Overview

overview

10

Static

static

10

0fb86a8ba8...05.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.zip

  • Size

    94KB

  • Sample

    240715-yb9zasycrg

  • MD5

    de3cce94ddf0aa1585bbaa932dbfa7af

  • SHA1

    36beacbc1251584a65398b979b2a167d3acbe599

  • SHA256

    b0ce0621e11158bf5467d9f051e47da62a16240d69616a77a37acdf70bdc853c

  • SHA512

    a5510d8d189c6cb5d24c38aa1e47ed212e4012c82b89ee51af6f86068da83b500a8631ae406685534480fe94fe5a57c6b1bc7a2898ae3d9d5d010a03bd8d6bee

  • SSDEEP

    1536:oHOO9o8lbCzZiOi+H5WtV78Hp/6EvyxDj6HQJe3/2M8YDrh71prvEAzgJwd3e:TO9o8lAwOii0t9896Eaj6HXX8CfBsAsf

Score
10/10
lockbitransomwarespywarestealer

Malware Config

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note
~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~ >>>> Your data is encrypted... but dont freak out If we encrypted you, you majorly fucked up. But... all can be saved But not for free, we require an xmr payment >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption. Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right? If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment. >>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/ Link for the normal browser http://group.goocasino.org https://nullbulge.com >>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3C6AF9D000A709531C >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Targets

    • Target

      0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe

    • Size

      146KB

    • MD5

      2357ecbcf3b566c76c839daf7ecf2681

    • SHA1

      89d9b7c3eff0a15dc9dbbfe2163de7d5e9479f58

    • SHA256

      0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305

    • SHA512

      bb5630ae44e684f2dfc74478c57bf97a94045501a64022d563e87f2a60d777307cab2b5a14e6764d25a2fd1f27901624c1ee76ca551d5a5e3a21abc4befef401

    • SSDEEP

      3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS:V6gDBGpvEByocWeauV2gvzwU

    Score
    10/10
    ransomwarespywarestealer

    • Renames multiple (637) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks