Resubmissions

15-11-2024 13:53

241115-q67hnatqfw 10

05-11-2024 10:19

241105-mcg45a1rhq 10

General

  • Target

    e21cbdbf6414ffc0ef4175295c7e188800a66b7b83302bd35b7e3fd6fabfccde

  • Size

    709KB

  • Sample

    241115-q67hnatqfw

  • MD5

    0d7e80ec85db5cb45642235cb2381a0c

  • SHA1

    f0a15a7ecaff7d0659bab2a416e5d668ff67724e

  • SHA256

    e21cbdbf6414ffc0ef4175295c7e188800a66b7b83302bd35b7e3fd6fabfccde

  • SHA512

    bb54a37b50b26b33724462faaf5d8d6328721a980bb51a95cfffce048d1ccca4050ee0a3740f47604de6504de70026c5f1567efe8be3913cea2ef9f1012a8921

  • SSDEEP

    12288:klXYLQe1BJTAhHvVIgLfnEYbLrOqP0NbuLyoHNAoBmbgLO:klip10hREYbLrBWbuLod

Score
10/10

Malware Config

Extracted

Path

C:\Program Files\dotnet\host\fxr\8.0.2\RECOVERY INFO.txt

Ransom Note
Your data has been encrypted In order to return your files back you need decryption tool 1)Download TOR Browser 2)Open in TOR browser link below and contact with us there: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/4A5269AFE952FCF19F51570A3D86E233AD91951CEAB9F22F0D9EFC976FDF03ED Or email: [email protected] Backup email: [email protected] Limit for free decryption: 3 files up to 5mb (no database or backups)
URLs

http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/4A5269AFE952FCF19F51570A3D86E233AD91951CEAB9F22F0D9EFC976FDF03ED

Targets

    • Target

      e21cbdbf6414ffc0ef4175295c7e188800a66b7b83302bd35b7e3fd6fabfccde

    • Size

      709KB

    • MD5

      0d7e80ec85db5cb45642235cb2381a0c

    • SHA1

      f0a15a7ecaff7d0659bab2a416e5d668ff67724e

    • SHA256

      e21cbdbf6414ffc0ef4175295c7e188800a66b7b83302bd35b7e3fd6fabfccde

    • SHA512

      bb54a37b50b26b33724462faaf5d8d6328721a980bb51a95cfffce048d1ccca4050ee0a3740f47604de6504de70026c5f1567efe8be3913cea2ef9f1012a8921

    • SSDEEP

      12288:klXYLQe1BJTAhHvVIgLfnEYbLrOqP0NbuLyoHNAoBmbgLO:klip10hREYbLrBWbuLod

    Score
    10/10
    • Renames multiple (7643) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks