2da6d93efe7fc2ab087bf01fc694c1f37eec035c602eedd7d4daeb16490caba6

General

Target

2da6d93efe7fc2ab087bf01fc694c1f37eec035c602eedd7d4daeb16490caba6
Size

426KB
Sample

240908-vnyv1szelc
MD5

b399997b278a10fb7b686c5cbbb4a7f9
SHA1

679847a9de253d364418a968e8e152717f9f17cc
SHA256

2da6d93efe7fc2ab087bf01fc694c1f37eec035c602eedd7d4daeb16490caba6
SHA512

cdcb0a0d16ae9a97763dd375767b4d859dee297fcfa03f5fc17ee4a30508d64ac643b65f0ab1c2f56b4376a049c69b34c4b16006a9bec33d9c183d1121db7535
SSDEEP

3072:2Xs5ezE4pVIYbQf91G3im/2Ef07JysgymgqkRDoUAXxty+yPjZOZugRhy1CCjEBY:KLpVZgxq4+pugRJB7b8XT

Score

10^/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Read_Me.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://alcx6zctcmhmn3kx.onion/?YJJJJJJJ 5. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/

URLs

http://alcx6zctcmhmn3kx.onion/?YJJJJJJJ

http://helpqvrg3cc5mvb3.onion/

Extracted

Path

C:\Program Files\Common Files\microsoft shared\ClickToRun\Read_Me.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://alcx6zctcmhmn3kx.onion/?MEFHIKMN 5. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/

URLs

http://alcx6zctcmhmn3kx.onion/?MEFHIKMN

http://helpqvrg3cc5mvb3.onion/

Targets

- Target
  
  2da6d93efe7fc2ab087bf01fc694c1f37eec035c602eedd7d4daeb16490caba6
- Size
  
  426KB
- MD5
  
  b399997b278a10fb7b686c5cbbb4a7f9
- SHA1
  
  679847a9de253d364418a968e8e152717f9f17cc
- SHA256
  
  2da6d93efe7fc2ab087bf01fc694c1f37eec035c602eedd7d4daeb16490caba6
- SHA512
  
  cdcb0a0d16ae9a97763dd375767b4d859dee297fcfa03f5fc17ee4a30508d64ac643b65f0ab1c2f56b4376a049c69b34c4b16006a9bec33d9c183d1121db7535
- SSDEEP
  
  3072:2Xs5ezE4pVIYbQf91G3im/2Ef07JysgymgqkRDoUAXxty+yPjZOZugRhy1CCjEBY:KLpVZgxq4+pugRJB7b8XT
Score

10^/10

discovery persistence ransomware
- Renames multiple (8834) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2