Resubmissions

02-12-2024 04:58

241202-flyd5s1jex 10

15-11-2024 02:01

241115-cfxc4swlhv 10

General

  • Target

    0461e6e8f234e00307331dae19d3512950bbf3cdf7a1ec32802dff62cc14c90c.zip

  • Size

    562KB

  • Sample

    241202-flyd5s1jex

  • MD5

    be8d17952bcdf0bac1696e7f9d4fc337

  • SHA1

    902f122bf960a82331505e82c143af91424db1fd

  • SHA256

    0461e6e8f234e00307331dae19d3512950bbf3cdf7a1ec32802dff62cc14c90c

  • SHA512

    79aea791aa8a43ae88bbb27501f09f16b6f63165481b4faa7357a3f037b59a012ec0444954df41f39eadcc02a1d77d34d17eafaad46b55b023e52f61e0950e84

  • SSDEEP

    12288:7Mgw/UcFZJP2zC7ttD0ZgDn/rvPxemsMgw/UUZJP2z/jrEL0cAB3:7M2cF2zQpCgnc/M2U2znELHAB3

Malware Config

Extracted

Path

C:\ProgramData\biobio ransmoware.txt

Ransom Note

kasper Ransmoware ATTENTION! At the moment, your system is not protected. We can fix itand restore files. To get started, send a file to decrypt trial. You can trust us after opening the test file. 2.Do not use free programs to unlock. To restore the system write to both : [email protected] and [email protected] Telegram id:@biobiorans Your Decryption ID: 0A6172B017F62EAA

Targets

    • Target

      0A6172B017F62EAA.exe

    • Size

      137KB

    • MD5

      b556893d6f0219bb98468f724aeb06cf

    • SHA1

      540d6c29aa4a05564da6bf253fc46fc8793277f1

    • SHA256

      a75d6bf3c8cf0fc45b368bd83200d141319c9c67033803a230bd3451a309edff

    • SHA512

      3a9c8477dfec35af9e682e197c76a1c1e341cdd4f4c276d1c18beac9ff5b53da394eac8428e66921369a607cd75c2fb7e430466758df508d6974e59f7f901ae9

    • SSDEEP

      3072:MLIQ8YzXEMZK1A2czbFk58x+o+EFz9/t2f65q8hn2bIoKb:MstYrEMw6Bxk5zOFNtgJiCUb

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (9092) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
