General

  • Target

    7f64cb7e7ebfefa6d1376bcfc5b2a8fdded19aff482f3cdb766f27923a5a3bbc

  • Size

    6KB

  • Sample

    240419-wy9kyabh23

  • MD5

    ad69026f0cf984eaef62389e9b8ab266

  • SHA1

    29d3d01ce6827de4298c7bea23acd2b74053991d

  • SHA256

    7f64cb7e7ebfefa6d1376bcfc5b2a8fdded19aff482f3cdb766f27923a5a3bbc

  • SHA512

    945e5facf42341344ae1aeadc907da389742b0064fcad490920a9335dce79468166daa2574769d547277a98c4b73a1a59ee8e3f0a2eaaa5ca5f877cb98881e24

  • SSDEEP

    192:3rSTs/1W2RH1wTV6uQcMGEVnqx41r4940nmqVTIv:3z/1W2sB1Qcz6nqx4J0mKK

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Ransom Note

Attention! All your files are encrypted! To restore your files and access them, please send an SMS with the text virusjahid4209@cyberper.net You have 70 attempts to enter the code. When that number has been exceeded, all the data irreversibly is destroyed. Be careful when you enter the code! Price of private key and decrypt software is $50. Discount 50% available if you contact us first 72 hours, that's price for you is $25. BTC Wallet: 37t6hwuzJbq6PtEgaxyS3AWyLS99qMGrt8 Bitcoin ee Transfer korte na parle Bkash ee Trasnfer korte parbn tk2500[3days] [romanized Bengali: if you cannot pay in Bitcoin you can pay via Bkash, Tk 2500 (3 days)] Contact me here: virusjahid4209@cyberper.net

Emails

virusjahid4209@cyberper.net

Wallets

37t6hwuzJbq6PtEgaxyS3AWyLS99qMGrt8
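The Emails and Wallets entries above are what the sandbox pulled out of the note. As an added example (not part of this report and not the sandbox's own extractor), the Python below pulls the same IOCs from the note text with regular expressions and checks that the wallet string is a structurally valid legacy Bitcoin address (Base58Check: 25 decoded bytes, version byte, double-SHA-256 checksum). The note text is an abridged copy of the one above; the Base58Check code is written here from scratch, and the round-trip self-test uses a hash160 value constructed in the block, not anything taken from the sample.

```python
"""Pull the IOCs out of the ransom note and sanity-check the wallet address.

Added example, not part of the original sandbox report. The note text is an
abridged copy of the one in the report; the Base58Check routine is a
from-scratch re-implementation (no bitcoin library), and the round-trip
self-test uses a hash160 constructed here, not one taken from the sample.
"""
import hashlib
import re

# Ransom note text as reported (attacker-controlled input; it only ever goes
# through regular expressions, nothing in it is executed or contacted).
RANSOM_NOTE = (
    "Attention! All your files are encrypted! To restore your files and access "
    "them, please send an SMS with the text virusjahid4209@cyberper.net You have "
    "70 attempts to enter the code. Price of private key and decrypt software is "
    "$50. BTC Wallet: 37t6hwuzJbq6PtEgaxyS3AWyLS99qMGrt8 Bitcoin ee Transfer korte "
    "na parle Bkash ee Trasnfer korte parbn tk2500[3days] Contact me here: "
    "virusjahid4209@cyberper.net"
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Legacy base58 Bitcoin addresses: P2PKH ('1...') and P2SH ('3...'); no 0, O, I, l.
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(s) - len(s.lstrip("1"))  # each leading '1' is a 0x00 byte
    return b"\x00" * leading_ones + body


def b58encode(b):
    n = int.from_bytes(b, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    leading_zeros = len(b) - len(b.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_ok(addr):
    """True if addr decodes to version || hash160 || checksum with a valid checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and checksum(raw[:21]) == raw[21:]


def address_kind(addr):
    version = b58decode(addr)[0]
    return {0x00: "P2PKH", 0x05: "P2SH"}.get(version, f"unknown version {version:#x}")


def make_address(version, hash160):
    payload = bytes([version]) + hash160
    return b58encode(payload + checksum(payload))


def extract_iocs(note):
    return {
        "emails": sorted(set(EMAIL_RE.findall(note))),
        "wallets": sorted(set(BTC_RE.findall(note))),
    }


def roundtrip_check():
    """An address built here must validate; the same address with its last
    character changed must fail the checksum."""
    fake_hash160 = hashlib.sha256(b"constructed example, not from the sample").digest()[:20]
    good = make_address(0x05, fake_hash160)
    bad = good[:-1] + ("2" if good[-1] != "2" else "3")
    return base58check_ok(good), base58check_ok(bad), address_kind(good)


if __name__ == "__main__":
    iocs = extract_iocs(RANSOM_NOTE)
    print(iocs)
    for wallet in iocs["wallets"]:
        print(wallet, address_kind(wallet) if base58check_ok(wallet) else "invalid checksum")
    print(roundtrip_check())
```

A checksum pass only says the string is a well-formed address, not that it belongs to this actor or has ever received funds, and the regex will also pick up any other base58 string of the right shape, so treat hits as candidates to review rather than confirmed indicators.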

Targets

    • Target

      319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5

    • Size

      12KB

    • MD5

      0a5e38ff165e9e78e58fd5b47b19b86a

    • SHA1

      d0cccb38776b7390bf8b0fc5ebe14a75b1dfa3ef

    • SHA256

      319fbb2dd26045a90a452eb26799c6529f8a77ad8d7b967aec58111e25b12cd5

    • SHA512

      330c946e02bab30f4f33a6b246c0ad3d83438dddd1572d499aca2af5a1789714b81ba08729c2917ad8b6090ccb2b476d3a88f6bfd537ebd5a2f0e8ff9048ab67

    • SSDEEP

      192:K/TrG62a6B10k3g4fXk1iTV3HGc7EkpAqEjvu2q9C/YpXnAITZfPtRMTrE4l2W:KebFNw4Pk1itKkpAjjI2YpdmToQ2W

    • Renames multiple (2190) files with added filename extension

      This suggests ransomware activity: the files on the system are being encrypted and renamed.

    • Drops file in Drivers directory

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic, then technique (ID) and the number of matching signatures:

  • Persistence

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Privilege Escalation

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Credential Access

    Unsecured Credentials (T1552): 1
    Credentials In Files (T1552.001): 1

  • Collection

    Data from Local System (T1005): 1
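The behaviour signatures and the ATT&CK mapping above translate directly into host-side detections. As an added example, not the sandbox's own detection logic and not code from this sample's analysis, the Python below runs four checks over a stream of endpoint events: a Run-key write (T1547.001), a drop into the per-user Startup folder (T1547.001), a read of a browser login store (T1552.001), and a mass-rename heuristic for the "renames multiple files with added filename extension" signature. The event records are constructed in the block in a simplified Sysmon-like dict form; the field names, paths, process IDs and the ".locked" extension are assumptions, not values observed from this sample.

```python
"""Host-side detections for the behaviours listed in the sandbox report.

Added example, not the sandbox's own logic. Events are constructed below in a
simplified, Sysmon-like dict form; field names, paths, PIDs and the appended
extension are assumptions, not observations from the sample.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# File names under which Chromium- and Gecko-based browsers keep logins and cookies.
BROWSER_CRED_FILES = {"login data", "logins.json", "web data", "cookies"}
# Ransomware heuristic: this many renames that only append an extension, from one
# process, inside the window. Tune per environment; the sample renamed 2190 files.
MASS_RENAME_THRESHOLD = 20
MASS_RENAME_WINDOW = timedelta(seconds=60)


def appended_extension(old, new):
    """Return the suffix appended to old (e.g. '.locked'), or None if new is
    not simply old plus one trailing extension."""
    if new.startswith(old) and len(new) > len(old):
        tail = new[len(old):]
        if tail.startswith(".") and "\\" not in tail:
            return tail
    return None


def detect(events):
    """Return (technique, pid, detail) tuples for every rule that fires."""
    hits = []
    renames = defaultdict(list)  # pid -> [(timestamp, appended extension)]
    for ev in events:
        kind = ev["type"]
        if kind == "reg_set" and RUN_KEY_RE.search(ev["key"]):
            hits.append(("T1547.001", ev["pid"], f"Run key value {ev['value']!r} -> {ev['data']}"))
        elif kind == "file_create" and STARTUP_DIR_RE.search(ev["path"]):
            hits.append(("T1547.001", ev["pid"], f"dropped into Startup folder: {ev['path']}"))
        elif kind == "file_read" and ev["path"].rsplit("\\", 1)[-1].lower() in BROWSER_CRED_FILES:
            hits.append(("T1552.001", ev["pid"], f"browser credential store read: {ev['path']}"))
        elif kind == "file_rename":
            ext = appended_extension(ev["old"], ev["new"])
            if ext is not None:
                renames[ev["pid"]].append((datetime.fromisoformat(ev["ts"]), ext))
    for pid, items in renames.items():
        items.sort()
        start = 0
        for end in range(len(items)):  # sliding window over time-ordered renames
            while items[end][0] - items[start][0] > MASS_RENAME_WINDOW:
                start += 1
            count = end - start + 1
            if count >= MASS_RENAME_THRESHOLD:
                exts = sorted({e for _, e in items[start:end + 1]})
                hits.append(("mass-rename", pid,
                             f"{count} renames appending {exts} within {MASS_RENAME_WINDOW.seconds}s"))
                break  # one alert per process is enough
    return hits


def constructed_events():
    """Constructed event stream (not captured from the sample): one malicious
    process (pid 4321) and one benign rename by another process (pid 999)."""
    base = datetime(2024, 4, 19, 12, 0, 0)
    evs = [
        {"ts": base.isoformat(), "type": "reg_set", "pid": 4321,
         "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
         "value": "WindowsUpdate", "data": r"C:\Users\u\AppData\Roaming\update.exe"},
        {"ts": (base + timedelta(seconds=1)).isoformat(), "type": "file_create", "pid": 4321,
         "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
        {"ts": (base + timedelta(seconds=2)).isoformat(), "type": "file_read", "pid": 4321,
         "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
        # benign rename: the name changes but no extension is appended
        {"ts": (base + timedelta(seconds=3)).isoformat(), "type": "file_rename", "pid": 999,
         "old": r"C:\Users\u\Documents\report.docx", "new": r"C:\Users\u\Documents\report_v2.docx"},
    ]
    for i in range(30):  # burst of renames, each appending '.locked', within ~3 seconds
        evs.append({"ts": (base + timedelta(seconds=5, milliseconds=100 * i)).isoformat(),
                    "type": "file_rename", "pid": 4321,
                    "old": rf"C:\Users\u\Documents\doc{i}.docx",
                    "new": rf"C:\Users\u\Documents\doc{i}.docx.locked"})
    return evs


if __name__ == "__main__":
    for technique, pid, detail in detect(constructed_events()):
        print(f"{technique:11} pid={pid} {detail}")
```

The remaining signatures in the report (file drops into the System32 and Drivers directories) fit the same pattern as the Startup-folder rule: a path regex on file_create events, ideally restricted to processes that are not themselves signed system components. The rename threshold is deliberately low for the demonstration; in production it should be set from a baseline of normal per-process rename rates so that backup and archiving tools do not trip it.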

Tasks