General

  • Target

    05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767

  • Size

    439KB

  • Sample

    240810-r97hhathml

  • MD5

    95d8ef6aaeae33dae91636b2bde473b8

  • SHA1

    6e79574a1fd0af774f985b3fcf646039d30cc7e8

  • SHA256

    05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767

  • SHA512

    2982681c763db9dc3af710db4d8ba260d8c5591a37a9df13529a4e7a0a08cfd7fd6dbde5c6922b69baeeaf3222212a6697cf961304ec386e1dd5f5b022e13061

  • SSDEEP

    6144:XsaeVjbUSAODc/mDHJKzBJvPKcQQfHAijx7TSig0yw6J:XsamHDDpuBhKX2jlGiyw6

Malware Config

Extracted

Path

C:\HdbtqCuyh.README.txt

Ransom Note

[Your Files Have Been Encrypted]

Hello, Your files have been encrypted with strong encryption algorithms. To regain access to your data, you need to follow the instructions below:

Do Not Attempt to Recover Your Files: Any attempt to recover your files using third-party tools will result in permanent data loss.

Pay the Ransom: You must pay a ransom of 1 Bitcoin to receive the decryption key. Payment must be made within 72 hours to avoid data loss.

Contact Us on Telegram: To get the payment details and further instructions, contact us via Telegram at @BIBIL_0DAY.

Decryption Key: After payment is confirmed, we will send you the decryption key and instructions on how to unlock your files.

Warning: If you do not contact us or pay within the given timeframe, your data will be permanently lost. Do not attempt to contact us via any other means. We will not respond. Your encrypted files are your responsibility.

Telegram Username: @BIBIL_0DAY
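
The extracted path and note above are what a responder looks for on a mounted volume of an affected host: the note itself, and the contact and payment details inside it. The following script is an added example written for this report, not sandbox or malware code. It uses an excerpt of the note quoted above as its sample input; the directory layout, the benign README, the `.enc` data file, the marker phrases and the regular expressions are constructed here for the demonstration.

```python
"""Find ransom notes on a mounted volume and pull the payment/contact
details out of them. Added example written for this report, not sandbox
or malware code. The note text is the one quoted above; the directory
layout, the benign README and the markers/regexes are constructed here."""
import os
import re
import tempfile

# Excerpt of the note quoted in this report (sentences the extractors key on).
REPORT_NOTE_EXCERPT = (
    "[Your Files Have Been Encrypted] Hello, Your files have been encrypted "
    "with strong encryption algorithms. Pay the Ransom: You must pay a ransom "
    "of 1 Bitcoin to receive the decryption key. Payment must be made within "
    "72 hours to avoid data loss. Contact Us on Telegram: contact us via "
    "Telegram at @BIBIL_0DAY. Warning: your data will be permanently lost. "
    "Telegram Username: @BIBIL_0DAY"
)

# Phrases characteristic of ransom notes; a file must hit MIN_HITS of them
# to be reported on content alone, so ordinary READMEs are not flagged.
NOTE_MARKERS = ("files have been encrypted", "decryption key", "pay",
                "bitcoin", "telegram", "permanently lost")
MIN_HITS = 3
# Name pattern of the note in this report (C:\HdbtqCuyh.README.txt).
NOTE_NAME = re.compile(r"\.README\.txt$", re.IGNORECASE)

TELEGRAM_RE = re.compile(r"@[A-Za-z0-9_]{5,32}")
RANSOM_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:bitcoin|btc)\b", re.IGNORECASE)
DEADLINE_RE = re.compile(r"within\s+(\d+)\s*hours", re.IGNORECASE)


def note_score(text: str) -> int:
    """Number of ransom-note markers present in the text."""
    lower = text.lower()
    return sum(1 for marker in NOTE_MARKERS if marker in lower)


def extract_note_config(text: str) -> dict:
    """Contact handles, demanded amount and deadline from a note body."""
    amount = RANSOM_RE.search(text)
    deadline = DEADLINE_RE.search(text)
    return {
        "telegram": sorted(set(TELEGRAM_RE.findall(text))),
        "ransom_btc": float(amount.group(1)) if amount else None,
        "deadline_hours": int(deadline.group(1)) if deadline else None,
    }


def find_ransom_notes(root: str) -> list[dict]:
    """Walk root and report files that match the note name pattern or whose
    content scores as a note (catches notes dropped under other names)."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read(65536)  # notes are small; cap reads
            except OSError:
                continue
            score = note_score(text)
            if NOTE_NAME.search(name) or score >= MIN_HITS:
                found.append({"path": path, "score": score,
                              **extract_note_config(text)})
    return found


def build_sample_tree(base: str) -> str:
    """Constructed volume: the report's note at the root, a benign README
    and an opaque data file with a constructed '.enc' extension."""
    docs = os.path.join(base, "Users", "bob", "Documents")
    os.makedirs(docs)
    with open(os.path.join(base, "HdbtqCuyh.README.txt"), "w") as fh:
        fh.write(REPORT_NOTE_EXCERPT)
    with open(os.path.join(base, "Users", "bob", "README.txt"), "w") as fh:
        fh.write("Build notes: run make, then pay attention to test output.\n")
    with open(os.path.join(docs, "q3-budget.xlsx.enc"), "wb") as fh:
        fh.write(os.urandom(64))
    return base


def demo() -> list[dict]:
    """Run the scan over the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_ransom_notes(build_sample_tree(tmp))


if __name__ == "__main__":
    for note in demo():
        print(note)
```

Point `find_ransom_notes` at the root of a mounted image to run it for real. The content score exists because the note name is per-sample (here `HdbtqCuyh`) and a name-only rule misses notes dropped under other names; the benign README in the constructed tree hits only one marker and is not reported.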

Targets

    • Target

      05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767

    • Renames multiple (601) files with added filename extension

      Consistent with ransomware encrypting files on the system and marking each one with an appended extension.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution by locale.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calling NtSetInformationThread with the ThreadHideFromDebugger class stops the thread from delivering debug events, a common anti-debugging technique.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is characteristic of process hollowing and other code-injection techniques.
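
The signatures above are derived from the process, file, registry and API events recorded during the run. The following script is an added example written for this report, not the sandbox's own rule set, showing how each listed signature can be expressed as a rule over such a trace. The event schema, the rename threshold, the registry value assumed for the location check (`Control Panel\International\Geo\Nation`) and the sample trace are all constructed here; `THREAD_HIDE_FROM_DEBUGGER = 0x11` is the documented THREADINFOCLASS value.

```python
"""Derive the behavioural signatures listed above from a process event
trace, the way a sandbox rule set does. Added example written for this
report; the event schema, thresholds, registry value and the trace itself
are constructed here and are not the sandbox's own rules or data."""
from collections import Counter

SAMPLE_PID = 1000
RENAME_THRESHOLD = 20               # constructed: renames needed to fire the signature
SYSTEM32 = "c:\\windows\\system32\\"
# Registry value holding the configured country (GeoID); assumed to be
# what "Checks computer location settings" keys on.
GEO_NATION = "\\control panel\\international\\geo\\nation"
THREAD_HIDE_FROM_DEBUGGER = 0x11    # THREADINFOCLASS value for NtSetInformationThread


def added_extension_renames(events):
    """Count renames where the new name is the old name plus one extension."""
    exts = Counter()
    for e in events:
        if e["op"] != "file_rename":
            continue
        old, new = e["src"].lower(), e["dst"].lower()
        tail = new[len(old):]
        if new.startswith(old + ".") and "." not in tail[1:]:
            exts[tail] += 1
    return exts


def signatures(events, sample_pid):
    """Return the ordered, de-duplicated list of signature names that fire."""
    sample_image = next(e["image"].lower() for e in events
                        if e["op"] == "process_create" and e["pid"] == sample_pid)
    # Paths the sample wrote; a later process_create from one of them is a dropped EXE.
    written = {e["path"].lower() for e in events
               if e["op"] == "file_write" and e["pid"] == sample_pid}
    hits = []
    renamed = sum(added_extension_renames(events).values())
    if renamed >= RENAME_THRESHOLD:
        hits.append(f"Renames multiple ({renamed}) files with added filename extension")
    for e in events:
        op = e["op"]
        if op == "reg_read" and e["key"].lower().endswith(GEO_NATION):
            hits.append("Checks computer location settings")
        elif op == "file_delete" and e["path"].lower() == sample_image:
            hits.append("Deletes itself")
        elif op == "process_create" and e["image"].lower() in written:
            hits.append("Executes dropped EXE")
        elif op == "file_write" and e["path"].lower().startswith(SYSTEM32):
            hits.append("Drops file in System32 directory")
        elif op == "api" and e["name"] == "NtSetInformationThread" \
                and e["args"].get("class") == THREAD_HIDE_FROM_DEBUGGER:
            hits.append("Suspicious use of NtSetInformationThreadHideFromDebugger")
        elif op == "api" and e["name"] == "SetThreadContext" \
                and e["args"].get("target_pid") != e["pid"]:
            hits.append("Suspicious use of SetThreadContext")
    return list(dict.fromkeys(hits))


def sample_trace():
    """Constructed trace mirroring the behaviour this report lists."""
    ev = [
        {"op": "process_create", "pid": SAMPLE_PID, "image": r"C:\Users\bob\Downloads\sample.exe"},
        {"op": "reg_read", "pid": SAMPLE_PID, "key": r"HKCU\Control Panel\International\Geo\Nation"},
        {"op": "api", "pid": SAMPLE_PID, "name": "NtSetInformationThread", "args": {"class": 0x11}},
        {"op": "file_write", "pid": SAMPLE_PID, "path": r"C:\Windows\System32\helper.exe"},
        {"op": "process_create", "pid": 1001, "image": r"C:\Windows\System32\helper.exe"},
        {"op": "api", "pid": 1001, "name": "SetThreadContext", "args": {"target_pid": 1002}},
    ]
    for i in range(25):
        doc = rf"C:\Users\bob\Documents\report{i}.docx"
        ev.append({"op": "file_rename", "pid": SAMPLE_PID, "src": doc, "dst": doc + ".locked"})
    ev.append({"op": "file_write", "pid": SAMPLE_PID, "path": r"C:\HdbtqCuyh.README.txt"})
    ev.append({"op": "file_delete", "pid": 1003, "path": r"C:\Users\bob\Downloads\sample.exe"})
    return ev


if __name__ == "__main__":
    for name in signatures(sample_trace(), SAMPLE_PID):
        print(name)
```

The self-deletion rule deliberately does not require the deleting process to be the sample itself, since self-deletion is usually done by a child such as a command interpreter after the sample exits. The rename rule is the one with the most signal: the count in this report (601) is far above anything a legitimate installer produces, and the appended extension it collects identifies the family's marker.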
