Overview

overview

10

Static

static

10

w.exe

windows7-x64

10

w.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    w.exe

  • Size

    147KB

  • Sample

    240629-e16hma1blf

  • MD5

    a076dd9346194f5ce76c015fe9daae49

  • SHA1

    395393bde77493a8ca1df57e1c10466f0c45a2b5

  • SHA256

    cf8844cbd945f7e42a001758cd9807776cf219902b802f2860ac2b59b4282967

  • SHA512

    04c086a9cebb6f0bac69e4a68097e8bd6a539683c947ccad1c4e15601d4c25547c8756fdeeb8e45708915f74393fe91a38af05657d3ae13f374d2e390df812d4

  • SSDEEP

    1536:9zICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDu+OBVJ8wRy+k3E7WYQWEZHUyz:uqJogYkcSNm9V7DxOnJ8OyRU7WYaHT

Score
10/10
lockbitransomwarespywarestealer

Malware Config

Extracted

Path

C:\lYEPThbqY.README.txt

Ransom Note
------Dear managers!------ If you are reading this, it means your network has been attacked. What does that mean? We hacked your network and now all your files, documents, client database, projects and other important data safely encrypted with reliable algorithms. we also have a copy of all your data. WARNING!!! You don't have to go to the POLICE, etc. Otherwise we will not be able to help you. You cannot acces the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. As proof, we can decrypt any 3 files you provide. We are not interested to ruin your business. We want to get ransom and be happy. Please bring this information to your team leaders as soon as possible. In case of a successfull transaction, we will restore your systems within 4-6 hours and also provide security recommendations. -----------------------WARNING----------------------- If you modify files - our decrypt software won't able to recover data If you use third party software - you can damage/modify files (see item 1) You nedd cipher key / our decrypt software to restore you files. The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -----------------------RECOVERY----------------------- Use email: [email protected] (Alternate email address: [email protected]) You personal ID: 995619885677

Targets

    • Target

      w.exe

    • Size

      147KB

    • MD5

      a076dd9346194f5ce76c015fe9daae49

    • SHA1

      395393bde77493a8ca1df57e1c10466f0c45a2b5

    • SHA256

      cf8844cbd945f7e42a001758cd9807776cf219902b802f2860ac2b59b4282967

    • SHA512

      04c086a9cebb6f0bac69e4a68097e8bd6a539683c947ccad1c4e15601d4c25547c8756fdeeb8e45708915f74393fe91a38af05657d3ae13f374d2e390df812d4

    • SSDEEP

      1536:9zICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDu+OBVJ8wRy+k3E7WYQWEZHUyz:uqJogYkcSNm9V7DxOnJ8OyRU7WYaHT

    Score
    10/10
    ransomwarespywarestealer

    • Renames multiple (348) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks