Overview

overview

10

Static

static

10

8e7a924425...97.exe

windows7-x64

10

8e7a924425...97.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8e7a92442581fe1179b826cc112ac804c24e0f25389c4c649d87309bcd82c097

  • Size

    146KB

  • Sample

    240714-rykjlawhlh

  • MD5

    a6238bac4eea44789acd7594bbefacae

  • SHA1

    83f89ce4c6ac20243baf5937f0f666b594d91a3c

  • SHA256

    8e7a92442581fe1179b826cc112ac804c24e0f25389c4c649d87309bcd82c097

  • SHA512

    baf19b9074d3971605a2c9cf0c733dccf8f871a21b49034bf984fdcde3e86208c6d21030352619438dfd8adc80c5a23c76fae5e04782b52aae1ab1ae039c242e

  • SSDEEP

    3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUST:V6gDBGpvEByocWeauV2gvzwUg

Score
10/10
lockbitransomwarespywarestealer

Malware Config

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note
~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~ >>>> Your data is encrypted... but dont freak out If we encrypted you, you majorly fucked up. But... all can be saved But not for free, we require an xmr payment >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption. Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right? If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment. >>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/ Link for the normal browser http://group.goocasino.org https://nullbulge.com >>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3C7A5BC69A26216496 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note
~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~ >>>> Your data is encrypted... but dont freak out If we encrypted you, you majorly fucked up. But... all can be saved But not for free, we require an xmr payment >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption. Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right? If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment. >>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/ Link for the normal browser http://group.goocasino.org https://nullbulge.com >>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3C285D9C9B96FB3EBE >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Targets

    • Target

      8e7a92442581fe1179b826cc112ac804c24e0f25389c4c649d87309bcd82c097

    • Size

      146KB

    • MD5

      a6238bac4eea44789acd7594bbefacae

    • SHA1

      83f89ce4c6ac20243baf5937f0f666b594d91a3c

    • SHA256

      8e7a92442581fe1179b826cc112ac804c24e0f25389c4c649d87309bcd82c097

    • SHA512

      baf19b9074d3971605a2c9cf0c733dccf8f871a21b49034bf984fdcde3e86208c6d21030352619438dfd8adc80c5a23c76fae5e04782b52aae1ab1ae039c242e

    • SSDEEP

      3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUST:V6gDBGpvEByocWeauV2gvzwUg

    Score
    10/10
    ransomwarespywarestealer

    • Renames multiple (320) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks