41b93a574bb612aa155054a537fe86be308ece7c10764a1f57ce01f894848f7c

General

Target

konets.exe
Size

17KB
Sample

240810-pw7j8stfmc
MD5

6a178845e4b33de30efcdcf7b4e128be
SHA1

2f144879ef702ce6fe75515240c9add67b5945ea
SHA256

41b93a574bb612aa155054a537fe86be308ece7c10764a1f57ce01f894848f7c
SHA512

c1e6db9afb21263b47466636d23775a6aaa88a43903fdfa26952b831bc369cef59ae9200ee0466c7869e748192756d19ed6c717403a05622cc3a0ef0104574a8
SSDEEP

192:v6e44RTHEdAppUxevrtachyQpYtXz3usVccmDesQ5tf3XNGlraivR5uQpI:v6eFZLpuABbyQCRq6sW2amNp

Score

10^/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\README.txt

Ransom Note

~~~ Your files have been encrypted! ~~~ Using advanced AES256 encryption technique your databases, documents, photos and other important files have been encrypted. See for yourself! look at any file with .kon extension. You cannot recover these files yourself. Do not waste your time. Nobody can recover your files. Only we can! We can decrypt these files, we can guarantee that your files can be decrypted, but you have little time. Payment for the decryption is ~$70 We can restore your systems in less than 6 hours if you pay now. However, we will not decrypt your system if: - You go to police and report us. >>> If you report us AFTER decryption, we WILL attack you again!!! <<< Do not delete or modify encrypted files, it will cause problems when recovery! Send the personal ID to [email protected] We will provide payment information, once payment is done, we will send you a decryptor! >>> Your personal ID: 5ZY4-HSUI-YKHT-PFPN <<<

Emails

[email protected]

Targets

- Target
  
  konets.exe
- Size
  
  17KB
- MD5
  
  6a178845e4b33de30efcdcf7b4e128be
- SHA1
  
  2f144879ef702ce6fe75515240c9add67b5945ea
- SHA256
  
  41b93a574bb612aa155054a537fe86be308ece7c10764a1f57ce01f894848f7c
- SHA512
  
  c1e6db9afb21263b47466636d23775a6aaa88a43903fdfa26952b831bc369cef59ae9200ee0466c7869e748192756d19ed6c717403a05622cc3a0ef0104574a8
- SSDEEP
  
  192:v6e44RTHEdAppUxevrtachyQpYtXz3usVccmDesQ5tf3XNGlraivR5uQpI:v6eFZLpuABbyQCRq6sW2amNp
Score

10^/10

ransomware spyware stealer
- Renames multiple (4956) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Renames multiple (4956) files with added filename extension

Drops file in Drivers directory

Drops startup file

Reads user/profile data of web browsers

Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2