Resubmissions

30/09/2024, 15:02

240930-selg8a1fnn 10

30/09/2024, 15:02

240930-sek7fs1fnm 10

29/09/2024, 10:50

240929-mw8fes1cmp 10

28/09/2024, 07:48

240928-jm698avaqn 10

General

  • Target

    k.exe

  • Size

    7.7MB

  • Sample

    240928-jm698avaqn

  • MD5

    a652ce5220cd49b6f763768dfa5f2a31

  • SHA1

    8b34c4ec496f910e2c70747ec73dad366a39006a

  • SHA256

    18e1937edc999cd87fa77cf26ac15b01421c4bf057ee5e0d8a659690f0db1964

  • SHA512

    62108c8f26fc7a8f3992bf3ee3957125fb806afe7dd54e5e3dce3bb58be808d1c7702c8aae0c62a90efc61777c9b0e24232166c96766765a8f70059d7b1e5b4f

  • SSDEEP

    98304:bwuFB5I0/A/636tEWlv5ZbNelTmLOqHBwiXM2Ol2GhZ:rW0/A/kIHOqKUM242WZ

Malware Config

Extracted

Family

thunderkittyransomware

C2

https://discord.com/api/webhooks/1289254488690921604/T_8SdWKaS6HoADGM7JVaF6jcngj3AwNmj_uW_5n-JDG_BMkPSaslAw0RSFMU0AJAbScS

Extracted

Path

C:\Users\Admin\Desktop\README-NOW.txt

Ransom Note

Your computer is encrypted. To recover your files you need a key. To get it, you must purchase it. You can do this by sending 300 EUR to this Monero address: 441UUX43FTv1UroSfiCAtxNJVgSDEPoGF2tqDnLMUwcn59TjGio9HH8JLjTKShj2jGVEdvSrMEBrpMrTsrnuGmSY82HYbCH
Don't know how to get Monero? Here are some websites:
https://changenow.io/buy/monero
https://bit2me.com/buy-monero
https://guardarian.com/buy-xmr
(If the ransomware blocked your browser use the smartphone)
Your ID: bgGFqqPGM
When you purchase, contact us at [email protected]. (Specify the address with which you paid and your ID)
Once you have completed all of the steps, we will contact you with the email with which you wrote to us, sending you the link to the unlocking program and your unique key.
You have 3 days before the key is destroyed forever.
IMPORTANT
Don't try to:
-Use third-party programs
-Restart your PC
-Change the file extension
Any of these actions could corrupt your files and at that point there would be no way to recover them.

URLs

https://changenow.io/buy/monero

https://bit2me.com/buy-monero

https://guardarian.com/buy-xmr

Targets

    • Renames multiple (2268) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Legitimate hosting services abused for malware hosting/C2
