General

  • Target

    samples4 (2).zip

  • Size

    42.6MB

  • Sample

    240101-szxe8afha8

  • MD5

    9b57ef7e531dfa8a0e22d741ace7d11f

  • SHA1

    f8dd7cd98c4ae3c49e6ee85ad94265d661ecdad3

  • SHA256

    27ee59c2aa3a020f2966d4946845edf9449e9f2e2ce5fdccbfe31fb2ba5d69d7

  • SHA512

    2cd6dec3f56b656aaa2638b90d6fb61a005d1bd9304d2bb37b0f344ab699d4061beaaaf8d208e175b3ff9528d634a730d2be8731510342a4f731166877da45bb

  • SSDEEP

    786432:9nEppsCB2TE+tUUHqsX5ATG6NtJiGoI341+dC16tzO1Zi43ktj386ChLc654jZUZ:9EQCB2T7BF5AjJiEdvY3ZhLd4lYB

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR LQEPJHGJCZO FILES.TXT

Ransom Note
We inform you that your network has undergone a penetration test, during which we encrypted your files and downloaded more than 100 GB of your data, including:
Accounting
Confidential documents
Personal data
Databases
Clients files
Important! Do not try to decrypt files yourself or using third-party utilities. The program that can decrypt them is our decryptor, which you can request from the contacts below. Any other program can only damage files.
Please be aware that if we don't receive a response from you within 3 days, we reserve the right to publish your files.
Contact us: [email protected] or [email protected]

Extracted

Path

C:\Program Files\instructions_read_me.txt

Ransom Note
ATTENTION! Your network has been breached and all data was encrypted.
Please contact us at: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Login ID: 87d21e7b-25bc-428b-a3b3-58fba2da0a1b
*!* To access .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) *!*
To restore all your PCs and get your network working again, follow these instructions:
- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.
Please follow these simple rules to avoid data corruption:
- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption.
- Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself.
Waiting you in a chat.

URLs

https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/

Targets

    • Target

      samples4 (2).zip

    • Size

      42.6MB

    • MD5

      9b57ef7e531dfa8a0e22d741ace7d11f

    • SHA1

      f8dd7cd98c4ae3c49e6ee85ad94265d661ecdad3

    • SHA256

      27ee59c2aa3a020f2966d4946845edf9449e9f2e2ce5fdccbfe31fb2ba5d69d7

    • SHA512

      2cd6dec3f56b656aaa2638b90d6fb61a005d1bd9304d2bb37b0f344ab699d4061beaaaf8d208e175b3ff9528d634a730d2be8731510342a4f731166877da45bb

    • SSDEEP

      786432:9nEppsCB2TE+tUUHqsX5ATG6NtJiGoI341+dC16tzO1Zi43ktj386ChLc654jZUZ:9EQCB2T7BF5AjJiEdvY3ZhLd4lYB

    Score
    1/10
    • Target

      052012a941d98920e0fed58649ccfa3b092344630d366889678fa94a26ecc300

    • Size

      3.0MB

    • MD5

      a813a7d9f0348c18c08a8830145360a4

    • SHA1

      46da626125575610cdde9934536c1fdd52c05817

    • SHA256

      052012a941d98920e0fed58649ccfa3b092344630d366889678fa94a26ecc300

    • SHA512

      12e010129989aa48ca5e680767da776122c876e11d72f011efb8503843d03ec8debb81884ecef4512c64bdf9bae40001adc2c228ca6a640621dc22ecec559317

    • SSDEEP

      98304:WpW5QJvhA07f09Glj6Cj6OtwTf9TpR3sE196i:JOL0cjTjNc

    Score
    1/10
    • Target

      7005535e034576fdb66b5b32eb198b48d7755758e77bd66909f8dd7288c1e069

    • Size

      5.3MB

    • MD5

      493640f022a7ac07ad4e8d6f2cd3740e

    • SHA1

      4c4a1df308e415ab356d93ff4c5884f551e40cf5

    • SHA256

      7005535e034576fdb66b5b32eb198b48d7755758e77bd66909f8dd7288c1e069

    • SHA512

      d29b40298f00ba619a59f4aa7cec1bb1ec753df948b9fa50e7e158150ca21801783d701c8ed32a8e3811f138ad948b4077c8cf2b7da5b25917ec8eebe7435c26

    • SSDEEP

      49152:U6q9fOpwcf1pHot9E4IaCf1kin7N0Iu1YES/N4ggvewaFSenC00qTQeVptYt1dmT:ofk3oC9n7N0Iu19SV4ISeLQevtYVmS

    Score
    1/10
    • Target

      ab65ada82bc55b7fb26b76eb5ed2e38ae19ff9b76c3693026f782e9f170e1706

    • Size

      3.0MB

    • MD5

      db812177bb05241d7c5f947eade0e619

    • SHA1

      822422ced38c79a13f7daacb1703fff2a78cd7ac

    • SHA256

      ab65ada82bc55b7fb26b76eb5ed2e38ae19ff9b76c3693026f782e9f170e1706

    • SHA512

      d91e16b1f6f157388d10c86deed8030b0b03ac48026bffe7b6847997601b6a37120e60a3b47e684a877b5d4d2906358d66066233f82951457ab093dd77cfba88

    • SSDEEP

      49152:5exoHxm0o5IBo6sjdJKvhwK+/UDhyHVu07EwallsC3U:5+UD2Vu9li4

    Score
    10/10
    • Renames multiple (4486) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Adds Run key to start application

    • Target

      b0f8ff9688e743ae2fcb54a39910d02bb7687ba6821321cfe2ed44499a7e2b9a

    • Size

      3.2MB

    • MD5

      f1031a188e6970d4fb633cccfd95db24

    • SHA1

      b180b8fe1b371d3e06e22d06cbbb0e6b31cb4393

    • SHA256

      b0f8ff9688e743ae2fcb54a39910d02bb7687ba6821321cfe2ed44499a7e2b9a

    • SHA512

      d26fc043e568bc89b424895229102c9b1a9250061acafd85824c299e678c96085bc3f710d3d3e21750c03be072997bd61b24b5d5dd2356bc3c464ccac6356e85

    • SSDEEP

      49152:ClDhkJlNe8e32UVJDAQ4iZMo5zqxWVu+21Gh5J:aC98zqxWI0h

    Score
    1/10
    • Target

      b3ed13c61bfb6c80ff059cb8199d2c9ff457e05053f7301748e0605bd1fcd7f3

    • Size

      15.5MB

    • MD5

      4dc869e513c2dbabaf84d05e360c121d

    • SHA1

      e353efeff34187704a09a4d4426c8831dcc0275a

    • SHA256

      b3ed13c61bfb6c80ff059cb8199d2c9ff457e05053f7301748e0605bd1fcd7f3

    • SHA512

      90ef3295fe50632e57a3a4dc292fc831381414a404b31fbb60430206834bf71f06205ef15ec7cf2c633b3afd0f4e85f4d711af9a7ddc447c0d796d44d43cf4ca

    • SSDEEP

      393216:YTXarpNAbXCpT9c5hlER2/m3pg/A2hSJ7V2iYumy5WM1NX:sovAgZEhk2Kg/A2hSJ7UiYhy5l

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (1017) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      lockbit.pyc

    • Size

      18KB

    • MD5

      b98150eee419a3d3221c2076848e2788

    • SHA1

      b8146b6183b3b19de9edd813191321095709d015

    • SHA256

      33b3b726fc789a25c4f5f4882dc10c3b84147297852f9141a5ac5bb67926a265

    • SHA512

      03e9d2184c39f47ccee3bb8d88dcdd8ec3332ced79c6b5352f387cdf0baee0a962be45fabc3d4ea7c130776f598c16c4e24b77208dc64016f8fdff60cb2906cc

    • SSDEEP

      384:Cl1OW4CmRsERB3J7X+PxpRJs8wDXOnlZHtw+9wmFEh2ppuvy7Kl+:AY7X3APxTJszglVtGGE43nH

    Score
    3/10
    • Target

      bf01d97d76a6bb8f3cfbf4a697403f4b686d43fabb429a7bf9427aa70371df78

    • Size

      3.8MB

    • MD5

      7c3a6e3b8468a9ce9aa21b8afc140473

    • SHA1

      9f2bae4257e6509e7aa467a623786a0c0b10a8c8

    • SHA256

      bf01d97d76a6bb8f3cfbf4a697403f4b686d43fabb429a7bf9427aa70371df78

    • SHA512

      df1172cdecbdfafe76db72244fa1b20ac5cca40ac596ae6157d1784c2890d5198bfbeba243a05a13e550ef3429f05670c065f2fc281f90df7973fe4e042e00e6

    • SSDEEP

      98304:D7YlmkAB4MGZEmWAqG26XQ3hOeMP+pgODgRJCMwWtca4EOKKv1GeE2nMJrOlaN60:6YB4M4tjeHw4CnBvMB1rtbfhORKkf4CE

    Score
    7/10
    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Target

      c6d3a10c9cad46abc555e4f5d605eab6164756acf995c7d9d123c2b46fb62b75

    • Size

      2.9MB

    • MD5

      44f42dc610bc34e6ba9ec11cb6651948

    • SHA1

      f69c7a8a06582309a4020b1f3c11efcb3307d3d9

    • SHA256

      c6d3a10c9cad46abc555e4f5d605eab6164756acf995c7d9d123c2b46fb62b75

    • SHA512

      1f99c42645b2374e848f9c0dbf23573033364cf1898ba0031eff65e25d45585acb4691e3223fbdbe5cc465f4a5714d98bfcb6539185bf37b4d537d18a9cf1a3b

    • SSDEEP

      49152:3mer6a3OsA3P+SJfWDzG5nEm6oPTVSi2pg0B7B:3HP3OP32SJODqKiJ/v0tB

    Score
    1/10
    • Target

      e81bfaf195654662bf867c6be7115433e394a170e04f169558d294bbc93b3f94

    • Size

      2.6MB

    • MD5

      362138a2faea93e59c8fb010f1481ef5

    • SHA1

      e8ccfa8b4a2810a2c163bf9308ba0b9b47318dc6

    • SHA256

      e81bfaf195654662bf867c6be7115433e394a170e04f169558d294bbc93b3f94

    • SHA512

      62bb9ee592b9c98305eb783f5db55ebd36629d2ddad209190188b57a0ccbaf6d789adcdef1badd7a4dd039f74b1131dd35754135ab086f356846cdf98aa6e360

    • SSDEEP

      49152:CT2NkLn3tayOFhpvrnq3Y0O6OooDKU1+V5MDexWepFC83JnxpICoca+w6DW1+i6x:/NkLn3tayIhBrqoRerU1+XMETZ8es+iI

    Score
    7/10
    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      hc9.pyc

    • Size

      7KB

    • MD5

      9909cbd45aef2d49c7a3c037e67e5a34

    • SHA1

      69d1fc7080d834b2c580e7f01f9d80a764c098bd

    • SHA256

      57883596f57d8f9d1bc0cf9bd6551065f00152fac1e38348ad65a03c229bf59c

    • SHA512

      a48a8f5dea0d32fb1b98226bdee98e9429f82a2d98bc3235779caff21d53c07eb37dc723589812e87e9337c58eb5e3e89dd7411b3ede616dccae027d9467e122

    • SSDEEP

      192:9JnpNAgcb2ryFLkzuPTO+er/Gd9vnSj6fZWCaCXWTzQwbKOuOv0Cb83vNTjwfQ69:9JpN1cb2r8AzuPTO7r/8vng6fZtaMWTl

    Score
    3/10
    • Target

      ee9f2533600c091f246273960b5a2a1b7ceba7697edc5f23d4f6a980e7304485

    • Size

      2.6MB

    • MD5

      586d9e5d8a90301b494e833d36302383

    • SHA1

      360f1ec8899f3a8cc13f9b78e8688ef77089f4fe

    • SHA256

      ee9f2533600c091f246273960b5a2a1b7ceba7697edc5f23d4f6a980e7304485

    • SHA512

      8b37094e7677ed91f7d5471d680f6d6e5f2273e61271bb2ec6a661aac3db7957841e0a11807926cba53aa2c4261e179dd3dabddaabdf9a7a1ff81e6973467043

    • SSDEEP

      49152:j5pM0HdHHl43vRA9sX78IuPCUns2zkqhw/W8M3UNXFOrSnj940a7MZGz+T:g09He3pA9srju6UnsFd/WR3U5FOrSnj9

