Analysis

  • max time kernel
    357s
  • max time network
    358s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 03:25

General

  • Target

    f6a8d7a4291c55020101d046371a8bda.exe

  • Size

    799KB

  • MD5

    f6a8d7a4291c55020101d046371a8bda

  • SHA1

    09b08e04ee85b26ba5297cf3156653909671da90

  • SHA256

    082060e3320870d1d576083e0ee65c06a1104913ae866137f8ca45891c059a76

  • SHA512

    547ad8ac404e494cce474209ebfbe33a40b69feb59f564215622f479e98dd93699794f4950b05d21225af271c55987da24c68d7c4c172f1d99ba7050b7063888

  • SSDEEP

    24576:Fpfzmg0hsVxPJHnhxqj/jELyOpQR2dnCy:FpfCHKrPFnh4jEWOpQEdnCy

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Documents\READ_THIS_TO_DECRYPT.html

Ransom Note
<html> <head> <title>-</title> <style> html {font-family:Consolas;font-size:20px;background-color:lightgrey;} div{ margin:0 auto 15px auto; border:1px solid; background-color:grey;} p,h3{ text-align:center; color:white; } #R{background-color:darkred;} button{padding:10px 15px; margin:15px;} </style> </head> <body> <div> <h3>YOU PERSONAL FILES HAS BEEN ENCRYPTED</h3> <p>-</p> <p>Your data (photos, documents, databases etc.) have been encrypted with a private and unique key generated for this computer. This means that you will not be able to access your files anymore until they are decrypted. The privete key is stored in our servers and the only way to receive your key to decrypt your files is making a payment.</p> </div> <div> <p>The payment has to be done in Bitcoin to a unique address that we generated for you. Bitcoins are the virtual currency to make online payments. If you don't know how to get Bitcoins, you can click the button "How to buy Bitcoins" below and follow the instructions. If you have problem with this task use internet.</p> <p><abbr style="color:red;background-color:black;">You have only 1 week to submit the payment.</abbr> When this time ends, the unique key will be destroyed and you won't be able to recover your files anymore.</p> </div> <div id="R"><h3>YOUR UNIQUE KEY WILL BE DESTROYED IN 1 WEEK FROM ENCRYPTION!</h3></div> <div> <p>To recover your files, you must send 0.1 Bitcoins ( ~$37 ) to the next Bitcoin address:</p> <p><abbr style="background-color:white;font-size:35px;color:black;">15F5FM7qMhLQ44RDxuozbKRwSbHKmq7N39</abbr></p> <a target="_blank" href="https://bitcoin.org/en/getting-started"><button>How to buy Bitcoins #1</button></a> <a target="_blank" href="https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)"><button>How to buy Bitcoins #2</button></a> </div> </body> </html>

Signatures

  • Drops startup file 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6a8d7a4291c55020101d046371a8bda.exe
    "C:\Users\Admin\AppData\Local\Temp\f6a8d7a4291c55020101d046371a8bda.exe"
    1⤵
    • Drops startup file
    • System Location Discovery: System Language Discovery
    PID:2508

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Documents\READ_THIS_TO_DECRYPT.html

    Filesize

    1KB

    MD5

    55764b80badcdfe4337f538993fc3aab

    SHA1

    049ebb79ca8e78a30318d9eef6b37992572e1034

    SHA256

    a53779746a2aec49c361f546b70a74508aac83c9ea8203af07f142abfa251b35

    SHA512

    b8a94d01ad1ca07fd08a890a5b55b71d97d0fc3df705704812c18993872d1ed7360aea6a5fb7e388fd8cedbc2baa7cfabf4207f59becee2927aa1030fa60689b