General

  • Target

    HEUR-Trojan-Ransom.Win32.Generic-41c059f4dfaa143cc75df07f38f50d7d6ac0c6416d3e21aac2e530683c037fdf.7z

  • Size

    1.5MB

  • Sample

    250402-wcpzea1sfz

  • MD5

    3290585e13e51afac3b0e2e17fc18212

  • SHA1

    146f76cbdbf088fba0ca2bbe1efece22cebfa254

  • SHA256

    712b77a8e132fdef3974b4ce3cf5da81ed98fc4ef3754c407c696922d662df02

  • SHA512

    5612dc1ef3be15387a3217aeaa4291eb361b659e47d96c51259bae2c63efffd17523c3235ac859b31fdc452012679878105b14883c14542d74543ac44a13da10

  • SSDEEP

    24576:hfGKRIF3Cr01NK5+2i5L5kr+NcgpMSlG6ZKzoQMgvxk2RG8+u:lNQ9t5L5y+mclG6ZixBr+u

Malware Config

Extracted

  • Path

    C:\ProgramData\Adobe\# M0rphine Help #.hta

  • Ransom Note

    <html>
    <head>
    <title>M0rphine</title>
    <HTA:APPLICATION ID="" APPLICATIONNAME="" BORDER="DIALOG" MAXIMIZEBUTTON="NO" SCROLLFLAT="YES" CAPTION="YES" SELECTION="NO" INNERBORDER="NO" ICON="" SCROLL="NO" SHOWINTASKBAR="YES" SINGLEINSTANCE="YES" SYSMENU="YES" WINDOWSTATE="NORMAL" />
    </head>
    <script language=javascript>
    var winWidth = 800;
    var winHeight = 600;
    window.resizeTo(winWidth, winHeight);
    window.moveTo(screen.width/2-winWidth/2, screen.height/2-winHeight/2);
    </script>
    <body bgcolor=buttonface text=buttontext style="font: 10pt 'Tahoma'">
    <div style="font-weight:bold; font:16pt; text-align: center" id="Tittle">Attention!</div>
    <br>
    <div style="padding:15px" id="SubTittle">
    Your documents, photos, databases and other important files have been encrypted cryptographically strong, without the cipher key recovery is impossible!
    <br>
    <br>
    To decrypt your files you need to buy the special software - <strong>M0rphine Decryptor</strong> and your <strong>Private Decryption Key</strong>.
    <br>
    <br>
    Using another tools could corrupt your files, in case of using third party software we dont give guarantees that full recovery is possible so use it on your own risk.
    <br>
    <br>
    If you want to restore files, write us to the our e-mail: <strong>[email protected]</strong>
    <br>
    <br>
    Please write your <strong>Personal Identification Code</strong> in body of your message.
    <br>
    <br>
    Also attach to email 3 encrypted files for free decryption test. (each file have to be less than 1 MB size and not have valuable content)
    <br>
    <br>
    It is in your interest to respond as soon as possible to ensure the restoration of your files!
    <br>
    <br>
    Your <strong>Personal Identification Code</strong>:
    </div>
    <center>
    <textarea style="overflow:auto; font:10pt 'Tahoma'" name="TextArea" rows=10 cols=120 readonly>…</textarea>
    </center>
    </body>

  • Emails

    [email protected]
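The recovered note is an HTA, so an analyst automating triage of notes from this family wants the contact address and the victim code pulled out of the markup rather than read by eye. The following Python is an added example and is not part of the sandbox report: it parses a note with the same structure as the one above (a <title>, <strong> emphasis on the tool name and the contact address, the identification code inside a <textarea>). SAMPLE_NOTE is constructed for the demonstration; the address and the code in it are made up and are not indicators from this sample.

```python
"""Extract triage fields from an HTA ransom note of the kind recovered above.

Added example, not part of the report.  SAMPLE_NOTE is a constructed note
that follows the recovered file's markup (title, <strong> emphasis on the
tool name and contact address, victim code in a <textarea>); the address
and the identification code in it are made up.
"""
from html.parser import HTMLParser
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class NoteParser(HTMLParser):
    """Collect the <title>, each <strong> run and the <textarea> body."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.strong = []
        self.textarea = ""
        self._in = None          # element whose text is being collected

    def handle_starttag(self, tag, attrs):
        if tag in ("title", "strong", "textarea"):
            self._in = tag
            if tag == "strong":
                self.strong.append("")

    def handle_endtag(self, tag):
        if tag == self._in:
            self._in = None

    def handle_data(self, data):
        if self._in == "title":
            self.title += data
        elif self._in == "strong":
            self.strong[-1] += data
        elif self._in == "textarea":
            self.textarea += data


def parse_note(html: str) -> dict:
    """Return the title, contact e-mail addresses, the other emphasised
    phrases and the victim identification code found in the note."""
    p = NoteParser()
    p.feed(html)
    p.close()
    emails = sorted({m.group(0) for s in p.strong for m in EMAIL_RE.finditer(s)})
    phrases = [s.strip() for s in p.strong if not EMAIL_RE.search(s)]
    return {"title": p.title.strip(), "emails": emails,
            "emphasised": phrases, "victim_id": p.textarea.strip()}


# Constructed stand-in for '# M0rphine Help #.hta' (address and code are fake).
SAMPLE_NOTE = """<html> <head> <title>M0rphine</title>
<HTA:APPLICATION ID="" APPLICATIONNAME="" BORDER="DIALOG" SCROLL="NO" />
</head>
<body bgcolor=buttonface text=buttontext style="font: 10pt 'Tahoma'">
<div id="Tittle">Attention!</div>
<div id="SubTittle"> Your files have been encrypted.
<br> <br> To decrypt your files you need to buy <strong>M0rphine Decryptor</strong>
and your <strong>Private Decryption Key</strong>.
<br> <br> Write us to the e-mail: <strong>contact@example.invalid</strong>
<br> <br> Your <strong>Personal Identification Code</strong>: </div>
<center> <textarea name="TextArea" rows=10 cols=120 readonly>7F3A-CONSTRUCTED-ID</textarea> </center>
</body> </html>"""

if __name__ == "__main__":
    for key, value in parse_note(SAMPLE_NOTE).items():
        print(f"{key}: {value}")
```

The parser deliberately ignores the HTA:APPLICATION element and the window-sizing script; the fields worth indexing across a set of notes are the emphasised phrases (tool name, contact address) and the per-victim code, which is what links a note to a specific infection.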

Targets

    • Target

      HEUR-Trojan-Ransom.Win32.Generic-41c059f4dfaa143cc75df07f38f50d7d6ac0c6416d3e21aac2e530683c037fdf.exe

    • Size

      4.7MB

    • MD5

      d2654d7085cfa021953f9a42c8057bba

    • SHA1

      e86ad4024e568938ca94454f00d04a9303f5f7af

    • SHA256

      41c059f4dfaa143cc75df07f38f50d7d6ac0c6416d3e21aac2e530683c037fdf

    • SHA512

      2767f4ab916d58a0700d1df4933f6b8edb7d6e54ec9920a6b228ae1c130563942dbf4828e7ca9066fa71f1f195047a3b78a38e63ef67a0d8232f1599d4f00ea3

    • SSDEEP

      98304:uvPbS1fekFplWVo9BvKg8MU9d0IK418OHcX:uvO1jUVB0IK4u

    • SatanCryptor

      Golang ransomware first seen in early 2020.

    • Satancryptor family

    • Renames multiple (2197) files with added filename extension

      Bulk renaming with an appended extension is consistent with ransomware encrypting files across the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
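The "Renames multiple (2197) files with added filename extension" behaviour above is the kind of signal a detection engineer can reproduce from a file-system rename feed. The following Python is an added example, not part of the report and not the sandbox's own logic: it groups rename events by process and flags any process that appends one extension to many distinct files, while ignoring the temp-file-to-document renames that office software performs. The events, pid values, paths and the ".locked" extension are constructed; the report does not name the extension this sample appends.

```python
"""Detect one process appending the same extension to many files.

Added example, not part of the report.  Input is a sequence of
(pid, old_path, new_path) rename events; the feed below is constructed and
the '.locked' extension is made up (the report does not name the real one).
"""
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, Iterable, Optional, Tuple


def added_extension(old: str, new: str) -> Optional[str]:
    """Return the suffix appended to the file name, or None.

    Only a pure append within the same directory counts:
    'a.docx' -> 'a.docx.locked' gives '.locked'; 'a.docx' -> 'a.locked'
    (a replaced extension) or a move to another folder gives None.
    """
    o, n = PureWindowsPath(old), PureWindowsPath(new)
    if o.parent != n.parent:
        return None
    if (n.name.startswith(o.name) and len(n.name) > len(o.name) + 1
            and n.name[len(o.name)] == "."):
        return n.name[len(o.name):]
    return None


def detect_mass_rename(events: Iterable[Tuple[int, str, str]],
                       threshold: int = 50) -> Dict[int, Tuple[str, int]]:
    """Return {pid: (extension, distinct_files)} for every process that
    appended one extension to at least `threshold` distinct files."""
    per_pid = defaultdict(lambda: defaultdict(set))   # pid -> ext -> files
    for pid, old, new in events:
        ext = added_extension(old, new)
        if ext is not None:
            per_pid[pid][ext.lower()].add(old.lower())
    hits = {}
    for pid, by_ext in per_pid.items():
        ext, files = max(by_ext.items(), key=lambda kv: len(kv[1]))
        if len(files) >= threshold:
            hits[pid] = (ext, len(files))
    return hits


# Constructed rename feed: one ransomware-like burst, one Office-style
# temp-file save, and a handful of manual '.bak' copies below threshold.
SAMPLE_EVENTS = (
    [(4242, rf"C:\Users\victim\Documents\file{i}.docx",
            rf"C:\Users\victim\Documents\file{i}.docx.locked") for i in range(60)]
    + [(1000, r"C:\Users\victim\Documents\~WRD0001.tmp",
              r"C:\Users\victim\Documents\report.docx")]
    + [(2000, rf"C:\Users\victim\cfg{i}.ini",
              rf"C:\Users\victim\cfg{i}.ini.bak") for i in range(3)]
)

if __name__ == "__main__":
    for pid, (ext, count) in detect_mass_rename(SAMPLE_EVENTS).items():
        print(f"pid {pid}: appended {ext!r} to {count} files")
```

The threshold is the tuning knob: the sandbox counted 2197 renames for this sample, so a value of 50 in a short window leaves ample margin, but a user bulk-renaming backups with ".bak" will look the same to this heuristic, which is why the appended extension is returned alongside the count for the analyst to judge.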

MITRE ATT&CK Enterprise v15

Tasks