General

  • Target

    79468940d42d217a815eca555b9d2efe72b4f2a53e47d29076c3adde5eb9c5af

  • Size

    1.8MB

  • Sample

    240124-p3m46saffp

  • MD5

    d156711735a2fb0992440a2cd0a19138

  • SHA1

    c8c9645ae15012eb25e83841d87a3ac6c16344aa

  • SHA256

    79468940d42d217a815eca555b9d2efe72b4f2a53e47d29076c3adde5eb9c5af

  • SHA512

    4d10a6a0c77e9bb5feba5a110da54e21ec201cbed7002b9a58a61087b0986e960fa7ba233bc111151ce8c145d2851720678923ee6306b35c169a8dd4bacf273c

  • SSDEEP

    49152:2NA8O1U5YwSTTEVOCT316+f0RbnRM13qE83q7rjjY/qg4wG:21dYNOOSE+f0RzRMdc3Afjtv

Malware Config

Extracted

Path

C:\PerfLogs\lockxx.recovery_data.hta

Ransom Note
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>How_To_Decrypt_My_File_</title> <style type="text/css"> body{font:15px Tahoma,sans-serif;margin:10px;line-height:25px;background:#EDEDED;}.bold{font-weight:bold;font-size:15px;color:#E53333;}.mark{background:#D0D0E8;padding:2px 5px;}.info{background:#D0D0E8;border-left:10px solid #00008B;}.note{height:auto;padding-bottom:1px;margin:15px 0;}.note .title{font-weight:bold;text-indent:10px;height:30px;line-height:30px;padding-top:10px;}.note .mark{background:#A2A2B5;}.note ul{margin-top:0;}.note pre{margin-left:15px;line-height:13px;font-size:13px;}}.lsb{display:none;margin:15px;text-align:center;}.ls{border:1px solid #888;border-radius:3px;padding:0 0.5em;margin:1em 0.1em;line-height:2em;display:inline-block;} </style> <script language="javascript"> function aIndexOf(arr,v){for(var i=0;i<arr.length;i++)if(arr[i]==v)return i;return-1} function tweakClass(cl,f){var els;if(document.getElementByClassName!=null){els=document.getElementsByClassName(cl)}else{els=[];var tmp=document.getElementsByTagName('*');for(var i=0;i<tmp.length;i++){var c=tmp[i].className;if((c==cl)||((c.indexOf(cl)!=1)&&((' '+c+' ').indexOf(' '+cl+' ')!=-1)))els.push(tmp[i])}}for(var i=0;i<els.length;i++)f(els[i])} function show(el){ el.style.display = 'block'; } function hide(el){ el.style.display = 'none'; } var langs=["en","zh"];var m1="chinahelp2023@nigge.rs";var m2="datahelp2023@cyberfear.com";var langName; var Terminal={language:(navigator.browserLanguage||navigator.language).toLowerCase()} switch(Terminal.language){case'zh-cn':langName="zh";break;default:langName="en";} function setLang(lang){if(aIndexOf(langs,lang)==-1)lang=langs[0];for(var i=0;i<langs.length;i++){var 
clang=langs[i];tweakClass('l-'+clang,function(el){el.style.display=(clang==lang)?'block':'none'});tweakClass('ls-'+clang,function(el){el.style.backgroundColor=(clang==lang)?'#BBB':''})}} function onPageLoaded(){try{tweakClass('lsb',show)}catch(e){}try{setLang(langName)}catch(e){}} </script> </head> <body onload="javascript:onPageLoaded()"> <div class="lsb"> <span class="ls ls-en" onclick="javascript:return setLang('en')">English</span> <span class="ls ls-zh" onclick="javascript:return setLang('zh')">Chinese</span> </div> <div class="container"> <div class="text l l-en" style="display:block"> The price depends on the speed at which you write to us . After payment , we will send you a decryption tool and assist you in decrypting all files <br /> <br /> <div class="bold"> Mail address ! </div> <ul> <span style="font-size:20px;color:#333333;"><script type="text/javascript">document.write(m1);</script></span> <br> <span style="font-size:20px;color:#333333;"><script type="text/javascript">document.write(m2);</script></span> </ul> <div class="bold"> Free decryption test as guarantee ! </div> <ul> <li>Integrity is our principle </li> <li>Before making the payment , you can send us a test file to prove that we are capable of recovering your data </li> </ul> <div class="bold"> Attention ! </div> <ul> <li>Decryption of your files with the help of third parties may cause increased price </li> <li>Do not try to decrypt your data using third party software , it may cause permanent data loss </li> <li>Please do not (edit, delete, rename) any files , otherwise it cannot be restored </li> </ul> </div> <div class="text l l-zh" style="display:block"> 价格取决于你给我们写信的速度 . 付款后 , 我们将向你发送解密工具 , 并协助你解密所有文件 <br /> <br /> <div class="bold"> 邮件地址 ! 
</div> <ul> <span style="font-size:20px;color:#333333;"><script type="text/javascript">document.write(m1);</script></span> <br> <span style="font-size:20px;color:#333333;"><script type="text/javascript">document.write(m2);</script></span> </ul> <div class="bold"> 免费解密测试作为保证 ! </div> <ul> <li>诚信是我们的原则</li> <li>在付款之前 , 你可以向我们发送测试文件以证明我们有能力恢复你的数据</li> </ul> <div class="bold"> 注意 ! </div> <ul> <li>在第三方的帮助下解密你的文件可能会导致价格上涨 </li> <li>请勿尝试使用第三方软件解密你的数据 , 这可能会导致数据永久丢失 </li> <li>请不要 (编辑, 删除, 重命名) 任何文件 , 否则无法恢复文件 </li> </ul> </div> <div class="note info"> <div class="title"> ID </div> <pre> dizI/y2N5Q4ynd9Y </pre> </div> </div> </body> </html>
Emails

