Analysis
-
max time kernel
95s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
23/02/2025, 19:37
General
-
Target
e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
-
Size
55KB
-
MD5
821883525833df75c30d68584716f6fd
-
SHA1
59f8739daa99175ae2a20e38048b1a5d3c5f039a
-
SHA256
e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5
-
SHA512
d457be30bc2231490e5d430c4eb545a9ef6c1f7bb3c393f28107faab4219d309c190592080aca9ef649a15ef78ddebf0d4f092b4988501b0177e18eb19386ef0
-
SSDEEP
768:wGvvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5WpCD+9q:JreytM3alnawrRIwxVSHMweio3dD63o
Score
10/10
Malware Config
Extracted
Path
C:\Users\Public\Pictures\Open Me!.hta
Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'>
<html>
<head>
<meta charset='windows-1251'>
<title>Mister Merlen Encrypted your File;(</title>
<HTA:APPLICATION
ICON='msiexec.exe'
SINGLEINSTANCE='yes'
SysMenu="no">
<script language='JScript'>
window.moveTo(50, 50);
window.resizeTo(screen.width - 100, screen.height - 100);
</script>
<style type='text/css'>
body {
font: 15px Tahoma, sans-serif;
margin: 10px;
line-height: 25px;
background: #EDEDED;
}
img {
display:inline-block;
}
.bold {
font-weight: bold;
}
.mark {
background: #D0D0E8;
padding: 2px 5px;
}
.header {
text-align: center;
font-size: 30px;
line-height: 50px;
font-weight: bold;
margin-bottom:20px;
}
.info {
background: #D0D0E8;
border-left: 10px solid #00008B;
}
.alert {
background: #FFE4E4;
border-left: 10px solid #FF0000;
}
.private {
border: 1px dashed #000;
background: #FFFFEF;
}
.note {
height: auto;
padding-bottom: 1px;
margin: 15px 0;
}
.note .title {
font-weight: bold;
text-indent: 10px;
height: 30px;
line-height: 30px;
padding-top: 10px;
}
.note .mark {
background: #A2A2B5;
}
.note ul {
margin-top: 0;
}
.note pre {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
}
.footer {
position:fixed;
bottom:0;
right:0;
text-align: right;
}
</style>
</head>
<body>
<div class='header'>
<img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='>
<h2><span style="text-decoration: underline; color: #000000;"><strong><em>All your files have been encrypted!<img src="https://yoursmiles.org/bsmile/fun/b0222.gif" alt="[email protected]" /></em></strong></span></h2>
</div>
<div class="bold">All your files have been encrypted due to a security problem with your PC.</div>
<div class="bold">If you want to restore them, write us to the e-mails: <span style="color: #800000;"><a style="color: #800000;" href="mailto:[email protected]">[email protected]</a></span> and <span style="color: #ff0000;"><a style="color: #ff0000;" href="mailto:[email protected]">[email protected]</a></span> and <span style="color: #0000ff;"><a style="color: #0000ff;" href="mailto:@[email protected]">[email protected] </a></span> <span style="text-decoration: underline;">
</div>(for the fastest possible response, write to all 3 mails at once!)</span></div>
<h4 class="bold"><span style="text-decoration: underline;"><em><strong>Write this ID in the title of your message:</strong></em></span></h4>
<p><span style="text-decoration: underline; color: #0000ff;"><em><strong>
8D B1 BA 5C 4A F9 8F 7B CC A2 49 A9 B8 FD 6E B5
45 90 DD 5D E7 EA BB A7 7D B7 CF CA AF 32 38 19
AF 2B FE 3A 2E 74 F9 78 72 B9 DB FF 3C 62 3B FE
54 A5 12 24 63 D1 B9 EC 06 13 F8 53 27 CE 0C AF
CE 53 0E A8 BE 40 58 2C 9C AF 0C 45 1E E4 DA EA
68 87 B3 09 00 17 93 87 06 AB 5D 13 1D 0D FD 61
AD 1F FB E5 24 8D 7C 99 67 BA 39 9E C1 63 07 40
EF 3C 3F 58 6F B4 5C 5E EA A5 2F 41 7A 64 CB 9C
3F 17 25 70 65 5A D2 85 F6 EB 84 39 4F D9 D0 E2
91 47 1C CE 97 69 D5 65 72 D4 98 46 43 33 C1 79
A1 1E F3 23 88 6A 71 AE E8 EF A6 12 93 BB A7 DA
89 C7 27 F9 CB 72 07 AF 42 4A E3 E8 EA 16 C3 D1
EF CC C5 B5 C0 F9 F4 88 91 EE 91 DA 38 C0 6E 05
96 56 86 00 55 94 B8 3A 41 AA C1 FD 37 C4 62 5B
2F 6D 52 54 F7 F4 A0 AB E2 47 D3 5A 78 D8 3F 8E
8D 7B 8E 85 3D 2E 9F 4F 7B 84 11 E7 22 5A 8D B6
</strong></em></span></p>
<div>
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
</div>
<div class='note info'>
<div class='title'>Free decryption as guarantee</div>
<ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 5Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul>
</div>
<div class='note info'>
<div class='title'>How to obtain Bitcoins</div>
<ul>
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
<br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a>
<br> Also you can find other places to buy Bitcoins and beginners guide here:
<br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a>
</ul>
</div>
<div class='note alert'>
<div class='title'>Attention!</div>
<ul>
<li>Do not rename encrypted files.</li>
<li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li>
<li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li>
</div>
</body>
</html> �������
Emails
alt="[email protected]"
href="mailto:[email protected]">[email protected]</a></span> and <span
href="mailto:[email protected]">[email protected]</a></span> and <span
href="mailto:@[email protected]">[email protected]
URLs
http://www.w3.org/TR/html4/strict.dtd'>
Signatures
-
Renames multiple (9085) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 30 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe"C:\Users\Admin\AppData\Local\Temp\e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe"1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe > nul2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD52d08d84db4db7475ae752777b942fa85
SHA16c09232ecad109b169f7c002275144b880eda777
SHA25634f65312da12a2a725c9d07afc1a8d6391abc44739913bfa670a48209c049be0
SHA512b9ce1d5031e4532e37029cf1df34337a15d9ea116ed4de4255d4cb7a3525dda9e245b81cd1824854168039a362cadcf325b0bf113d5985d8cf087753e5bb144f
-
Filesize
6KB
MD5eb81e3186fea5e42eeda22187eab7d53
SHA195667595b401961b7e48f2462a73d655185cd216
SHA25621217a34fcb38c23e793fa7e53885ef7c84af76df3b1b71a8c5c078a4337405d
SHA512e61c7f3a5747f9ee27412a81163211425933eaefe7f46e337a0d659b5bdb1b077f506a6d0612b8358afec860a963b78e1283f5e14d4196bf9136b405dccd50d1
-
Filesize
58KB
-
Filesize
58KB