Resubmissions

03-01-2025 13:09

250103-qdr79sykfn 10

22-11-2024 02:14

241122-cpgn1sykap 10

General

  • Target

    Batch_1.zip

  • Size

    13.3MB

  • Sample

    250103-qdr79sykfn

  • MD5

    19090d44d59052a2c0747280fadc7f92

  • SHA1

    25162ddae11d4f21729418d6f5e43c8fd035de68

  • SHA256

    e9b99706a9b48b09974dd18c1af8a0e402ccddcaa0c91edf43fdd838128a7408

  • SHA512

    9168cb1b97bf680b5be065852486b51c38cd134ec2aebe97bc0a6a4b681a226cf83013e012de1e0402e44369fc6c1ed95068f94ab6e21b4dbba91606f95f9800

  • SSDEEP

    393216:17+hcOnO654Z2D2suR0212iUS8EgAoHBM9a6h2BS8uO:EZzuZu5uR0IRnyHBMIvYO

Malware Config

Extracted

Path

C:\FILES.TXT

Ransom Note
Don't panic, read this and contact someone from IT department. Your computer has been infected with a virus known as ransomware. All files including your personal or business documents, backups and projects are encrypted. Encryption is very sophisticated and without paying a ransom you won't get your files back. You could be advised not to pay, but you should anyway get in touch with us. Ransom value for your files is 5000$ to be paid in digital currency called Bitcoin. If you have questions, write us. If you have doubts, write us. If you want to negotiate, write us. If you want to make sure we can get your files back, write us.

[email protected] [email protected] [email protected]

In case we don't respond to an email within one day, download application called BitMessage and reach to us for the fastest response.

BitMessage BM-2cVPKqFb5ZRaMuYdryqxsMNxFMudibvnY6

#########################################################################
To someone from IT department
This is custom developed ransomware, decrypter won't be made by an antivirus company. This one doesn't even have a name. It uses AES-256 for encrypting files, RSA-2048 for storing encrypted AES-256 password and SHA-2 for keeping the encrypted file integrity. It's written in C++ and have passed many quality assurance tests. To prevent this next time use offline backups.
#########################################################################

Targets

    • Target

      08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe

    • Size

      727KB

    • MD5

      d13f890034a68ccb4af4e0bf51e2b5ec

    • SHA1

      84afde24c913c007b0c0490041b61877aa254737

    • SHA256

      08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4

    • SHA512

      0065844527f3a3556bc50705f9d5608561a04e95a2d99b1a262db1094ca188425ef69f02f801eab2eaf74e14e027ceebb471a754192e195e51b6c57d3d7d45ce

    • SSDEEP

      12288:jk2624GHVUBOSRVrHZfiZHJ2HFO/9xwrPgWyzZp+L7vN3:H6+VUBraeF8/tSh

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Drops desktop.ini file(s)

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks