Resubmissions

06-08-2024 22:37

240806-2kbpmssgrn 10

14-06-2024 18:31

240614-w6arkswcll 10

General

  • Target

    Malware with taskmgr.zip

  • Size

    2.9MB

  • Sample

    240806-2kbpmssgrn

  • MD5

    a964aeb3e8cf59d3b8708af99731abf4

  • SHA1

    77a9caa0eb747c0d5bba1d2b86dd13537516f849

  • SHA256

    39345b9dc44db0aec3ceb63efa9f4b0bb74753da4fa421745acff9835f50debc

  • SHA512

    9109666afd9cb90a9ba44ef14a9914afcd7749169b2e4a04f6066f470a7a89503ddf90a21adeadd4dfd2056aa66854f99db532824be64c95bc0d94ad7439c79a

  • SSDEEP

    49152:x7yeTYZ5z0vegABI2egr4OecHvD5m33UZRQDRfPapjj6axvkVxureuIiBAkpwESc:xnTYZ5z0WgH234RUI3UrQ1uHlvkxuhLd

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

Attributes

  • watermark

    0

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\#DECRYPT MY FILES#.html

Ransom Note
<html> <head> <meta charset='utf-8'> <title>WHAT HAPPENED</title> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background-color: #C1AB8F; } .bold { font-weight: bold; } .xx { border: 1px dashed #000; background: #E3D5F1; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .after { background: #FFE4E4; border-left: 10px solid #A5A52F; } .third { background: #FFE4E4; border-left: 10px solid #0000FF; } .alert { background: #FFE4E4; border-left: 10px solid #0000FF; } .contact { background: #CCCCCC; border-left: 10px solid #00FF00; } .party { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; }</style> </head> <div class='header'>Your files are encrypted!</div> <div class='header'>Paradise Ransomware Team!</div><div class='note private'> <div class='title'>Your personal ID</div> <pre>2wbBLus6</pre><div class='title'>Your personal KEY</div> <pre><textarea name='mesage' rows='10' cols='150' wrap='virtual'>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</textarea></div> <div class='note after'> <div class='title'>WHAT HAPPENED!</div> <ul><li>Your important files produced on this computer have been encrypted due a security problem.</li> <li>If you want to restore them, pay to us by website.</li> <li>After payment we will send you the decryption tool that will decrypt all your files.</li> </ul> </div> <div class='note third'> <div class='title'>FREE DECRYPTION AS GUARANTEE!</div> 
<ul><li>Before payment you can send us 1-3 files for free decryption.</li> <li>Please note that files must NOT contain valuable information.</li><li>The file size should not exceed 1MB.</li> <li>As evidence, we can decrypt one file</li> </ul> </div> <div class='note alert'> <div class='title'>HOW TO PAY!</div> <ul><li>Buy Paid Code In: https://shop.linuxenc.top/buy/2</li> <li>After you got Paid Code, get your personal key in https://search.linuxenc.top</li> </ul> </div> <div class='note contact'> <div class='title'>Contact!</div> <ul><li>e-mail:<input type='text' name='login' value='[email protected]' size='20' maxlength='5'> </li> <li>or</li><li>e-mail:<input type='text' name='login' value='[email protected]' size='20' maxlength='5'> </li> </ul> </div> <div> <div class='note party'> <div class='title'>Attention!</div> <ul><li>Do not rename encrypted files</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss</li><li>You are guaranteed to get the decryptor after payment</li> <li>As evidence, we can decrypt one file</li> <li>Do not attempt to use the antivirus or uninstall the program</li> <li>This will lead to your data loss and unrecoverable</li> <li>Decoders of other users is not suitable to decrypt your files - encryption key is unique</li> </ul> </div> </body> </html>
Emails
URLs

https://shop.linuxenc.top/buy/2

https://search.linuxenc.top

Targets

    • Target

      Setup.exe

    • Size

      12KB

    • MD5

      a14e63d27e1ac1df185fa062103aa9aa

    • SHA1

      2b64c35e4eff4a43ab6928979b6093b95f9fd714

    • SHA256

      dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453

    • SHA512

      10418efcce2970dcdbef1950464c4001753fccb436f4e8ba5f08f0d4d5c9b4a22a48f2803e59421b720393d84cfabd338497c0bc77cdd4548990930b9c350082

    • SSDEEP

      192:brl2reIazGejA7HhdSbw/z1ULU87glpK/b26J4S1Xu85:b52r+xjALhMWULU870gJJ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Ammyy Admin

      Remote admin tool with various capabilities.

    • AmmyyAdmin payload

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • FlawedAmmyy RAT

      Remote-access trojan based on leaked code for the Ammyy remote admin software.

    • Modifies security service

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex (also spelled Phorpiex) is a malware family that infects systems in order to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Windows security bypass

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Renames multiple (1484) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command interpreter.

    • Downloads MZ/PE file

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and form data.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Windows security modification

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Command and Scripting Interpreter: AutoIT

      Uses AutoIT, possibly to run an automated script.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks