General

  • Target

    54a6cde2a40da13331d3d5715878155697c5f5d794a457684443b276cef9fc18N.exe

  • Size

    92KB

  • Sample

    240926-sn9leaxbna

  • MD5

    bbb38219ae8cd8baaea964c647be77a0

  • SHA1

    19c272d0ec29a1356e74e5e29edfdb1076e8040e

  • SHA256

    54a6cde2a40da13331d3d5715878155697c5f5d794a457684443b276cef9fc18

  • SHA512

    2eceea83f700ce475195e5c5ae65f3ca4cdf0886954b41bb92591aee942a5c6f0edd812f562953f7d3b27d569fc5f1f5c9d2d2ecfe8fc124019b3c37de7aae10

  • SSDEEP

    1536:mBwl+KXpsqN5vlwWYyhY9S4A0Lia3Z5m+O/NW1PrWaSe5pa:Qw+asqN5aW/hLxYZc+O/NGqH6

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All FILES ENCRYPTED "RSA1024" All YOUR FILES HAVE BEEN ENCRYPTED!!! IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL [email protected] IN THE LETTER WRITE YOUR ID, YOUR ID 32ED5B40 IF YOU ARE NOT ANSWERED, WRITE TO EMAIL: [email protected] YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON'T PULL TIME, WAITING YOUR EMAIL FREE DECRYPTION FOR PROOF You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) DECRYPTION PROCESS: When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you: 1. Decryption program. 2. Detailed instruction for decryption. 3. And individual keys for decrypting your files. !WARNING! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All FILES ENCRYPTED "RSA1024" All YOUR FILES HAVE BEEN ENCRYPTED!!! IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL [email protected] IN THE LETTER WRITE YOUR ID, YOUR ID 24AD10E2 IF YOU ARE NOT ANSWERED, WRITE TO EMAIL: [email protected] YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON'T PULL TIME, WAITING YOUR EMAIL FREE DECRYPTION FOR PROOF You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) DECRYPTION PROCESS: When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you: 1. Decryption program. 2. Detailed instruction for decryption. 3. And individual keys for decrypting your files. !WARNING! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      54a6cde2a40da13331d3d5715878155697c5f5d794a457684443b276cef9fc18N.exe

    • Size

      92KB

    • MD5

      bbb38219ae8cd8baaea964c647be77a0

    • SHA1

      19c272d0ec29a1356e74e5e29edfdb1076e8040e

    • SHA256

      54a6cde2a40da13331d3d5715878155697c5f5d794a457684443b276cef9fc18

    • SHA512

      2eceea83f700ce475195e5c5ae65f3ca4cdf0886954b41bb92591aee942a5c6f0edd812f562953f7d3b27d569fc5f1f5c9d2d2ecfe8fc124019b3c37de7aae10

    • SSDEEP

      1536:mBwl+KXpsqN5vlwWYyhY9S4A0Lia3Z5m+O/NW1PrWaSe5pa:Qw+asqN5aW/hLxYZc+O/NGqH6

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (319) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks