3268-0-0x0000000000400000-0x000000000040E200-memory.dmp

    Filesize

    56KB

    Download

  • memory/3268-162-0x0000000000400000-0x000000000040E200-memory.dmp

    Filesize

    56KB

    Download