General

  • Target

    085105e613ad37808a8db9a3c2ba5561d5d38d5c5c43b469c93d15f0d64af0c1

  • Size

    92KB

  • Sample

    200911-r9zcgmtzbs

  • MD5

    95f91f236cf95d698d9195690133265b

  • SHA1

    29f3c5cc44709847c416bc35b3043d3da1392a8c

  • SHA256

    085105e613ad37808a8db9a3c2ba5561d5d38d5c5c43b469c93d15f0d64af0c1

  • SHA512

    4b457010d1c02369ad8ffed852071207b3ea2b1fe55599636990977d939affc3fbd349348ddd3b63ab6e4a0835dabdb6cac66c679be20dd52e6492ec26609339

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\FILES ENCRYPTED.txt

Ransom Note
all your data has been locked us You want to return? write email zphc@cock.li or adresspower@tutanota.com
Emails

zphc@cock.li

adresspower@tutanota.com

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email zphc@cock.li YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: adresspower@tutanota.com Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

zphc@cock.li

adresspower@tutanota.com

Targets

    • Target

      085105e613ad37808a8db9a3c2ba5561d5d38d5c5c43b469c93d15f0d64af0c1

    • Size

      92KB

    • MD5

      95f91f236cf95d698d9195690133265b

    • SHA1

      29f3c5cc44709847c416bc35b3043d3da1392a8c

    • SHA256

      085105e613ad37808a8db9a3c2ba5561d5d38d5c5c43b469c93d15f0d64af0c1

    • SHA512

      4b457010d1c02369ad8ffed852071207b3ea2b1fe55599636990977d939affc3fbd349348ddd3b63ab6e4a0835dabdb6cac66c679be20dd52e6492ec26609339

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Modifies service

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Modify Existing Service

1
T1031

Defense Evasion

File Deletion

2
T1107

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Collection

Data from Local System

1
T1005

Impact

Inhibit System Recovery

2
T1490

Tasks