General

  • Target

    mallox_poss_18717826374.zip

  • Size

    1.4MB

  • Sample

    240826-tqtteatajf

  • MD5

    bfea7bb766ed582c9ab1c2d510c7515f

  • SHA1

    f7d4c015b49dc50c973498d1c139fbc63c108aa1

  • SHA256

    26d9af84cabb56e8755bb9b8fdeb70f731afbb1da70c543effc63450e9a13018

  • SHA512

    2b77df777a85fdaf826bbbe0436a95e1e3bf503e02e137065a2a56dbd0be531dafb7527080a5c7e38ef0aa0938d0e9ddd1574c9118dc8c101771b56fd5ef0f81

  • SSDEEP

    24576:htcnuAVrmmby7CVRpLoJahQXuxvMsYMMZ9lOFyRyubGEEW1OIfuhFosCKYf:AnuAAOK7Xa0s4ZXOkRyupEW1v2hFosO

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\How to decrypt files.txt

Family

targetcompany

Ransom Note

Your personal identifier: TIF3MW2QALL

All files on Take It For Granit, INC. network have been encrypted due to insufficient security. The only way to quickly and reliably regain access to your files is to contact us. The price depends on how fast you write to us. In other cases, you risk losing your time and access to data. Usually time is much more valuable than money.

FAQ

Q: How to contact us
A:
* Download Tor Browser - https://www.torproject.org/
* Open link in Tor Browser http://w3nrsbh4n35dkujnho3yiv5ocntimv5nb3jg5fggvgw3dwrzdnmtlaqd.onion/TIF3MW2QALL
* Follow the instructions on the website.

Q: What guarantees?
A: Before paying, we can decrypt several of your test files. Files should not contain valuable information.

Q: Can I decrypt my data for free or through intermediaries?
A: Use third party programs and intermediaries at your own risk. Third party software may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.

URLs

http://w3nrsbh4n35dkujnho3yiv5ocntimv5nb3jg5fggvgw3dwrzdnmtlaqd.onion/TIF3MW2QALL
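
The note above carries two indicators worth pulling out during triage: the per-victim identifier and the .onion contact URL, whose path repeats that identifier. The script below is an added example (not the sandbox's own config extractor) that extracts both from the note text quoted in this report, separates onion from clearnet URLs, checks that the onion hostname has the 56-character base32 shape of a v3 address, and confirms the identifier appears in the URL path. The NOTE constant is an excerpt of the note as extracted above, not constructed data.

```python
"""Pull the victim identifier and the onion contact URL out of the ransom
note and check they agree. Added example, not the sandbox's own config
extractor; the note excerpt below is quoted from this report."""
import re

NOTE = (
    "Your personal identifier: TIF3MW2QALL All files on Take It For Granit, INC. "
    "network have been encrypted due to insufficient security. "
    "* Download Tor Browser - https://www.torproject.org/ "
    "* Open link in Tor Browser "
    "http://w3nrsbh4n35dkujnho3yiv5ocntimv5nb3jg5fggvgw3dwrzdnmtlaqd.onion/TIF3MW2QALL "
    "* Follow the instructions on the website."
)

ID_RE = re.compile(r"Your personal identifier:\s*([A-Z0-9]+)")
URL_RE = re.compile(r"https?://\S+")
# A v3 onion hostname is 56 base32 characters (a-z, 2-7) before ".onion".
ONION_V3_LABEL = re.compile(r"^[a-z2-7]{56}$")


def extract_note_iocs(note):
    """Return victim id, clearnet URLs, onion URLs and per-onion checks."""
    m = ID_RE.search(note)
    victim_id = m.group(1) if m else None
    clearnet, onion, checks = [], [], []
    for url in URL_RE.findall(note):
        url = url.rstrip(".,;)")  # strip trailing punctuation glued to the URL
        host = re.sub(r"^https?://", "", url).split("/", 1)[0]
        if not host.endswith(".onion"):
            clearnet.append(url)
            continue
        onion.append(url)
        checks.append({
            "url": url,
            "v3_format": ONION_V3_LABEL.match(host[:-len(".onion")]) is not None,
            # the path carrying the victim id ties this note to this victim
            "carries_victim_id": victim_id is not None
                                 and url.rstrip("/").endswith("/" + victim_id),
        })
    return {"victim_id": victim_id, "clearnet_urls": clearnet,
            "onion_urls": onion, "onion_checks": checks}


if __name__ == "__main__":
    print(extract_note_iocs(NOTE))
```

The clearnet hit (the Tor Project download page) is not an indicator of compromise on its own; keep it separate from the onion URL when feeding results into blocklists.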

Targets

    • Target

      352f00d2c53b14d500cc182b1e14954df25a6ff9171b50aacd4a981ebe03246a

    • Size

      2.6MB

    • MD5

      c1227e81e0fb3339d0aa7b039758f6bc

    • SHA1

      07e72d41e6fc806a5153138eb4aef0c969022ecb

    • SHA256

      352f00d2c53b14d500cc182b1e14954df25a6ff9171b50aacd4a981ebe03246a

    • SHA512

      9c714ff05ecc51eabe5239fcac65d8e21e3bd84a743d27a9fb9f70b4a0d244978fc18f41a6c713f870886c793963ea089c4ac3fe19a2e4a2feb7dd5339b03467

    • SSDEEP

      49152:pLgNjaYPW2p7+m5zx21dXIMHPnxYTIFtfy//mghqI6MAmTZiuRySfa8GIBbE:pL0xPGdaMFe5faSbE

    Score: 1/10

    • Target

      db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe

    • Size

      125KB

    • MD5

      b13a1e9c7ef5a51f64a58bae9b508e62

    • SHA1

      e232747c02b5cab0a414190a0d8438f5be042000

    • SHA256

      db12aacbc394e441e23c1e1d9ce25ca354a554d7362b399e6d0e33770f0e98fe

    • SHA512

      3f42f81505693089dc2595976c523f1568aee6cbe2565ba16b3e4b43a06b2533b4f2c63ba90afc2637380a32fbc5dd09b70e84ff932fe90482e0da84c0571afe

    • SSDEEP

      3072:GA1PPaKgKdZqTXKopLuLgdgjgVE0e95NlmD:G6CKg8ZqTvpyLgd0gVqdE

    • TargetCompany,Mallox

      TargetCompany (aka Mallox) is a ransomware family that encrypts files using a combination of ChaCha20, AES-128, and Curve25519; it was first seen in June 2021.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (6884) files with added filename extension

      This suggests ransomware activity, i.e. bulk encryption of files across the system, each tagged with a new extension.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
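
Three of the behaviours listed above (shadow copy deletion, BCD modification via bcdedit, and mass renaming with an appended extension) are the ones a detection engineer would want to catch before the encryption run finishes. The script below is an added example, not the sandbox's own signatures: it implements those three rules over constructed process-creation and file-rename events in a simplified record shape. The report does not show the command lines this sample ran, so the vssadmin, wmic and bcdedit patterns are the commonly observed forms (an assumption), the rename threshold of 100 is an assumption to tune, and ".locked" is a placeholder extension since the report does not state which one the sample appends.

```python
"""Detection logic for the behaviours this report lists (shadow copy
deletion, BCD tampering via bcdedit, mass rename with an added extension).
Added example, not the sandbox's own signatures. Event records below use a
simplified, constructed shape; map the fields onto your own telemetry."""
import re
from collections import Counter, defaultdict

# The report says the sample deletes shadow copies and modifies boot
# configuration data, but does not show the command lines, so these are
# the commonly observed forms (assumption), not strings from the sample.
SHADOW_COPY_DELETE = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]
BCDEDIT_TAMPER = [
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
]


def classify_process(cmdline):
    """Names of the rules one process command line matches."""
    hits = []
    if any(p.search(cmdline) for p in SHADOW_COPY_DELETE):
        hits.append("deletes_shadow_copies")
    if any(p.search(cmdline) for p in BCDEDIT_TAMPER):
        hits.append("modifies_bcd")
    return hits


def added_extension(old, new):
    """True when new is old plus one appended '.ext', the rename shape the
    report counts (6884 files), as opposed to a replaced extension."""
    return new.startswith(old) and re.fullmatch(r"\.[A-Za-z0-9_]+", new[len(old):]) is not None


def mass_rename_offenders(rename_events, threshold=100):
    """{pid: (count, ext)} for processes that appended the same extension to
    at least `threshold` files. The threshold is an assumption; tune it."""
    per_pid = defaultdict(Counter)
    for ev in rename_events:
        if added_extension(ev["old"], ev["new"]):
            per_pid[ev["pid"]][ev["new"][len(ev["old"]):]] += 1
    offenders = {}
    for pid, exts in per_pid.items():
        ext, count = exts.most_common(1)[0]
        if count >= threshold:
            offenders[pid] = (count, ext)
    return offenders


def triage(process_events, rename_events):
    """Per-pid set of matched rules; several hits on one pid is the signal."""
    verdict = defaultdict(set)
    for ev in process_events:
        for rule in classify_process(ev["cmdline"]):
            verdict[ev["pid"]].add(rule)
    for pid, (count, ext) in mass_rename_offenders(rename_events).items():
        verdict[pid].add(f"mass_rename:{count}:{ext}")
    return dict(verdict)


# Constructed sample telemetry: pid 1200 behaves like the sample, the
# others are benign admin activity and an ordinary extension swap.
PROCESS_EVENTS = [
    {"pid": 1200, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 1200, "cmdline": "wmic shadowcopy delete"},
    {"pid": 1200, "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 1200, "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 1300, "cmdline": "vssadmin.exe list shadows"},
    {"pid": 1400, "cmdline": "bcdedit /enum"},
]


def build_rename_events():
    """Constructed rename events; '.locked' is a placeholder extension, the
    report does not state the one this sample appends."""
    events = []
    for i in range(150):
        old = f"C:\\Users\\Admin\\Documents\\report{i}.docx"
        events.append({"pid": 1200, "old": old, "new": old + ".locked"})
    for i in range(3):
        old = f"C:\\Users\\Admin\\Downloads\\file{i}.tmp"
        events.append({"pid": 1500, "old": old, "new": old[:-4] + ".bak"})
    return events


if __name__ == "__main__":
    for pid, rules in triage(PROCESS_EVENTS, build_rename_events()).items():
        print(pid, sorted(rules))
```

The per-pid aggregation matters: `vssadmin list shadows` or `bcdedit /enum` alone are routine administration, but one process that deletes shadow copies, disables recovery and then appends the same extension to hundreds of files is the pattern this report describes.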

MITRE ATT&CK Enterprise v15

Tasks