Overview

overview

10

Static

static

1

ab337d28b4...8b.exe

windows7-x64

10

ab337d28b4...8b.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ab337d28b494a966f107fc428d71f78b

  • Size

    1.8MB

  • Sample

    240228-g1jpzadb31

  • MD5

    ab337d28b494a966f107fc428d71f78b

  • SHA1

    5c77dc1f673fbfb9d45de2a63aa16616f80b7a12

  • SHA256

    647f46899b472f8a3ce181bd07ab2219a56e965bf4e24a0b489edb2bc5c8aa8d

  • SHA512

    98ea77a94465780030eb05189ff9061790e438732b2b1245559c5ea0ad1c91f5c1458cf14d50f05c6ef4e97f3e1ab0a6c73109980644cd7ea9ae9a1555eec71a

  • SSDEEP

    6144:Hrn8am/jie/+9h4/cdIG4Uues+f5PfZlfTBoIbY5RUvNjC4LBtJrJyCjSJlIyfh+:Hr

Score
10/10
crylockpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\how_to_decrypt.hta

Ransom Note
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <title>CryLock</title> <hta:application showInTaskBar="no" APPLICATION="yes" ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no" applicationname="CryLock" border="thick" contexmenu="no" scroll="no" selection="yes" singleinstance="yes" windowstate="normal" MAXIMIZEBUTTON="NO" BORDER="DIALOG" width="100" height="100" MINIMIZEBUTTON="NO"></hta:application> <script language="JavaScript"> var ud=0; var op=0xc7bf30; var zoc=0; function document.onkeydown() { var alt=window.event.altKey; if (event.keyCode==116 || event.keyCode==27 || alt && event.keyCode==115) { event.keyCode=0; event.cancelBubble=true; return false; } } function document.onblur() { alert('Attention! This important information for you!'); } function ChangeTime() { var sd = new Date('March 1 2024 06:16:24'); var dn = new Date(); if (sd.getTime()<dn.getTime()) { var dt=document.getElementById('pwr'); dt.innerHTML='<font color="red" size="5"><b>Price is raised!</b></font>'; dt.style.height=78; zoc=1; } else { var delta=sd.getTime()-dn.getTime(); delta=new Date(delta); var dd=(delta.getUTCDate()-1)+((delta.getUTCMonth())*31); var hh=delta.getUTCHours(); var mm=delta.getUTCMinutes(); var ss=delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt=document.getElementById('dt'); dt.innerHTML='<font face="monospace" color="#c2c2c2" size="4"><b>'+dd+' '+hh+':'+mm+':'+ss+'</b></font>'; } var sd = new Date('March 2 2024 06:16:24'); dn = new Date(); if (sd.getTime()<dn.getTime()) { var dt=document.getElementById('lctw'); dt.innerHTML='<font color="red" size="5"><b>Last chance to decrypt your files!</b></font>'; zoc=2; } else { var delta=sd.getTime()-dn.getTime(); delta=new Date(delta); var dd=(delta.getUTCDate()-1)+((delta.getUTCMonth())*31); var hh=delta.getUTCHours(); var mm=delta.getUTCMinutes(); var ss=delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt=document.getElementById('et'); dt.innerHTML='<font face="monospace" color="#c2c2c2" size="4"><b>'+dd+' '+hh+':'+mm+':'+ss+'</b></font>'; } } function getRandomArbitrary(min, max) { min = Math.ceil(min); max = Math.floor(max); return Math.floor(Math.random() * (max - min)) + min; } function Rndom() { document.getElementById("blumid").focus(); var bid=document.getElementById('blumid'); var bem=document.getElementById('blummail'); if (ud==0) { op=op-0x10; } else { op=op+0x10; } if (op<=0xc00000) { ud=1; } if (op>=0xc7bf30) { ud=0; } bid.style.backgroundColor=op; bem.style.backgroundColor=op; var xx=''; var i=0; while (i<19) { xx=xx+getRandomArbitrary(0,2); i=i+1; } if (zoc==0) { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="white" size="5"><b>'+xx+'</b></font>'; } else { if (zoc==1) { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="red" size="5"><b>Price is raised!</b></font>'; } else { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="red" size="4"><b>Price is raised!<br>Last chance to decrypt your files!</b></font>'; } } } function Start() { window.resizeTo(800,500) setInterval(ChangeTime,1000); setInterval(Rndom,100); } function copytext(s) { window.clipboardData.setData("Text",s); alert(s+' copied to clipboard'); } function Restart() { alert('Attention! This important information for you!'); } </script> <body style="background-color:#0066CC;" OnLoad="Start()"> <div id="pwr" align="center" style="position:absolute; top:10px; left:10px; width:20%; border: 2px solid #c2c2c2;"> <font color="#c7bf30"><b>Payment will be raised after</b></font> <br> <div id="dt"> <font face="monospace" color="#c2c2c2" size="4">-- days --:--:--</font> </div> </div> <div align="center" style="position:absolute; top:10px; left:170px; width:58%;"> <font face="monospace" color="white" size="4"><b>Your files have been encrypted...</b></font> </div> <div align="center" style="position:absolute; top:60px; left:170px; width:58%;"> <div id="rc"> <font face="monospace" color="white" size="5"><b>00000000000000000000</b></font> </div> </div> <div id="lctw" align="center" style="position:absolute; top:10px; left:620px; width:20%; border: 2px solid #c2c2c2;"> <font color="#c7bf30"><b>Your files will be lost after</b></font> <br> <div id="et"> <font face="monospace" color="#c2c2c2" size="4">-- days --:--:--</font> </div> </div> <div style="background-color:white;overflow-x:hide; overflow-y:scroll; position:absolute; top:100px; left:10px; width:768px; height:320px"> <b>What happened?</b><br> All your documents, databases, backups and other important files have been encrypted due to a security problem with your PC. The only way to recover files is to purchase a unique private decryption key. If you want to recover files, write to us by e-mail: <b>[email protected]</b> with the following details: <ul> <li>External IP</li> <li>You unique ID <font face="monospace" OnClick="copytext('[5FEF09AB-E822B099]')"><b>[5FEF09AB-E822B099] <font size="2">[copy]</font></b></font></li> </ul> The price depends on how fast you write to us, on timers you can see how many time do you have before price increasing. After payment we will send you the tool that will decrypt all your files. In case of no answer in 24 hours write us to this e-mail: <font face="monospace" OnClick="copytext('[email protected]')"><b>[email protected] <font size="2">[copy]</font></b></font><br> <br> <b>Any guarantees?</b><br> Before paying you can send us up to 3 files for free decryption. The total size of files must be less than <i><u>5Mb</u></i> (<i><u>non archived</u></i>), and files should not contain valuable information. (<u><i>databases, backups, large excel sheets, etc.</i></u>)<br> <br> <b><font color="red">Attention!</font></b><br> <ul> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. </li> <li>Use trusted email clients (gmail.com, protonmail.com, aol.com, etc.) for communication; sometimes your letters do not reach us from corporate letters. </li> <li>Communication with us lasts 2-4 weeks, then we block mail for communication </li> </ul> </div> <div title="Click to copy" OnClick="copytext('[5FEF09AB-E822B099]')" id="blumid" style="cursor:pointer;background-color:#c7bf30; position:absolute; top:430px; left:10px; width:380px; height:20px"> <b>Your ID [5FEF09AB-E822B099] <font size="2">[copy]</font></b> </div> <div title="Click to copy" OnClick="copytext('[email protected]')" id="blummail" style="cursor:pointer;background-color:#c7bf30; position:absolute; top:430px; left:400px; width:380px; height:20px"> <b>Write to [email protected] <font size="2">[copy]</font></b> </div> </body> </html>
Emails

<b>[email protected]</b>

OnClick="copytext('[email protected]')"><b>[email protected]

OnClick="copytext('[email protected]')"

[email protected]

Targets

    • Target

      ab337d28b494a966f107fc428d71f78b

    • Size

      1.8MB

    • MD5

      ab337d28b494a966f107fc428d71f78b

    • SHA1

      5c77dc1f673fbfb9d45de2a63aa16616f80b7a12

    • SHA256

      647f46899b472f8a3ce181bd07ab2219a56e965bf4e24a0b489edb2bc5c8aa8d

    • SHA512

      98ea77a94465780030eb05189ff9061790e438732b2b1245559c5ea0ad1c91f5c1458cf14d50f05c6ef4e97f3e1ab0a6c73109980644cd7ea9ae9a1555eec71a

    • SSDEEP

      6144:Hrn8am/jie/+9h4/cdIG4Uues+f5PfZlfTBoIbY5RUvNjC4LBtJrJyCjSJlIyfh+:Hr

    Score
    10/10
    crylockpersistenceransomwarespywarestealer

    • Crylock

      Ransomware family, which is a new variant of Cryakl ransomware.

      ransomwarecrylock

    • Renames multiple (619) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks