General

  • Target

    0aa9c3d901f7d0447417ca0d7315dec99f1607efd397a660365b3be601ddd882

  • Size

    1.1MB

  • Sample

    241217-qfttwazmgv

  • MD5

    59b7ec85012da5fa1028820d2f97e507

  • SHA1

    61653b380392efd0d218aa87705f87109ee2684b

  • SHA256

    0aa9c3d901f7d0447417ca0d7315dec99f1607efd397a660365b3be601ddd882

  • SHA512

    e0a02d223bb8758eb51b941daad84dca6b1520aa053e762954f7987339027ec7aa0d32d344580efe5a3a508c760619769d90517496bcd8bd6cb62c0d9e4e5f9f

  • SSDEEP

    24576:XJZEZJPVUVTmTj0CfOZuzhg1HREnUjwSGvQ+giNxMOacZR:XJZEPPMT2j0CGZuimnUVGvQ+giNOOPR

Malware Config

Extracted

Path

C:\MSOCache\Help.hta

Ransom Note
<html><head><meta charset='UTF-8'><title>RECOVERY TOOL</title><HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu='no'> <script>window.moveTo(50,50);window.resizeTo(screen.width-100,screen.height-100);</script><style type='text/css'>body{background:#000}.b{font:120%;font-weight:bold;color:#fff}.a{background:#f00;border-left:10px}.q{text-align:center;font:200%;font-weight:bold;margin-bottom:20px;color:#fff}</style></head><body><div class='q'>FILES ARE ENCRYPTED</div><div class='b'>All your files were encrypted and important data was copied to our storage</br>If you want to recover files, contact the operator in the TOX application, enter YOUR ID <font color=Lime> hhnllvnu2</font></br>Add the ID <font color=Blue>3CC7CCEF369D6A7A4F6CAD11D12D7DE671909962944A7D034282F1F7B54F9D3522E570232A0B</font> of your personal operator as a friend so that you can start chatting.</br>If the Operator did not respond within 24 hours or encountered any problem then send an email to our support <font color=Blue>[email protected]</font></br>In the header of the letter, indicate your ID and attach 2-3 infected files to generate a private key and compile the decryptor</br>Files should not have important information and should not exceed the size of more than 5 MB</br>After receiving the ransom, we will send a recovery tool with detailed instructions within an hour and delete your files from our storages</div></br><div class='a'><div class='q'>Attention</div><ul><div class='b'><li>Do not rename encrypted files.</li><li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li><li>If you refuse to pay the ransom, Important Data that contains personal confidential information or trade secrets will be sold to third parties interested in them.</br>In any case, we will receive a payment, and your company will face problems in law enforcement and judicial areas.</li></div></ul></div><script language='VBScript'> On Error Resume Next set 
S=CreateObject("Wscript.shell") utox=S.ExpandEnvironmentStrings("%windir%\utox.exe") If not CreateObject("Scripting.FileSystemObject").FileExists(utox) Then MsgBox "Find and download UTOX.EXE file on the Internet and start..." End If S.Run utox & " -p",1 </script></body></html>
Emails

[email protected]

Extracted

Path

F:\System Volume Information\Help.hta

Ransom Note
<html><head><meta charset='UTF-8'><title>RECOVERY TOOL</title><HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu='no'> <script>window.moveTo(50,50);window.resizeTo(screen.width-100,screen.height-100);</script><style type='text/css'>body{background:#000}.b{font:120%;font-weight:bold;color:#fff}.a{background:#f00;border-left:10px}.q{text-align:center;font:200%;font-weight:bold;margin-bottom:20px;color:#fff}</style></head><body><div class='q'>FILES ARE ENCRYPTED</div><div class='b'>All your files were encrypted and important data was copied to our storage</br>If you want to recover files, contact the operator in the TOX application, enter YOUR ID <font color=Lime> rnovvmko2</font></br>Add the ID <font color=Blue>3CC7CCEF369D6A7A4F6CAD11D12D7DE671909962944A7D034282F1F7B54F9D3522E570232A0B</font> of your personal operator as a friend so that you can start chatting.</br>If the Operator did not respond within 24 hours or encountered any problem then send an email to our support <font color=Blue>[email protected]</font></br>In the header of the letter, indicate your ID and attach 2-3 infected files to generate a private key and compile the decryptor</br>Files should not have important information and should not exceed the size of more than 5 MB</br>After receiving the ransom, we will send a recovery tool with detailed instructions within an hour and delete your files from our storages</div></br><div class='a'><div class='q'>Attention</div><ul><div class='b'><li>Do not rename encrypted files.</li><li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li><li>If you refuse to pay the ransom, Important Data that contains personal confidential information or trade secrets will be sold to third parties interested in them.</br>In any case, we will receive a payment, and your company will face problems in law enforcement and judicial areas.</li></div></ul></div><script language='VBScript'> On Error Resume Next set 
S=CreateObject("Wscript.shell") utox=S.ExpandEnvironmentStrings("%windir%\utox.exe") If not CreateObject("Scripting.FileSystemObject").FileExists(utox) Then MsgBox "Find and download UTOX.EXE file on the Internet and start..." End If S.Run utox & " -p",1 </script></body></html>
Emails

[email protected]

Targets

    • Target

      0aa9c3d901f7d0447417ca0d7315dec99f1607efd397a660365b3be601ddd882

    • Size

      1.1MB

    • MD5

      59b7ec85012da5fa1028820d2f97e507

    • SHA1

      61653b380392efd0d218aa87705f87109ee2684b

    • SHA256

      0aa9c3d901f7d0447417ca0d7315dec99f1607efd397a660365b3be601ddd882

    • SHA512

      e0a02d223bb8758eb51b941daad84dca6b1520aa053e762954f7987339027ec7aa0d32d344580efe5a3a508c760619769d90517496bcd8bd6cb62c0d9e4e5f9f

    • SSDEEP

      24576:XJZEZJPVUVTmTj0CfOZuzhg1HREnUjwSGvQ+giNxMOacZR:XJZEPPMT2j0CGZuimnUVGvQ+giNOOPR

    • Panda Stealer payload

    • PandaStealer

      Panda Stealer is a fork of CollectorProject Stealer written in C++.

    • Pandastealer family

    • Renames multiple (9684) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks