Analysis

  • max time kernel
    95s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/02/2025, 19:37

General

  • Target

    e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe

  • Size

    55KB

  • MD5

    821883525833df75c30d68584716f6fd

  • SHA1

    59f8739daa99175ae2a20e38048b1a5d3c5f039a

  • SHA256

    e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5

  • SHA512

    d457be30bc2231490e5d430c4eb545a9ef6c1f7bb3c393f28107faab4219d309c190592080aca9ef649a15ef78ddebf0d4f092b4988501b0177e18eb19386ef0

  • SSDEEP

    768:wGvvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5WpCD+9q:JreytM3alnawrRIwxVSHMweio3dD63o

Malware Config

Extracted

Path

C:\Users\Public\Pictures\Open Me!.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>Mister Merlen Encrypted your File;(</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <h2><span style="text-decoration: underline; color: #000000;"><strong><em>All your files have been encrypted!<img src="https://yoursmiles.org/bsmile/fun/b0222.gif" alt="[email protected]" /></em></strong></span></h2> </div> <div class="bold">All your files have been encrypted due to a security problem with your PC.</div> <div class="bold">If you want to restore them, write us to the e-mails:&nbsp;<span style="color: #800000;"><a style="color: #800000;" href="mailto:[email protected]">[email protected]</a></span>&nbsp;and&nbsp;<span style="color: #ff0000;"><a style="color: #ff0000;" href="mailto:[email protected]">[email protected]</a></span>&nbsp;and&nbsp;<span style="color: #0000ff;"><a style="color: #0000ff;" href="mailto:@[email protected]">[email protected] </a></span>&nbsp;<span style="text-decoration: underline;"> </div>(for the fastest possible response, write to all 3 mails at once!)</span></div> <h4 class="bold"><span style="text-decoration: underline;"><em><strong>Write this ID in the title of your message:</strong></em></span></h4> <p><span style="text-decoration: underline; color: #0000ff;"><em><strong> 8D B1 BA 5C 4A F9 8F 7B CC A2 49 A9 B8 FD 6E B5 45 90 DD 5D E7 EA BB A7 7D B7 CF CA AF 32 38 19 AF 2B FE 3A 2E 74 F9 78 72 B9 DB FF 3C 62 3B FE 54 A5 12 24 63 D1 B9 EC 06 13 F8 53 27 CE 0C AF CE 53 0E A8 BE 40 58 2C 9C AF 0C 45 1E E4 DA EA 68 87 B3 09 00 17 93 87 06 AB 5D 13 1D 0D FD 61 AD 1F FB E5 24 8D 7C 99 67 BA 39 9E C1 63 07 40 EF 3C 3F 58 6F B4 5C 5E EA A5 2F 41 7A 64 CB 9C 3F 17 25 70 65 5A D2 85 F6 EB 84 39 4F D9 D0 E2 91 47 1C CE 97 69 D5 65 72 D4 98 46 43 33 C1 79 A1 1E F3 23 88 6A 71 AE E8 EF A6 12 93 BB A7 DA 89 C7 27 F9 CB 72 07 AF 42 4A E3 E8 EA 16 C3 D1 EF CC C5 B5 C0 F9 F4 88 91 EE 91 DA 38 C0 6E 05 96 56 86 00 55 94 B8 3A 41 AA C1 FD 37 C4 62 5B 2F 6D 52 54 F7 F4 A0 AB E2 47 D3 5A 78 D8 3F 8E 8D 7B 8E 85 3D 2E 9F 4F 7B 84 11 E7 22 5A 8D B6 </strong></em></span></p> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 5Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </div> </body> </html> �������
Emails

alt="[email protected]"

href="mailto:[email protected]">[email protected]</a></span>&nbsp;and&nbsp;<span

href="mailto:[email protected]">[email protected]</a></span>&nbsp;and&nbsp;<span

href="mailto:@[email protected]">[email protected]

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Signatures

  • Renames multiple (9085) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 30 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe
    "C:\Users\Admin\AppData\Local\Temp\e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5020
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\e6fae4d52ed5450e44b6c16ce80abf4e63cdc25d3e4fc4f55c220cc1b740c2f5.exe > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1556

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3181990009-820930284-137514597-1000\desktop.ini

    Filesize

    1KB

    MD5

    2d08d84db4db7475ae752777b942fa85

    SHA1

    6c09232ecad109b169f7c002275144b880eda777

    SHA256

    34f65312da12a2a725c9d07afc1a8d6391abc44739913bfa670a48209c049be0

    SHA512

    b9ce1d5031e4532e37029cf1df34337a15d9ea116ed4de4255d4cb7a3525dda9e245b81cd1824854168039a362cadcf325b0bf113d5985d8cf087753e5bb144f

  • C:\Users\Public\Pictures\Open Me!.hta

    Filesize

    6KB

    MD5

    eb81e3186fea5e42eeda22187eab7d53

    SHA1

    95667595b401961b7e48f2462a73d655185cd216

    SHA256

    21217a34fcb38c23e793fa7e53885ef7c84af76df3b1b71a8c5c078a4337405d

    SHA512

    e61c7f3a5747f9ee27412a81163211425933eaefe7f46e337a0d659b5bdb1b077f506a6d0612b8358afec860a963b78e1283f5e14d4196bf9136b405dccd50d1

  • memory/5020-0-0x0000000000400000-0x000000000040EA00-memory.dmp

    Filesize

    58KB

  • memory/5020-1541-0x0000000000400000-0x000000000040EA00-memory.dmp

    Filesize

    58KB