General

  • Target: a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.zip
  • Size: 94KB
  • Sample: 250403-bhm2sayq19
  • MD5: 5ff7e3d830ceb0d8db02ab6aecd68d3f
  • SHA1: a500b5d0329ce99215b5b532bb2cadc08ba0092a
  • SHA256: 88bb534525e0fb662e60ff3524897d1b92d86ef792615f916f93f27abb5ea4b1
  • SHA512: d203f4f2c3c91f0e9aa88f8162a2d5095328edb33ffb8d70b25d2791e6abd17b6f1ce01d5703d8429a6e4e858995872c3e74a23b2db3839390578f052e0329b5
  • SSDEEP: 1536:R1ZvO4c+TcpzIVy1+7TdjUXhEs2doDGfEIScepzTc5vAxLmR2skk5UVM:RbthTcpc41+vdj+12yGOvNc5vAm2HQUM

Malware Config

Extracted

Path: C:\ni8pxbvnx.README.txt

Ransom Note:
>>>> Your data are stolen and encrypted!
>>>> Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Your competitors or law enforcement may get them on the web. Data includes:
- Employees personal data, CVs, DL, SSN.
- Complete network map including credentials for local and remote services.
- Financial information including clients data, bills, budgets, annual reports, bank statements.
- Complete datagrams/schemas/drawings for manufacturing in solidworks format
- And more...
You can request the tree of files that we have.
>>>> You need contact us and decrypt one file for free, send a small file for test decryption with your personal DECRYPTION ID to tox chat:
>>>> Your personal DECRYPTION ID: 6791ACA56D6F7E54FDBF7A5D3FB74F05
1)Download and install TOX chat: https://tox.chat
2)Write to this tox id: DED25DCB2AAAF65A05BEA584A0D1BB1D55DD2D8BB4185FA39B5175C60C8DDD0C0A7F8A8EC815 and wait for the answer, we will always answer you.
>>>> DO NOT MODIFY FILES YOURSELF.
>>>> DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.
>>>> YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.
>>>> YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY.

URLs: https://tox.chat

Targets

    • Target: a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
    • Size: 146KB
    • MD5: c6c371198124b086a547407a7d36fcc6
    • SHA1: 1a3108ecb72ca0da0c04bd5c29caebee0ffd795d
    • SHA256: a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c
    • SHA512: 568da365e16e806593d5bb9ca335a4b1e7585148b29fe131d3fffb45275962991948de6700c28d3afb4302ebbb8570e20781933bdcfb3685cde325b64efc19d5
    • SSDEEP: 1536:szICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDzp6HbSCkHdMBfusRDARJbWUyz:DqJogYkcSNm9V7Dzx19pODObWT

    • Renames multiple (539) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15