General

  • Target

    MalwareCollection-master.zip

  • Size

    57.3MB

  • Sample

    240224-nle7kaac64

  • MD5

    b59aed5137772e644e29ad334dba17e0

  • SHA1

    a2e545bbe058bddee0f7af68e21c3471d4abc3ab

  • SHA256

    c6a916c33096cd488ca57c28863c433cf5279128aa50ea156761bab6444f4937

  • SHA512

    daaa8ff6ddb53cb2c3c0218f73be43807982b13f0b5893a322bdd719e0f208b7b98586d0516b04e2e0f36c7dea45dde3fa8423c421f7d82cb9dbb14e3cede525

  • SSDEEP

    1572864:9j/A/cygNPTitKk8Gq4+/34speZ0jqmhkv71Cg8a6Egs5:Z/ZygNPTitKkRqh/34sprj3q1C31Egs5

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message E56F723E In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 4D0CCC78 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      Ransomware.7ev3n.exe

    • Size

      315KB

    • MD5

      9f8bc96c96d43ecb69f883388d228754

    • SHA1

      61ed25a706afa2f6684bb4d64f69c5fb29d20953

    • SHA256

      7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5

    • SHA512

      550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

    • SSDEEP

      6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv

    • Target

      Ransomware.BadRabbit.exe

    • Size

      431KB

    • MD5

      fbbdc39af1139aebba4da004475e8839

    • SHA1

      de5c8d858e6e41da715dca1c019df0bfb92d32c0

    • SHA256

      630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

    • SHA512

      74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

    • SSDEEP

      12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • mimikatz is an open source tool to dump credentials on Windows

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      Ransomware.CoronaVirus.exe

    • Size

      1.0MB

    • MD5

      055d1462f66a350d9886542d4d79bc2b

    • SHA1

      f1086d2f667d807dbb1aa362a7a809ea119f2565

    • SHA256

      dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

    • SHA512

      2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

    • SSDEEP

      24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (312) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Target

      Ransomware.CryptoLocker.exe

    • Size

      338KB

    • MD5

      04fb36199787f2e3e2135611a38321eb

    • SHA1

      65559245709fe98052eb284577f1fd61c01ad20d

    • SHA256

      d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

    • SHA512

      533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

    • SSDEEP

      6144:sWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvC:sWkEuCaNT85I2vCMX5l+ZRv

    • CryptoLocker

      Ransomware family with multiple variants.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      MalwareCollection-master/Ransomware/Ransomware.NoMoreRansom.zip

    • Size

      916KB

    • MD5

      032f198b7b5d9553ba2e7bf34d9f33c0

    • SHA1

      23bb43f6991b59516b20ed7d07cc55879a9192f2

    • SHA256

      a1a0c26a3976bd07fae54519d2ca62818987ddcb7ae8dd44cebc710c1928548b

    • SHA512

      92f9f0dfce9b48602d87d86d6e73f308573168a01e851982d1a0a0baa76568495b5815a3ed11928463db5f5aa8b6d0b685968588eb75ef9624ae5b9355922788

    • SSDEEP

      24576:whK+SCleARYrlhgOZiapPMOiwtCd8BvABnU0FJtjVcW7:whVSCRAhgMia+OFnFAVtpZ7

    Score
    1/10
    • Target

      MalwareCollection-master/Ransomware/Ransomware.WannaCrypt0r.v1.zip

    • Size

      191KB

    • MD5

      04d2762c440097c67cef47fcba96ce3c

    • SHA1

      6ecf78935809ea1699a9dd075b489ef27bd00c02

    • SHA256

      593a4b3fb31a25c433f4c04fe6a9bdacfc30771ac41e3f394b81b0a13f6e5df8

    • SHA512

      c00118b7fb2ef8c386c49cb95fc0e0e9d39d90eb9b1cdd10145ce2bc5d99bb6361daf90b9b5e5de42464583c9ee864b29de5d87aaeb8f82f610342fc6fd13bfd

    • SSDEEP

      3072:kNmj7C7mm4HynVpIDTLjbMQ40rDi9Lpnrq3TrWmb/wnLCJuPCx:MmjO7hNnLIvnb2qiJpn23TrWmDwnLCJT

    Score
    1/10
    • Target

      MalwareCollection-master/Trojan/Trojan.000.zip

    • Size

      121KB

    • MD5

      ea01841aaa16d6c7d6d6d8c4d94d1278

    • SHA1

      fb6662262d0b18278ba111fdb65e1208793444a5

    • SHA256

      697e2609b2430c8f5a2421a8ff86926bb2bc1dfa9fc67aebf58152102ad02b13

    • SHA512

      b11807f1f52264e4e0c5653f7350c3d50a5e4350b92e23f6c4e3bb26edebe79502f0710058c27ba892c0436868004cba29f6e93344fdc23b1db3b9852d69454a

    • SSDEEP

      3072:vbGHZNTKIVLS8c++PpUKhcLY7U/RWN1lz62h/lTwJcZK:vIZhKI88yPjhWIU81llTwJcY

    Score
    1/10
    • Target

      MalwareCollection-master/Trojan/Trojan.MEMZ-4.0.zip

    • Size

      8KB

    • MD5

      6d1c6d848c80c62c8886f3f4a05d9e16

    • SHA1

      cd815164b65537f8134b389ea8698591b5f92043

    • SHA256

      d6eb28f01b2d59777c30d37b851c095ce73c7fca0523805b7c1e6ad687d41d89

    • SHA512

      39dcfd16526e4a9f395a151a277deccee62f46a4e0380adebaa3556e7e6b73ee6a197b32db1b70ec0c1dc6e766e82115e8bce088ce3ba48ca0e9d790b4b20eb2

    • SSDEEP

      192:XIpLlKueTbS91NnmDPYG9Yuq/XmONuwsBThAb4WULr1ZyZdyg:0LlKPSYTYWLqruphAdULTqdV

    Score
    1/10
    • Target

      MalwareCollection-master/Worm/Email-Worm/Email-Worm.Mylife.A.zip

    • Size

      21KB

    • MD5

      16ede8d6dc128db98c80d0291644ec28

    • SHA1

      ee06a26bdf7084ab6fe987af6e6c9bfafd4fcc09

    • SHA256

      ee963ace2c315a3a6323a22e1eaf7e6b80bfcaf8f1f0080d9f0b1cd25ce4eff6

    • SHA512

      32aeb31ba894b7a6bbb6299b590be98c08bb407d7585459bc62f3d453fa77ea3cb0aa8263bd75fde91c605718fa33a6eae3f4bb3f2b7d98ae64b44322a8c7cb2

    • SSDEEP

      384:h1GVZNKbSIBbRlWotth9IL13lAdZQzCuV85zKTtfzHLZKsMTfoihPL9OsU:KZNKeIBbRI/3lAdwp85zWHlKNzo8rU

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks