General

  • Target

    150016___Enc.exe

  • Size

    146KB

  • Sample

    241111-3tznhaymez

  • MD5

    06f96cb31a2b655835130a09387fb401

  • SHA1

    bb27f7e6cb3102c017c44a5bf8d86c16641e593b

  • SHA256

    f4fb0f2ae098850f2a8ffb771ae4c6c8aaa81144fe53228a2c01df2d34307053

  • SHA512

    2caeba7d1404019e2d378abed794b97dd4d14c646c51d6a9950cd6b677afdcf10f7263469f725d23251e11fa0913f5126743c6255d0c32f1583dcbf1c7c13744

  • SSDEEP

    1536:jzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xD11h0i9TJmr7kZd9V78ny3OxTIT:8qJogYkcSNm9V7D1pTJmr7ksy4IT

Malware Config

Extracted

Path

C:\xEJOHNVZF.README.txt

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at telegram first . if you don't get answer in 24 hours then write us a email Contact information : Mail 1 : [email protected] Telegram: https://t.me/AzureShard You will receive btc address for payment in the reply letter No system is safe!
URLs

https://t.me/AzureShard

Targets

    • Target

      150016___Enc.exe

    • Size

      146KB

    • MD5

      06f96cb31a2b655835130a09387fb401

    • SHA1

      bb27f7e6cb3102c017c44a5bf8d86c16641e593b

    • SHA256

      f4fb0f2ae098850f2a8ffb771ae4c6c8aaa81144fe53228a2c01df2d34307053

    • SHA512

      2caeba7d1404019e2d378abed794b97dd4d14c646c51d6a9950cd6b677afdcf10f7263469f725d23251e11fa0913f5126743c6255d0c32f1583dcbf1c7c13744

    • SSDEEP

      1536:jzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xD11h0i9TJmr7kZd9V78ny3OxTIT:8qJogYkcSNm9V7D1pTJmr7ksy4IT

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Renames multiple (7757) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks