General

  • Target

    17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd.zip

  • Size

    77KB

  • Sample

    231001-ra5vmabd4s

  • MD5

    50001871c875a0663982badcf303f8ad

  • SHA1

    de63341b256bdd708f8d15f86a918ad23c5ebd40

  • SHA256

    9e1d9504f01849014affc783aa1a47989897016e9c676b027ff23a803a37447d

  • SHA512

    68174564ce5cae33f9521593cb9fb6a1bed060f37b42cb89b0608837d5e6d96b84e1853562bd277f326bf9fb5c9c21d5d53394460644ff66e34adca95176e52b

  • SSDEEP

    1536:gEqvLBZ04hjObWBpa+9/STbWOTDv6GBn7GVUC0z33jknzlaMyP:gBLQ4kegPbfDSu0UC0zHjkzljk

Malware Config

Extracted

Path

C:\ProgramData\README ELECTRONIC.txt

Ransom Note

Electronic Ransmoware ATTENTION! At the moment, your system is not protected. We can fix itand restore files. To get started, send a file to decrypt trial. You can trust us after opening the test file. 2.Do not use free programs to unlock. To restore the system write to both : electronicrans@gmail.com and electronicrans@outlook.com Telegram id:@mgam161 Your Decryption ID: 142B4BFB2B4FD9BD

Emails

electronicrans@gmail.com

electronicrans@outlook.com

Targets

    • Target

      17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd

    • Size

      138KB

    • MD5

      254df705ae1572e5bb33fdf9bdd38bb6

    • SHA1

      3d40b40f626cae4d3499e72288cfdfe409df72ac

    • SHA256

      17bf10e4dd21565658610824afa990f2f474c39a396510701425ef740343fdbd

    • SHA512

      60ba12b65eca7387733707eb27a39c076e9a0d3945555638262030b3bd32e8dd1d584ec59bcce26d96ef217f08a06c582289914229c19ad857ddde789474bf17

    • SSDEEP

      3072:MbvdlTga8za7/aApO6fCR6kMgoXpOpo7KqXd4ljqEJSfMKRuF2f0xsxT626f/GAo:MDppOabdUj1J+MKRaKPLAm3zRd

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (7760) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Renames multiple (9322) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic, then Technique (ID): count

  • Defense Evasion

    Indicator Removal (T1070): 2
    File Deletion (T1070.004): 2

  • Credential Access

    Unsecured Credentials (T1552): 1
    Credentials In Files (T1552.001): 1

  • Discovery

    Query Registry (T1012): 2
    System Information Discovery (T1082): 3
    Peripheral Device Discovery (T1120): 1

  • Collection

    Data from Local System (T1005): 1

  • Impact

    Inhibit System Recovery (T1490): 2