General

  • Target

    5f770ebeb2cd08f90640d8b8b462f8226c221aecd2b372c6fd30088d41f522d3N

  • Size

    388KB

  • Sample

    241010-rgz8qazang

  • MD5

    1d5c584cfb294c49fe6bf53c39ff26c0

  • SHA1

    f7e1a3e4d976253c903eef486c50336e8a8c7c4c

  • SHA256

    5f770ebeb2cd08f90640d8b8b462f8226c221aecd2b372c6fd30088d41f522d3

  • SHA512

    4a32466968218e6d90435da61fad430f8f84939be5f8dd7d84a99ad42d2f45d9efdfa5b3d7cc884fd9edca58ba055ac50bf0435e277c858f3662407558749fac

  • SSDEEP

    6144:5da8uOhcMWhqVln4xKj+tw3boEFLOSO6/NvsHJxc00d+DzRLITiNs:/a8ivhqVl+Kqt28EQSO62DzRLm

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RESTORE_FILES.txt

Ransom Note
All your documents, photos, databases and other important files have been encrypted with strongest encryption RSA-2048 key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main encryptor red window, examine it and follow the instructions. Otherwise, it seems that you or your antivirus deleted the encryptor program. Now you have the last chance to decrypt your files. Open http://tkj3higtqlvohs7z.aw49f4j3n26.com or http://tkj3higtqlvohs7z.dfj3d8w3n27.com , https://tkj3higtqlvohs7z.s5.tor-gateways.de/ in your browser. They are public gates to the secret server. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 1LXns2Qxgj4onmHRryEXaRPZ8j2LvaBWQu Follow the instructions on the server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://tkj3higtqlvohs7z.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 1LXns2Qxgj4onmHRryEXaRPZ8j2LvaBWQu Follow the instructions on the server.
Wallets

1LXns2Qxgj4onmHRryEXaRPZ8j2LvaBWQu

URLs

http://tkj3higtqlvohs7z.aw49f4j3n26.com

http://tkj3higtqlvohs7z.dfj3d8w3n27.com

https://tkj3higtqlvohs7z.s5.tor-gateways.de/

http://tkj3higtqlvohs7z.onion/

Extracted

Path

C:\Program Files\7-Zip\Lang\HELP_RESTORE_FILES.txt

Ransom Note
All your documents, photos, databases and other important files have been encrypted with strongest encryption RSA-2048 key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main encryptor red window, examine it and follow the instructions. Otherwise, it seems that you or your antivirus deleted the encryptor program. Now you have the last chance to decrypt your files. Open http://tkj3higtqlvohs7z.aw49f4j3n26.com or http://tkj3higtqlvohs7z.dfj3d8w3n27.com , https://tkj3higtqlvohs7z.s5.tor-gateways.de/ in your browser. They are public gates to the secret server. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 12shGwxwNpBaQH5Z3SMCRzU4tiKAbZrDSf Follow the instructions on the server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://tkj3higtqlvohs7z.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 12shGwxwNpBaQH5Z3SMCRzU4tiKAbZrDSf Follow the instructions on the server.
Wallets

12shGwxwNpBaQH5Z3SMCRzU4tiKAbZrDSf

URLs

http://tkj3higtqlvohs7z.aw49f4j3n26.com

http://tkj3higtqlvohs7z.dfj3d8w3n27.com

https://tkj3higtqlvohs7z.s5.tor-gateways.de/

http://tkj3higtqlvohs7z.onion/

Targets

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (359) files with added filename extension

      This suggests ransomware activity: the sample is encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks