General

  • Target

    fccd129f6a5b9d2133d14922a3614f02.dll

  • Size

    206KB

  • Sample

    241215-j6rc4symbt

  • MD5

    fccd129f6a5b9d2133d14922a3614f02

  • SHA1

    e814c637e6f0c21f3aa9b43fb92cb161b4d451fc

  • SHA256

    4b4a87552c44158fb53a72c7294319b0ddde9f99f460425ad5997d3b9121cd1e

  • SHA512

    c1594504053bbe2b061880d1ff69819eca8bdd2bc882b74f415ff8a1515389e32b8d7cd1b931d65b042247fd05df1751a000d6da4219427b74e9cdb0e0e52979

  • SSDEEP

    3072:4pEegLluZoATP/QGdqlhNFIkiFnZDJVvU1nSXZOAg0Fuj0pJgOgpQkV+tpMEaE:4pDyp2AQq3FWFnRehAOXpQkY7MY

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours. Contact us email :[email protected] -> [email protected] Attach this file in the email. ID :

Targets

    • Target

      fccd129f6a5b9d2133d14922a3614f02.dll

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest.

    • Downloads MZ/PE file

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)
