General

  • Target

    2024-06-08_6394b78bf0109da21ab4e219125d2c67_darkside

  • Size

    147KB

  • Sample

    240608-hfr2aahh2x

  • MD5

    6394b78bf0109da21ab4e219125d2c67

  • SHA1

    644e760bf43d414b988e482cec9369ab47f11d16

  • SHA256

    d60bf9ffc43dc0aa3072e080c4c86b05b92d786c7c2aa6822201b90d49247df9

  • SHA512

    48daafa3aab27a388b60a97ed54dfcafa95feeb21afba82923cdc8d713e6671d8f965ac3013eca36db74ce80e4db0cc0387a3538c5404ca987fd7c42caf2167e

  • SSDEEP

    1536:6zICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDk6onOmnyJ5kDTDbLx6IWhShx7V:JqJogYkcSNm9V7DkhpUsTDXx6IWMkyT

Malware Config

Extracted

Path

C:\vy276X92o.README.txt

Ransom Note (reproduced as dropped, misspellings included; the contact addresses are redacted in this copy)

------Dear managers!------
If you are reading this, it means your network has been attacked.
What does that mean?
We hacked your network and now all your files, documents, client database, projects and other important data safely encrypted with reliable algorithms. we also have a copy of all your data.
WARNING!!! You don't have to go to the POLICE, etc. Otherwise we will not be able to help you.
You cannot acces the files right now. But do not worry. You can get it back! It is easy to recover in a few steps.
As proof, we can decrypt any 3 files you provide.
We are not interested to ruin your business. We want to get ransom and be happy.
Please bring this information to your team leaders as soon as possible.
In case of a successfull transaction, we will restore your systems within 4-6 hours and also provide security recommendations.
-----------------------WARNING-----------------------
If you modify files - our decrypt software won't able to recover data
If you use third party software - you can damage/modify files (see item 1)
You nedd cipher key / our decrypt software to restore you files.
The police or authorities will not be able to help you get the cipher key.
We encourage you to consider your decisions.
-----------------------RECOVERY-----------------------
Use email: [email protected] (Alternate email address: [email protected])
You personal ID: sns54088802500
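The extracted config above is what an analyst turns into hunting IOCs. The following Python is an added example, not part of the sandbox report or the sandbox's own parser. It derives the extension appended to encrypted files from the note filename (an assumption: that the token before `.README.txt` is the same string the locker appends to each file, a convention of DarkSide/LockBit-style families that the report itself does not state), pulls the victim ID, and collects contact addresses. Because this copy of the note has the addresses redacted as `[email protected]`, the report text yields no addresses; a second, constructed note with a placeholder address shows the extraction working. The sample note text below is a constructed excerpt of the note above.

```python
import re
from typing import Dict, List, Optional

# Constructed copy of the extracted config. Only fields the report shows are
# used; the contact addresses are redacted in the report ("[email protected]")
# and the middle of the note is elided with "[...]".
SAMPLE_NOTE_PATH = r"C:\vy276X92o.README.txt"
SAMPLE_NOTE_TEXT = (
    "------Dear managers!------ If you are reading this, it means your network has been "
    "attacked. [...] Use email: [email protected] (Alternate email address: "
    "[email protected]) You personal ID: sns54088802500"
)

NOTE_NAME_RE = re.compile(r"(?:^|[\\/])([A-Za-z0-9]+)\.README\.txt$", re.IGNORECASE)
VICTIM_ID_RE = re.compile(r"personal ID:\s*([A-Za-z0-9]+)", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def note_filename(note_path: str) -> str:
    """Last path component, tolerating both Windows and POSIX separators."""
    return re.split(r"[\\/]", note_path)[-1]


def appended_extension(note_path: str) -> Optional[str]:
    """Extension appended to encrypted files, derived from the note name.

    Assumption, not stated in the report: the token before '.README.txt' is the
    same string appended to encrypted files (the naming pattern used by
    DarkSide/LockBit-style lockers). Returns None for notes that do not fit.
    """
    m = NOTE_NAME_RE.search(note_path)
    return "." + m.group(1) if m else None


def iocs_from_config(note_path: str, note_text: str) -> Dict[str, object]:
    """Turn the extracted config into the fields an analyst hunts on."""
    m = VICTIM_ID_RE.search(note_text)
    return {
        "note_filename": note_filename(note_path),
        "appended_extension": appended_extension(note_path),
        "victim_id": m.group(1) if m else None,
        # Redacted addresses ("[email protected]") do not match, so this stays empty for the report text.
        "contact_emails": sorted(set(EMAIL_RE.findall(note_text))),
    }


def hunt_globs(iocs: Dict[str, object]) -> List[str]:
    """File-name globs for an EDR or file-share sweep, built from the IOCs."""
    globs = [f"*\\{iocs['note_filename']}"]
    if iocs["appended_extension"]:
        globs.append(f"*{iocs['appended_extension']}")
    return globs


if __name__ == "__main__":
    iocs = iocs_from_config(SAMPLE_NOTE_PATH, SAMPLE_NOTE_TEXT)
    print(iocs)
    print(hunt_globs(iocs))
```

The victim ID is per-infection, so it is useful for clustering notes from the same run but not as a family-wide indicator; the note filename and appended extension are the values worth sweeping file shares for.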

Targets

    • Target

      2024-06-08_6394b78bf0109da21ab4e219125d2c67_darkside

    • Renames multiple (338) files with added filename extension

      The sample appends a new extension to 338 files during the run, consistent with ransomware encrypting files across the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check so the sample can refuse to run on systems in particular regions.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials; here it sits alongside the encryption behaviour and the note's claim that data was also copied.

    • Drops desktop.ini file(s)

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Anti-debugging: calling NtSetInformationThread with the ThreadHideFromDebugger class stops debug events for that thread being delivered to an attached debugger.
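One way to operationalise the first signature (338 files renamed with an added extension) together with the note drop, as an added Python example rather than the sandbox's own detection logic: it runs over constructed file-rename events in a Sysmon-like shape (timestamp, pid, image, old path, new path), flags a process that appends the same suffix to at least 20 files within 60 seconds, and then correlates that suffix with the creation of a `<suffix>.README.txt` note. The event shape, the thresholds, the process image path and the user paths are all assumptions; the appended extension and note path are the ones in this report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class RenameEvent:
    """Constructed, Sysmon-like file rename record (assumed shape)."""
    ts: datetime
    pid: int
    image: str
    old_path: str
    new_path: str


def appended_suffix(old_path: str, new_path: str) -> Optional[str]:
    """Return the suffix if new_path is old_path plus '.<something>', else None."""
    if new_path.startswith(old_path) and new_path[len(old_path):len(old_path) + 1] == ".":
        return new_path[len(old_path):]
    return None


def detect_mass_rename(events: List[RenameEvent], threshold: int = 20,
                       window: timedelta = timedelta(seconds=60)) -> List[Dict[str, object]]:
    """Alert when one process appends the same suffix to >= threshold files inside one window."""
    stamps_by_key: Dict[Tuple[int, str, str], List[datetime]] = defaultdict(list)
    for ev in events:
        suffix = appended_suffix(ev.old_path, ev.new_path)
        if suffix:
            stamps_by_key[(ev.pid, ev.image, suffix)].append(ev.ts)

    alerts: List[Dict[str, object]] = []
    for (pid, image, suffix), stamps in stamps_by_key.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.append({"pid": pid, "image": image, "extension": suffix,
                               "count": len(stamps), "first_seen": stamps[0]})
                break
    return alerts


def ransom_notes_for(extension: str, created_paths: List[str]) -> List[str]:
    """Created files named '<extension-token>.README.txt', the naming seen in this report."""
    wanted = f"{extension.lstrip('.')}.README.txt".lower()
    return [p for p in created_paths if re.split(r"[\\/]", p)[-1].lower() == wanted]


def triage(events: List[RenameEvent], created_paths: List[str]) -> List[Dict[str, object]]:
    """Pair each rename burst with a matching note drop; the pair is the ransomware signal."""
    findings = []
    for alert in detect_mass_rename(events):
        alert["ransom_notes"] = ransom_notes_for(str(alert["extension"]), created_paths)
        findings.append(alert)
    return findings


# Constructed sample telemetry: 25 encryptions by one process, two benign renames
# by explorer.exe, and the note drop at the path the report shows.
T0 = datetime(2024, 6, 8, 6, 40, 0)
ENC_IMAGE = r"C:\Users\alice\AppData\Local\Temp\sample.exe"   # assumed path, not from the report
SAMPLE_EVENTS = [
    RenameEvent(T0 + timedelta(milliseconds=40 * i), 4120, ENC_IMAGE,
                rf"C:\Users\alice\Documents\file{i:03}.docx",
                rf"C:\Users\alice\Documents\file{i:03}.docx.vy276X92o")
    for i in range(25)
] + [
    RenameEvent(T0 + timedelta(seconds=5), 1804, r"C:\Windows\explorer.exe",
                r"C:\Users\alice\Desktop\notes.txt", r"C:\Users\alice\Desktop\notes.txt.bak"),
    RenameEvent(T0 + timedelta(seconds=9), 1804, r"C:\Windows\explorer.exe",
                r"C:\Users\alice\Desktop\budget.xlsx", r"C:\Users\alice\Desktop\budget-2023.xlsx"),
]
SAMPLE_CREATED = [r"C:\vy276X92o.README.txt", r"C:\Users\alice\Documents\file000.docx.vy276X92o"]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, SAMPLE_CREATED):
        print(f"pid {f['pid']} ({f['image']}) appended {f['extension']} to {f['count']} files; "
              f"notes: {f['ransom_notes']}")
```

Keying on (pid, image, suffix) keeps a backup tool that appends `.bak` to a handful of files below the threshold, while the locker's burst of identical-suffix renames from one process crosses it within a second; the note correlation is what lifts the finding from "mass rename" to "ransomware with a known note name".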

MITRE ATT&CK Enterprise v15

Tasks