Resubmissions

  • 18-07-2024 07:25  240718-h84wjs1hpb  10

  • 18-07-2024 07:19  240718-h51pqa1gng  10

  • 17-07-2024 20:55  240717-zqkhmaydmq  10

  • 17-07-2024 19:21  240717-x2pwdaycjb  10

General

  • Target

    RANSOMWARE11224.rar

  • Size

    6.5MB

  • Sample

    240718-h84wjs1hpb

  • MD5

    6f34e6d90096072ff1a7fc295f2c8a17

  • SHA1

    da305a3b884ea3acafcf1209ad24fc04f28bc7d3

  • SHA256

    84bebbe2cc14519a656dd6ee54e892191872f7122ebf53ef6b2349a5218c11e1

  • SHA512

    0ffa38a106c5ccdaa82b6a5a64b061bcf069125744d5c86cc800367c0d249885f725b89ebd27184bc66286590e2a6b9129d6614221c5cc7e6fe3cf1f2e7994f4

  • SSDEEP

    196608:Wze5gvd12z//fon5Cvg/Hvq6t0Qp9DnaJJ3:uKgvdMs5PC6tZU1

Malware Config

Extracted

Path

C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.readme_txt

Ransom Note

YOUR COMPANY HAS BEEN SUCCESSFULLY PENETRATED! All files are encrypted. We accept only bitcoins to share the decryption software for your network. Also, we have gathered all your private sensitive data.So if you decide not to pay anytime soon, we would share it with media's. It may harm your business reputation and the company's capitalization fell sharply. Do not try to do it with 3rd-parties programs, files might be damaged then. Decrypting of your files is only possible with the special decryption software.

To receive your private key and the decryption software please follow the link (using tor2web service): https://qmnmrba4s4a3py6z.onion.to/order/43e4593a-5dc7-11e7-8803-00163e417ea3

If this address is not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: http://qmnmrba4s4a3py6z.onion/order/43e4593a-5dc7-11e7-8803-00163e417ea3
4. Follow the instructions on the site
5. This link is valid for 72 hours only. Afetr that period your local data would be lost completely.
6. Any questions: [email protected]

URLs

https://qmnmrba4s4a3py6z.onion.to/order/43e4593a-5dc7-11e7-8803-00163e417ea3

http://qmnmrba4s4a3py6z.onion/order/43e4593a-5dc7-11e7-8803-00163e417ea3

Targets

    • Target

      Bit Paymer.exe

    • Size

      92KB

    • MD5

      998246bd0e51f9582b998ca514317c33

    • SHA1

      5a2d799ac4cca8954fc117c7fb3e868f93c6f009

    • SHA256

      d693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2

    • SHA512

      773d9838be9c09bd43a22aa1eada8f623f95739b21828712236a4a209c6d9266647ef43592d072d68399224965253c37f9ce9ef36e46e8191169c03ac7789130

    • SSDEEP

      1536:tacFdjxs2TlWlpnXv91nhixG8/lA5jG8387SpK6jXOMVHoi5e+vRb:taqJC6lWlpnXv7nhixhlAU83VwMCifvR

    • Renames multiple (12313) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Adds Run key to start application

    • Drops desktop.ini file(s)
