General

  • Target

    307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.exe

  • Size

    23KB

  • Sample

    240126-mw3vyadbhk

  • MD5

    71d9e6ee26d46c4dbb3d8e6df19dda7d

  • SHA1

    a88176cdd3df153349104442eac4e2d1c416e457

  • SHA256

    ec09cfa4a79d709daed859d1a0e131aaa994f4a7b4bed80406125db76446fbda

  • SHA512

    d6a61d6d32bf636bec7948323a422116b359dadf78e55327633ad5c3de41e6c15dcadd27a8c53453ef14dd63184c22dee82420b99338f5cc7359e9f6ec50cca7

  • SSDEEP

    384:eebFNw4Pk1itKkpAjjI2Ypdm/nYi/8lhRea16Wv88oyLOixGqKWW0o:e0FmBkpKjPYpudR4v8x3iAE

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Ransom Note

All your important files were encrypted on this computer. You can verify this by click on see files an try open them. Encrtyption was produced using unique KEY generated for this computer. To decrypted files, you need to otbtain private key. The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet; The server will destroy the key within 24 hours after encryption completed. Payment have to be made in maxim 24 hours To retrieve the private key, you need to pay 3 BITCOINS Bitcoins have to be sent to this address: 1NJNG57hFPPcmSmFYbxKmL33uc5nLwYLCK After you've sent the payment send us an email to : [email protected] with subject : ERROR-ID-63100778(3BITCOINS) If you are not familiar with bitcoin you can buy it from here : SITE : www.localbitcoin.com After we confirm the payment , we send the private key so you can decrypt your system.

Wallets

1NJNG57hFPPcmSmFYbxKmL33uc5nLwYLCK
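The extracted note above carries the operator's indicators (ransom amount, wallet, deadline, mail subject used as a victim ID). As an added example, not part of the sandbox report, the Python below pulls those fields out of a constructed copy of the note with simple patterns and decodes the wallet as Base58Check, recovering the version byte and hash160 and checking the 4-byte checksum. The regexes and field names are this example's own choice; the note text is the page's copy, in which the contact e-mail is already redacted, so no e-mail is extracted. Python 3.8+ standard library only.

```python
import hashlib
import re

# Constructed copy of the extracted ransom note (HOW TO DECRYPT FILES.txt) as it
# appears on this page; the contact e-mail is already redacted in the page's copy.
RANSOM_NOTE = (
    "All your important files were encrypted on this computer. You can verify this "
    "by click on see files an try open them. Encrtyption was produced using unique "
    "KEY generated for this computer. To decrypted files, you need to otbtain private "
    "key. The single copy of the private key, with will allow you to decrypt the "
    "files, is locate on a secret server on the internet; The server will destroy "
    "the key within 24 hours after encryption completed. Payment have to be made in "
    "maxim 24 hours To retrieve the private key, you need to pay 3 BITCOINS Bitcoins "
    "have to be sent to this address: 1NJNG57hFPPcmSmFYbxKmL33uc5nLwYLCK After "
    "you've sent the payment send us an email to : [email protected] with subject : "
    "ERROR-ID-63100778(3BITCOINS) If you are not familiar with bitcoin you can buy it "
    "from here : SITE : www.localbitcoin.com After we confirm the payment , we send "
    "the private key so you can decrypt your system."
)

# Bitcoin Base58 alphabet: no 0, O, I or l, which is why the address regex below
# uses the same character class rather than a generic alphanumeric one.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def parse_ransom_note(text: str) -> dict:
    """Pull the operator-facing indicators out of a ransom note (patterns are this
    example's own, tuned to the wording of the note above)."""
    amount = re.search(r"\bpay\s+(\d+(?:\.\d+)?)\s+BITCOINS?\b", text, re.I)
    wallet = re.search(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b", text)
    subject = re.search(r"subject\s*:\s*(\S+)", text, re.I)
    deadline = re.search(r"\bwithin\s+(\d+)\s+hours\b", text, re.I)
    return {
        "btc_amount": amount.group(1) if amount else None,
        "wallet": wallet.group(0) if wallet else None,
        "subject": subject.group(1) if subject else None,       # doubles as victim ID
        "deadline_hours": int(deadline.group(1)) if deadline else None,
    }


def b58check_decode(addr: str):
    """Decode a Base58Check Bitcoin address into version, hash160 and checksum state.
    Returns None when the string is not a well-formed 25-byte address."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    # Each leading '1' in the text encodes one literal leading zero byte.
    pad = len(addr) - len(addr.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * pad + body
    if len(raw) != 25:
        return None
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return {
        "version": payload[0],          # 0x00 = P2PKH on mainnet
        "hash160": payload[1:].hex(),
        "checksum_ok": checksum == expected,
    }


if __name__ == "__main__":
    fields = parse_ransom_note(RANSOM_NOTE)
    print(fields)
    print(b58check_decode(fields["wallet"]))
```

The checksum result is worth keeping as a field rather than a hard failure: a transcription error in a note (or in a report that re-typed it) shows up as a bad checksum, which is a cue to re-check the indicator before it goes into a blocklist.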

Targets

    • Target

      307a61c288932ffeb7a25d667cf2911266c5379acfab20aa9a52c1aa1148d59b.exe

    • Size

      23KB

    • MD5

      71d9e6ee26d46c4dbb3d8e6df19dda7d

    • SHA1

      a88176cdd3df153349104442eac4e2d1c416e457

    • SHA256

      ec09cfa4a79d709daed859d1a0e131aaa994f4a7b4bed80406125db76446fbda

    • SHA512

      d6a61d6d32bf636bec7948323a422116b359dadf78e55327633ad5c3de41e6c15dcadd27a8c53453ef14dd63184c22dee82420b99338f5cc7359e9f6ec50cca7

    • SSDEEP

      384:eebFNw4Pk1itKkpAjjI2Ypdm/nYi/8lhRea16Wv88oyLOixGqKWW0o:e0FmBkpKjPYpudR4v8x3iAE

    • Renames multiple (11497) files with added filename extension

      This is consistent with ransomware encrypting files across the system; the appended extension marks each file that has been processed.

    • Drops file in Drivers directory

    • Modifies Installed Components in the registry

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history. For a sample that renames thousands of files, this may simply reflect the encryptor walking the browser profile directory rather than deliberate credential theft.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes. Windows 7 and later no longer execute autorun.inf from USB and other non-optical removable media by default, so this mainly affects legacy hosts and hosts where AutoRun has been re-enabled.

    • Drops file in System32 directory
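The signature names above are what the sandbox derived from the run. As an added example that is not the sandbox's own logic, the Python below shows one way to reach the same signature names from a raw file/registry event stream: renames are only counted when the new name is the old name plus one appended extension, and a hit fires only past a threshold, so ordinary renames do not trigger it. The event stream is constructed for the example (150 document renames gaining a hypothetical ".locked" extension, a benign rename, an autorun.inf drop, a desktop.ini drop, a hypothetical driver file, and a Run value); none of these names come from the sample. Python 3.7+ standard library only.

```python
from collections import Counter
from dataclasses import dataclass
import ntpath  # Windows path handling regardless of the analysis host's OS


@dataclass
class Event:
    kind: str            # "rename" | "create" | "regset"
    path: str            # file path, or registry value path for "regset"
    new_path: str = ""   # target of a rename


def added_extension(old: str, new: str):
    """Return the extension appended to `old` to form `new`, else None.
    'x.docx' -> 'x.docx.locked' yields 'locked'; 'x.docx' -> 'y.docx' yields None."""
    if len(new) <= len(old) or not new.lower().startswith(old.lower()):
        return None
    suffix = new[len(old):]
    if not suffix.startswith(".") or len(suffix) < 2 or "\\" in suffix or "/" in suffix:
        return None
    return suffix[1:]


def triage(events, rename_threshold=100):
    """Map raw events to the signature names used in the report above."""
    hits = set()
    ext_counts = Counter()
    for ev in events:
        if ev.kind == "rename":
            ext = added_extension(ev.path, ev.new_path)
            if ext:
                ext_counts[ext.lower()] += 1
        elif ev.kind == "create":
            low = ev.path.lower()
            name = ntpath.basename(low)
            if name == "autorun.inf":
                hits.add("Drops autorun.inf file")
            if name == "desktop.ini":
                hits.add("Drops desktop.ini file(s)")
            if "\\windows\\system32\\" in low:
                hits.add("Drops file in System32 directory")
            if "\\system32\\drivers\\" in low:   # Drivers sits under System32, so both fire
                hits.add("Drops file in Drivers directory")
        elif ev.kind == "regset":
            if "\\currentversion\\run\\" in ev.path.lower():
                hits.add("Adds Run key to start application")
    # Many files gaining the same appended extension is the ransomware tell;
    # a handful of renames is normal user or application activity.
    total = sum(n for n in ext_counts.values() if n >= rename_threshold)
    if total:
        hits.add(f"Renames multiple ({total}) files with added filename extension")
    return sorted(hits)


def sample_events():
    """Constructed event stream for the example; the '.locked' extension, the
    driver name and the Run value name are hypothetical, not from the sample."""
    evs = [
        Event("rename", f"C:\\Users\\victim\\Documents\\report{i}.docx",
              f"C:\\Users\\victim\\Documents\\report{i}.docx.locked")
        for i in range(150)
    ]
    evs += [
        Event("rename", "C:\\Users\\victim\\draft.txt", "C:\\Users\\victim\\final.txt"),
        Event("create", "E:\\autorun.inf"),
        Event("create", "C:\\Users\\victim\\Documents\\desktop.ini"),
        Event("create", "C:\\Windows\\System32\\drivers\\example.sys"),
        Event("regset", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
    ]
    return evs


if __name__ == "__main__":
    for hit in triage(sample_events()):
        print(hit)
```

The threshold is the tunable that matters: set it from the baseline rename rate of the host class you monitor, and keep the per-extension grouping, since a mass rename that appends one extension is far more specific than a raw rename count.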
