General

  • Target

    d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe

  • Size

    881KB

  • Sample

    241215-ep92nstmay

  • MD5

    9049faba5517305c44bd5f28398fb6b9

  • SHA1

    036c6b32f3e7d7d689c9b4d482091eebcc669bfa

  • SHA256

    d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3

  • SHA512

    65a33506f970675775468f80b94a3f8bb2d3672e6fb08fc9f2e5107020095ca6d4bca927c59b72488e2ef4208a64a56ced7511ea14c0445cd50ea3ff9b827f6a

  • SSDEEP

    12288:I2wMm7l55+OeO+OeNhBBhhBBaELPA081o9baXpL3K+HDFgZUid4X9dCU5+Kazw4t:I2wMm7lfCIL3K+gY9dfcw4h3DX9X1

Malware Config

  • Extracted path

    C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

  • Ransom note

    ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours. Contact us email :[email protected] -> [email protected] Attach this file in the email

Targets

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks