7d1d299ab02045a320bf42f47e74b1f8e846ef5f9b6bf8395760207c2ce886ab

General

Target

7d1d299ab02045a320bf42f47e74b1f8e846ef5f9b6bf8395760207c2ce886ab
Size

192KB
Sample

240920-r6p42ssalc
MD5

156b09d46b8da539df1e85a0b25badb2
SHA1

98ba6441f1a701a6c3242c65c84efeccdd463058
SHA256

7d1d299ab02045a320bf42f47e74b1f8e846ef5f9b6bf8395760207c2ce886ab
SHA512

a962489357e6678571ed04a0dd119eef31560436efafb989d6bf9f20fce77f077981938eb73a575995996481465e41f863b3ecc76973763bea73367235f43fb2
SSDEEP

3072:U4hmS2KXMEsrQLOJgY8Zp8LHD4XWaNH71dLdG1iiFM2Z1uhQ5lF0KvNZH+zGmpMY:ES2KXXsrQLOJgpZp8LHD4GaNH71dLdGG

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files\7-Zip\readme_for_unlock.txt

Ransom Note

!!! ATTENTION !!! Your network is hacked and files are encrypted. Including the encrypted data we also downloaded other confidential information: Data of your employees, customers, partners, as well as accounting and other internal documentation of your company. All data is stored until you will pay. After payment we will provide you the programs for decryption and we will delete your data. If you refuse to negotiate with us (for any reason) all your data will be put up for sale. What you will face if your data gets on the black market: 1) The personal information of your employees and customers may be used to obtain a loan or purchases in online stores. 2) You may be sued by clients of your company for leaking information that was confidential. 3) After other hackers obtain personal data about your employees, social engineering will be applied to your company and subsequent attacks will only intensify. 4) Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered. 5) You will forever lose the reputation. 6) You will be subject to huge fines from the government. You can learn more about liability for data loss here: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation https://gdpr-info.eu/ Courts, fines and the inability to use important files will lead you to huge losses. The consequences of this will be irreversible for you. Contacting the police will not save you from these consequences, but will only make your situation worse. You can get out of this situation with minimal losses To do this you must strictly observe the following rules: DO NOT Modify, DO NOT rename, DO NOT copy, DO NOT move any files. Such actions may DAMAGE them and decryption will be impossible. DO NOT use any third party or public decryption software, it may also DAMAGE files. DO NOT Shutdown or Reboot the system this may DAMAGE files. DO NOT hire any third party negotiators (recovery/police, etc.) You need to contact us as soon as possible and start negotiations. Instructions for contacting our team: Download & Install TOR browser: https://torproject.org For contact us via LIVE CHAT open our > Website: http://fvfk3ckwdekoz3jrjwcgvmlh2xt7xl5t5rcniheahn26lz7ybvgnggad.onion > Login: CLIENT > Password: o82YDy5bSZ76VqD8pH6m If Tor is restricted in your area, use VPN��

URLs

https://gdpr-info.eu/

http://fvfk3ckwdekoz3jrjwcgvmlh2xt7xl5t5rcniheahn26lz7ybvgnggad.onion

Targets

- Target
  
  7d1d299ab02045a320bf42f47e74b1f8e846ef5f9b6bf8395760207c2ce886ab
- Size
  
  192KB
- MD5
  
  156b09d46b8da539df1e85a0b25badb2
- SHA1
  
  98ba6441f1a701a6c3242c65c84efeccdd463058
- SHA256
  
  7d1d299ab02045a320bf42f47e74b1f8e846ef5f9b6bf8395760207c2ce886ab
- SHA512
  
  a962489357e6678571ed04a0dd119eef31560436efafb989d6bf9f20fce77f077981938eb73a575995996481465e41f863b3ecc76973763bea73367235f43fb2
- SSDEEP
  
  3072:U4hmS2KXMEsrQLOJgY8Zp8LHD4XWaNH71dLdG1iiFM2Z1uhQ5lF0KvNZH+zGmpMY:ES2KXXsrQLOJgpZp8LHD4GaNH71dLdGG
Score

10^/10

credential_access defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (8179) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
behavioral1 behavioral2