Resubmissions

15-12-2024 15:31

241215-syg9xaykdx 8

15-12-2024 08:28

241215-kc625synes 10

General

  • Target

    fccd129f6a5b9d2133d14922a3614f02.dll

  • Size

    206KB

  • Sample

    241215-kc625synes

  • MD5

    fccd129f6a5b9d2133d14922a3614f02

  • SHA1

    e814c637e6f0c21f3aa9b43fb92cb161b4d451fc

  • SHA256

    4b4a87552c44158fb53a72c7294319b0ddde9f99f460425ad5997d3b9121cd1e

  • SHA512

    c1594504053bbe2b061880d1ff69819eca8bdd2bc882b74f415ff8a1515389e32b8d7cd1b931d65b042247fd05df1751a000d6da4219427b74e9cdb0e0e52979

  • SSDEEP

    3072:4pEegLluZoATP/QGdqlhNFIkiFnZDJVvU1nSXZOAg0Fuj0pJgOgpQkV+tpMEaE:4pDyp2AQq3FWFnRehAOXpQkY7MY

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours. Contact us email :[email protected] -> [email protected] Attach this file in the email

Targets

    • Target

      fccd129f6a5b9d2133d14922a3614f02.dll

    • Size

      206KB

    • MD5

      fccd129f6a5b9d2133d14922a3614f02

    • SHA1

      e814c637e6f0c21f3aa9b43fb92cb161b4d451fc

    • SHA256

      4b4a87552c44158fb53a72c7294319b0ddde9f99f460425ad5997d3b9121cd1e

    • SHA512

      c1594504053bbe2b061880d1ff69819eca8bdd2bc882b74f415ff8a1515389e32b8d7cd1b931d65b042247fd05df1751a000d6da4219427b74e9cdb0e0e52979

    • SSDEEP

      3072:4pEegLluZoATP/QGdqlhNFIkiFnZDJVvU1nSXZOAg0Fuj0pJgOgpQkV+tpMEaE:4pDyp2AQq3FWFnRehAOXpQkY7MY

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks