General

  • Target: 01648bd95ce5d66d76d5c292ce639f0b4371402f9730b5067804ff0d3389d3b8
  • Size: 148KB
  • Sample: 240418-17ffnshc9x
  • MD5: 8f44723c6243b90795c93b6653ba9735
  • SHA1: 34270e442f37cd46db49d6896a8f154980af855f
  • SHA256: 01648bd95ce5d66d76d5c292ce639f0b4371402f9730b5067804ff0d3389d3b8
  • SHA512: 116b564fbf858c41a257fd9166631c25c3d59f476220d02e11793cab6f6412d8caa819c7e56720c8f2248ee5315cbcc905d11667b209ee5e7b3e8fc5cbe25438
  • SSDEEP: 3072:+qJogYkcSNm9V7DcaDtRx+roDNO1NZiQtu6E+TbT:+q2kc4m9tDVt3+041NZXtu6Z

Malware Config

Extracted

Path

C:\i0BQZsoDj.README.txt

Ransom Note

Hi.
All your files are encrypted.
For decryption contact us on Session messenger.
You can get it from https://getsession.org
Our Session ID: 050877486f869a0ca3c28c831576801d63e522afba3adfe310c443f9e7da124001
[+] Do not rename encrypted files.
[+] Do not try to decrypt your data using third party software, it may cause permanent data loss.
[+] You have 72 hours to get the key.

URLs

https://getsession.org

Targets

    • Renames multiple (295) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion: Modify Registry, T1112 (1)
  • Credential Access: Unsecured Credentials, T1552 (1)
  • Credential Access: Credentials In Files, T1552.001 (1)
  • Discovery: System Information Discovery, T1082 (1)
  • Collection: Data from Local System, T1005 (1)
  • Impact: Defacement, T1491 (1)

Tasks