General

  • Target

    samples (2) (3).zip

  • Size

    2.1MB

  • Sample

    240101-sk786sfeg4

  • MD5

    ef77a8926ba8419c886a9862e064eb7f

  • SHA1

    a12d66fca51f2ceb0a0d631f84924678b6481e48

  • SHA256

    ef99a1844cbf354868a70cdcc2584ec94ffceafc4ffcd3a6b5563fa1d632844e

  • SHA512

    a7f86c90e2734d1033eb5afd814b554c92bbd30128b02183d5cba689e7ac0b2c065eed9534cfac689e7bc6a405718fec8b567cbaf8e8711a791f707d2cc4f315

  • SSDEEP

    49152:bGKM2Bb45hv8YJbPp38tBHjgq6/IyKU7UIk0EaQLeM+AZHDQl:bGKM2BU5hvbJbhOEq6MU7UIkxaQqMvy

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail decrypt@fros.cc
Write this ID in the title of your message C2E90A1A
In case of no answer in 24 hours write us to theese e-mails: decrypt@fros.cc
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

decrypt@fros.cc

Targets

    • Target

      samples (2) (3).zip

    • Size

      2.1MB

    • MD5

      ef77a8926ba8419c886a9862e064eb7f

    • SHA1

      a12d66fca51f2ceb0a0d631f84924678b6481e48

    • SHA256

      ef99a1844cbf354868a70cdcc2584ec94ffceafc4ffcd3a6b5563fa1d632844e

    • SHA512

      a7f86c90e2734d1033eb5afd814b554c92bbd30128b02183d5cba689e7ac0b2c065eed9534cfac689e7bc6a405718fec8b567cbaf8e8711a791f707d2cc4f315

    • SSDEEP

      49152:bGKM2Bb45hv8YJbPp38tBHjgq6/IyKU7UIk0EaQLeM+AZHDQl:bGKM2BU5hvbJbhOEq6MU7UIkxaQqMvy

    Score
    1/10
    • Target

      100b8bfff550fb74c98a2ef9a71d4bb53553d2d7ba509bb451fe32814ec57e48

    • Size

      308KB

    • MD5

      e2982778434438cce87e6f43493d63ce

    • SHA1

      1927c6f73714a3d06d379d2bc4693e7a970d5cea

    • SHA256

      100b8bfff550fb74c98a2ef9a71d4bb53553d2d7ba509bb451fe32814ec57e48

    • SHA512

      47e51150b308109e218949cfe80160706bca06f2ba9b2ffac27e36db35a2ead729766afc09936d020cde20e0678a7c912d1ed59a6295fe9bcceb17f2b12b2248

    • SSDEEP

      6144:j09jZMz/y1rekkCkVg+AW93YVfhZR3MM+SYRQlsQc0EJroJ:AXC/FkdkVg9WlufR3MM+PRQvcZ

    Score
    1/10
    • Target

      16b51224239d3671b1af3e8f2656a2ad1e7f5fb9acb09111a95461338a841b49

    • Size

      207KB

    • MD5

      8d0a312773a8475e499b7f879cfe8ece

    • SHA1

      7aa2568f464780f85dafd385a6ff82d79ea6379f

    • SHA256

      16b51224239d3671b1af3e8f2656a2ad1e7f5fb9acb09111a95461338a841b49

    • SHA512

      a7cbd19806e8832ef687ccf01debf3db4c0afb9e631379e2200c7da5144fd40146508b2c9685bddadf620491bff5f30f910ab0d6c900fc34bfb0893dcd78d953

    • SSDEEP

      3072:5M+lmsolAIrRuw+mqv9j1MWLQBexM+lmsolAIrRuw+mqv9j1MWLQ:S+lDAAYx+lDAA

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      2727dde7418284bd2b16a032346a9c6921cbfb5e950ad21c9468792b71ee3898

    • Size

      77KB

    • MD5

      e076f267e066671604177ee2f4f406f9

    • SHA1

      ca09b5cdbb6c4f12f8b1486ed282f64e6c0d64b9

    • SHA256

      2727dde7418284bd2b16a032346a9c6921cbfb5e950ad21c9468792b71ee3898

    • SHA512

      f4d65ba7a7afee6335c10a178a5536f6f1a2255a9eeddbb34b6f6b4b87fe6f91354a883bdba1657311f240b88ba1496e51e04999681bcd2543da5ca8016408d8

    • SSDEEP

      1536:7ClodSIRar0dQMLPRNqC3P0btbqJYl6i9Fp9glI792Li/yuUBQs:2aQIYQOYPtY6pi9we2sd

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (2120) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Adds Run key to start application

    • Target

      29dd920ac1453b5be12fcef5af45690dbbe625e985f6692e237a057e832937e5

    • Size

      67KB

    • MD5

      26838a257e64a6c6dfeb1d49f3fe114f

    • SHA1

      105c02e87551ccdb00b27eb939dae094a418fa29

    • SHA256

      29dd920ac1453b5be12fcef5af45690dbbe625e985f6692e237a057e832937e5

    • SHA512

      6e71bc97e0d1d9d64f85e30d0c6a0cd8f8e9f503496962cda8a694fdd90930ccae289132aba2fbd61eefc782298399deacc20a49476a8775811191423c639174

    • SSDEEP

      1536:diEmjO9wAM2Cq6Av4YHLV1zbYnGJ0+FonVZ4iD5aJxuNRj6W8Q:6UwAMQTv7p1zEG6+sVBKWR

    Score
    1/10
    • Target

      2001.exe

    • Size

      138KB

    • MD5

      b9272a777740d1b5796cc6eaf7eff252

    • SHA1

      43526f39d742bb421ebe2514fa1e7bee2ec0f86d

    • SHA256

      df93154c63aeea6a56d0f2b4c89d424f38897c2a43d756495efa4cfa69f87aa4

    • SHA512

      2e19dd25e46400878b6fcecceb8a7f650a996e47f8b785f3a63e640710951a4a8fe6991842879d1959b65f59f25ccefc76b39bd9d46fa62e3acb5d5a481544bc

    • SSDEEP

      3072:1ZO75plD368W/5SeiLHpV3IhzfW+3g70XdlqgDuYUB/vemeeCLdJLVd:1C5px3HW/3iLHpV4hzu+jd7uYU5JexTd

    Score
    9/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (266) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      3c5ffe21fd24c4daf62f5190d96e65bf7a25232ef9ec956a77db910e90750017

    • Size

      64KB

    • MD5

      460a2e4418cadbbb91513e4908ab765c

    • SHA1

      4bf64187179ba81f7ed6295d30079c8bd56d9148

    • SHA256

      3c5ffe21fd24c4daf62f5190d96e65bf7a25232ef9ec956a77db910e90750017

    • SHA512

      59e730bf6bd6a18fd287da1d205f197b46620415ad228953333b6a98b3e64dccb4b52a4c86b0f4f335678418a64757ea4425d70ec54f2deefb1db4ab5edc759a

    • SSDEEP

      768:y6xnBtviPDs6zWgjU7p6iViakLi05kToZ0uoKKJKr9jlQJZVLfUlAvHm:1tvn6zxuZkLpP6uoW9azVfUee

    Score
    1/10
    • Target

      48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420

    • Size

      53KB

    • MD5

      13bfc9705ee633aec38f4ccffdca471c

    • SHA1

      bfa8395e872262b95bb218b9834edd90ab2cff5e

    • SHA256

      48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420

    • SHA512

      c900e5dd21c35c2ff875b3d209bff0da0d52468d48dc17324401f5646bf7bdcbeec460085e8abad222dfb30bd85e2c3d214dce80e2de567cb6ddee217999be6e

    • SSDEEP

      768:1xPUSvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5NID:1lHeytM3alnawrRIwxVSHMweio3jI

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Renames multiple (8113) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      568a79ce585dac32af237cb187b663cb6d2e4f594d66860c7ea1b3c66e4b7919

    • Size

      78KB

    • MD5

      0163a114f3cd11d4a2d3c1374bf4878d

    • SHA1

      96b9b8510641a18f7920f48078087001a16db568

    • SHA256

      568a79ce585dac32af237cb187b663cb6d2e4f594d66860c7ea1b3c66e4b7919

    • SHA512

      0104fedf9a6cc994a267f743c8fa3324af388e2191dec5aff1eedf7345a1d0bbb4829db2b846dd6f7e63e2e4c04aaa0d315ed8b7361c8fbbd8b9f0096e90cba0

    • SSDEEP

      1536:freiQwer+Gu3gzQ6qOAI2PneemZcsABvYPpXUJqnwBWH9R1X3Jq5:yiPGu34Q6pAgeJsOOYByXHJ

