General

  • Target

    3c380d5492add3084df3876e715ef641ae0ba910cf84395e2f1f22bee33dad97

  • Size

    4.6MB

  • Sample

    241212-ylaxysvrex

  • MD5

    87ed0fc8118723ea66be965e8cea3764

  • SHA1

    bcc642835880fbf922cc2b029d362b3d82fac938

  • SHA256

    3c380d5492add3084df3876e715ef641ae0ba910cf84395e2f1f22bee33dad97

  • SHA512

    70974198ed89c9a325c03b3c78c1576d90b8a83b7adf3735fdfe2f30ea83309ba76bc34a3c78e9eb52defb161e5d5fb0e8813690a3960ce74975a2655b3f359a

  • SSDEEP

    98304:lpzHHcNCDnfENtGVKSqnJe9pANQvlsisx:ldHHcN2nfENGOYvlsjx

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR FILES.TXT

Ransom Note
Hello! All your files are encrypted and only we can decrypt them. Contact us: [email protected] or [email protected] Write us if you want to return your files - we can do it very quickly! The header of letter must contain extension of encrypted files. We always reply within 24 hours. If not - check spam folder, resend your letter or try send letter from another email service (like protonmail.com). Attention! Do not rename or edit encrypted files: you may have permanent data loss. To prove that we can recover your files, we am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups). HURRY UP! If you do not email us in the next 48 hours then your data may be lost permanently.

Targets

    • Target

      3c380d5492add3084df3876e715ef641ae0ba910cf84395e2f1f22bee33dad97

    • Size

      4.6MB

    • MD5

      87ed0fc8118723ea66be965e8cea3764

    • SHA1

      bcc642835880fbf922cc2b029d362b3d82fac938

    • SHA256

      3c380d5492add3084df3876e715ef641ae0ba910cf84395e2f1f22bee33dad97

    • SHA512

      70974198ed89c9a325c03b3c78c1576d90b8a83b7adf3735fdfe2f30ea83309ba76bc34a3c78e9eb52defb161e5d5fb0e8813690a3960ce74975a2655b3f359a

    • SSDEEP

      98304:lpzHHcNCDnfENtGVKSqnJe9pANQvlsisx:ldHHcN2nfENGOYvlsjx

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (7857) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v15

Tasks