Resubmissions

21-05-2024 20:36

240521-zd27xahe78 10

General

  • Target

    DATA_HOST_2024-05-21_20_34_30.836.zip

  • Size

    2.9MB

  • Sample

    240521-zd27xahe78

  • MD5

    cd6488a97647cf5ff2f36deaf2e75aac

  • SHA1

    92c9680f5eb2011807eaed423bbb80ba870fa539

  • SHA256

    b880b2c34c098e63dc6b6e75c0ca7402bfcf77ff2a88a49e2b906dd2cc2027e7

  • SHA512

    72209c5104aabb76fafa2e4202aec3a7a839875b3eeaf359c8a2e6a8898f959794313375107fb5cc473d6ec278674670f17ce104e9fed4f8cde49a34c839a3a2

  • SSDEEP

    49152:1ZeDzi7yWN+4sOniNgEAn6ow+po6UN/oeZhiNsm5FT3Z111NJjwTbF5MqnQJ8qIN:vWzZWNQ2F26UN/b7G5FT3z1z9wn/Mqnh

Malware Config

Extracted

Family

agenda

Attributes
  • company_id

    woaB2am8Ar

  • note

    -- Qilin
    Your network/system was encrypted.
    Encrypted files have new extension.
    -- Compromising and sensitive data
    We have downloaded compromising and sensitive data from you system/network
    If you refuse to communicate with us and we do not come to an agreement, your data will be published.
    Data includes:
    - Employees personal data, CVs, DL , SSN.
    - Complete network map including credentials for local and remote services.
    - Financial information including clients data, bills, budgets, annual reports, bank statements.
    - Complete datagrams/schemas/drawings for manufacturing in solidworks format
    - And more...
    -- Warning
    1) If you modify files - our decrypt software won't able to recover data
    2) If you use third party software - you can damage/modify files (see item 1)
    3) You need cipher key / our decrypt software to restore you files.
    4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions.
    -- Recovery
    1) Download tor browser: https://www.torproject.org/download/
    2) Go to domain
    3) Enter credentials
    -- Credentials
    Extension: woaB2am8Ar
    Domain: dv4pfmexhcv7dvvwjjrmfhor5nt7lkj7sodjbfmnfueekb2szromq2qd.onion
    login: LSTPCR5sBt1TbmkUzuJAi_QAb2I9YqSZ
    password:

rsa_pubkey.plain

Extracted

Path

C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\README-RECOVER-woaB2am8Ar.txt

Ransom Note
-- Qilin
Your network/system was encrypted.
Encrypted files have new extension.
-- Compromising and sensitive data
We have downloaded compromising and sensitive data from you system/network
If you refuse to communicate with us and we do not come to an agreement, your data will be published.
Data includes:
- Employees personal data, CVs, DL , SSN.
- Complete network map including credentials for local and remote services.
- Financial information including clients data, bills, budgets, annual reports, bank statements.
- Complete datagrams/schemas/drawings for manufacturing in solidworks format
- And more...
-- Warning
1) If you modify files - our decrypt software won't able to recover data
2) If you use third party software - you can damage/modify files (see item 1)
3) You need cipher key / our decrypt software to restore you files.
4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions.
-- Recovery
1) Download tor browser: https://www.torproject.org/download/
2) Go to domain
3) Enter credentials
-- Credentials
Extension: woaB2am8Ar
Domain: dv4pfmexhcv7dvvwjjrmfhor5nt7lkj7sodjbfmnfueekb2szromq2qd.onion
login: LSTPCR5sBt1TbmkUzuJAi_QAb2I9YqSZ
password:qt6Pv7bAmMw3A7xVndj2RSTJw3guatQr
URLs

http://dv4pfmexhcv7dvvwjjrmfhor5nt7lkj7sodjbfmnfueekb2szromq2qd.onion
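The note above carries every operator identifier a responder needs: the company_id (woaB2am8Ar) reappears as the encrypted-file extension and as the README-RECOVER suffix, and the Domain/login/password lines are the portal credentials. The following is an added example, not code from the sandbox or from the malware, that pulls those fields out of the note text quoted in this report and sanity-checks the .onion address against the Tor v3 address layout (base32 of pubkey || checksum || version, checksum = SHA3-256(".onion checksum" || pubkey || version)[:2]). The note excerpt embedded below is taken from the report; the field names are the ones the note itself uses.

```python
"""Parse operator identifiers out of a Qilin (Agenda) ransom note.

Added example for this report; not sandbox or malware code. NOTE is an
excerpt of the README-RECOVER-woaB2am8Ar.txt text quoted in the report,
kept on one line exactly as the sandbox extracted it.
"""
import base64
import binascii
import hashlib
import re
from typing import Optional

NOTE = (
    "-- Qilin Your network/system was encrypted. Encrypted files have new extension. "
    "-- Recovery 1) Download tor browser: https://www.torproject.org/download/ "
    "2) Go to domain 3) Enter credentials-- Credentials Extension: woaB2am8Ar "
    "Domain: dv4pfmexhcv7dvvwjjrmfhor5nt7lkj7sodjbfmnfueekb2szromq2qd.onion "
    "login: LSTPCR5sBt1TbmkUzuJAi_QAb2I9YqSZ "
    "password:qt6Pv7bAmMw3A7xVndj2RSTJw3guatQr"
)

FIELDS = {
    # company_id: doubles as the encrypted-file extension and the README suffix
    "extension": re.compile(r"Extension:\s*(\S+)"),
    # v3 onion names are exactly 56 base32 characters
    "domain": re.compile(r"Domain:\s*([a-z2-7]{56}\.onion)"),
    "login": re.compile(r"login:\s*(\S+)"),
    # The config-embedded copy in the report ends at "password:" with no
    # value, so the value is optional here.
    "password": re.compile(r"password:\s*(\S*)"),
}


def parse_note(text: str) -> dict[str, Optional[str]]:
    """Return extension/domain/login/password; missing or empty values are None."""
    out: dict[str, Optional[str]] = {}
    for name, rx in FIELDS.items():
        m = rx.search(text)
        out[name] = m.group(1) if m and m.group(1) else None
    return out


def derived_iocs(ext: str) -> dict[str, str]:
    """Host-side artefacts implied by the company_id, following this report's paths."""
    return {
        "note_filename": f"README-RECOVER-{ext}.txt",
        "file_suffix": f".{ext}",
    }


def onion_v3_problems(host: str) -> list[str]:
    """List the v3 .onion structure checks that fail (empty list = well-formed)."""
    name = host.lower().removesuffix(".onion")
    if len(name) != 56:
        return ["length"]
    try:
        raw = base64.b32decode(name, casefold=True)  # 56 chars -> 35 bytes
    except binascii.Error:
        return ["base32"]
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    problems: list[str] = []
    if version != b"\x03":
        problems.append("version")
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    if checksum != expected:
        problems.append("checksum")
    return problems


if __name__ == "__main__":
    fields = parse_note(NOTE)
    print(fields)
    print(derived_iocs(fields["extension"]))
    print("onion problems:", onion_v3_problems(fields["domain"]))
```

Hunting for `README-RECOVER-*.txt` and the `.woaB2am8Ar` suffix across file shares is the quickest way to scope which hosts this build touched; the .onion check is there to catch a mis-transcribed address before it is pushed to a blocklist.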

Targets

    • Target

      Device/HarddiskVolume3/1/645.exe

    • Size

      5.0MB

    • MD5

      5d759f58085ced122e4b2966d759c232

    • SHA1

      1e77ee62f57b55e17fca4e557c13e065cceb3295

    • SHA256

      75d3f06b02441cadcc764959ed9398a4504e76841e3472ebfca9470b4bc9cba3

    • SHA512

      0af18d2cbdee581f90d748cce5772ef8e6d181bf635e22610898374a1422d137d847bd7c8d53d8fa3ec49706b67c5ea3f1769b3f8e619ad434e53311c5ed47ce

    • SSDEEP

      98304:xGVtSFT2BruTi/S8o/2nctMPnXd3x3tO6j:xGrSFaATAWNGnt3zOG

    • Agenda Ransomware

      Ransomware family with variants written in Go and Rust, first seen in August 2022; the note dropped by this sample is branded Qilin.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.
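Two of the behaviours flagged above, shadow-copy deletion and raw writes to the boot disk, are observable in endpoint telemetry without any sample-specific indicator. The following is an added example, not the sandbox's signature logic: it runs the usual Windows shadow-copy deletion command patterns (vssadmin, wmic, Win32_ShadowCopy, wbadmin, bcdedit) and a raw-physical-disk-open rule over constructed process and file-open events, then maps hits back to the report's two signature names. The report does not state which commands this sample actually executes, so the patterns are general ransomware tradecraft, and every event below is constructed for the demonstration (the image path of the dropped executable is the one the report lists).

```python
"""Detect the recovery-inhibiting behaviours this report flags.

Added example; not the sandbox's own rules. The command patterns are the
common Windows ways to remove shadow copies / disable recovery, and the
raw-disk rule fires on a write-capable open of a whole physical disk, the
path an MBR overwrite takes. All events are constructed.
"""
import re
from dataclasses import dataclass

SIG_SHADOW = "Deletes shadow copies"
SIG_MBR = "Writes to the Master Boot Record (MBR)"


@dataclass(frozen=True)
class Event:
    kind: str          # "process" (detail = command line) or "file_open" (detail = object path)
    image: str
    detail: str
    write: bool = False  # file_open only: handle requested with write access


# (rule name, pattern) -- assumed common forms, not taken from this sample
SHADOW_COPY_RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("Win32_ShadowCopy Delete()",
     re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I)),
    ("wbadmin delete catalog/backup",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup)\b", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]

# Whole-disk device names: \\.\PhysicalDriveN or \Device\HarddiskN\DRN
RAW_DISK = re.compile(r"^\\\\\.\\PhysicalDrive\d+$|^\\Device\\Harddisk\d+\\DR\d+$", re.I)


def detect(events: list[Event]) -> list[tuple[str, str, Event]]:
    """Return (signature, rule, event) for every event that matches a rule."""
    hits: list[tuple[str, str, Event]] = []
    for ev in events:
        if ev.kind == "process":
            for rule, rx in SHADOW_COPY_RULES:
                if rx.search(ev.detail):
                    hits.append((SIG_SHADOW, rule, ev))
        elif ev.kind == "file_open" and ev.write and RAW_DISK.search(ev.detail):
            # Baseline legitimate disk tooling before alerting on this in production.
            hits.append((SIG_MBR, "write-capable open of physical disk", ev))
    return hits


def behaviours(events: list[Event]) -> set[str]:
    """Collapse hits to the report-style signature names."""
    return {sig for sig, _, _ in detect(events)}


# Constructed telemetry; only the dropped-file image path comes from the report.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\cmd.exe",
          "cmd.exe /c vssadmin.exe delete shadows /all /quiet"),
    Event("process", r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
    Event("process", r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),  # benign
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"),
    Event("file_open", r"\Device\HarddiskVolume3\1\645.exe", r"\\.\PhysicalDrive0", write=True),
    Event("file_open", r"C:\Windows\System32\svchost.exe", r"\\.\PhysicalDrive0", write=False),
    Event("process", r"C:\Windows\System32\bcdedit.exe",
          "bcdedit /set {default} recoveryenabled No"),
]

if __name__ == "__main__":
    for sig, rule, ev in detect(SAMPLE_EVENTS):
        print(f"{sig:40} {rule:36} {ev.image}")
    print(behaviours(SAMPLE_EVENTS))
```

Feed this the process-creation and raw-access events from your EDR or Sysmon (event IDs 1 and 9 respectively) rather than the constructed list; the read-only `svchost.exe` open and `vssadmin list shadows` are included to show the rules stay quiet on inventory activity.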
