Analysis

  • max time kernel
    125s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-07-2024 09:42

General

  • Target

    7c2dbad516d18d2c1c21ecc5792bc232f7b34dadc1bc19e967190d79174131d1.exe

  • Size

    55KB

  • MD5

    a35596ed0bfb34de4e512a3225f8300a

  • SHA1

    aeb09e894736cbb41e934f83cca0247fe89d8a19

  • SHA256

    7c2dbad516d18d2c1c21ecc5792bc232f7b34dadc1bc19e967190d79174131d1

  • SHA512

    e70eccbbe84f933a567b000fceba9666f4537489de0ed21eb3bdaf06cfb61b618be042d566969100907f06ea68aa2da1b84029d94c73f971ea35af9de968e3de

  • SSDEEP

    1536:gZVYb2bbBisyEcPC00h7sBvvKk+jTc7+T8l7RJV62CzVDL+oWB27evMCUQ:EV+GiVEc6RsMJQ

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\3D Objects\read_me.txt

Family

deathransom

Ransom Note
--= DEATHRANSOM =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****
All your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.
To be sure we have the decryptor and it works you can send an email [email protected] and decrypt one file for free. But this file should be of not valuable!
Do you really want to restore your files?
Write to email [email protected] [email protected]
Your LOCK-ID: 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
>>>How to obtain bitcoin:
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
>>> Free decryption as guarantee!
Before paying you send us up to 1 file for free decryption. We recommeded to send pictures, text files, sheets, etc. (files no more than 1mb)
IN ORDER TO PREVENT DATA DAMAGE:
1. Do not rename encrypted files.
2. Do not try to decrypt your data using third party software, it may cause permanent data loss.
3. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • DeathRansom

    Ransomware family first seen at the start of 2020. Initial versions did not actually encrypt files.

  • Renames multiple (188) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops desktop.ini file(s) 25 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c2dbad516d18d2c1c21ecc5792bc232f7b34dadc1bc19e967190d79174131d1.exe
    "C:\Users\Admin\AppData\Local\Temp\7c2dbad516d18d2c1c21ecc5792bc232f7b34dadc1bc19e967190d79174131d1.exe"
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    PID:3912
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4196,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:8
    PID:4540

Downloads

  • C:\Users\Admin\3D Objects\read_me.txt

    Filesize

    2KB

    MD5

    bbea011b3a3d6d4991f3fbbf977cae5e

    SHA1

    51e2e904455890d5c4583acb1a38c1d075b2ad31

    SHA256

    fc795de3cd79a4f86ec085d8315f7b42e5a26f3f0efdfd15af9befad2ca3845c

    SHA512

    b86f4e6a9e91b6b435adbf71d189b7a55852b560e9767cf57da2ff6ac073249e9b1ebfbd87824703755790ebbb837557e13220af4ed36ba52ecb285740c95641