General

  • Target

    KatyushaRansomware.bin

  • Size

    2.4MB

  • Sample

    240922-v17npa1fjr

  • MD5

    7f87db33980c0099739de40d1b725500

  • SHA1

    f0626999b7f730f9003ac1389d3060c50068da5a

  • SHA256

    d00ee0e6eab686424f8d383e151d22005f19adbda5b380a75669629e32fe12a6

  • SHA512

    1bf8e63a09ee7618102982a1d8c39c2eada1e7c52452d0cadb0df9010421799171880580dd6e4d5fb371d314ee7676d438ab827ef1695bb9de95835ac7cb47f8

  • SSDEEP

    49152:tzlhgyBIjVpPZHZlPpLPk0vglJIAc/8KYBsxdO0G7x+dP1Y+:zy9jRZlFknvzcEKY8dOD7x8NY

Malware Config

Extracted

Path

C:\_how_to_decrypt_you_files.txt

Ransom Note
=====================================HOW TO DECRYPT YOU FILES====================================
All your documents, photos, databases and other important personal files were encrypted!!
Please send 0.5 bitcoins to my wallet address: 3ALmvAWLEothnMF5BjckAFaKB5S6zan9PK
If you paid, send the ID and IDKEY to my email: [email protected]
I will give you the key and tool
If there is no payment within three days we will no longer support decryption
If you exceed the payment time, your data will be open to the public download
We support decrypting the test file. Send two small than 2 MB files to the email address: [email protected]
Your ID:52424003
Your IDKEY:
================================================================================
rs+Kd8ypWeDvhZsTwzd9Co9H+cD6up9gvtkc1zY819ocbZOMyg8bdK9kyb/uuck+
AmpXLixdcfqVYrFDet1secCoqrK0v2dyWMVZTu1Pu/lQmlYN/k44OwYI49uGhu24
SX5/fMgXhcMGaAJgMyffi1B7lkc2IUKf1Qe1cbrW0vzza5SxJP7bnUQTsluCnzk7
A7ln414JUYdFpX0xBZpyQiraKr1rfKpSzS3xI1bVwGvcZQalnnSv4WlZ4JLYO2iB
pDHcUIWo5sH4UPdyfu96M8RRV73KSOCorxMlmQtNG1K+FSt18vwoCyjRovNNOODd
fhNylKaxmeYnat/bh1ESXA==
================================================================================
Payment site https://www.bithumb.com/
Payment site http://www.coinone.com/
Payment site https://www.gopax.co.kr/
Payment site http://www.localbitcoins.com/
Officail Mail:[email protected]
Emails
Wallets

3ALmvAWLEothnMF5BjckAFaKB5S6zan9PK

URLs

https://www.bithumb.com/

http://www.coinone.com/

https://www.gopax.co.kr/

http://www.localbitcoins.com/

Extracted

Path

C:\_how_to_decrypt_you_files.txt

Ransom Note
=====================================HOW TO DECRYPT YOU FILES====================================
All your documents, photos, databases and other important personal files were encrypted!!
Please send 0.5 bitcoins to my wallet address: 3ALmvAWLEothnMF5BjckAFaKB5S6zan9PK
If you paid, send the ID and IDKEY to my email: [email protected]
I will give you the key and tool
If there is no payment within three days we will no longer support decryption
If you exceed the payment time, your data will be open to the public download
We support decrypting the test file. Send two small than 2 MB files to the email address: [email protected]
Your ID:24221205
Your IDKEY:
================================================================================
s51h8v7ybyp0C0LQ+OcJxh0ml8DI2VIg4gNKHjuusLLQzDFxotgJfpk10m85MDua
bmFyxOgfi9G+hwmYnpCM0BSUWS1U/dZoGjeCewEWmDtZOk8k8v6nOGkZ240ekHLr
kW2GGfXVAg8OXeBGu2l74aVAkeZrYydUwc4PAb/ycUwJ0/c5BWnBRlQE1snOdI84
Cm7AyD70rdy0fPxoyqRC8Ewzzk1F7Cz/ibbxNvueU1r5lS8I3KXSe+u72eI6sa6h
sR0qoFHru1FBySQKvabnAhiintj05t1QJiEuUsO1P3n2M1slOZStEynLV5oEULNn
pTpFcfWIZxFu/xWZX9Glcg==
================================================================================
Payment site https://www.bithumb.com/
Payment site http://www.coinone.com/
Payment site https://www.gopax.co.kr/
Payment site http://www.localbitcoins.com/
Officail Mail:[email protected]
Emails
Wallets

3ALmvAWLEothnMF5BjckAFaKB5S6zan9PK

URLs

https://www.bithumb.com/

http://www.coinone.com/

https://www.gopax.co.kr/

http://www.localbitcoins.com/
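The two extractions above share the wallet, payment URLs and note path but carry different ID / IDKEY pairs, so the per-run values are the ones an analyst has to pull out of each note separately. The following script is an added example, not tooling from the sandbox or from the malware author: it parses the first note shown above (NOTE_52424003, copied from the page with its line breaks restored) and returns the actor-controlled fields plus the decoded length of the IDKEY blob. The e-mail addresses are redacted on the page, so they are left as the "[email protected]" placeholder and not extracted.

```python
"""Extract the actor-controlled values from a Katyusha ransom note.

Added example, not code from the report. NOTE_52424003 is the first note text
shown above; the e-mail addresses are redacted on the page and are not parsed."""
import base64
import re

NOTE_52424003 = """=====================================HOW TO DECRYPT YOU FILES====================================
All your documents, photos, databases and other important personal files were encrypted!!
Please send 0.5 bitcoins to my wallet address: 3ALmvAWLEothnMF5BjckAFaKB5S6zan9PK
If you paid, send the ID and IDKEY to my email: [email protected]
I will give you the key and tool
If there is no payment within three days we will no longer support decryption
If you exceed the payment time, your data will be open to the public download
We support decrypting the test file. Send two small than 2 MB files to the email address: [email protected]
Your ID:52424003
Your IDKEY:
================================================================================
rs+Kd8ypWeDvhZsTwzd9Co9H+cD6up9gvtkc1zY819ocbZOMyg8bdK9kyb/uuck+
AmpXLixdcfqVYrFDet1secCoqrK0v2dyWMVZTu1Pu/lQmlYN/k44OwYI49uGhu24
SX5/fMgXhcMGaAJgMyffi1B7lkc2IUKf1Qe1cbrW0vzza5SxJP7bnUQTsluCnzk7
A7ln414JUYdFpX0xBZpyQiraKr1rfKpSzS3xI1bVwGvcZQalnnSv4WlZ4JLYO2iB
pDHcUIWo5sH4UPdyfu96M8RRV73KSOCorxMlmQtNG1K+FSt18vwoCyjRovNNOODd
fhNylKaxmeYnat/bh1ESXA==
================================================================================
Payment site https://www.bithumb.com/
Payment site http://www.coinone.com/
Payment site https://www.gopax.co.kr/
Payment site http://www.localbitcoins.com/
Officail Mail:[email protected]
"""

RE_AMOUNT = re.compile(r"send\s+([\d.]+)\s+bitcoins", re.I)
RE_WALLET = re.compile(r"wallet address:\s*(\S+)")
RE_ID = re.compile(r"Your ID:\s*(\d+)")
# The IDKEY is a wrapped base64 blob fenced by two lines of '=' and followed
# by the "Payment site" lines; re.S lets '.' span the line breaks.
RE_IDKEY = re.compile(r"Your IDKEY:\s*=+\s*(.*?)\s*=+\s*Payment site", re.S)
RE_URL = re.compile(r"https?://\S+")


def parse_ransom_note(text: str) -> dict:
    """Return victim ID, wallet, amount, IDKEY (re-joined base64 and decoded length)
    and the payment URLs found in a note laid out like the one above."""
    m_amount = RE_AMOUNT.search(text)
    m_wallet = RE_WALLET.search(text)
    m_id = RE_ID.search(text)
    m_key = RE_IDKEY.search(text)
    if not (m_amount and m_wallet and m_id and m_key):
        raise ValueError("text does not match the Katyusha note layout")
    idkey_b64 = "".join(m_key.group(1).split())          # undo the 64-char line wrapping
    idkey = base64.b64decode(idkey_b64, validate=True)   # raises on anything that is not clean base64
    return {
        "btc_amount": m_amount.group(1),
        "wallet": m_wallet.group(1),
        "victim_id": m_id.group(1),
        "idkey_b64": idkey_b64,
        "idkey_bytes": len(idkey),
        "urls": RE_URL.findall(text),
    }


if __name__ == "__main__":
    for key, value in parse_ransom_note(NOTE_52424003).items():
        print(f"{key}: {value}")
```

The IDKEY in both extractions decodes to exactly 256 bytes, the size of a single RSA-2048 ciphertext. That is consistent with a per-victim key being wrapped under an attacker-held public key, which is why the note asks for the IDKEY back, but the report does not show the encryption routine, so treat it as a working hypothesis rather than a finding. The wallet, the four URLs and the note path C:\_how_to_decrypt_you_files.txt are the stable indicators; the ID and IDKEY change per run.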

Targets

    • Target

      KatyushaRansomware.bin

    • Size

      2.4MB

    • MD5

      7f87db33980c0099739de40d1b725500

    • SHA1

      f0626999b7f730f9003ac1389d3060c50068da5a

    • SHA256

      d00ee0e6eab686424f8d383e151d22005f19adbda5b380a75669629e32fe12a6

    • SHA512

      1bf8e63a09ee7618102982a1d8c39c2eada1e7c52452d0cadb0df9010421799171880580dd6e4d5fb371d314ee7676d438ab827ef1695bb9de95835ac7cb47f8

    • SSDEEP

      49152:tzlhgyBIjVpPZHZlPpLPk0vglJIAc/8KYBsxdO0G7x+dP1Y+:zy9jRZlFknvzcEKY8dOD7x8NY

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (7516) files with added filename extension

      Consistent with ransomware encrypting files across the system and appending an extension to each one.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile contents.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
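Two of the behaviours above, shadow-copy deletion and the burst of renames that append an extension to every file, are the ones a detection engineer would want to alert on from endpoint telemetry. The script below is an added example and is not part of the sandbox report: it runs two detections over constructed Sysmon-style events. The report does not state which deletion command or which appended extension this sample uses, so the vssadmin command line and the ".locked" suffix in the sample events are stand-ins, as are the process IDs and paths.

```python
"""Detection logic for shadow-copy deletion and mass appended-extension renames.

Added example. The events in build_sample_events() are CONSTRUCTED for this
demonstration; they are not telemetry from the sandbox run, and the deletion
command and ".locked" extension are stand-ins, not the sample's real values."""
import re
from collections import defaultdict

# Command lines commonly used to destroy Volume Shadow Copies or backup metadata.
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    re.compile(r"Win32_ShadowCopy", re.I),  # WMI class used by PowerShell/script variants
]


def shadow_copy_deletions(events):
    """Return the process-creation events whose command line deletes shadow copies."""
    return [
        ev for ev in events
        if ev["type"] == "process_create"
        and any(p.search(ev["cmdline"]) for p in SHADOW_DELETE)
    ]


def mass_appended_extension(events, min_files=100, min_dirs=2, window_s=60):
    """Flag processes that rename at least min_files files inside window_s seconds,
    every time keeping the original name and appending one new extension, across
    at least min_dirs directories. Returns {pid: {"ext", "count", "dirs"}}."""
    per_proc = defaultdict(list)
    for ev in events:
        if ev["type"] != "file_rename":
            continue
        old, new = ev["old"], ev["new"]
        # "report.docx" -> "report.docx.locked": old name is a strict prefix of new name.
        if not new.startswith(old + "."):
            continue
        per_proc[ev["pid"]].append((ev["ts"], new[len(old):], old.rsplit("\\", 1)[0]))

    flagged = {}
    for pid, renames in per_proc.items():
        renames.sort()
        lo = 0
        for hi in range(len(renames)):
            while renames[hi][0] - renames[lo][0] > window_s:  # slide the time window
                lo += 1
            if hi - lo + 1 >= min_files:
                exts = {r[1] for r in renames}
                dirs = {r[2] for r in renames}
                if len(exts) == 1 and len(dirs) >= min_dirs:
                    flagged[pid] = {"ext": next(iter(exts)), "count": len(renames), "dirs": len(dirs)}
                break
    return flagged


def build_sample_events():
    """CONSTRUCTED telemetry: one ransomware process, one child deleting shadow
    copies, 150 appended-extension renames across three folders, plus a user
    renaming three files by changing (not appending) the extension."""
    events = [
        {"ts": 0.0, "type": "process_create", "pid": 4242,
         "cmdline": "C:\\Users\\victim\\AppData\\Local\\Temp\\KatyushaRansomware.bin"},
        {"ts": 0.3, "type": "process_create", "pid": 4300,
         "cmdline": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
        {"ts": 0.5, "type": "process_create", "pid": 1337, "cmdline": "explorer.exe"},
    ]
    dirs = ["C:\\Users\\victim\\Documents", "C:\\Users\\victim\\Pictures", "D:\\share\\finance"]
    for i in range(150):
        old = f"{dirs[i % 3]}\\file{i:04d}.docx"
        events.append({"ts": 1.0 + i * 0.2, "type": "file_rename", "pid": 4242,
                       "old": old, "new": old + ".locked"})
    for i in range(3):
        events.append({"ts": 5.0 + i, "type": "file_rename", "pid": 1337,
                       "old": f"C:\\Users\\victim\\Desktop\\n{i}.txt",
                       "new": f"C:\\Users\\victim\\Desktop\\n{i}.md"})
    return events


if __name__ == "__main__":
    evs = build_sample_events()
    print("shadow copy deletion:", [e["cmdline"] for e in shadow_copy_deletions(evs)])
    print("mass rename:", mass_appended_extension(evs))
```

The rename detector keys on the name shape rather than on a known extension, because the appended suffix varies across families and samples while the "original name plus one extension" pattern, spread over many directories in a short window, is what distinguishes encryption from a user or an installer renaming files. The shadow-copy patterns are independent of this sample's actual method, which the report does not show.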

MITRE ATT&CK Enterprise v15

Tasks