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6

    • Size

      7.0MB

    • MD5

      3beee8d7f55cd8298fcb009aa6ef6aae

    • SHA1

      672a992ea934a0cba07ca07b80b62493e95c584d

    • SHA256

      f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6

    • SHA512

      12bd64d10620c1952127c125e7beb21b3727d8afb6440d48058785267b227a534ee6112d84372749496481cb6edb5c90eeb159689b443fe0f10f4a9202a83a5f

    • SSDEEP

      196608:gUWfTu5s5E6s6eLL1mkJ2Z9Jq5dOYo+SJVTXOD0ch:gUWfTuK5E6s6sBmKk9JMo5/eN

    • Renames multiple (79) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Main.pyc

    • Size

      9KB

    • MD5

      9004917f87d6ca40750dc0c1fadd1204

    • SHA1

      628d03b5c518f392a87d4806f5c14adfd47cc68e

    • SHA256

      2273f12abfb133e79bd86f15bae3c268fb11853b8add609fc8e581873091c55b

    • SHA512

      edc60074a57187bba503f04b66b32c4c88ab4815c0a44822b9fe72851ca7dfec7091eb2cd9067a905765d3c73783174aec85c90504bd0b535b2a739d53086580

    • SSDEEP

      192:fBV58NRchh3C6iKZyN0194tcmGw/n5AlhvMTPEZp:fBb8wbCVlltzGHn

    Score
    3/10
    • Target

      f2dcd2308c18fdb56a22b7db44e60cdb9118043830e03df02dac34e4c4752587

    • Size

      3.0MB

    • MD5

      3d9d35e36761c7be729f254de5f5c307

    • SHA1

      96963e5186d8e18d9f9ddb9203478e6a60bfce39

    • SHA256

      f2dcd2308c18fdb56a22b7db44e60cdb9118043830e03df02dac34e4c4752587

    • SHA512

      1d581ce569d92258b3519ff3b072a13d5962a258232bad377a15e6b7f53bd9eeb21e6516c26eff3296131188aec8dbf17970fba3fb54691ccd389367a0dfdd51

    • SSDEEP

      49152:D+PVhR1b4NrzHJ9UJzJcFO0QP7UFZjaMQ7zAAAHJAF/VvOAI8TJ:Swu5bMQ7zAAAHJAtVvOA

    Score
    3/10
    • Target

      f89ee06ed27ff00fa5d8f6a5811a9e57063c72c9ec7d478321cdf2a2f018866f

    • Size

      4.8MB

    • MD5

      80c4eabe7ca7200a3735cafe4246e43b

    • SHA1

      f19ea1ca4c8e0ac88c25d5d433dca3413d17d2f9

    • SHA256

      f89ee06ed27ff00fa5d8f6a5811a9e57063c72c9ec7d478321cdf2a2f018866f

    • SHA512

      d6db156fdf7b762295d03f8deb568e584c3d92952156142276f68d05e1a4c3bdaf541b2709ddd9630c6aee249e81d0537ad4e1fcc05f1170c2100cef83a3e11b

    • SSDEEP

      49152:c5Yvom3XQQNrb/T5vO90dL3BmAFd4A64nsfJXL42r+S++UwP5VfvqmEw5EwHgrYD:F3ve2S+YBEqVHBCEhLRSm

    Score
    10/10
    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Stops running service(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks

static1

pyinstaller agilenet upx
Score
7/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

persistence ransomware
Score
10/10

behavioral8

persistence ransomware
Score
10/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
7/10

behavioral12

evasion persistence ransomware spyware stealer
Score
9/10

behavioral13

Score
3/10

behavioral14

Score
3/10

behavioral15

agilenet
Score
7/10

behavioral16

agilenet
Score
7/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

upx
Score
7/10

behavioral20

upx
Score
7/10

behavioral21

Score
3/10

behavioral22

Score
3/10

behavioral23

Score
3/10

behavioral24

Score
7/10

behavioral25

spyware stealer upx
Score
7/10

behavioral26

ransomware spyware stealer upx
Score
9/10

behavioral27

Score
3/10

behavioral28

Score
3/10

behavioral29

Score
3/10

behavioral30

Score
3/10

behavioral31

ransomware
Score
10/10

behavioral32

evasion ransomware
Score
10/10