General

  • Target

    994539855377a216b90c1db4f77fdd60dd89aa2296a19345cf19d9591419809e.bin.sample.gz

  • Size

    154KB

  • Sample

    241229-tgp4vstrht

  • MD5

    9538b3184f9ac21b4b6b095f8896b2d1

  • SHA1

    e179756d06f3b96414dcf153bb473952c656117b

  • SHA256

    597a05e82a6716a0d6326ad61f746dfe7bcc04ea5a606bba6ddb60c2ed358aa6

  • SHA512

    f0220fde29ea5eab8b08299411f2e248feb0471250b2a5b3290b942a521c1a4453e1f0c529a2c93396035e7b60fe6bea1f00b098628768ddd4fa71f6943e2513

  • SSDEEP

    3072:L9DLte9hC6bK/agsXrBhNPaX6U/ZR0QMR5ul22lOuw:L3e9hC+K/ENhNrGR0lPd2lOuw

Malware Config

Extracted

Path

C:\MSOCache\All Users\READ_ME_NOTE.txt

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED!!!
All your files, documents, photos, databases and other important files are encrypted.
The only way to recover your files is to get a decryptor.
To get the decryptor, write to us by mail or telegram, specify the ID of the encrypted files in the letter:
Email: [email protected]
Telegram: https://t.me/returnbackcyberfearcom
Warning!!!
* Do not rename files.
* Do not attempt to decrypt data using third party software, as this may result in permanent data loss.
* Do not contact other people, only we can help you and recover your data.
Your personal decryption ID: CxLg9XcDAS0
URLs

https://t.me/returnbackcyberfearcom

Targets

    • Target

      sample

    • Size

      280KB

    • MD5

      badc00888b75a7a568d5a2b3d0cb6451

    • SHA1

      10e2dde399f369bab14eba5acfa06a923394aa33

    • SHA256

      994539855377a216b90c1db4f77fdd60dd89aa2296a19345cf19d9591419809e

    • SHA512

      5d00ce31011d460a34446469382b4151d0a241853b925b979da4b758336ff3416ef93b77c31666d1b846fc0ab1e242b34c400ef5b8c2f33cc725d1c39d3d4c7f

    • SSDEEP

      6144:EjWkd35a63FC6EkbwO+ZfhluCm9At1sotV50DErPtld:EjWk130CbwOouCmouDel

    • Renames multiple (221) files with added filename extension

      This suggests ransomware activity: the sample is encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15