Resubmissions
27-05-2024 13:08
240527-qdam8aeg57 10Analysis
-
max time kernel
143s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
13-04-2024 16:00
Static task
static1
Behavioral task
behavioral1
Sample
a25097d2ae808df410c2f35d725a500fb680f38605e62c9e3b619e389ef6733f.exe
Resource
win7-20240319-en
Behavioral task
behavioral2
Sample
a25097d2ae808df410c2f35d725a500fb680f38605e62c9e3b619e389ef6733f.exe
Resource
win10v2004-20240226-en
General
-
Target
a25097d2ae808df410c2f35d725a500fb680f38605e62c9e3b619e389ef6733f.exe
-
Size
5.0MB
-
MD5
1410b418a078559581725d14fa389cdd
-
SHA1
081cd6c242d472db9148fd0ce33346f7a3e87ac2
-
SHA256
a25097d2ae808df410c2f35d725a500fb680f38605e62c9e3b619e389ef6733f
-
SHA512
4d7a06d34208b69a338cefeb3d676b37358c236e604926a351db50dfe27d24acab6ac186c3343611fde92dc45072e3e922883eafa863243a117fdf3b2ec48676
-
SSDEEP
49152:piU0bmF9imb6ApZ017p2fM0EBmYPhwOj45/oAsl11PO3gUJGzwryAFsF/s7u4CCT:pb5FcWg1kibj45QAusGzwryWS/s70CT
Malware Config
Extracted
agenda
- Username:
[email protected] - Password:
Chennai#$345
-
company_id
OKJRM-RKPy
-
note
-- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreement, your data will be published. Data includes: - Employees personal data, CVs, DL , SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials-- Credentials Extension: OKJRM-RKPy Domain: ftx4rx6n4wp6fu57awd5p52l2xbmtknea26dtuwr3dalrixfuytiluad.onion login: h1ykctMTqqda69-Kts9Oe-4C0FdDdT69 password:
Signatures
-
Agenda Ransomware
A ransomware with multiple variants written in Golang and Rust first seen in August 2022.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a25097d2ae808df410c2f35d725a500fb680f38605e62c9e3b619e389ef6733f.exe"C:\Users\Admin\AppData\Local\Temp\a25097d2ae808df410c2f35d725a500fb680f38605e62c9e3b619e389ef6733f.exe"1⤵PID:4596
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:81⤵PID:3552