General

  • Target

    c94b70dff50e69639b0ef1e828621c5fddcf144fea93e27520f48264ddd33273.exe

  • Size

    1.4MB

  • Sample

    241114-dmstyasrbv

  • MD5

    1b637a43abca552acaee11c01913db18

  • SHA1

    3029954ac63d1c92601ba03ac8a59c66b386be21

  • SHA256

    c94b70dff50e69639b0ef1e828621c5fddcf144fea93e27520f48264ddd33273

  • SHA512

    989da53ed85976c64cc4efd7a86f3c4592bc49fc08b05a7c5220cde38eeab70d9f402d8e69a4c62cfea251ec47a24cd7d379879d4551440acbc749f4a47d1f1c

  • SSDEEP

    24576:62kDGWIXrNkFADnrFpwHDsQ/R3xaFbrOCR:6/GVXrNkFADnppwHDsQ/GFW

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\readme.txt

Ransom Note

What's happened? Your corporate network has been encrypted. And that’s not all - we studied and downloaded a lot of your data, many of them have confidential status. If you ignore this incident, we will ensure that your confidential data is widely available to the public. We will make sure that your clients and partners know about everything, and attacks will continue. Some of the data will be sold to scammers who will attack your clients and employees.

What's next? You must contact us via qTox to make a deal. To install qTox follow the following instructions:

1. Follow the link to the official release and download the installation file. https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe
2. Open and install setup-qtox-x86_64-release.exe
3. Double-click the qTox shortcut on your desktop.
4. In the username field, enter the name of your company.
5. Create your password and enter it in the password field.
6. Enter your password again in the confirm field.
7. Click the "Create Profile" button.
8. In the Add Friends window, in the ToxID field, enter this: 74773DBD4085BA39A1643CFA561488124771BE839961793DA10245560E1F2D3A3DBD566445E8 then click the "Send friend request" button.
9. Wait for technical support to contact you.

Advantages of dealing with us:

1. We will not mention this incident.
2. You will receive a recovery tool for all your systems that have been encrypted.
3. We guarantee that there will be no data leakage and will delete all your data from our servers.
4. We will provide a security report and give advice on how to prevent similar attacks in the future.
5. We will never attack you again.

What not to do: Do not attempt to change or rename any files - this will render them unrecoverable. Do not make any changes until you receive the decryption tool to avoid permanent data damage.
URLs

https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe

Targets

    • Renames multiple (841) files with added filename extension

      Mass renaming of files with a new extension is characteristic of ransomware encrypting files across the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15