General

  • Target

    2024-06-18_363933ccd21e56d8786ffde6ee09a4b1_blackkingdom

  • Size

    12.1MB

  • Sample

    240619-ajmlzathkl

  • MD5

    363933ccd21e56d8786ffde6ee09a4b1

  • SHA1

    f99af556f6c274f072bff355ac5cb24281958bc6

  • SHA256

    57b5c39fdcd0054a5f8979a1531861a4a1fe39bf55f4e9efbc331cdb24da12e7

  • SHA512

    cf4e8b6a4b9559b8adff1b5b61935f8a022d21f9944affeaba99c0171c36c0e7e87d04080adc3c66a6dd208b3d6e8dca5c1bc89090f07341084af47ef47cb77c

  • SSDEEP

    393216:Qd9c5hlEK/PNKwtN3ZWyp032LOqKT1g8Cy:QXEhxtKwtN3p232LOqKgz

Malware Config

Extracted

Path

C:\MSOCache\All Users\decrypt_file.TxT

Ransom Note
***************************
| We Are Back ?
***************************
We hacked your (( Network )), and now all files, documents, images, databases and other important data are safely encrypted using the strongest algorithms ever.
You cannot access any of your files or services .
But do not worry. You can restore everthing and get back business very soon ( depends on your actions )
before I tell how you can restore your data, you have to know certain things :
We have downloaded most of your data ( especially important data ) , and if you don't contact us within 2 days, your data will be released to the public.
To see what happens to those who didn't contact us, just google : ( Blackkingdom Ransomware )
***************************
| What guarantees ?
***************************
We understand your stress and anxiety. So you have a free opportunity to test our service by instantly decrypting one or two files for free
just send the files you want to decrypt to ([email protected]
***************************************************
| How to contact us and recover all of your files ?
***************************************************
The only way to recover your files and protect from data leaks, is to purchase a unique private key for you that we only posses .
[ + ] Instructions:
1- Send the decrypt_file.txt file to the following email ===> [email protected]
2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address : [ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ]
3- confirm your payment by sending the transfer url to our email address
4- After you submit the payment, the data will be removed from our servers, and the decoder will be given to you, so that you can recover all your files.
## Note ##
Dear system administrators, do not think you can handle it on your own. Notify your supervisors as soon as possible. By hiding the truth and not communicating with us, what happened will be published on social media and yet in news websites.
Your ID ==> 4tvfbkrN4oVxWHTvK11x
Wallets

1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT

Extracted

Path

C:\Recovery\decrypt_file.TxT

Ransom Note
***************************
| We Are Back ?
***************************
We hacked your (( Network )), and now all files, documents, images, databases and other important data are safely encrypted using the strongest algorithms ever.
You cannot access any of your files or services .
But do not worry. You can restore everthing and get back business very soon ( depends on your actions )
before I tell how you can restore your data, you have to know certain things :
We have downloaded most of your data ( especially important data ) , and if you don't contact us within 2 days, your data will be released to the public.
To see what happens to those who didn't contact us, just google : ( Blackkingdom Ransomware )
***************************
| What guarantees ?
***************************
We understand your stress and anxiety. So you have a free opportunity to test our service by instantly decrypting one or two files for free
just send the files you want to decrypt to ([email protected]
***************************************************
| How to contact us and recover all of your files ?
***************************************************
The only way to recover your files and protect from data leaks, is to purchase a unique private key for you that we only posses .
[ + ] Instructions:
1- Send the decrypt_file.txt file to the following email ===> [email protected]
2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address : [ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ]
3- confirm your payment by sending the transfer url to our email address
4- After you submit the payment, the data will be removed from our servers, and the decoder will be given to you, so that you can recover all your files.
## Note ##
Dear system administrators, do not think you can handle it on your own. Notify your supervisors as soon as possible. By hiding the truth and not communicating with us, what happened will be published on social media and yet in news websites.
Your ID ==> uqVIh5BHRHLyDgtedpsB
Wallets

1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT

Targets

    • Target

      2024-06-18_363933ccd21e56d8786ffde6ee09a4b1_blackkingdom

    • Size

      12.1MB

    • MD5

      363933ccd21e56d8786ffde6ee09a4b1

    • SHA1

      f99af556f6c274f072bff355ac5cb24281958bc6

    • SHA256

      57b5c39fdcd0054a5f8979a1531861a4a1fe39bf55f4e9efbc331cdb24da12e7

    • SHA512

      cf4e8b6a4b9559b8adff1b5b61935f8a022d21f9944affeaba99c0171c36c0e7e87d04080adc3c66a6dd208b3d6e8dca5c1bc89090f07341084af47ef47cb77c

    • SSDEEP

      393216:Qd9c5hlEK/PNKwtN3ZWyp032LOqKT1g8Cy:QXEhxtKwtN3p232LOqKgz

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks