Overview

overview

10

Static

static

10

117fc30c25...64.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.7z

  • Size

    2.2MB

  • Sample

    240615-xtmfaasalg

  • MD5

    4d4cda045a758202f9e9f3b3837c16ff

  • SHA1

    b7b75cc3465c7e236a4eaa4e2a0c4c46c0f94ece

  • SHA256

    af9919d2097e7bb4daf6456906c44b36421ad0c108d58ed9525b0a5eda468b8c

  • SHA512

    04e6787f0af21ff520fb664c5a7facd42c77d9b4c8256af79c77c61dddc37d7845d50527e56fabf2928c4e982f62ac821875b7cf16891b2e5200be63bfdcc92f

  • SSDEEP

    24576:QYIDv+fwXWczxi0VKVpCYhWfTyalBkp3hRQwYCFsde4XnPLjxYbClaJoVsM987D7:QY1wL9VsCZypNsde4XPQxJQCOjg3F

Score
10/10
agendadefense_evasionexecutionimpactpersistenceransomware

Malware Config

Extracted

Family

agenda

Attributes
  • company_id

    OnHnnBvUej

  • note

    -- Agenda Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreementyour data will be published. Data includes: - Employees personal dataCVsDLSSN. - Complete network map including credentials for local and remote services. - Financial information including clients databillsbudgetsannual reportsbank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials -- Credentials Extension: OnHnnBvUej Domain: login: bd61eb78-64a3-4ee0-9a8e-543b8bc12b5e password: 14158620-fb98-4889-87cb-f5251368fc21

rsa_pubkey.plain

Extracted

Path

C:\$Recycle.Bin\OnHnnBvUej-RECOVER-README.txt

Family

agenda

Ransom Note
-- Agenda Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreementyour data will be published. Data includes: - Employees personal dataCVsDLSSN. - Complete network map including credentials for local and remote services. - Financial information including clients databillsbudgetsannual reportsbank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials -- Credentials Extension: OnHnnBvUej Domain: login: bd61eb78-64a3-4ee0-9a8e-543b8bc12b5e password: 14158620-fb98-4889-87cb-f5251368fc21%!(EXTRA string=same as login)

Targets

    • Target

      117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe

    • Size

      7.7MB

    • MD5

      a7ab0969bf6641cd0c7228ae95f6d217

    • SHA1

      002971b6d178698bf7930b5b89c201750d80a07e

    • SHA256

      117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

    • SHA512

      7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a

    • SSDEEP

      49152:mwHittZSrb/TjvO90dL3BmAFd4A64nsfJTGNHltPgQjre0Q2hEsj2kcR9RsU/2LU:mwUs3dfC2at9kDXdmG55wuzZqGdE

    Score
    10/10
    agendadefense_evasionexecutionimpactpersistenceransomware

    • Agenda Ransomware

      A ransomware with multiple variants written in Golang and Rust first seen in August 2022.

      ransomwareagenda

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (158) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks