Overview

overview

10

Static

static

10

2024-08-16...de.exe

windows7-x64

10

2024-08-16...de.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2024-08-16_1e2322b24277332e0ab810551c8f87b9_darkside

  • Size

    146KB

  • Sample

    240816-atrzfayfqp

  • MD5

    1e2322b24277332e0ab810551c8f87b9

  • SHA1

    9ea390d9770f47be36cb8c405da0b9fe459921f0

  • SHA256

    c4630ec569053d88fe906f935f6164ea8facf90e56e412d3bf8bdcf2ccda3518

  • SHA512

    8fb18e9a2c2c761544e0fb9fffb71d620dc06ceadfdfc7e3006f9f810a79a10c6fd3ffbc33c87f0600c4b9ac9168a4b23496bfe83e5949b7b9feaeb45e36a244

  • SSDEEP

    3072:R6glyuxE4GsUPnliByocWepnspQclM2F0pV0J27z:R6gDBGpvEByocWeJZEMnuJ2

Score
10/10
lockbitdefense_evasiondiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\qMRzgE1NN.README.txt

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: [email protected] Write YOUR ID FF4165CAFD8295DF9DA85FE1B3FE0EF5 in the message! If there is no response, write here: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 3 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/

Extracted

Path

C:\qMRzgE1NN.README.txt

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: [email protected] Write YOUR ID FF4165CAFD8295DF72B5B8D59BA26D4B in the message! If there is no response, write here: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 3 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/

Targets

    • Target

      2024-08-16_1e2322b24277332e0ab810551c8f87b9_darkside

    • Size

      146KB

    • MD5

      1e2322b24277332e0ab810551c8f87b9

    • SHA1

      9ea390d9770f47be36cb8c405da0b9fe459921f0

    • SHA256

      c4630ec569053d88fe906f935f6164ea8facf90e56e412d3bf8bdcf2ccda3518

    • SHA512

      8fb18e9a2c2c761544e0fb9fffb71d620dc06ceadfdfc7e3006f9f810a79a10c6fd3ffbc33c87f0600c4b9ac9168a4b23496bfe83e5949b7b9feaeb45e36a244

    • SSDEEP

      3072:R6glyuxE4GsUPnliByocWepnspQclM2F0pV0J27z:R6gDBGpvEByocWeJZEMnuJ2

    Score
    10/10
    defense_evasiondiscoveryransomwarespywarestealer

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Renames multiple (7704) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks