Overview

overview

10

Static

static

10

90fcaf3926...b2.exe

windows7-x64

10

90fcaf3926...b2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    90fcaf3926265ba790e6245975b3106617b89f4d7fe2a7733a6ecd0f7ac79bb2

  • Size

    146KB

  • Sample

    240714-ryh1rswhle

  • MD5

    9c538ff5f541f0e8b9b2cc8386b40c65

  • SHA1

    689fcc9c3a30efe6ff5bee231506bf3c4637e6e8

  • SHA256

    90fcaf3926265ba790e6245975b3106617b89f4d7fe2a7733a6ecd0f7ac79bb2

  • SHA512

    1367c402cab5e89d6863f9dad5faf497d7e15a8ce9a0644c314f523d2435f95286048ef4d87c65096a024c6f4a299049f15d863c30054ef666fa053102c25122

  • SSDEEP

    3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS7:V6gDBGpvEByocWeauV2gvzwUg

Score
10/10
lockbitransomwarespywarestealer

Malware Config

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note
~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~ >>>> Your data is encrypted... but dont freak out If we encrypted you, you majorly fucked up. But... all can be saved But not for free, we require an xmr payment >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption. Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right? If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment. >>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/ Link for the normal browser http://group.goocasino.org https://nullbulge.com >>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3CF1AA322CDD7E2EF8 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note
~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~ >>>> Your data is encrypted... but dont freak out If we encrypted you, you majorly fucked up. But... all can be saved But not for free, we require an xmr payment >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption. Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right? If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment. >>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/ Link for the normal browser http://group.goocasino.org https://nullbulge.com >>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3C97741A9AED537439 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Targets

    • Target

      90fcaf3926265ba790e6245975b3106617b89f4d7fe2a7733a6ecd0f7ac79bb2

    • Size

      146KB

    • MD5

      9c538ff5f541f0e8b9b2cc8386b40c65

    • SHA1

      689fcc9c3a30efe6ff5bee231506bf3c4637e6e8

    • SHA256

      90fcaf3926265ba790e6245975b3106617b89f4d7fe2a7733a6ecd0f7ac79bb2

    • SHA512

      1367c402cab5e89d6863f9dad5faf497d7e15a8ce9a0644c314f523d2435f95286048ef4d87c65096a024c6f4a299049f15d863c30054ef666fa053102c25122

    • SSDEEP

      3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS7:V6gDBGpvEByocWeauV2gvzwUg

    Score
    10/10
    ransomwarespywarestealer

    • Renames multiple (354) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks