Overview

overview

10

Static

static

10

e4a319f7af...42.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e4a319f7afafbbd710ff2dbe8d0883ef332afcb0363efd4e919ed3c3faba0342.7z

  • Size

    2.2MB

  • Sample

    240617-hdr89ssflm

  • MD5

    55285415f9d9954725008902f727dd9a

  • SHA1

    a6ee6b2d6c98f631473217d822f6ed85d490a5aa

  • SHA256

    3064d978153f5f761626b39f448bff3d47c62c54afd5112aa05b1705f94a52c8

  • SHA512

    701ad5954f71971e1102e21911fc908a92ae27afb4f40d71b58d38896a3493e5ea59dc2a87b9bb0916f1b85b69413c0c67941c3b9a647302e984131efb38f621

  • SSDEEP

    49152:IcigsZ+uxwyp8kW7jpAjEDARwHFbSZPT/GwgPNb6Y1x:IVHxwhpLA8NSlTuwgdHz

Score
10/10
agendadefense_evasionexecutionimpactpersistenceransomware

Malware Config

Extracted

Family

agenda

Attributes
  • company_id

    NBSHhgXuCt

  • note

    -- Agenda Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreementyour data will be published. Data includes: - Employees personal dataCVsDLSSN. - Complete network map including credentials for local and remote services. - Financial information including clients databillsbudgetsannual reportsbank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials -- Credentials Extension: NBSHhgXuCt Domain: 24kckepr3tdbcomkimbov5nqv2alos6vmrmlxdr76lfmkgegukubctyd.onion login: b6c6347c-39aa-4a5d-a34b-9f73692c3487 password: 3859f83b-e7dc-4fb2-bd6e-70e84ababd72

rsa_pubkey.plain

Extracted

Path

C:\Users\NBSHhgXuCt-RECOVER-README.txt

Ransom Note
-- Agenda Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreementyour data will be published. Data includes: - Employees personal dataCVsDLSSN. - Complete network map including credentials for local and remote services. - Financial information including clients databillsbudgetsannual reportsbank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials -- Credentials Extension: NBSHhgXuCt Domain: 24kckepr3tdbcomkimbov5nqv2alos6vmrmlxdr76lfmkgegukubctyd.onion login: b6c6347c-39aa-4a5d-a34b-9f73692c3487 password: 3859f83b-e7dc-4fb2-bd6e-70e84ababd72
URLs

http://24kckepr3tdbcomkimbov5nqv2alos6vmrmlxdr76lfmkgegukubctyd.onion

Targets

    • Target

      e4a319f7afafbbd710ff2dbe8d0883ef332afcb0363efd4e919ed3c3faba0342.exe

    • Size

      7.7MB

    • MD5

      54d801a914165802062aea8e5fdae516

    • SHA1

      5f99214d68883e91f586e85d8db96deda5ca54af

    • SHA256

      e4a319f7afafbbd710ff2dbe8d0883ef332afcb0363efd4e919ed3c3faba0342

    • SHA512

      ce5546e60976db6e0c6736ccd32ac623d564e4b7dff91c86a2ddfae6cc8e86f49e70d67d663da61f077a8d244eedc4d6c19e2f185e945395faf522bbc858d5a9

    • SSDEEP

      98304:9h3Hhpg9fmvPQ6awFDwqNmabuc0aZJPE:/BpyV6/CcukM

    Score
    10/10
    defense_evasionexecutionimpactpersistenceransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (165) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

      persistence
    behavioral1

MITRE ATT&CK Enterprise v15

Tasks