Overview

overview

10

Static

static

1

d2100ffe58...c3.exe

windows7-x64

10

d2100ffe58...c3.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe

  • Size

    881KB

  • Sample

    241215-el5b1stla1

  • MD5

    9049faba5517305c44bd5f28398fb6b9

  • SHA1

    036c6b32f3e7d7d689c9b4d482091eebcc669bfa

  • SHA256

    d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3

  • SHA512

    65a33506f970675775468f80b94a3f8bb2d3672e6fb08fc9f2e5107020095ca6d4bca927c59b72488e2ef4208a64a56ced7511ea14c0445cd50ea3ff9b827f6a

  • SSDEEP

    12288:I2wMm7l55+OeO+OeNhBBhhBBaELPA081o9baXpL3K+HDFgZUid4X9dCU5+Kazw4t:I2wMm7lfCIL3K+gY9dfcw4h3DX9X1

Score
10/10
credential_accessdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours. Contact us email :[email protected] -> [email protected] Attach this file in the email. ID :77F7CDB113A40F953B681AC9D5E1BD1968DA6D4BBCAE36B5E577D50EEF069B296A46A3FA0FEA807C8642E99801742A422F9A6B80DC236E307C9D875D07A4C06E4F1C28AB90F36A61E256E51EDD67B1B157622139733281BC09C8865051663E9DD892AB5DC300BF4035FD55B0C544696E40D3BFE8461A29FC49F0E7CDE70A8B3352CB9473E0A0C510804C35E9F2CAE084D3706EA32A1BC9030730F1BF19B48B28134D368AC85FBA4B0ACADF5843A348010BC81D367F00343A1CE1E667484668ED01BB14EB347BB3426824DCC672207B38096DEAF39AF0076847FF416645D4757033772E89F8FEE4C68FB4281DD16B3C27EEFFCB9D3C5C59FDE437CC684474A0CAB8E1AEAD8518AF90A3C95123DECA03EC5508DF08969DEA44BD6AD1A656C21CDEA66E4DAE6A88AC6FE5B96F6C0D802F90BC7AEBEE04AE149AE5320F6409938F2FF3E2B1DC03CAA3254990266335111B49530C4F1949C6D64DBC79F3C707B28FAB71E298A385B938CD4363EFD47C56F0C820900FE04E7EA53CD425A80CFBB515C6C22E77B8495DD5F1C238AF2719DE4A4E4CA0E87437D81BA9AF9FA23D3091B1D093D2EA8AFE0F44257E7F38FE145BF9D5FA6884F434D3294D1962E387A16AEE96FC59D6A5BD5BBAC288DDB868AD5A7947F5910375423CE8826DBEB48561AC87438FDB14409909FAC5996343A18D5A3B0AAE672A0FF619B3BE695E2EB6173553F36413CF5C720A4DD611A705298386A8C9AFD6FD7C9E90C6ACC3523FFA24D8E2C94543A83C0C35EA95E4A4C0CE2B26BFA74989256AB19D28C2A0AF65EE3876102C8997DC8CBC10AA3F2F1AFEE19D59F83567CAEE4857E663BC17A614A9352E8201A57D369C71F3247AB7EBF12955AE1BD62C87FD81AC077EEB4A9E8E3ADED5688F18CEC168C58906A477A85BD911C015C902E2D50562A435849137CAADF199078F2C109587601EA905BE2DA1D7D1CAE7AF8600925AFF73D99BA19955763071537B47624A8D99BE61CE3D4EA0A3C174B6EF8D9280611A551EE0D4AEAD00B95EB5061E8BC549B75E42759C042683FEE2E1BE2F97CDC0021C0C6CA1070B7E0078DA218BE8B115136FA413F9E34E203E0FFD2056F4AE76B195040376457BEC8CF91B508CACFCE7620AC8230F06CCE094E7592A23977076D7AD89008BED3233574492C494FBF429876F2D60B77CC3E14C043C5B4755E019606969429A8D1CFC61B57D6410677DACDF7AEC46C5FC7FDBFF8DFB9009AD7EF895107DA884B9EADFE0983E501CB36ABD57E77C535342D3C95B895F6BD26244A5A1F47BC1CC6BA485576D4556199979AE4D7AFE81EE74B6D202CD5785A922D5B9300636C22A35972C68F3EAB0FF664E52A6110D49EBCD1BCE66E7EC339FB0E0EA45D5E6BBC0F75CD98F391863D5379966A585683CCF8C4C53EED7BFDAA612D200BDAA08BE8260F16E34C47D7E07CFA04F10FFBC5F19FC85508D6D67994D60D10F7E16F7CB04737C24008D00CFEEBD30F0FDEE10677C22F8ACB3489FC5777341BB6FEECB5C927B6EAB3DEC55ADADC27BE7B6C8CC750698F563707F337D7600111E0D796D63B5A015B98629EF7D576AC857514B5C858F68F512F2FC9DF41DF27EAA4591380BFC8499004292E66693D0697682D832E45F403B2403FDF0F24C2334292B3A166053747E79FF34974F846296584618E7FD14551043FF9D493BAB6F9A783738018577298D208A8CD1940FD8E152EB127B20CC2345DA7F67C371FE120CD1DF25E68AAAAE205556D9C5E49EF4B2C141657ECFA343CA132C8B57E16C4CD8C2FB2BC13D05DCFCDF8B0097502A8F9141579457556ECC2DE834391D347FB353775BAF2A104B8E24B7276A3E7B28F0F75F16674CED559F5FA21928DF8E961CD5E8F573C194622D342E72D7EA1D5BDBAE2C2213D7F9DE3D2B6334DD2B77DD95148505BC1A5B57964847C4C2B6D06C02274BBD472F48B787BBBAEB7B1AE6900D3511C83F13EEC2CA4F4C73D8463785A0080401B152492BEC2B04D1D0E8558EFE8B0E4887BE87173153BBAD626DE0CCC2100CA9D720A2308B6A0367E2CE981185E79011FF7D1D2A8D54DCEDDCECAEC0E9AD815808A2E904E4F196F271916ADC735ADB77B6CA17FE0FA90F1F2F23186BCF17C6462C00F8CF3DFFFEB40FDB2902162C9C0D83C478537DB413FF9A7B9006678642E02F773A1309746E77DE5187DB007C5C7C595203CD3E9C979706A0030CB6D6E850F39FBD61DD804F09F0B9BED752F6196BA0BAEB56E6575EE6CC3A825FEFEA811418F48A78642DA96BD4B2D02DBC23F122A1D86A990E28E362C9FF2250F4A4BF5C7BB86CFD25AEAFCE01461EC4B90EBBF92FB2476ED5DB4F322BF45907CD79E7414EDCB3D2C65D

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours. Contact us email :[email protected] -> [email protected] Attach this file in the email. ID :9ACB682FAC04AD56018D4D79D4E1E64E2BFCF9E0EA1ECB1B4596B5EFD97E8A55B86BA855FF8BD60D6830BA62BE7ED142BD4C21428E3252A9495F70E24DED125848EDB882DFAFCEEDF9AF74680BA96EECBC09935FB273106D752959C63112F82A87AEC02A682F471A511294C555B9C5458DC2608AF55D1E2C44444AA89BAE78831B616E1887706B96688711D71D3091A8FB2811C2D06804DBD3AD5A757FCA82E5AA96ECC40E9A587915AEB5DABF1F3EAEBF53B6F17CC061C512B8F4B6D566A0509D1BA006740121B7A36A49DEC280D97A6CB2E3F04F80932B932E4E112D70501193FEFDFA85D97BBF64195FA7C7655DD798B5E6706C568B1C0B8B717340BE21D361D9418C817316BF094F51A0C06A00910A8CB646FFCB3F58F1193CABFCA66065AA913F3992651CE435C16E660A919DD24171247673AA2462F9531AE8BEC7C151AB379DFD51E6E605E295AE21DC74F1B299FBB6BC5862FDCC4EE56FB9510CEDE44DFCC7D5630DE189783D2EFCF0D9A5369C09AB572435843D706F6CF8B6B5BA83F307A309489FD7C6A4EEEB0D779C5B56070C26325936EE589949B78EC94BDE7D051D3D3046B213398C6E829B7969B3A4534FB6665AF6ED940D1BB43CFB728CBA32BE9945E3C82E2FAEDD8CCFF056A73D6E6301D1B14FFBBEFA5D7394724B8B271C10BBDF2AF505E95850276AFB26D9F005D7DF2216CC8332E27F9231E281407AB02037EF4AF617319D40A95A363F5DDD91F194A7A1E9C036A5D631C13F44D436D16F5835A3B29F4FE7486631D4CE3DBC9CD11E2965837B4E0D219B371958253659AB4A8DCA9A2470DB7593B803D14959FC399856A9D89C79C482C7558F39692B25F4CBCDA0780ED02AC00B3337A3EC9B1F8FB47F92F593407344316D6ECD4AEB7A46E49561EDFF826E0385C0C4D60F301ED153D65A2CB681E6CF19AB4543D0E0668E9600D09C2C8DF7AA8C7EA4F0FEF9D4C6FBC82A7B97930596CC554A3CA5CF03051EE3C566E355F3B40533FC9E900FDFA2634C2F201E163B265B155343C8EC5FA4EEF8853C1DF1B89497BBC01771D822498A32AB7D22D9D2471783A526581F555546B5C41D92168B021489CB3A6A62C964487DF31FD7463C6FB1E466898B842623DEA8945FF72F98C3FFFB3DCCD528E1FE12CFB9290FCA2A34A8932155CCD370995A6B80BE5388B7397791CBBAB36A302D031441A7BB3B4E540EA37F9EEDB084E749A761AC06A59B8276675E1C3DAE52A54834D57E1FE7050F572F140616DBD57D16EB41803DC4A9CDB76A03D45CC48769EE22394385BD71B1A4B8281F00088CB1D8B2F904A43643AC45D48EBEA8AEABB6410C81C23D821E934A9CB7ABF9E228FCB0E32C7CE743EE7CB05F2124E49AF55442AAF25FD1ED39E3C1D6F3BD0BCC59CD829CAD50C7505313A9D5559E96FDAEC9DEAD42C80C74EF30E99B9B066269439D47D4DC2A2D1E654D6327F376135E825CB4F39BC11F7DB1897153B64629495862FE9E6081CEE1D10D037312409F5F23A4F93A99A5E847D30598C41950A7E5A5ABAC9B0F2D9DAAFA2EDA5AC7637B2E2AFD09257B4657094320E34FAA3579A9132CAB84AE44C25D844DCCB06C3F9BDBA986AC875D1FCE5145E43B36EF0EBD8B9F4EC36B3CEC6F5772B00653A3D94BA6BA04C58BD813396220EC7D16CC9DBCE27820BB098E425917C32255AE9EB3F08EC254AB26EE9D50DDDEFFFFAAEA032C8F908E85607A341926BA41A7D44BF4E989242BC3A1C01D80686EB1BC7EFD150329F3A43F92030F557BF8D89F5FC23148F7D9C55CD7F10E0883EC872D8DCEF488015255AB98AB4E53DE02D836C2CD212F94BA863FA67FEE54EF7EAA0746211F9A9A239451B4522941984D30BA04EABB122C751BA0BE9A53AD293724AD972A5AC8E6DB46E65D83DC1D23E607CFE427EA58C501028784D508C002C8B699F737B6AB10691D876826D8CDAA352BE0AEAAF07F89D29211FA0C2152668AA35580F351DA5D325635C76FF1F6EB38FE9A98C9C97F4C6CC23B11063F99D031F1C530656BC22DB371E60BFF375D2D0A2FD15E9D1525AD0624EE113260449FBEF099E262E33871B541201CE64658897320D8E963EF925AE98A1A22815FFE5C8F3777626565A0D1999A6A35B5B25AC327015F54049F95202E3F3EEE165C2F14667BC94CD755B39F534CCBF36923CD31A0428C1FAB4EE189239BF892EBC218AB6E4C514CCE478A94C129FE5D40CF7E3F2CDB12AC22D973E4017CEBC29C3CBF8011BB51CCD3CDE9F4B98EE013741F215F874E1B1FD41CDCD73E4065962EB2A4D61F6BA078D41D6FDFC4A758247CF253E536988E6835D3E98BB86E44FD5B95972EF254E9C50D9405FF2C38340647F99D721BE033

Targets

    • Target

      d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe

    • Size

      881KB

    • MD5

      9049faba5517305c44bd5f28398fb6b9

    • SHA1

      036c6b32f3e7d7d689c9b4d482091eebcc669bfa

    • SHA256

      d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3

    • SHA512

      65a33506f970675775468f80b94a3f8bb2d3672e6fb08fc9f2e5107020095ca6d4bca927c59b72488e2ef4208a64a56ced7511ea14c0445cd50ea3ff9b827f6a

    • SSDEEP

      12288:I2wMm7l55+OeO+OeNhBBhhBBaELPA081o9baXpL3K+HDFgZUid4X9dCU5+Kazw4t:I2wMm7lfCIL3K+gY9dfcw4h3DX9X1

    Score
    10/10
    credential_accessdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Remote System Discovery

1
T1018

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Tasks