c35b8114cf20d7683905224a84263fdff99577ce69a1b1a94e66f525c38f31ce

General

Target

460a1s0ssssd7da.exe
Size

717KB
MD5

a8569bc863ee5c29671bbac230ee8d90
SHA1

ece5c2505319d3abe8bb081f325c4a42f61dd6db
SHA256

c35b8114cf20d7683905224a84263fdff99577ce69a1b1a94e66f525c38f31ce
SHA512

5a510640357931044bc471cd5664b91869ba405682d7847e9fb7081a865ccd6b9a37bb022e5c92e9616002029ae9c29a46aec7ff0e9d14160ce758146c717205

Score

10^/10

ransomware

Malware Config

Extracted

Path

\??\M:\Read_Me.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://7rzpyw3hflwe2c7h.onion/?CUVXYACD 5. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/

URLs

http://7rzpyw3hflwe2c7h.onion/?CUVXYACD

http://helpqvrg3cc5mvb3.onion/

Signatures

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

460a1s0ssssd7da.exe

description	pid	process	target process
PID 3024 wrote to memory of 3812	3024	460a1s0ssssd7da.exe	460a1s0ssssd7da.exe
PID 3024 wrote to memory of 3812	3024	460a1s0ssssd7da.exe	460a1s0ssssd7da.exe
PID 3024 wrote to memory of 3812	3024	460a1s0ssssd7da.exe	460a1s0ssssd7da.exe
PID 3024 wrote to memory of 3812	3024	460a1s0ssssd7da.exe	460a1s0ssssd7da.exe
PID 3024 wrote to memory of 3812	3024	460a1s0ssssd7da.exe	460a1s0ssssd7da.exe
PID 3024 wrote to memory of 3812	3024	460a1s0ssssd7da.exe	460a1s0ssssd7da.exe
PID 3024 wrote to memory of 3812	3024	460a1s0ssssd7da.exe	460a1s0ssssd7da.exe
PID 3024 wrote to memory of 3812	3024	460a1s0ssssd7da.exe	460a1s0ssssd7da.exe
PID 3024 wrote to memory of 3812	3024	460a1s0ssssd7da.exe	460a1s0ssssd7da.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

460a1s0ssssd7da.exe

description pid process target process

PID 3024 set thread context of 3812 3024 460a1s0ssssd7da.exe 460a1s0ssssd7da.exe

description	pid	process	target process
PID 3024 set thread context of 3812	3024	460a1s0ssssd7da.exe	460a1s0ssssd7da.exe

Suspicious behavior: EnumeratesProcesses 4306 IoCs

Processes:

460a1s0ssssd7da.exe

pid	process
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe
3812	460a1s0ssssd7da.exe

Drops file in Program Files directory 9016 IoCs

Processes:

460a1s0ssssd7da.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Defender\Offline\EppManifest.dll	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-black_scale-200.png	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\boot_zh_CN.jar	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-phn.xrm-ms	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.dll	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR	460a1s0ssssd7da.exe
File created	C:\Program Files\Reference Assemblies\Read_Me.txt	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\US_export_policy.jar	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-private-l1-1-0.dll	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul-oob.xrm-ms	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.GrayF.png	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\MusicStoreLogo.scale-200.png	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_TW.properties	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\psfontj2d.properties	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ppd.xrm-ms	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\SPRING.INF	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-xstate-l2-1-0.dll	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings_0.10.200.v20140424-2042.jar	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_ja_4.4.0.v20140623020002.jar	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-actions.jar	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-execution.jar	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-MEDIUM.TTF	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-20_altform-unplated.png	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-ms	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\_Resources\2.rsrc	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageBadgeLogo.scale-200.png	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ppd.xrm-ms	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.png	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll	460a1s0ssssd7da.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\Read_Me.txt	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\C2R64.dll	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\192.png	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\WideTile.scale-125.png	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ppd.xrm-ms	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	460a1s0ssssd7da.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bs\Read_Me.txt	460a1s0ssssd7da.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\Read_Me.txt	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\profilerinterface.dll	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8en.dub	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosLargeTile.contrast-black_scale-100.png	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.nl_zh_4.4.0.v20140623020002.jar	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jdwp.dll	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\msointl30.dll	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerSmallTile.scale-125.png	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\202.png	460a1s0ssssd7da.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\Read_Me.txt	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_ja.jar	460a1s0ssssd7da.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

460a1s0ssssd7da.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\desktop.ini	460a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	460a1s0ssssd7da.exe

C:\Users\Admin\AppData\Local\Temp\460a1s0ssssd7da.exe
"C:\Users\Admin\AppData\Local\Temp\460a1s0ssssd7da.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3024

C:\Users\Admin\AppData\Local\Temp\460a1s0ssssd7da.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Drops file in Program Files directory
- Drops desktop.ini file(s)
PID:3812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3812-1-0x0000000000407CA0-mapping.dmp

Download
memory/3812-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3812-2-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads