General

  • Target

    20125033936.zip

  • Size

    320KB

  • Sample

    241130-q44zrazlcn

  • MD5

    832a3b2bdd95486e9cb651853170b5ac

  • SHA1

    2ddaa2721db8ec9c054994fa2110ecccfcd48892

  • SHA256

    e31d56289c1957053630383ff71959cba08521874410bd78e46680788490e9cd

  • SHA512

    5747ad665694fc76336c206f6917111ad9c380bcc1d92802791e7b0d235da8f167f210700f1cb16993e09dcf9a4684026d99bdf87f5bc6ddf7829336b33c46ff

  • SSDEEP

    6144:ePP9y8PLj5WBhpnbKGvekXrCPTe3baza1Whe6l1ivojaookujfr0hHwF7rZo502c:ePPNPLLGv12PTe3+OO3l1pjaookW06qO

Malware Config

Extracted

Path

C:\MSOCache\READ_NOTE.html

Ransom Note
<div class="tabs1"> <div class="head"><strong>Your personal ID:</strong></div> <div class="identi"><span style="width: 1000px; color: #ffffff; font-size: 10px;">0VVQrkAIZxf1ZyVPjO8/B+loe9O59lEj/f/G4BYNRGa67RUC+yKspAzoVPW7iQV3mvx4vro+/3Rt9qqnW9cyw1/P2Gdk4Zm0/o1naxVa1SHVIBCcAo4bpvvghRtpKzXrCFfX1fcdQta5jPBiJibC1922pdqAe1KtzlvKAv2BKNSNA09pX1SpCa16K/GmOz0XLAowWlRTZ5nWwT2+atB+4nGB677j1nLmEPrjSOmO5U4NXCWu+gfkrikBRXWMGlQHe8yvm8VVbfov1uDKHR6nk6sk7gJEsMqXCWl4zGdkBevucQen4GqLMydOgeMJlH9IAk3dWBaLWKKuP8F21BpBBA==�</span> <br /> <!-- !!! dont changing this !!! --></div> </div> <!-- --> <div class="tabs"><!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"><!--text data --> <strong>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</strong><br /> <strong>All your important files have been encrypted!</strong><br /><br /><hr /><span style="text-decoration: underline; background-color: #00ff00;"><em>Your files are safe! Only modified. (RSA+AES)</em></span><br /><br /> <span style="background-color: #00ff00;"><strong>ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE</strong></span><br /><span style="background-color: #00ff00;"><strong> WILL PERMANENTLY CORRUPT IT.</strong></span><br /><span style="background-color: #00ff00;"><strong> DO NOT MODIFY ENCRYPTED FILES.</strong></span><br /><span style="background-color: #00ff00;"><strong> DO NOT RENAME ENCRYPTED FILES.</strong></span><br /><br /> No software available on internet can help you. We are the only ones able to<br /> solve your problem.<br /><br /> We gathered highly confidential/personal data. These data are currently stored on<br /> a private server. 
This server will be immediately destroyed after your payment.<br /> If you decide to not pay, we will release your data to public or re-seller.<br /> So you can expect your data to be publicly available in the near future..<br /><br /> We only seek money and our goal is not to damage your reputation or prevent<br /> your business from running.<br /><br /> You will can send us 2-3 non-important files and we will decrypt it for free<br /> to prove we are able to give your files back.<br /> When you compose a letter, please indicate the <strong>PERSONAL ID</strong> from the beginning of the note, so that we can more specifically approach the formation of conditions for you.<br /> <!--text data --><hr /><strong>Contact us for price and get decryption software.</strong><br /><br /><hr /><strong>email:</strong><br /> <a href="[email protected]">[email protected] </a> <br /> <a href="[email protected]">[email protected] </a> <br /> <strong>OUR TOX:</strong> <a href="https://tox.chat/clients.html"> BA3779BDEE7B982BF08FC0B7B0410E6AE7CC6612B13433B60000E0757BDD682A69AD98563AEC</a> <br /> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br /> <strong> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</strong><br /></a></p> <p>*Our site and Tor-chat to always be in touch:</p> </div> </div> </div> <!--tab--> <strong> <strong><span style="background-color: #00ff00; font-size: 22px;"> <strong> xfycpauc22t5jsmfjcaz2oydrrrfy75zuk6chr32664bsscq4fgyaaqd.onion </strong></span><br /><br /> </strong><br /> <!--text data --> </strong></div> <!--tab-->
URLs

http://xfycpauc22t5jsmfjcaz2oydrrrfy75zuk6chr32664bsscq4fgyaaqd.onion

Extracted

Path

F:\$RECYCLE.BIN\READ_NOTE.html

Ransom Note
<div class="tabs1"> <div class="head"><strong>Your personal ID:</strong></div> <div class="identi"><span style="width: 1000px; color: #ffffff; font-size: 10px;">AUIHe5eUNIJRAOgm1c4k1MKf+zIuqf7L5lcBbp/yEbLju7+G2UhQz//TKFOBAi7UKt0qLnjpMUGjzde4kEfuTKIm8B7CM3pt4ZjlEJlb/7fuxvxhn8JPOVL50scq/hsmaeg89bJQURp4VsG2FA7gnlt0Mnx1CYwR0deego7dsZm8lzhEYlC8U8/3oiWiuc70N5lwxa/C0rNUW7rwp1z3ekL1bCS299kusF5OCuO/82TyA/CeE9Pg3VOaXTKzvgxKheoqE9tFe21e9jqvd3EboUiVXBhxP+WCVD48xf1DqQh/0o156wnMuGFwqMPeW/qOyKthIsezZRcWdsGyqFsYXw==�</span> <br /> <!-- !!! dont changing this !!! --></div> </div> <!-- --> <div class="tabs"><!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"><!--text data --> <strong>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</strong><br /> <strong>All your important files have been encrypted!</strong><br /><br /><hr /><span style="text-decoration: underline; background-color: #00ff00;"><em>Your files are safe! Only modified. (RSA+AES)</em></span><br /><br /> <span style="background-color: #00ff00;"><strong>ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE</strong></span><br /><span style="background-color: #00ff00;"><strong> WILL PERMANENTLY CORRUPT IT.</strong></span><br /><span style="background-color: #00ff00;"><strong> DO NOT MODIFY ENCRYPTED FILES.</strong></span><br /><span style="background-color: #00ff00;"><strong> DO NOT RENAME ENCRYPTED FILES.</strong></span><br /><br /> No software available on internet can help you. We are the only ones able to<br /> solve your problem.<br /><br /> We gathered highly confidential/personal data. These data are currently stored on<br /> a private server. 
This server will be immediately destroyed after your payment.<br /> If you decide to not pay, we will release your data to public or re-seller.<br /> So you can expect your data to be publicly available in the near future..<br /><br /> We only seek money and our goal is not to damage your reputation or prevent<br /> your business from running.<br /><br /> You will can send us 2-3 non-important files and we will decrypt it for free<br /> to prove we are able to give your files back.<br /> When you compose a letter, please indicate the <strong>PERSONAL ID</strong> from the beginning of the note, so that we can more specifically approach the formation of conditions for you.<br /> <!--text data --><hr /><strong>Contact us for price and get decryption software.</strong><br /><br /><hr /><strong>email:</strong><br /> <a href="[email protected]">[email protected] </a> <br /> <a href="[email protected]">[email protected] </a> <br /> <strong>OUR TOX:</strong> <a href="https://tox.chat/clients.html"> BA3779BDEE7B982BF08FC0B7B0410E6AE7CC6612B13433B60000E0757BDD682A69AD98563AEC</a> <br /> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br /> <strong> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</strong><br /></a></p> <p>*Our site and Tor-chat to always be in touch:</p> </div> </div> </div> <!--tab--> <strong> <strong><span style="background-color: #00ff00; font-size: 22px;"> <strong> xfycpauc22t5jsmfjcaz2oydrrrfy75zuk6chr32664bsscq4fgyaaqd.onion </strong></span><br /><br /> </strong><br /> <!--text data --> </strong></div> <!--tab-->
URLs

http://xfycpauc22t5jsmfjcaz2oydrrrfy75zuk6chr32664bsscq4fgyaaqd.onion

Targets

    • Target

      f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca

    • Size

      663KB

    • MD5

      7df4d51141b1c657e2c5f78ada3b526a

    • SHA1

      d0bbec49bbf722aa102e3cbd548cfec5f88dd6a8

    • SHA256

      f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca

    • SHA512

      fed221cf7f27d3e74023457c58e903e55aa14a608db36df341e8bef2b2cb751ca1fb90da1e6a091ed0fbab70347e67365398c1af51815bec1da0ff330e35b54a

    • SSDEEP

      12288:UIj+Lg10Vgi+ve+Ge5JFzLZQMDObpph0lhSMXl+XXenm1hdLQ:Uc+k18+ve+Ge53LuMKHh0lhSMXlYei

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (5714) files with added filename extension

      Renaming thousands of files with a new extension is consistent with ransomware encrypting files across the system.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Deletes system backups

      Uses wbadmin.exe to inhibit system recovery.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry
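
The behaviour list above (shadow-copy deletion, bcdedit boot-policy changes, wbadmin catalog deletion, Active Setup persistence, wallpaper set via the registry) maps onto command lines a process-creation log records, and the useful detection is not any single one of them but one parent spawning several. The following is an added example, not from the sandbox or from this sample: detection rules run over constructed Sysmon-Event-ID-1-style records. The records are written to exercise the rules and are not the command lines observed in this run; the report names only the behaviours, so the exact arguments, PIDs, paths and the `{hypothetical-guid}` Active Setup key are placeholders. Grouping hits by parent PID is what separates the ransomware pattern from a scheduled backup job that also runs wbadmin.

```python
import re
from collections import defaultdict

# Constructed process-creation records (Sysmon Event ID 1 style). Parent 4100
# plays the ransomware process; parent 900 is a backup scheduler issuing a
# legitimate wbadmin command. None of these lines are from this sample's run.
EVENTS = [
    {"pid": 4312, "ppid": 4100, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4320, "ppid": 4100, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 4328, "ppid": 4100, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 4336, "ppid": 4100, "image": r"C:\Windows\System32\wbadmin.exe",
     "cmd": "wbadmin delete catalog -quiet"},
    {"pid": 4344, "ppid": 4100, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'reg add "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{hypothetical-guid}"'
            r' /v StubPath /t REG_SZ /d C:\Users\Public\updater.exe /f'},
    {"pid": 4352, "ppid": 4100, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Public\note.bmp /f'},
    # benign: a scheduled backup job also invokes wbadmin, but to create, not delete
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\wbadmin.exe",
     "cmd": "wbadmin start backup -backupTarget:E: -include:C: -quiet"},
]

# One rule per behaviour in the report. Patterns are case-insensitive and
# tolerate the ".exe" suffix being present or absent on the command line.
RULES = {
    "inhibit_recovery.shadow_copies": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "inhibit_recovery.bcdedit": re.compile(
        r"bcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "inhibit_recovery.wbadmin": re.compile(
        r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    "persistence.active_setup": re.compile(
        r"\\Active Setup\\Installed Components\\", re.I),
    "defacement.wallpaper": re.compile(
        r"Control Panel\\Desktop.*\bWallpaper\b", re.I),
}


def classify(cmd: str) -> list[str]:
    """Names of every rule the command line matches (empty list if none)."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def score_parents(events) -> dict[int, set[str]]:
    """Group distinct technique hits by the parent PID that spawned them."""
    hits: dict[int, set[str]] = defaultdict(set)
    for ev in events:
        for tag in classify(ev["cmd"]):
            hits[ev["ppid"]].add(tag)
    return dict(hits)


def flag_ransomware_parents(events, threshold: int = 3) -> list[int]:
    """Parents that combined at least `threshold` distinct techniques.
    A single wbadmin or vssadmin call is routine admin work; three or more of
    these from one parent, in quick succession, is the encryptor's prelude."""
    return sorted(ppid for ppid, tags in score_parents(events).items()
                  if len(tags) >= threshold)


if __name__ == "__main__":
    for ppid, tags in score_parents(EVENTS).items():
        print(ppid, sorted(tags))
    print("flagged parents:", flag_ransomware_parents(EVENTS))
```

In ATT&CK terms the first three rules cover Inhibit System Recovery (T1490), the Active Setup rule Boot or Logon Autostart Execution: Active Setup (T1547.014) and the wallpaper rule Defacement: Internal Defacement (T1491.001). In production, feed the flagged parent PID into a second check on file-rename volume (this run renamed 5714 files) and treat the combination as the trigger for isolating the host, since the shadow-copy and catalog deletions are exactly what removes the cheap recovery path.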

MITRE ATT&CK Enterprise v15

Tasks