General

  • Target

    cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3

  • Size

    2.2MB

  • Sample

    240101-pn7j9saghk

  • MD5

    664351f9e645e79cdf17d8bb859ef8e5

  • SHA1

    6f45ee1f3246318d94368de97648245718de795d

  • SHA256

    cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3

  • SHA512

    ccd49da2df1fdc3e789000709ce871abe6c90c98842040d818c343d04a165eade662433483e1ea1891c43d099616a29dced57d483cdd35d7642ed30ae66995a1

  • SSDEEP

    49152:kZxdq3f7AohAROoPkMrZVOGeBPEwSX+gyJ7I1Pud1w7pVJ9EluMH3opjhKa70I3Q:kOPhAooPkMnoI+gyJuJ7DJSluMHOjhji

Score
10/10

Malware Config

Extracted

Path

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\HOW TO RESTORE YOUR FILES.TXT

Ransom Note
Hello! All your files are encrypted, write to me if you want to return your files - I can do it very quickly! Contact me by email: cryptolifeguard@cock.li or unl0ck@keemail.me The subject line must contain an encryption extension or the name of your company! Do not rename encrypted files, you may lose them forever. You may be a victim of fraud. Free decryption as a guarantee. Send us up to 3 files for free decryption. The total file size should be no more than 1 MB! (not in the archive), and the files should not contain valuable information. (databases, backups, large Excel spreadsheets, etc.) !!! Do not turn off or restart the NAS equipment. This will lead to data loss !!! To contact us, we recommend that you create an email address at protonmail.com or tutanota.com Because gmail and other public email programs can block our messages!
Emails

cryptolifeguard@cock.li

unl0ck@keemail.me

Targets

    • Target

      cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3

    • Size

      2.2MB

    • MD5

      664351f9e645e79cdf17d8bb859ef8e5

    • SHA1

      6f45ee1f3246318d94368de97648245718de795d

    • SHA256

      cd4b4566460611a2dfa75f755270d5b2f56edff3d50a9ef6be8b3c92728c46a3

    • SHA512

      ccd49da2df1fdc3e789000709ce871abe6c90c98842040d818c343d04a165eade662433483e1ea1891c43d099616a29dced57d483cdd35d7642ed30ae66995a1

    • SSDEEP

      49152:kZxdq3f7AohAROoPkMrZVOGeBPEwSX+gyJ7I1Pud1w7pVJ9EluMH3opjhKa70I3Q:kOPhAooPkMnoI+gyJuJ7DJSluMHOjhji

    Score
    10/10

    • Detecting the common Go functions and variables names used by Snatch ransomware

    • Snatch Ransomware

      Ransomware family generally distributed through RDP brute-force attacks.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (3317) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      out.upx

    • Size

      3.9MB

    • MD5

      c4d8f9d2ebe997ad21f9d5ad0d8ac31a

    • SHA1

      0f7ac5007b73c608233d482cd8ad24ee3da734dc

    • SHA256

      61033f4e5908e6f85058725d233205c4424814fb12154599cb6927b1968f3c78

    • SHA512

      818284f998c31daf391cb5203bf396d66ae8159e303a0904c26650a61d30ea74225044b4b52f0fb727753e8851246aede5d75b4fbc6223e89e1926b323820796

    • SSDEEP

      49152:gqgTYxi19Sl56EixSSvXl5/Jdmir6V2xL02Ul3Suynuw0zMAl9rurLc3Z:gqgWkQl5jYNQiGVgja3GLc

    Score
    3/10

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion

    • Indicator Removal (T1070): 2

      • File Deletion (T1070.004): 2

  • Impact

    • Inhibit System Recovery (T1490): 2