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (482) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      57de0d2d5945db11d6c845459419a1b48a5cf415a7a0866c40b03afaec6fb4fe

    • Size

      108KB

    • MD5

      04bd0a129ac331d598a08c88f3b99089

    • SHA1

      e2b18d04541e93c7e2c871849061dcea5a77dc95

    • SHA256

      57de0d2d5945db11d6c845459419a1b48a5cf415a7a0866c40b03afaec6fb4fe

    • SHA512

      82495d4d2d1319d52e66308bfbbd812334e1cf1cd5b4f84763380556fdeb7790a25f38839c6eb2189f55eedcb48ba08fa74baec25d7b74fd1403660c75f33aa1

    • SSDEEP

      3072:IFLXTOKX8HIBxac8SKfbzxcwg7es6/Vsb8VKTuv:IOfoBdUhcX7elbKTu

    • Renames multiple (59) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      5e34ceeaf60a7cdfaeee0443a87edb92115727130323314628503dfe755b9505

    • Size

      49KB

    • MD5

      51b8687135b216cf4c3cdb8a545540b8

    • SHA1

      e5cba03649cd490b93d70a01595e18e934532bef

    • SHA256

      5e34ceeaf60a7cdfaeee0443a87edb92115727130323314628503dfe755b9505

    • SHA512

      c401e208b9d48ad46e4d9451ba6f8ab4e5efe99917a20774f668288830b0b8b008005af2f3a9131864c5741f1cad1c5efa677a0a8d1b6409ca75add86d98e5a2

    • SSDEEP

      768:3V6573iVm2/6pG5gm8jnEU6t7+9jJJzYcHe+Z:l+yUpGa1ELt7ijJY+

    Score
    1/10
    • Target

      6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac

    • Size

      74KB

    • MD5

      85110da3605b25aaaa7533e2bdbdc6fb

    • SHA1

      8eb6f6e0e50d1d6e496e1c3498d500e00c47b8ae

    • SHA256

      6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac

    • SHA512

      f49ddeb9c0ad79f5979b299fbb231f225c0e6c149633c1d1cdfe0f4d94ce2cf28ee65e17c020624dadb036c20270d343f5f869da3d01b535181e7e7aafae0312

    • SSDEEP

      1536:naDpA+SIN1RWDmGN7NuoH4T+p9yF+KUFP4VuBs7hu7HU0QU9v:1lHNZuoHnyQKrVhWHLQU

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (2758) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      75342ada938ea71dc863ee603a075a3ff7cbd759a091879f065a849650097a76

    • Size

      167KB

    • MD5

      11442c43bbe7810c91a58af6d92ac810

    • SHA1

      027d4ef6a11a59ca7588a6a3eed0b4ee368206a5

    • SHA256

      75342ada938ea71dc863ee603a075a3ff7cbd759a091879f065a849650097a76

    • SHA512

      9fef88249f11afa4bc057bbe095114273e68e962ab015b89648b0708d1dee6e822a0e0e209512ad6d9fadc57cfe1d6fbfa54a13c4e1bcb59a8881cf1fd7a64f2

    • SSDEEP

      1536:XWF0Tz+2x+/m2x+kDgJF+2x+/m2x+kDgWGekNsGekNFuJGekNsGekNRl:VTz1+l+kcJF1+l+kctphp1

    Score
    8/10
    • Modifies Installed Components in the registry

    • Drops desktop.ini file(s)

    • Target

      7e623dca8a26a45440c331e383ac6ce3783d5c1bd60b91ee91ce0cc5841633e2

    • Size

      219KB

    • MD5

      419ac67a37befc87317f2263e43bbccb

    • SHA1

      9a85595a04ac9f2c2b3dbf2a3ec171fc4486e3dd

    • SHA256

      7e623dca8a26a45440c331e383ac6ce3783d5c1bd60b91ee91ce0cc5841633e2

    • SHA512

      5a1fcacd280ba94f5178db1934b1122cf8e4359372e09812a57ae5601060e78f38f402a24a2b04dfe2fb7f6052cecce68df0aa9f41b48db34513cade81cd1969

    • SSDEEP

      3072:W5LZvmXjUjS/oewQhcyibDoO1iPN2HuzNUYi821BNL5kQdL:yLmQu/tJcToO1mNSuWYWIQN

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (159) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Target

