General

  • Target

    2025-03-20_88cd426be100a17756f2ff09fbb790bb_mailto

  • Size

    69KB

  • Sample

    250320-a2173sysbs

  • MD5

    88cd426be100a17756f2ff09fbb790bb

  • SHA1

    339df90f848d5394fcf0d68d70e89a9c7852915e

  • SHA256

    e6385e24bf9a458a6e8040c0778c55d1db3f403a40ba800c124fe7851eb2c12b

  • SHA512

    faa9af7a3104c03a34672625a36404ddd6a1e6db68a5d7732c47c3f3e94885b9555fed268677bf7fe3d9579b84e66a2d3980df433507bf2d74dda04262a70066

  • SSDEEP

    1536:cuCWRxL7hbUiQfovePbUU+hhOZuIWiFp+ZfaBZebC33O+6wc:XCWf7VJQfmePbvkhOZu1iFBBZebC3o

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\29B4D4-Readme.txt

Ransom Note
Hello Cowan, Liebowitz & Latman, P.C.
Your files are encrypted.
All encrypted files for this computer has extension: .29b4d4
All data from your computers, servers including emails were uploaded. https://photos.app.goo.gl/LBMfnb3wZ9gp4uL58
You have 5 days to contact us and pay, otherwise all your data, personal information your clients and other confidentinal documents will be published and your clients will receive a link to the publication.
--
Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.
For us this is just business and to prove to you our seriousness, we will decrypt you one file for free.
Just open our website, upload the encrypted file and get the decrypted file for free.
To contact us, please go to the chat section on our website.
--
Steps to get access on our website:
1.Download and install Tor-browser: https://torproject.org/
2.Open our website in Tor-browser: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3.Put your personal code in the input form:
{code_29b4d4: Z3b1zfUrUzhC6YTd5AIb9Jm9acnvEweEVL/WWGl2tRq9cjRKJ5 c6qyBGkPrsb7avTqsbbr6xmst64u8qh9GS7TrtHJsWcWllB9s0 UjULSZaLbFH54tHz1/+/kx0vDuhUGbuPGC3CWZ5L7UWJkVfrBn Y+sIpZfzRLdBr+POSvFH2bgwfHJXCFXRVc02LfKvhdESszt2LW 3v/sBu1GZd/p730reXJfJRaNd1xTlA3MjKmBaMUx9FhEVyMzA8 7QxQg/VDN19jl11ZVTFv9TPMFUJVylFZsNrn0tyA==}
URLs

https://photos.app.goo.gl/LBMfnb3wZ9gp4uL58

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Users\Public\Libraries\3AC8D3-Readme.txt

Ransom Note
Hello Cowan, Liebowitz & Latman, P.C.
Your files are encrypted.
All encrypted files for this computer has extension: .3ac8d3
All data from your computers, servers including emails were uploaded. https://photos.app.goo.gl/LBMfnb3wZ9gp4uL58
You have 5 days to contact us and pay, otherwise all your data, personal information your clients and other confidentinal documents will be published and your clients will receive a link to the publication.
--
Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.
For us this is just business and to prove to you our seriousness, we will decrypt you one file for free.
Just open our website, upload the encrypted file and get the decrypted file for free.
To contact us, please go to the chat section on our website.
--
Steps to get access on our website:
1.Download and install Tor-browser: https://torproject.org/
2.Open our website in Tor-browser: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3.Put your personal code in the input form:
{code_3ac8d3: LmtiRfgeytF+31YK/GSHwhnjhXaZk6Jnx2FgWUiHxakgD+Ca/z B6c9tW/HavyLKI7wpHDv2AGOSTR28j8cjj5kpwW75jkxxdB9s0 Urm79Qd5LuQjVMlAP+kMaMMwmAUzZrLhf3E5EGtX9OEsRwNai7 cZo5cboWkyEyQNG6Yr9xbjm77b3ytACKfcwNO9OdgzZnTXIC2h j8Dwj2W2KDIHkazHa4MUD8PPEKiMBf4HspSGoQfEDRJchXBjFw V+jjwqV7ZKSrULbYTkX1YhILWWfadFrlXcjOeshg==}
URLs

https://photos.app.goo.gl/LBMfnb3wZ9gp4uL58

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Targets

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (7440) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v15

Tasks