General

  • Target

    2024-11-21_5034bb1e06bde3b9ef44ce72e5b680e1_avoslocker_cobalt-strike_luca-stealer

  • Size

    663KB

  • Sample

    241121-n9779asjhx

  • MD5

    5034bb1e06bde3b9ef44ce72e5b680e1

  • SHA1

    227407cbbb205a342a9fd2a6bd5e459aa2f73eff

  • SHA256

    e722a12597c11763970e6d431ec2a54a4881aa8fc745ba239b4dbabd647303f0

  • SHA512

    9c763a00502d34b6917b43e1f22928c038f65b97d1d12adca12814be9ccc1d6860ecd13b75b190d3fe1110bc7d0c0eeaae8f10e9bb69acb2f66db42c55d74e14

  • SSDEEP

    12288:XDiAGc6VBGZLG9PNSx97YoglUw+OeO+OeNhBBhhBBbnt2mS8n3vcUohKivvM2d29:XDiPc6VEZK9PNSx97YonBgmSuA7vlI8B

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\cs-CZ\README_WARNING.txt

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? ): Your files have been encrypted for NIGRA. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? ): If you wish to decrypt your files you will need to pay us you can send a three small files for testing,'excel ,word,txt,jpg' something. As a guarantee of our decryption ability. .3. Q: How to contact with you? ): You can write us to our 3 mailboxes: [[email protected]] [[email protected]] [[email protected]] If we do not reply within 24 hours, it means that the mailbox has been blocked, please contact our backup mailbox. (please in subject line write your ID: 62c688bab0) :::WARNING STATEMENT::: DON'T try to change encrypted files by yourself! We have never posted any decrypted videos on youtube, any SNS, please don't trust those crooks who post so-called decrypted videos choose to trust them, unless you have a lot of money! If you need decryption, please contact us via our email, we will only get in touch with you via email. The private key for decryption only exists in our hands, and only we can help decrypt files in this world !!

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\README_WARNING.txt

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? ): Your files have been encrypted for NIGRA. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? ): If you wish to decrypt your files you will need to pay us you can send a three small files for testing,'excel ,word,txt,jpg' something. As a guarantee of our decryption ability. .3. Q: How to contact with you? ): You can write us to our 3 mailboxes: [[email protected]] [[email protected]] [[email protected]] If we do not reply within 24 hours, it means that the mailbox has been blocked, please contact our backup mailbox. (please in subject line write your ID: d47e9e7f2d) :::WARNING STATEMENT::: DON'T try to change encrypted files by yourself! We have never posted any decrypted videos on youtube, any SNS, please don't trust those crooks who post so-called decrypted videos choose to trust them, unless you have a lot of money! If you need decryption, please contact us via our email, we will only get in touch with you via email. The private key for decryption only exists in our hands, and only we can help decrypt files in this world !!

Targets

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (217) files with an added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Modifies file permissions

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks