f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5

General

Target

f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe
Size

181KB
Sample

250330-hbv75s11dv
MD5

4b61967fdf02be7687b1490e15b9fd68
SHA1

fad1ec3f9014432f8bc878c1424c7a7e56d6d729
SHA256

f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5
SHA512

4cbcbe30b4cbc62268a28c4d711548d56f78b3dc82e1840061d1e0f2ecd8d9316ff5a42108ec7994f63fa0cbd088b0f5375e9f178840e21844bf5eebef7ace24
SSDEEP

3072:rB/5U7rXgNoku2TspaCq7IUnQOuDE4cxmphmSkCRgOupmTZ0Nk5TqhpzWJy43UYl:rR5U7rwN02Tyq7IwQO54eMBkwXKmTZQq

Score

10^/10

Malware Config

Extracted

Path

C:\PerfLogs\readme_for_unlock.txt

Ransom Note

!!! ATTENTION !!! Your network is hacked and files are encrypted. Including the encrypted data we also downloaded other confidential information: Data of your employees, customers, partners, as well as accounting and other internal documentation of your company. All data is stored until you will pay. After payment we will provide you the programs for decryption and we will delete your data. If you refuse to negotiate with us (for any reason) all your data will be put up for sale. What you will face if your data gets on the black market: 1) The personal information of your employees and customers may be used to obtain a loan or purchases in online stores. 2) You may be sued by clients of your company for leaking information that was confidential. 3) After other hackers obtain personal data about your employees, social engineering will be applied to your company and subsequent attacks will only intensify. 4) Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered. 5) You will forever lose the reputation. 6) You will be subject to huge fines from the government. You can learn more about liability for data loss here: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation https://gdpr-info.eu/ Courts, fines and the inability to use important files will lead you to huge losses. The consequences of this will be irreversible for you. Contacting the police will not save you from these consequences, but will only make your situation worse. You can get out of this situation with minimal losses To do this you must strictly observe the following rules: DO NOT Modify, DO NOT rename, DO NOT copy, DO NOT move any files. Such actions may DAMAGE them and decryption will be impossible. DO NOT use any third party or public decryption software, it may also DAMAGE files. DO NOT Shutdown or Reboot the system this may DAMAGE files. DO NOT hire any third party negotiators (recovery/police, etc.) You need to contact us as soon as possible and start negotiations. Instructions for contacting our team: Download & Install TOR browser: https://torproject.org For contact us via LIVE CHAT open our > Website: http://z6ig22odfrlgttti64avskvguqpjlmixzzaepm3xn2pmjkare5rjwpid.onion > Login: CLIENT > Password: D01EuXJTiTnWR5S1bSCV If Tor is restricted in your area, use VPN��

URLs

https://gdpr-info.eu/

http://z6ig22odfrlgttti64avskvguqpjlmixzzaepm3xn2pmjkare5rjwpid.onion

Targets

- Target
  
  f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe
- Size
  
  181KB
- MD5
  
  4b61967fdf02be7687b1490e15b9fd68
- SHA1
  
  fad1ec3f9014432f8bc878c1424c7a7e56d6d729
- SHA256
  
  f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5
- SHA512
  
  4cbcbe30b4cbc62268a28c4d711548d56f78b3dc82e1840061d1e0f2ecd8d9316ff5a42108ec7994f63fa0cbd088b0f5375e9f178840e21844bf5eebef7ace24
- SSDEEP
  
  3072:rB/5U7rXgNoku2TspaCq7IUnQOuDE4cxmphmSkCRgOupmTZ0Nk5TqhpzWJy43UYl:rR5U7rwN02Tyq7IwQO54eMBkwXKmTZQq
Score

10^/10

upx defense_evasion discovery execution impact persistence privilege_escalation ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (185) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Disables Task Manager via registry modification
  defense_evasion
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2