Overview

overview

10

Static

static

1

d2100ffe58...c3.exe

windows7-x64

10

d2100ffe58...c3.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    20396165116.zip

  • Size

    394KB

  • Sample

    241217-yy59maxpgk

  • MD5

    b081377e58bfddf7741a002e0282ebdc

  • SHA1

    adcc45489959a320d0aba37635ae338caec40ea8

  • SHA256

    678ea394d9523956e439a2a44728906160e0bf65f050dedde04b7cd3beca13a2

  • SHA512

    3f86e54896045ce8cc64af06dd42157aab9be45f9b5852a9d0467c55cb2a88c34eefe2e49bc4eb2417d902a9ba90ed5cfae2ca99afdb097b1d11a9481aca22b2

  • SSDEEP

    12288:kB130BAECMaaulWHZ9PxTi224TBDL8ljF+3:kuwH4HZ9PxTNDL8l5o

Score
10/10
credential_accessdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours. Contact us email :[email protected] -> [email protected] Attach this file in the email. ID :27E53A694C8F646403744459BD63EB3FCDFFF37780973D6EC2C929FFC3B3C936560FCC5E2AEF8059176D4A38278C672C8649ECB107B4ACE408F87EBC949E9ADEB5422E0BA8D9755A730AE886274F0AC5E5463B94370AFF570194B6A42AF2968713C46696F18591FBE3E8758EFC7643342B157256CD1F9755893ED8274D25786110AB046BE768FCAE89949AF0A6254385A4F620EC4402EDA46FDFE00C86315A19153B50B0385E29246D5FEBD75126DF362FA55D78282CEA9376FD28B0EA341A1755DE0EEA838F0BB34595173DAFD649F8DB98DC13D0010D3B5302B24D31D59C797088427DD72209837CBB6D5699E7CC88DE19CA47EF940F0FFBE3A78D4DFDAE2FE05051CFECC4AED697631F706B8AEC56C0F2B91E32A0ADC55147DD3E0CF2F0B02A51F7B1A999854E6D9ED71C2BAE044C8F89D9404E94BACF49325CDE2D459EF8B515FCCEA22E770F5E01BDCD73B116251191AD0D0878AC04A8997AD9BE37DABC91CD1F7291B140CFABB5805250B2EADF8737537C6D26B3E80DBA4741ECC81C9420E47B9BE9F699E182735EE413F49EEE096F391D6BBDDF55B3AC1DA3F752066BF7962D7063E52C6DB011421EB374124854362B5EA6E9BAD7E60B17EA32C9F8CAD8901596BD86791BDAEA051E711ECAD0494E17106F07A459C061E9570C6F977C166A97E1077B6656A40515B48595ED892727562FA7E46F319AC66A439FF7A09A379CF4C26C650196227D08A0A32355DD88858AACC1C3ACE4D337545E58372D5EBE0835146F009F591F426E2CC66886515476068571CB3FF23EDB3D715F540E20BBFDE584658757E64AA1C58F7AA2E76E300E443CB4E964E30409167234E97F0692E05B33FDBC54E2BD569B0B48800F5D4400DEC706148C2CF884163B23EA522D01588440FDA0AB7DA85E01E7A2AB7C4506BC224DE058A2460184A753DD24474042E24BC223195C843042FB8EEEC1087FFB72F0F1FEF84CC1B9078F3C471876C8737C9E9C8BA7802200123C742C8F289FBF816ACCB9C309DD0E2796CA0321FEDC1293317E3325D23E3D20D85CB24DBB07478A35A9F1CB75E75FA309FAB2E7652166E619E8CF5471AA72FDD9110BA1EEBA9D4E3977DEDBE855EFE73C007E2BB303236F3B08FDDCDDAFD72281BD313889F8AFF735FE96531A9A62F64975B3EABEDBE06C99435EB6AD483D2BBCECBB19B69D53A81DCC407D3849FFD4CB70F6B9720AE3155B5EC26D98D0B9837367FEC197EB01A1C85A09AEDD5A7AC7476212756FA49B9FE3D156CF570A84BE6FCD3C34082F92BDAC07272172FB6E4090B14ABA2ABC6515A5A07DE0B77BB2055CD6BD5EBB02728CA24F45C80E6F2F47AD3806DAF1D56F3905AA99EFF6A9C28A5D86C0DC0071359F5BAF29F7E3B61E9453A2408B1207CF87548652B298415298AB4A71467EFD7B21D1C1DC659C5C6EED376250513A74643EDAB25E084BBD084BC4B6614066FB86E7EC605D5E7519B544EE5E4ADFB2098D9FDA7253AED03F7A3B7EF9CF52632401363355206BAC2D9FFB3CAD5D0F5FB0F2253EE25699D79A9D1B9DD5FA75650F61110A35485DD6C243B708331E06C9AF9F124506D87F6DA47DB3011348E928D30F67D85CFFA971F0E4BB3EBCED933B94CAF5A13347295D4F34CCCEBDCBA95E3B3AD0583985289DB27419CB84E04B20CF7DC11118EF91EB9C39766A30CBDF8A93471FD923971E8A93329133438E0A14894636B5E7A5A6031AD64F466F60EC1854383F0790324459E37D37822D47065E0A0F35F06877D93CBC9D920DD45C8FB5E39C76031AD64B783CC26032CAC6C84F7F553F72C22835D2B0BD44F149CEEA0334372DC1F8240F203ECA240477131B53513BBB948265EB703FEADB58458A4F2DE2FFD30CE8E6A8DB3D5EC9D98BE916F5478B8292861E0E7B56389149BBE2DB07A229DA7DD121C997FE30925BCE0E15A8A29C9DD56F4265A37F9CF182FF2A1180E76E6EE4858F443CBBE5566359557F122D38A9C7F272C4DC6524985EB5BDD02B27779DFC19E925D6C706B83CB8699CCE8B5C987C76EC6BA029B5DB0B0CD5E077826643EE1C63A4D9547489B0E38A753F82E3A5B43FD7B7D86DBCD22B89F1C6A13A1AC3A4FCDF168C32145F2AEE688563E3C9EB11433DCD6D2A3A2E5F3558FB38119A7E97D61A0DBCAEB06B1D150989A119FB66A99B471A2275A21A9F3AB79CE12311CF1255667666947653D2981069830A2E3D0179EA45130E110E778959B12AB0FAF182B5A476BEA22DA62A958B87039AF3AADEF07D7FCC3074C04DA8F02E7F112804387921DD31CC0EA904E39D14C649C43FCDD4D10E33056B3A4585DBC165518BFEC8393113EC574589118C82FC8A0F5D19F2C17ECEE71D8EA11D

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours. Contact us email :[email protected] -> [email protected] Attach this file in the email. ID :1696CABFFB18FF26F53F3EF8010660949CCFA8F3F47E9CCFE08605CA9561CE1A6D963914A767D2DEB71063C0F2BC44A12DE4533FB9AC718618A28105BFB1B5E3035C30BB548D2BBE1B80D922B782FE6CA2C36C129A5131D82EA38EC7B568A1F8642A51917280FC009454399C3A4933A74F3DFAB2D7FF5E76F3DA57ACC9C94424FE9A6B67933DB0764C6E998EEDB82FDB78606F1669D993079ED349698A681A65A2352DAD9DC8E0B51B0F7F917C01F836643A72EBEBD83B46DB17C62DB2F33A9A9BB229685AE7474EEB422EC0E4BDC9314826188BE8754F39C20801F1B6997550787831D8903667B09BF850E6F8A583BE4B16C7688CB7957CE8600901DE919356AC6AF92F7187B28591170BA283EBEE5D6B9F5CB36668425F245840F5732DA66D323159C5A74DD40895EF9DA69DC9ABBA4F71DFD97F5C270C4FD51FFB7FA6AC6CF766670052FC550BFD081720180FB6A5C47D0B45233212A7DBB54F7A23079AA010430931C22E37B3879F953C5BFF2C0F6C065B89B52E63A67FD45C7E120B742E3E5C7304A80EE4F80F5E3631DA03EB9476F8142FA8F6F0FDCF51185C6655FB94C65D6AACD43C7467B4275D845D33A99B797D15B53B9F2D2318DF38C1466D8FAA77D5BD567E9F1DA011B73CD3836004A2C04FA80AEE26BCE52AFF557CE8F687B8103AB8C904EE5A485E397B633D4E7E35B10A233BB1B302B09A5D2125C46409B4DFBF0B24517E87E88EE1ED84C7828CB1E0D6E81A29843F324FDF0A807C80E30D53123A5C0674E174B94CDDBA7AE292134E544C3BDF6344BFDB5FD65A6C6ADFD942438867207836D1FB0047348AF8E90C1250D522A0776B514545B731F4795DBE7632408EB9D8980F289E55981D5347DF440704BAADF430CFF15F9CC615E15F2F9B5E1A99EEEC3C9BE890FE063C3C269AD7F3841B53E9A13722F79F7C2DCA96FEB40BF9F8AC1668A1470E23C26493E11E41258DD93C42DD907ADA2DF82364A82D96E5ADD6162E6A4126A37D76F73E9AAB186574380420BCB77FA380671B9630362E9A2548E16219CE970D0EE6DBD7E32E6985B04A4FCFB1941F4C26E127FAC6033A6B58F42D11804FD317316E51954FC85BA930ADAB1D83A6FFA7E3DC3A5659C871A882BA345E9AC8BD805C6DC77D678CC3D4BCFC935A92A4FEC0876A49BC837BE02CECA6EBDA695AB830524D7DD6EC440E6AC3C8FAFADE0316C367EA6FCD6008E6865132430F33133A7CDA2F2BE636A7F30304ED91D7023F66493BE0BC0D2661A512F0C5473C2F76F520744ABED7B7171888756BCB9DD56F27CCCD88E014784A05FF625CEE7E54CDFB26180C15DEC2FAC35CFAFE6DC7CC68F7C3096C278A3F8A422624CA5D57C77705657BFBF886643FA3094C020690D57C5D92D7EC00F4C37650F503D1A434F49B299F90BFF93076AE2C9EF888F7EB29A4DDCD6C4036661AB758DF99C1CD2556A5E095A2643444AF8A4A8025049CCDA5C0736D2B63924477C8F201912B2729E5E1B17625679669B0A6DA16CFFD1C1D44062360E7D0845603BE463D53A2CD177A2F3EF762C25A1CE2F54C86265D07B090ACA23B63328B19CBA833597217054CC9665F01C04871CA790BD7981FED3DC9B24081F34BDE01BBB7AD6FD5DD8A6CB46F90717D6C0AE99B8487D18C26334C2476A33AC2FAFA7692AB7083BC155DFD75D0B88B9C4B2603B2E1FA54176D698463040DB560BCA912A3479060011440B906AA95506F326CD85129B0037DF81900EA0043B0DC4F2C763A53A0CE5587D42551B5138359D8EE699989F8B8C1D063DAEF115D8DAC3FDB77232F0BBCFAF89465105158DC41A7697988E41AB96AEE30212D18F6FF946057010F3366A944DC9005A8B109A3949795EA37477451F5C54D3811F6266245C2EF0BAC7C63F5879AF7FB723941C09DFA4B32A014C3A1B5164548476FEA3BAC6160C97ABCD5BF08C8CF05D3F5031497128849E16329644031C14943D2430F2C42BBCE8DD46BC4504B0587850C559F01B73C21DFA7E8FB3080CDF07BE83FFCA45DB12C2FFC1E1008BE218B55EEDA36A68DCA7CEF928887FBCBDEF218B5CEB13B505EF19AB4788EA6F66F1E065D9FBD53DCF1D29FF3A037D4D9473B8FD7E334C39CB67C352C91EB0616F631E8FAD96688CDD9DEF27D75581F6DC4479934078F4347CC2E42C510742034E896CAC33D47A5CD94E630F085674A35A7A4DBDAAC297D5793A32B4C39C745EDC1C9DDA0063C781AE0F436090D7B4EE8E76FFC86B719FF07A2C40E9E0041A0AC1267D2DEC804EEFDB83E84ED43886A5454B7E5AE9F776BA5C13534811B2A720E6A63CD90BADA75BC3C7CABE6B19A3C3C609C77E1E310DBA839B2533036C7B1D07D4FCE32D8F0BC1D

Targets

    • Target

      d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3

    • Size

      881KB

    • MD5

      9049faba5517305c44bd5f28398fb6b9

    • SHA1

      036c6b32f3e7d7d689c9b4d482091eebcc669bfa

    • SHA256

      d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3

    • SHA512

      65a33506f970675775468f80b94a3f8bb2d3672e6fb08fc9f2e5107020095ca6d4bca927c59b72488e2ef4208a64a56ced7511ea14c0445cd50ea3ff9b827f6a

    • SSDEEP

      12288:I2wMm7l55+OeO+OeNhBBhhBBaELPA081o9baXpL3K+HDFgZUid4X9dCU5+Kazw4t:I2wMm7lfCIL3K+gY9dfcw4h3DX9X1

    Score
    10/10
    credential_accessdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Remote System Discovery

1
T1018

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Tasks