23047bb5524e4fd1a3d495497903f5014d66bbec5852de053270ccd06193faf5

General

Target

NEAS.23047bb5524e4fd1a3d495497903f5014d66bbec5852de053270ccd06193faf5.exe
Size

294KB
Sample

231111-l3hynsea94
MD5

d8a34898267e26baf617b17a93b2a8e7
SHA1

f8b9823bf5c44759d76e40783ca71de499c261d8
SHA256

23047bb5524e4fd1a3d495497903f5014d66bbec5852de053270ccd06193faf5
SHA512

ded6f3f8c9baa248ee759a942b412e93a29ec5cbb8368f7c3054ea4c4291bb49eecd929a45b35f4576b39e8bcd1a647d40190e0e4c4c47bc09ac77374ac06ec0
SSDEEP

3072:kzUgzUuhf9c5hgQYPau9PhMcBdYkjeqGN4pfhaL8PdrqMbnfw6tO68vSQblrGLOj:QUpuotYPzPhn3061xPdfGvTRb

Score

10^/10

Malware Config

Extracted

Path

C:\SYRWnZ0xS.README.txt

Ransom Note

.+####*=: -+=*=-++*=::+-:++*::@@= @@#%*+#@*+==-=-+- :=---:::::---::-:-====*+#@@ @@@=+---===-====-:+=-=::: -=--:::-:::: +::::=:=.:=#@ @#+#+-==---+:----------:-.::: ::+.:-:::--:-:--.-=+-**+-=% @##*###*+=:=--:::-=-:--=:.=:- --::-==---:-----=-=#*+-==*#%*#*++=%-*:--=--==:-=-::-:-: =.:::.:----------+=+=+*-++*@ @@**+:=*#*#--=-----:--:-=-:+: .::::------=-=.=++-++++##@ @@ @@ @%*=*+*+=**=:-:=----::::: ::-:--:--==-++=+====+%@@ @@#@@@@@@ @%=+++=++==-:::--:-::: ::----=-==-*++=+==*==# +@:@@@@@@@@@ %.*=++====+++=+::--:: :----+==-:+==+==++*=-*+:@@@@@@@%#*#*+---+*+=+=+==--::. :--=*+-=:=:=*:==-+++=-#**@+*#@@@+*#*++=++=*-=-===+=:=: .-++=--::=-==+=-=++*:*--+-*:#@@*-=+=+=--::-==== +:....::--=----=+++::=#**=@#+@*=-+=:*===-::.:::= :::-==--::-:.@@@@@#*==+==---:. ---=++---+.-@#@@+#*===-===++.. -+====:--:-+=+@*=**=*+===: ---==-@+::=:###*-+-. -*:*=*#@@@@##=-=+- @@@--#=**@*-*-:+@@ :#==-*. Hi. All your files are encrypted. For decryption contact us on Session messenger. You can get it from https://getsession.org Our Session ID: 050877486f869a0ca3c28c831576801d63e522afba3adfe310c443f9e7da124001 [+] Do not rename encrypted files. [+] Do not try to decrypt your data using third party software, it may cause permanent data loss. [+] You have 72 hours to get the key.

URLs

https://getsession.org

Targets

- Target
  
  NEAS.23047bb5524e4fd1a3d495497903f5014d66bbec5852de053270ccd06193faf5.exe
- Size
  
  294KB
- MD5
  
  d8a34898267e26baf617b17a93b2a8e7
- SHA1
  
  f8b9823bf5c44759d76e40783ca71de499c261d8
- SHA256
  
  23047bb5524e4fd1a3d495497903f5014d66bbec5852de053270ccd06193faf5
- SHA512
  
  ded6f3f8c9baa248ee759a942b412e93a29ec5cbb8368f7c3054ea4c4291bb49eecd929a45b35f4576b39e8bcd1a647d40190e0e4c4c47bc09ac77374ac06ec0
- SSDEEP
  
  3072:kzUgzUuhf9c5hgQYPau9PhMcBdYkjeqGN4pfhaL8PdrqMbnfw6tO68vSQblrGLOj:QUpuotYPzPhn3061xPdfGvTRb
Score

10^/10

ransomware spyware stealer
- Renames multiple (330) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Renames multiple (579) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Renames multiple (330) files with added filename extension

Renames multiple (579) files with added filename extension

Deletes itself

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2