Resubmissions

15-11-2024 15:56

241115-tdh65sxapg 10

17-04-2023 12:24

230417-pk2jvaeb53 10

General

  • Target

    e_win.bin.exe

  • Size

    79KB

  • Sample

    241115-tdh65sxapg

  • MD5

    c8579ccb6690e1f2102f9ba887c12f9e

  • SHA1

    e8e46e3f88011aa43c90cde3c9945e3508986a25

  • SHA256

    87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb

  • SHA512

    f579e9b39400a0b3879dc8a1c41bd829d8f6b399d9d0a97302f7157a76f036ede5e4391eeb12bd2285a7f523969d572a92f482cf415ed2fb023d96d745f82244

  • SSDEEP

    1536:hxpkWBeG/vEbKsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2Xsf8:/BeQsKsrQLOJgY8Zp8LHD4XWaNH71dLH

Malware Config

Extracted

Path

C:\Users\Admin\Documents\How To Restore Your Files.txt

Ransom Note
----------- [ Hello! ] ------------->
******BY ANUBIZ LOCKER******

What happend?
----------------------------------------------
Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data.
But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network.
Follow our instructions below and you will recover all your data.
If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web.

What guarantees?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.
All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.
We guarantee to decrypt one file for free.

How to contact us?
----------------------------------------------
Using EMAIL:
1) Open your mail
2) Write this ID in the title of your message: kFdfAV0C4B
3) Write us: [email protected]

!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !!

Targets

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (229) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