      87f2db714eac44b77889c850b8b6b55e2b117c88ac8f8923b47ac89fecadab7e

    • Size

      168KB

    • MD5

      858f74b2c777c086eaa36d9cfd4f38d2

    • SHA1

      ccc4e31495008464118c71b55e27ace1fe35736f

    • SHA256

      87f2db714eac44b77889c850b8b6b55e2b117c88ac8f8923b47ac89fecadab7e

    • SHA512

      c30e692885aab0bc30dba82a1ee6037b25de56027fb06564062991713e9f062c2b5d9fbcdd802aa0f7503b1ea8942bd9641b7b2299b4e341aa5f41b4739af0c5

    • SSDEEP

      1536:R9vtiz8f+2x+/m2x+kDgJF+2x+/m2x+kDgWGekNsGekNFuJGekNsGekNcl:+8f1+l+kcJF1+l+kctphpS

    Score
    8/10
    • Modifies Installed Components in the registry

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      8dcb1af1e7886834252394e9710ee72b9bfa910779c4ea041831d0622efa85b0

    • Size

      188KB

    • MD5

      09b2ee5a8b7f20eba946d962e4408ecd

    • SHA1

      855524a5905ef2d56ebc3f9ff2025802fc21b856

    • SHA256

      8dcb1af1e7886834252394e9710ee72b9bfa910779c4ea041831d0622efa85b0

    • SHA512

      62e5db2b05cc632595774e3d46e2fcc2682302104b92b2a608607e4067006cf457a3396a985fbe0e02b54914185f3368e72bce11e583d6aea101682b2a98d694

    • SSDEEP

      3072:Y08i6o0xsBlbLCzJjgYFAzgwXiI2OMotklIXAiv9F26UoaEX:Y0IkmdMRz/in3aB

    Score
    7/10
    • Drops startup file

MITRE ATT&CK Matrix ATT&CK v13

Persistence
  • Boot or Logon Autostart Execution (T1547): 7
  • Registry Run Keys / Startup Folder (T1547.001): 7

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547): 7
  • Registry Run Keys / Startup Folder (T1547.001): 7

Defense Evasion
  • Indicator Removal (T1070): 10
  • File Deletion (T1070.004): 10
  • Modify Registry (T1112): 8

Credential Access
  • Unsecured Credentials (T1552): 3
  • Credentials In Files (T1552.001): 3

Discovery
  • Query Registry (T1012): 6
  • System Information Discovery (T1082): 10
  • Peripheral Device Discovery (T1120): 3

Collection
  • Data from Local System (T1005): 3

Impact
  • Inhibit System Recovery (T1490): 10

Tasks

  • static1: medusalocker (Score 10/10)
  • behavioral1: Score 1/10
  • behavioral2: Score 1/10
  • behavioral3: Score 1/10
  • behavioral4: Score 1/10
  • behavioral5: Score 7/10
  • behavioral6: Score 7/10
  • behavioral7: persistence, ransomware (Score 9/10)
  • behavioral8: persistence, ransomware (Score 9/10)
  • behavioral9: Score 1/10
  • behavioral10: Score 1/10
  • behavioral11: ransomware (Score 9/10)
  • behavioral12: ransomware (Score 9/10)
  • behavioral13: Score 1/10
  • behavioral14: Score 1/10
  • behavioral15: globeimposter, persistence, ransomware, spyware, stealer (Score 10/10)
  • behavioral16: globeimposter, persistence, ransomware (Score 10/10)
  • behavioral17: persistence, ransomware (Score 9/10)
  • behavioral18: persistence, ransomware (Score 9/10)
  • behavioral19: ransomware, spyware, stealer (Score 9/10)
  • behavioral20: spyware, stealer (Score 7/10)
  • behavioral21: Score 1/10
  • behavioral22: Score 1/10
  • behavioral23: persistence, ransomware (Score 9/10)
  • behavioral24: persistence, ransomware (Score 9/10)
  • behavioral25: persistence (Score 8/10)
  • behavioral26: Score 6/10
  • behavioral27: dharma, persistence, ransomware, spyware, stealer (Score 10/10)
  • behavioral28: dharma, persistence, ransomware (Score 10/10)
  • behavioral29: persistence (Score 8/10)
  • behavioral30: persistence (Score 8/10)
  • behavioral31: Score 7/10
  • behavioral32: Score 7/10