Overview

overview

10

Static

static

1

50ba244f11...07f.js

windows7-x64

10

50ba244f11...07f.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    50ba244f113f398afc39ed760e2c3822fdc82147259e9846df5abab89cf8307f.js

  • Size

    52KB

  • Sample

    241121-fnae4aypez

  • MD5

    b9f2fc5e874114e45330cad7b524476c

  • SHA1

    f158badcc637d7d92efb7ef63a6f8783a886ac6b

  • SHA256

    50ba244f113f398afc39ed760e2c3822fdc82147259e9846df5abab89cf8307f

  • SHA512

    dbbd63c7bd8b4a6723fd170e74e4c6532a6a89cca37c4580566585bb645711e7da05bfa37eb5ff7aac1683943b833bc4210a04959789e3e284d5d9dcf6e556a8

  • SSDEEP

    768:EGWR269T41RPhQ3uvuGNhUP9KU2c0WuPIFXRomYO:Jh6d4wcTMgyBomYO

Score
10/10
defense_evasionexecutionpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\a.txt

Ransom Note
ATTENTION! All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key. To restore your files you have to pay 0.49255 BTC (bitcoins). Please follow this manual: 1. Create Bitcoin wallet here: https://blockchain.info/wallet/new 2. Buy 0.49255 BTC with cash, using search here: https://localbitcoins.com/buy_bitcoins 3. Send 0.49255 BTC to this Bitcoin address: 1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG 4. Open one of the following links in your browser to download decryptor: http://ohchinhing.com.sg/counter/?a=1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG http://bloki.internetdsl.pl/counter/?a=1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG http://crobal-water.com/counter/?a=1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG http://stroydek.ru/counter/?a=1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG http://www.cuihuangge.com/counter/?a=1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG 5. Run decryptor to restore your files. PLEASE REMEMBER: - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES. - Nobody can help you except us. - It`s useless to reinstall Windows, update antivirus software, etc. - Your files can be decrypted only after you make payment. - You can find this manual on your desktop (DECRYPT.txt).
Wallets

1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG

URLs

http://ohchinhing.com.sg/counter/?a=1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG

http://bloki.internetdsl.pl/counter/?a=1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG

http://crobal-water.com/counter/?a=1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG

http://stroydek.ru/counter/?a=1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG

http://www.cuihuangge.com/counter/?a=1GgLeHpXUqeapoK3wvev1HyrCPEjvYKfyG

Targets

    • Target

      50ba244f113f398afc39ed760e2c3822fdc82147259e9846df5abab89cf8307f.js

    • Size

      52KB

    • MD5

      b9f2fc5e874114e45330cad7b524476c

    • SHA1

      f158badcc637d7d92efb7ef63a6f8783a886ac6b

    • SHA256

      50ba244f113f398afc39ed760e2c3822fdc82147259e9846df5abab89cf8307f

    • SHA512

      dbbd63c7bd8b4a6723fd170e74e4c6532a6a89cca37c4580566585bb645711e7da05bfa37eb5ff7aac1683943b833bc4210a04959789e3e284d5d9dcf6e556a8

    • SSDEEP

      768:EGWR269T41RPhQ3uvuGNhUP9KU2c0WuPIFXRomYO:Jh6d4wcTMgyBomYO

    Score
    10/10
    defense_evasionexecutionpersistenceransomware

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks