79468940d42d217a815eca555b9d2efe72b4f2a53e47d29076c3adde5eb9c5af

General

Target

Nicht bestätigt 829106.crdownload
Size

1.8MB
Sample

240125-mjd12sdgh4
MD5

d156711735a2fb0992440a2cd0a19138
SHA1

c8c9645ae15012eb25e83841d87a3ac6c16344aa
SHA256

79468940d42d217a815eca555b9d2efe72b4f2a53e47d29076c3adde5eb9c5af
SHA512

4d10a6a0c77e9bb5feba5a110da54e21ec201cbed7002b9a58a61087b0986e960fa7ba233bc111151ce8c145d2851720678923ee6306b35c169a8dd4bacf273c
SSDEEP

49152:2NA8O1U5YwSTTEVOCT316+f0RbnRM13qE83q7rjjY/qg4wG:21dYNOOSE+f0RzRMdc3Afjtv

Score

10^/10

Malware Config

Extracted

Path

C:\PerfLogs\lockxx.recovery_data.hta

Ransom Note

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>How_To_Decrypt_My_File_</title> <style type="text/css"> body{font:15px Tahoma,sans-serif;margin:10px;line-height:25px;background:#EDEDED;}.bold{font-weight:bold;font-size:15px;color:#E53333;}.mark{background:#D0D0E8;padding:2px 5px;}.info{background:#D0D0E8;border-left:10px solid #00008B;}.note{height:auto;padding-bottom:1px;margin:15px 0;}.note .title{font-weight:bold;text-indent:10px;height:30px;line-height:30px;padding-top:10px;}.note .mark{background:#A2A2B5;}.note ul{margin-top:0;}.note pre{margin-left:15px;line-height:13px;font-size:13px;}}.lsb{display:none;margin:15px;text-align:center;}.ls{border:1px solid #888;border-radius:3px;padding:0 0.5em;margin:1em 0.1em;line-height:2em;display:inline-block;} </style> <script language="javascript"> function aIndexOf(arr,v){for(var i=0;i<arr.length;i++)if(arr[i]==v)return i;return-1} function tweakClass(cl,f){var els;if(document.getElementByClassName!=null){els=document.getElementsByClassName(cl)}else{els=[];var tmp=document.getElementsByTagName('*');for(var i=0;i<tmp.length;i++){var c=tmp[i].className;if((c==cl)||((c.indexOf(cl)!=1)&&((' '+c+' ').indexOf(' '+cl+' ')!=-1)))els.push(tmp[i])}}for(var i=0;i<els.length;i++)f(els[i])} function show(el){ el.style.display = 'block'; } function hide(el){ el.style.display = 'none'; } var langs=["en","zh"];var m1="[email protected]";var m2="[email protected]";var langName; var Terminal={language:(navigator.browserLanguage||navigator.language).toLowerCase()} switch(Terminal.language){case'zh-cn':langName="zh";break;default:langName="en";} function setLang(lang){if(aIndexOf(langs,lang)==-1)lang=langs[0];for(var i=0;i<langs.length;i++){var clang=langs[i];tweakClass('l-'+clang,function(el){el.style.display=(clang==lang)?'block':'none'});tweakClass('ls-'+clang,function(el){el.style.backgroundColor=(clang==lang)?'#BBB':''})}} function onPageLoaded(){try{tweakClass('lsb',show)}catch(e){}try{setLang(langName)}catch(e){}} </script> </head> <body onload="javascript:onPageLoaded()"> <div class="lsb"> <span class="ls ls-en" onclick="javascript:return setLang('en')">English</span> <span class="ls ls-zh" onclick="javascript:return setLang('zh')">Chinese</span> </div> <div class="container"> <div class="text l l-en" style="display:block"> The price depends on the speed at which you write to us . After payment , we will send you a decryption tool and assist you in decrypting all files <br /> <br /> <div class="bold"> Mail address ! </div> <ul> <span style="font-size:20px;color:#333333;"><script type="text/javascript">document.write(m1);</script></span> <br> <span style="font-size:20px;color:#333333;"><script type="text/javascript">document.write(m2);</script></span> </ul> <div class="bold"> Free decryption test as guarantee ! </div> <ul> <li>Integrity is our principle </li> <li>Before making the payment , you can send us a test file to prove that we are capable of recovering your data </li> </ul> <div class="bold"> Attention ! </div> <ul> <li>Decryption of your files with the help of third parties may cause increased price </li> <li>Do not try to decrypt your data using third party software , it may cause permanent data loss </li> <li>Please do not (edit, delete, rename) any files , otherwise it cannot be restored </li> </ul> </div> <div class="text l l-zh" style="display:block"> 价格取决于你给我们写信的速度 . 付款后 , 我们将向你发送解密工具 , 并协助你解密所有文件 <br /> <br /> <div class="bold"> 邮件地址 ! </div> <ul> <span style="font-size:20px;color:#333333;"><script type="text/javascript">document.write(m1);</script></span> <br> <span style="font-size:20px;color:#333333;"><script type="text/javascript">document.write(m2);</script></span> </ul> <div class="bold"> 免费解密测试作为保证 ! </div> <ul> <li>诚信是我们的原则</li> <li>在付款之前 , 你可以向我们发送测试文件以证明我们有能力恢复你的数据</li> </ul> <div class="bold"> 注意 ! </div> <ul> <li>在第三方的帮助下解密你的文件可能会导致价格上涨 </li> <li>请勿尝试使用第三方软件解密你的数据 , 这可能会导致数据永久丢失 </li> <li>请不要 (编辑, 删除, 重命名) 任何文件 , 否则无法恢复文件 </li> </ul> </div> <div class="note info"> <div class="title"> ID </div> <pre> dizI/y2N5Q4ynd9Y </pre> </div> </div> </body> </html>

Sharing

General

Malware Config

Extracted

Targets

UAC bypass

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (207) files with added filename extension

Deletes itself

UPX packed file

Adds Run key to start application

Checks whether UAC is enabled

Drops desktop.ini file(s)

Enumerates connected drives

Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4