General

  • Target

    2024-02-24_2c93d9140330805fa14abc112bcc7a17_darkside

  • Size

    146KB

  • Sample

    240224-e5lzsahc46

  • MD5

    2c93d9140330805fa14abc112bcc7a17

  • SHA1

    e1f42c206416534b541ab35258798dd4abfae3c8

  • SHA256

    8b6946cca11e9507df8234e0c68567f19a893c3f08b1d384b88808846d67d7eb

  • SHA512

    558900cdcd5250a945f3c1cb9bc7aec547213c092535674fc975cda840d4f5d6fb994f8690f065b3caee14f9ca016a129b5b43db035a27ad066fd6adbeaad74c

  • SSDEEP

    3072:Y6glyuxE4GsUPnliByocWepgzJ3+Kz7djMuMFV+:Y6gDBGpvEByocWe2J3+KzxjMJFE

Malware Config

Extracted

Path

C:\gXokUr0LJ.README.txt

Ransom Note
--- Hotline Miami Ransomware--- --> We have stolen and encrypted all your data. --> WARNING ! myadmin:cykaC0caB12 Do not attempt to delete or modify ANY files. Do not ask a company to retreive your data. If you do so, it will lead to recovery issues and we won't be able to do anything. --> This is your personal DECRYPTION ID: 274077C819D4DBB747AB6EFDB4E902DE --> Please contact us with your decryption id on : [email protected] If you don't get any response in a long time, please reach us on : [email protected] --> Why we wont deceive you We don't want anything else than your money. If you pay us, you will receive the decryption tools and we will delete all your stolen data. If we do not send you the tools or do not delete your stolen data after payement, no one will pay us. Our reputation is a key point. --> WARNING! We will attack your company again if you do not pay the ransom !

Extracted

Path

C:\gXokUr0LJ.README.txt

Ransom Note
--- Hotline Miami Ransomware--- --> We have stolen and encrypted all your data. --> WARNING ! myadmin:cykaC0caB12 Do not attempt to delete or modify ANY files. Do not ask a company to retreive your data. If you do so, it will lead to recovery issues and we won't be able to do anything. --> This is your personal DECRYPTION ID: 274077C819D4DBB7243F7DE2FA628008 --> Please contact us with your decryption id on : [email protected] If you don't get any response in a long time, please reach us on : [email protected] --> Why we wont deceive you We don't want anything else than your money. If you pay us, you will receive the decryption tools and we will delete all your stolen data. If we do not send you the tools or do not delete your stolen data after payement, no one will pay us. Our reputation is a key point. --> WARNING! We will attack your company again if you do not pay the ransom !

Targets

    • Target

      2024-02-24_2c93d9140330805fa14abc112bcc7a17_darkside

    • Size

      146KB

    • MD5

      2c93d9140330805fa14abc112bcc7a17

    • SHA1

      e1f42c206416534b541ab35258798dd4abfae3c8

    • SHA256

      8b6946cca11e9507df8234e0c68567f19a893c3f08b1d384b88808846d67d7eb

    • SHA512

      558900cdcd5250a945f3c1cb9bc7aec547213c092535674fc975cda840d4f5d6fb994f8690f065b3caee14f9ca016a129b5b43db035a27ad066fd6adbeaad74c

    • SSDEEP

      3072:Y6glyuxE4GsUPnliByocWepgzJ3+Kz7djMuMFV+:Y6gDBGpvEByocWe2J3+KzxjMJFE

    • Renames multiple (333) files with added filename extension

      A new extension appended to hundreds of files in a single run is the characteristic footprint of ransomware encrypting the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and session cookies.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calling NtSetInformationThread with the ThreadHideFromDebugger information class hides the thread from an attached debugger, a common anti-analysis technique.
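Several of the signatures above (mass rename with an added extension, ransom note dropped at the drive root, wallpaper set through the registry, country-code lookup) are straightforward to reproduce as host-telemetry detections. The script below is an added example, not part of the sandbox report or of any product's rule set. Its input is constructed telemetry in a vendor-neutral shape (not Sysmon's or any EDR's schema); the `.locked` extension, the file paths and the rename threshold are assumptions made for the example (the report says only that 333 files gained an extension, not which one), and the `Control Panel\International\Geo\Nation` value is one registry location for the configured country, not a statement of which value this sample reads.

```python
import re
from collections import defaultdict
from typing import Dict, List


def _ev(op: str, pid: int, image: str, **fields) -> Dict:
    """Constructed telemetry record. op: rename (src->dst), create (path),
    regset / regread (key, value)."""
    return {"op": op, "pid": pid, "image": image, **fields}


SAMPLE_EXE = r"C:\Users\alice\Downloads\sample.exe"  # constructed path for the analysed binary

SAMPLE_EVENTS: List[Dict] = [
    # 25 documents renamed by appending ".locked" (constructed extension).
    _ev("rename", 4120, SAMPLE_EXE,
        src=rf"C:\Users\alice\Documents\report{i}.docx",
        dst=rf"C:\Users\alice\Documents\report{i}.docx.locked")
    for i in range(25)
] + [
    # Ransom note at the drive root, matching the report's extracted config path.
    _ev("create", 4120, SAMPLE_EXE, path=r"C:\gXokUr0LJ.README.txt"),
    # "Sets desktop wallpaper using registry".
    _ev("regset", 4120, SAMPLE_EXE, key=r"HKCU\Control Panel\Desktop",
        value="Wallpaper", data=r"C:\ProgramData\wall.bmp"),
    # "Checks computer location settings" (assumed registry location, see lead-in).
    _ev("regread", 4120, SAMPLE_EXE, key=r"HKCU\Control Panel\International\Geo",
        value="Nation"),
    # Benign single rename by explorer: same event type, must not fire.
    _ev("rename", 900, r"C:\Windows\explorer.exe",
        src=r"C:\Users\alice\Desktop\notes.txt",
        dst=r"C:\Users\alice\Desktop\notes-old.txt"),
]

# "<drive>:\<name>.README.txt" directly under the drive root.
RANSOM_NOTE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.README\.txt$", re.IGNORECASE)


def analyze(events: List[Dict], rename_threshold: int = 20) -> List[Dict]:
    """Run the four detections over a list of telemetry records and return findings."""
    findings: List[Dict] = []
    per_proc_ext: Dict[int, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    image_of: Dict[int, str] = {}

    for e in events:
        image_of[e["pid"]] = e["image"]
        if e["op"] == "rename":
            src, dst = e["src"], e["dst"]
            # "Added filename extension": new name is the old name plus ".<ext>",
            # with no directory component in the added part.
            if dst.startswith(src + ".") and "\\" not in dst[len(src):]:
                per_proc_ext[e["pid"]][dst[len(src):]] += 1
        elif e["op"] == "create" and RANSOM_NOTE_RE.match(e["path"]):
            findings.append({"rule": "ransom_note_drop", "pid": e["pid"],
                             "image": e["image"], "path": e["path"]})
        elif (e["op"] == "regset"
              and e["key"].lower().endswith(r"control panel\desktop")
              and e["value"].lower() == "wallpaper"):
            findings.append({"rule": "wallpaper_set_via_registry", "pid": e["pid"],
                             "image": e["image"], "data": e.get("data")})
        elif (e["op"] == "regread"
              and e["key"].lower().endswith(r"control panel\international\geo")):
            findings.append({"rule": "locale_geo_lookup", "pid": e["pid"],
                             "image": e["image"], "value": e["value"]})

    # Mass rename: one process appending the same extension to many files.
    for pid, exts in per_proc_ext.items():
        for ext, count in exts.items():
            if count >= rename_threshold:
                findings.append({"rule": "mass_rename_added_extension", "pid": pid,
                                 "image": image_of[pid], "extension": ext, "count": count})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

The rename rule keys on the extension being appended to the full original name rather than replacing it, which is what the sandbox signature is describing; a threshold of 20 is low enough to catch a run early and high enough to ignore a user renaming a handful of files. The other three rules fire on a single event each and are best used as corroboration for the rename rule rather than on their own.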

MITRE ATT&CK Enterprise v15

Tasks