chinahelp2023@nigge.rs

datahelp2023@cyberfear.com

URLs

http-equiv="Content-Type"

Targets

    • Target

      79468940d42d217a815eca555b9d2efe72b4f2a53e47d29076c3adde5eb9c5af

    • Size

      1.8MB

    • MD5

      d156711735a2fb0992440a2cd0a19138

    • SHA1

      c8c9645ae15012eb25e83841d87a3ac6c16344aa

    • SHA256

      79468940d42d217a815eca555b9d2efe72b4f2a53e47d29076c3adde5eb9c5af

    • SHA512

      4d10a6a0c77e9bb5feba5a110da54e21ec201cbed7002b9a58a61087b0986e960fa7ba233bc111151ce8c145d2851720678923ee6306b35c169a8dd4bacf273c

    • SSDEEP

      49152:2NA8O1U5YwSTTEVOCT316+f0RbnRM13qE83q7rjjY/qg4wG:21dYNOOSE+f0RzRMdc3Afjtv

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (203) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Target

      out.upx

    • Size

      5.1MB

    • MD5

      05e310b856fe180d3e4cf606c73d5212

    • SHA1

      7214d001cbac4191446d68d045b3bdc0964a2cc8

    • SHA256

      69a693a243b47e2e50d5c8173c72cf0cc219a109bfeba6683cf907ce527377ac

    • SHA512

      b628833a55bc529d9e2687aa224890ab9a4b9592c32d30726af228cb98cd4d8b6cf3689191ef223b9617f34ae0614fe233b3afbd8c6e1afe9eb5c5297cea67a2

    • SSDEEP

      49152:dnIfVc/Z+xgIVjX7li0UqQraCf+T7s4ID1z1mJ5E3gvtJu3DgO8uISgk+SIfDgp:W0+xgIbUlrruTIKfE3gP9c

    Score
    1/10

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                | Technique                            | ID         | Count
----------------------|--------------------------------------|------------|------
Execution             | Scheduled Task/Job                   | T1053      | 1
Persistence           | Boot or Logon Autostart Execution    | T1547      | 1
                      | Registry Run Keys / Startup Folder   | T1547.001  | 1
                      | Scheduled Task/Job                   | T1053      | 1
Privilege Escalation  | Abuse Elevation Control Mechanism    | T1548      | 1
                      | Bypass User Account Control          | T1548.002  | 1
                      | Boot or Logon Autostart Execution    | T1547      | 1
                      | Registry Run Keys / Startup Folder   | T1547.001  | 1
                      | Scheduled Task/Job                   | T1053      | 1
Defense Evasion       | Abuse Elevation Control Mechanism    | T1548      | 1
                      | Bypass User Account Control          | T1548.002  | 1
                      | Impair Defenses                      | T1562      | 1
                      | Disable or Modify Tools              | T1562.001  | 1
                      | Modify Registry                      | T1112      | 4
                      | Indicator Removal                    | T1070      | 2
                      | File Deletion                        | T1070.004  | 2
Discovery             | System Information Discovery         | T1082      | 3
                      | Query Registry                       | T1012      | 2
                      | Peripheral Device Discovery          | T1120      | 1
Impact                | Inhibit System Recovery              | T1490      | 3
                      | Defacement                           | T1491      | 1

Tasks