Resubmissions

12-09-2024 04:11

240912-er3qda1bjd 10

06-09-2024 04:08

240906-eqgfrawcmg 10

05-09-2024 07:05

240905-hwwpeavfjj 10

General

  • Target

    ja.salivan.exe

  • Size

    92KB

  • Sample

    240906-eqgfrawcmg

  • MD5

    f25b8c72c61c734bbf4ee7cbffda3d48

  • SHA1

    5b725dbebfd73c95067cc40c904dd981a5f1ce22

  • SHA256

    ce371f9f9c2446ca5d84e5df4bd8562247c198310b81e577fa4afc2398795438

  • SHA512

    e63183995e9e3950790266f71130fcabe3d4e9d7e270b1f72116323e16f31a6f51a4d96d268dbc1fdc3ad2375ad20e7dc0b1572a5a7bedb54209afc3dcb7d8d8

  • SSDEEP

    1536:mBwl+KXpsqN5vlwWYyhY9S4A5qERXCE5uodtYr2I41:Qw+asqN5aW/hLn9Ry6bC2f1

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! Don't worry, you can return all your files! If you want to restore them, write to the mail: [email protected] YOUR ID [email protected] Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 3Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      ja.salivan.exe

    • Size

      92KB

    • MD5

      f25b8c72c61c734bbf4ee7cbffda3d48

    • SHA1

      5b725dbebfd73c95067cc40c904dd981a5f1ce22

    • SHA256

      ce371f9f9c2446ca5d84e5df4bd8562247c198310b81e577fa4afc2398795438

    • SHA512

      e63183995e9e3950790266f71130fcabe3d4e9d7e270b1f72116323e16f31a6f51a4d96d268dbc1fdc3ad2375ad20e7dc0b1572a5a7bedb54209afc3dcb7d8d8

    • SSDEEP

      1536:mBwl+KXpsqN5vlwWYyhY9S4A5qERXCE5uodtYr2I41:Qw+asqN5aW/hLn9Ry6bC2f1

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (317) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks