General
-
Target
220629-p7hp9ahfel
-
Size
7.7MB
-
Sample
240320-l27kmseb32
-
MD5
a7ab0969bf6641cd0c7228ae95f6d217
-
SHA1
002971b6d178698bf7930b5b89c201750d80a07e
-
SHA256
117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464
-
SHA512
7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a
-
SSDEEP
49152:mwHittZSrb/TjvO90dL3BmAFd4A64nsfJTGNHltPgQjre0Q2hEsj2kcR9RsU/2LU:mwUs3dfC2at9kDXdmG55wuzZqGdE
Behavioral task
behavioral1
Sample
220629-p7hp9ahfel.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
220629-p7hp9ahfel.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
agenda
-
company_id
OnHnnBvUej
-
note
-- Agenda Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreementyour data will be published. Data includes: - Employees personal dataCVsDLSSN. - Complete network map including credentials for local and remote services. - Financial information including clients databillsbudgetsannual reportsbank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials -- Credentials Extension: OnHnnBvUej Domain: login: bd61eb78-64a3-4ee0-9a8e-543b8bc12b5e password: 14158620-fb98-4889-87cb-f5251368fc21
Extracted
C:\$Recycle.Bin\OnHnnBvUej-RECOVER-README.txt
agenda
Targets
-
-
Target
220629-p7hp9ahfel
-
Size
7.7MB
-
MD5
a7ab0969bf6641cd0c7228ae95f6d217
-
SHA1
002971b6d178698bf7930b5b89c201750d80a07e
-
SHA256
117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464
-
SHA512
7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a
-
SSDEEP
49152:mwHittZSrb/TjvO90dL3BmAFd4A64nsfJTGNHltPgQjre0Q2hEsj2kcR9RsU/2LU:mwUs3dfC2at9kDXdmG55wuzZqGdE
Score10/10-
Agenda Ransomware
A ransomware with multiple variants written in Golang and Rust first seen in August 2022.
-
Detects command variations typically used by ransomware
-
Detects executables containing many references to VEEAM. Observed in ransomware
-
Detects executables referencing many IR and analysis tools
-
Renames multiple (158) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-