Analysis

  • max time kernel
    143s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    15-10-2024 11:52

General

  • Target

    a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe

  • Size

    1.9MB

  • MD5

    f7f679420671b7e18677831d4d276277

  • SHA1

    1cb6a93e6d2d86d3479a1ea59f7d5b258f1c5c53

  • SHA256

    a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642

  • SHA512

    d1254926a171a7ad0588a16cfbd30a039b92aa082b1b32f38b028f745cbf34143ffa0738a97f22946a78fe16baf5b1ac2eb2205093e873438f30a6a0731d9ba7

  • SSDEEP

    49152:NW9uVTc0/UrZUAT+x0L9/T9YDlXljktz4Q7NNJaaArzLGWBDF/y5QeK:Xc1rZD+mtTOxXlzF/y5zK

Score
10/10

Malware Config

Extracted

Path

C:\Program Files\Common Files\microsoft shared\ClickToRun\!__README__!.txt

Ransom Note

INTERLOCK - CRITICAL SECURITY ALERT

To Whom It May Concern,

Your organization has experienced a serious security breach. Immediate action is required to mitigate further risks. Here are the details:

THE CURRENT SITUATION
- Your systems have been infiltrated by unauthorized entities.
- Key files have been encrypted and are now inaccessible to you.
- Sensitive data has been extracted and is in our possession.

WHAT YOU NEED TO DO NOW
1. Contact us via our secure, anonymous platform listed below.
2. Follow all instructions to recover your encrypted data.

Access Point: http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/support/step.php
Use your unique Company ID: ELCI3EJW8OU6DEIIO1Y1Y32I7IESI3XHG93KEQJG5997MPF9SH7HEOE5J702

DO NOT ATTEMPT:
- File alterations: Renaming, moving, or tampering with files will lead to irreversible damage.
- Third-party software: Using any recovery tools will corrupt the encryption keys, making recovery impossible.
- Reboots or shutdowns: System restarts may cause key damage. Proceed at your own risk.

HOW DID THIS HAPPEN?
We identified vulnerabilities within your network and gained access to critical parts of your infrastructure. The following data categories have been extracted and are now at risk:
- Personal records and client information
- Financial statements, contracts, and legal documents
- Internal communications
- Backups and business-critical files
We hold full copies of these files, and their future is in your hands.

YOUR OPTIONS
#1. Ignore This Warning:
- In 96 hours, we will release or sell your sensitive data.
- Media outlets, regulators, and competitors will be notified.
- Your decryption keys will be destroyed, making recovery impossible.
- The financial and reputational damage could be catastrophic.
#2. Cooperate With Us:
- You will receive the only working decryption tool for your files.
- We will guarantee the secure deletion of all exfiltrated data.
- All traces of this incident will be erased from public and private records.
- A full security audit will be provided to prevent future breaches.

FINAL REMINDER
Failure to act promptly will result in:
- Permanent loss of all encrypted data.
- Leakage of confidential information to the public, competitors, and authorities.
- Irreversible financial harm to your organization.

CONTACT US SECURELY
1. Install the TOR browser via https://torproject.org
2. Visit our anonymous contact form at http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/support/step.php
3. Use your unique Company ID: ELCI3EJW8OU6DEIIO1Y1Y32I7IESI3XHG93KEQJG5997MPF9SH7HEOE5J702
4. Review a sample of your compromised data for verification.
5. Use a VPN if TOR is restricted in your area.

URLs

http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/support/step.php

Signatures

  • Renames multiple (6795) files with added filename extension

    This suggests ransomware activity: the sample encrypts files across the system and appends its own extension to each renamed file.

  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe
    "C:\Users\Admin\AppData\Local\Temp\a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642.exe"
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    PID:1880

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\!__README__!.txt

    Filesize

    2KB

    MD5

    7037527ffd3ebe496f9df5278f1004f8

    SHA1

    fd37a41c913acde1fc3e3d75a1f776f5a113dff1

    SHA256

    08b14c7d4be16cae6d08885e174cbc8485d81cfccdaca332418859267f528420

    SHA512

    1f9a43c24e1d07b420b0f85c587c52dfac5af705cc7f082681d958035b95e6bc6e3f6edc0faac80ab40c96f7337223aefcc0499951b88133bbf5754fe106d4fb

  • memory/1880-0-0x00007FF6FCEA0000-0x00007FF6FD087000-memory.dmp

    Filesize

    1.9MB

  • memory/1880-1-0x00007FF6FCEA0000-0x00007FF6FD087000-memory.dmp

    Filesize

    1.9MB

  • memory/1880-2-0x00007FF6FCEA0000-0x00007FF6FCFB1000-memory.dmp

    Filesize

    1.1MB

  • memory/1880-4826-0x00007FF6FCEA0000-0x00007FF6FD087000-memory.dmp

    Filesize

    1.9MB

  • memory/1880-6931-0x00007FF6FCEA0000-0x00007FF6FCFB1000-memory.dmp

    Filesize

    1.1MB

  • memory/1880-9636-0x00007FF6FCEA0000-0x00007FF6FCFB1000-memory.dmp

    Filesize

    1.1MB

  • memory/1880-9635-0x00007FF6FCEA0000-0x00007FF6FD087000-memory.dmp

    Filesize

    1.9MB