Overview

overview

10

Static

static

10

1.exe

windows7-x64

10

1.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1.exe

  • Size

    147KB

  • Sample

    240726-f29gcasamh

  • MD5

    e586722144cb8d90672ec57043dd85d0

  • SHA1

    44d79cc55fc09b556e5cd29d686ac5658e0b9ada

  • SHA256

    f885292741e1b6d1bd35d6c35cf125ade98b5956f88f64e6596bde835fb15984

  • SHA512

    90ec3e866ee29d6b40cb7616ca4b5e9d5935be30ac067d07c7d3e81630881670642457326176b6eab15c5c62de55c4e9581bdb767fe894cce63a6cb934a586e7

  • SSDEEP

    1536:QzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDHc4KWJXmP0bGAVXVd7YZx3JCTz:vqJogYkcSNm9V7DUWJXm8b7ld7IGTHT

Score
10/10
lockbitdefense_evasiondiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\6MLkBJomc.README.txt

Ransom Note
------Dear managers!------ If you are reading this, it means your network has been attacked. What does that mean? We hacked your network and now all your files, documents, client database, projects and other important data safely encrypted with reliable algorithms. we also have a copy of all your data. WARNING!!! You don't have to go to the POLICE, etc. Otherwise we will not be able to help you. You cannot acces the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. As proof, we can decrypt any 3 files you provide. We are not interested to ruin your business. We want to get ransom and be happy. Please bring this information to your team leaders as soon as possible. In case of a successfull transaction, we will restore your systems within 4-6 hours and also provide security recommendations. Don't cry, money is just paper! -----------------------WARNING----------------------- If you modify files - our decrypt software won't able to recover data If you use third party software - you can damage/modify files (see item 1) You nedd cipher key / our decrypt software to restore you files. The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -----------------------RECOVERY----------------------- Use email: [email protected] (Alternate email address: [email protected]) You personal ID: 9203819856004948

Targets

    • Target

      1.exe

    • Size

      147KB

    • MD5

      e586722144cb8d90672ec57043dd85d0

    • SHA1

      44d79cc55fc09b556e5cd29d686ac5658e0b9ada

    • SHA256

      f885292741e1b6d1bd35d6c35cf125ade98b5956f88f64e6596bde835fb15984

    • SHA512

      90ec3e866ee29d6b40cb7616ca4b5e9d5935be30ac067d07c7d3e81630881670642457326176b6eab15c5c62de55c4e9581bdb767fe894cce63a6cb934a586e7

    • SSDEEP

      1536:QzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDHc4KWJXmP0bGAVXVd7YZx3JCTz:vqJogYkcSNm9V7DUWJXm8b7ld7IGTHT

    Score
    10/10
    defense_evasiondiscoveryransomwarespywarestealer

    • Renames multiple (345) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks