Overview

overview

10

Static

static

3

f028a27430...ca.exe

windows7-x64

10

f028a27430...ca.exe

windows10-2004-x64

10

Resubmissions

02-12-2024 02:16

241202-cqmawszjeq 10

02-12-2024 02:12

241202-cncnnstqcv 10

30-11-2024 13:53

241130-q7gnmavrdw 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    20125033936.zip

  • Size

    320KB

  • Sample

    241202-cqmawszjeq

  • MD5

    832a3b2bdd95486e9cb651853170b5ac

  • SHA1

    2ddaa2721db8ec9c054994fa2110ecccfcd48892

  • SHA256

    e31d56289c1957053630383ff71959cba08521874410bd78e46680788490e9cd

  • SHA512

    5747ad665694fc76336c206f6917111ad9c380bcc1d92802791e7b0d235da8f167f210700f1cb16993e09dcf9a4684026d99bdf87f5bc6ddf7829336b33c46ff

  • SSDEEP

    6144:ePP9y8PLj5WBhpnbKGvekXrCPTe3baza1Whe6l1ivojaookujfr0hHwF7rZo502c:ePPNPLLGv12PTe3+OO3l1pjaookW06qO

Score
10/10
defense_evasiondiscoveryevasionexecutionimpactpersistenceransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\READ_NOTE.html

Ransom Note
<div class="tabs1"> <div class="head"><strong>Your personal ID:</strong></div> <div class="identi"><span style="width: 1000px; color: #ffffff; font-size: 10px;">kkwstpsxHTybqfiDLR0UfwRDz81WdkpLqmyyGXvmIWNDLVR2nGuYD3qORBoVKASaz1Cj5a9ewJ54TO8I9QmMKUQI6gOgnq3vABoMHDx065f51uLYIui9gewUyaf9030Cq7UYH7smBFf/avHsrL2N3P5tMiaF6k2oyHsi81D0IzllS3EXi+z1/9StCRL4aQ11ajyaAR2Fd+VMMcNDsQ71N2og9KxlEaarS+7sS6e+3Q5/jr264E6QKRElw1j/Ig3ofm/4ljuSQWJx3JNjQuOSPHvXBaYD6/VYqV1Mvf+4V4+ZjMmvZ31eEjlqgUUXDtgHNOwjzm+68JwdBOot1EkrDQ==�</span> <br /> <!-- !!! dont changing this !!! --></div> </div> <!-- --> <div class="tabs"><!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"><!--text data --> <strong>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</strong><br /> <strong>All your important files have been encrypted!</strong><br /><br /><hr /><span style="text-decoration: underline; background-color: #00ff00;"><em>Your files are safe! Only modified. (RSA+AES)</em></span><br /><br /> <span style="background-color: #00ff00;"><strong>ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE</strong></span><br /><span style="background-color: #00ff00;"><strong> WILL PERMANENTLY CORRUPT IT.</strong></span><br /><span style="background-color: #00ff00;"><strong> DO NOT MODIFY ENCRYPTED FILES.</strong></span><br /><span style="background-color: #00ff00;"><strong> DO NOT RENAME ENCRYPTED FILES.</strong></span><br /><br /> No software available on internet can help you. We are the only ones able to<br /> solve your problem.<br /><br /> We gathered highly confidential/personal data. These data are currently stored on<br /> a private server. This server will be immediately destroyed after your payment.<br /> If you decide to not pay, we will release your data to public or re-seller.<br /> So you can expect your data to be publicly available in the near future..<br /><br /> We only seek money and our goal is not to damage your reputation or prevent<br /> your business from running.<br /><br /> You will can send us 2-3 non-important files and we will decrypt it for free<br /> to prove we are able to give your files back.<br /> When you compose a letter, please indicate the <strong>PERSONAL ID</strong> from the beginning of the note, so that we can more specifically approach the formation of conditions for you.<br /> <!--text data --><hr /><strong>Contact us for price and get decryption software.</strong><br /><br /><hr /><strong>email:</strong><br /> <a href="[email protected]">[email protected] </a> <br /> <a href="[email protected]">[email protected] </a> <br /> <strong>OUR TOX:</strong> <a href="https://tox.chat/clients.html"> BA3779BDEE7B982BF08FC0B7B0410E6AE7CC6612B13433B60000E0757BDD682A69AD98563AEC</a> <br /> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br /> <strong> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</strong><br /></a></p> <p>*Our site and Tor-chat to always be in touch:</p> </div> </div> </div> <!--tab--> <strong> <strong><span style="background-color: #00ff00; font-size: 22px;"> <strong> xfycpauc22t5jsmfjcaz2oydrrrfy75zuk6chr32664bsscq4fgyaaqd.onion </strong></span><br /><br /> </strong><br /> <!--text data --> </strong></div> <!--tab-->
URLs

http://xfycpauc22t5jsmfjcaz2oydrrrfy75zuk6chr32664bsscq4fgyaaqd.onion

Extracted

Path

F:\$RECYCLE.BIN\READ_NOTE.html

Ransom Note
<div class="tabs1"> <div class="head"><strong>Your personal ID:</strong></div> <div class="identi"><span style="width: 1000px; color: #ffffff; font-size: 10px;">F4VdZVFw3H6Y7UpoC7JQA1a4f9h0KdnEBQIhhcxC4vLnb7PjwIqZqXQ2Z6YYbYlQhU/FwXFJkj3NuzcwD8/6Ri/c273u09sjsaK8TwG4ED77P+pebaMpwFf+9ykcbgEwtkiyS3eaxQtAF1Fc9kzKnFh46XYl4p3jtv+w8BrlgHYG191VDIMkHH1NzPjcwBV8ow8XHqXzfpa5EcUeWUAIfQVdgI2wTnwkYCFiYKUu3nY+qXLDjuCBVqOlFgyA+7wvsxrisLRyfQE+czBHHYtdV0J2SZRZmqiZpx7HZ8ionmzuDNECpVq0YH6cUxmsHryI+/rNRByY5UOPmNjImOfYfg==�</span> <br /> <!-- !!! dont changing this !!! --></div> </div> <!-- --> <div class="tabs"><!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"><!--text data --> <strong>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</strong><br /> <strong>All your important files have been encrypted!</strong><br /><br /><hr /><span style="text-decoration: underline; background-color: #00ff00;"><em>Your files are safe! Only modified. (RSA+AES)</em></span><br /><br /> <span style="background-color: #00ff00;"><strong>ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE</strong></span><br /><span style="background-color: #00ff00;"><strong> WILL PERMANENTLY CORRUPT IT.</strong></span><br /><span style="background-color: #00ff00;"><strong> DO NOT MODIFY ENCRYPTED FILES.</strong></span><br /><span style="background-color: #00ff00;"><strong> DO NOT RENAME ENCRYPTED FILES.</strong></span><br /><br /> No software available on internet can help you. We are the only ones able to<br /> solve your problem.<br /><br /> We gathered highly confidential/personal data. These data are currently stored on<br /> a private server. This server will be immediately destroyed after your payment.<br /> If you decide to not pay, we will release your data to public or re-seller.<br /> So you can expect your data to be publicly available in the near future..<br /><br /> We only seek money and our goal is not to damage your reputation or prevent<br /> your business from running.<br /><br /> You will can send us 2-3 non-important files and we will decrypt it for free<br /> to prove we are able to give your files back.<br /> When you compose a letter, please indicate the <strong>PERSONAL ID</strong> from the beginning of the note, so that we can more specifically approach the formation of conditions for you.<br /> <!--text data --><hr /><strong>Contact us for price and get decryption software.</strong><br /><br /><hr /><strong>email:</strong><br /> <a href="[email protected]">[email protected] </a> <br /> <a href="[email protected]">[email protected] </a> <br /> <strong>OUR TOX:</strong> <a href="https://tox.chat/clients.html"> BA3779BDEE7B982BF08FC0B7B0410E6AE7CC6612B13433B60000E0757BDD682A69AD98563AEC</a> <br /> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br /> <strong> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</strong><br /></a></p> <p>*Our site and Tor-chat to always be in touch:</p> </div> </div> </div> <!--tab--> <strong> <strong><span style="background-color: #00ff00; font-size: 22px;"> <strong> xfycpauc22t5jsmfjcaz2oydrrrfy75zuk6chr32664bsscq4fgyaaqd.onion </strong></span><br /><br /> </strong><br /> <!--text data --> </strong></div> <!--tab-->
URLs

http://xfycpauc22t5jsmfjcaz2oydrrrfy75zuk6chr32664bsscq4fgyaaqd.onion

Targets

    • Target

      f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca

    • Size

      663KB

    • MD5

      7df4d51141b1c657e2c5f78ada3b526a

    • SHA1

      d0bbec49bbf722aa102e3cbd548cfec5f88dd6a8

    • SHA256

      f028a27430e5cca11911b70a85e3ec826e17d5501028f78da9452fbb3ec6bdca

    • SHA512

      fed221cf7f27d3e74023457c58e903e55aa14a608db36df341e8bef2b2cb751ca1fb90da1e6a091ed0fbab70347e67365398c1af51815bec1da0ff330e35b54a

    • SSDEEP

      12288:UIj+Lg10Vgi+ve+Ge5JFzLZQMDObpph0lhSMXl+XXenm1hdLQ:Uc+k18+ve+Ge53LuMKHh0lhSMXlYei

    Score
    10/10
    defense_evasiondiscoveryevasionexecutionimpactransomwarepersistence

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (5711) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Deletes system backups

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks