General

  • Target

    2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside

  • Size

    146KB

  • Sample

    240910-mr8kma1eng

  • MD5

    04e651e75deb8edc024b8295532f5d3f

  • SHA1

    d8660e404e98db706ae3b74fbb04d08a2ac7130b

  • SHA256

    3934455289f9b1a4d37c785c89e8c177c58e20406e6f1a825b3b2ae19d665da2

  • SHA512

    b1b46d0fb381ecb15aff708c0751cff95992b15d897602cc119590f6c1ce13b2e88b8c862dfc1e8bdd8c7b96a5eb3bb0eafb2f3b0a2e8485dd2257888cb19b6f

  • SSDEEP

    3072:mqJogYkcSNm9V7Db/aSG5HF5v5pANOhKT:mq2kc4m9tDvQHF5Xt

Malware Config

Extracted

Path

C:\HdbtqCuyh.README.txt

Ransom Note

[Your Files Have Been Encrypted]

Hello,

Your files have been encrypted with strong encryption algorithms. To regain access to your data, you need to follow the instructions below:

Do Not Attempt to Recover Your Files: Any attempt to recover your files using third-party tools will result in permanent data loss.

Pay the Ransom: You must pay a ransom of 1 Bitcoin to receive the decryption key. Payment must be made within 72 hours to avoid data loss.

Contact Us on Telegram: To get the payment details and further instructions, contact us via Telegram at @BIBIL_0DAY.

Decryption Key: After payment is confirmed, we will send you the decryption key and instructions on how to unlock your files.

Warning: If you do not contact us or pay within the given timeframe, your data will be permanently lost. Do not attempt to contact us via any other means. We will not respond. Your encrypted files are your responsibility.

Telegram Username: @BIBIL_0DAY

Targets

    • Target

      2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside

    • Renames multiple (326) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class, which stops the calling thread from delivering debug events to an attached debugger; a common anti-debugging technique.
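The "Renames multiple (326) files with added filename extension" signature and the extracted note path C:\HdbtqCuyh.README.txt together describe the behaviour a host-based detection can key on: a burst of renames that append one new extension, followed by a ransom note with a random alphabetic stem and a fixed ".README.txt" suffix. The Python below is an added example, not code from the sandbox or the report. The file events are constructed here to mirror the report (a real feed would be Sysmon file-create/rename events or EDR telemetry); the appended extension ".HdbtqCuyh", the 6-12 character stem length in the note regex, and the 20-renames-in-60-seconds threshold are assumptions for illustration.

```python
"""Flag the mass-rename + ransom-note pattern over file-system events (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class FileEvent:
    ts: float                       # seconds since epoch
    op: str                         # "rename" or "create"
    path: str                       # path before the operation, or the created path
    new_path: Optional[str] = None  # target path, renames only

# Note filename shape from this report (HdbtqCuyh.README.txt): alphabetic stem + ".README.txt".
# The 6-12 length bound on the stem is an assumption, not something the report states.
NOTE_RE = re.compile(r"^[A-Za-z]{6,12}\.README\.txt$")

def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]

def added_extension(old: str, new: str) -> Optional[str]:
    """Return ext when new == old + '.' + ext (a single appended extension), else None."""
    if not new.startswith(old + "."):
        return None
    ext = new[len(old) + 1:]
    if not ext or re.search(r"[\\/.]", ext):
        return None
    return ext

def detect(events: List[FileEvent], window_s: float = 60.0, min_renames: int = 20) -> list:
    """One 'mass_rename' finding per extension gained by >= min_renames files inside window_s
    seconds (sliding window), plus one 'ransom_note' finding per created file matching NOTE_RE."""
    findings = []
    by_ext = {}
    for e in events:
        if e.op == "rename" and e.new_path:
            ext = added_extension(e.path, e.new_path)
            if ext:
                by_ext.setdefault(ext.lower(), []).append(e.ts)
    for ext, times in by_ext.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window_s:
                lo += 1
            if hi - lo + 1 >= min_renames:
                findings.append({"type": "mass_rename", "extension": ext, "count": len(times),
                                 "first_ts": times[0], "last_ts": times[-1]})
                break
    for e in events:
        if e.op == "create" and NOTE_RE.match(basename(e.path)):
            findings.append({"type": "ransom_note", "path": e.path})
    return findings

def build_sample_events() -> List[FileEvent]:
    """Constructed telemetry (not from the report): 40 documents gain '.HdbtqCuyh' within 30 s,
    two benign renames that must not fire, and the note dropped at the root as in the report."""
    base = 1_725_940_000.0
    events = []
    for i in range(40):
        old = fr"C:\Users\alice\Documents\report{i:03d}.docx"
        events.append(FileEvent(base + i * 0.75, "rename", old, old + ".HdbtqCuyh"))
    events.append(FileEvent(base + 5.0, "rename", r"C:\Users\alice\notes.txt", r"C:\Users\alice\notes_old.txt"))
    events.append(FileEvent(base + 9.0, "rename", r"C:\Temp\build.log", r"C:\Temp\build.log.bak"))
    events.append(FileEvent(base + 31.0, "create", r"C:\HdbtqCuyh.README.txt"))
    events.append(FileEvent(base + 32.0, "create", r"C:\Users\alice\Documents\HdbtqCuyh.README.txt"))
    return events

if __name__ == "__main__":
    for finding in detect(build_sample_events()):
        print(finding)
```

The single "build.log" to "build.log.bak" rename is the kind of benign appended extension that a naive per-file rule would flag; requiring many files to gain the same extension inside a short window keeps it below threshold while the 40-file burst still fires. Tune the window and count to the host's normal churn and pair the rename rule with the note rule, since the note alone is cheap for an operator to rename but the mass rename is the behaviour that does the damage.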

MITRE ATT&CK Enterprise v15