Analysis
- max time kernel: 62s
- max time network: 120s
- platform: windows10_x64
- resource: win10
- submitted: 09-07-2020 17:15

Static task: static1
Behavioral task: behavioral1 (sample 6a1s0ssssd7da.exe, resource win7, 0 signatures, 0 seconds)
Behavioral task: behavioral2 (sample 6a1s0ssssd7da.exe, resource win10, 0 signatures, 0 seconds)

General
- Target: 6a1s0ssssd7da.exe
- Size: 717KB
- MD5: ae1941234e5d7a3402e5f10432b2cf44
- SHA1: 7b817fa8a163e3450d7122c6fc7ad92e93000986
- SHA256: d4d432c94d69e9a57f473c042f53abc181aa8919981206a3714201f429c19b44
- SHA512: 2a19cfc3a6d8c612bcb90c95bc21ee9dea18f4d3d9e66c89cff342d377107e44263a63c074a2e418a2ea617518f74f3a09f6a971b8126777fce30bbc68d52be7
- Score: 10/10
Malware Config
Extracted
- Path: C:\Boot\bg-BG\Read_Me.txt
- Ransom Note:
Attention!
All your files, documents, photos, databases and other important files are encrypted
The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.
The server with your decryptor is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
1. Download Tor browser - https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser: http://7rzpyw3hflwe2c7h.onion/?HYABDFGI
5. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/
URLs
- http://7rzpyw3hflwe2c7h.onion/?HYABDFGI
- http://helpqvrg3cc5mvb3.onion/
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 3100 set thread context of 3860 | 3100 | 6a1s0ssssd7da.exe | 6a1s0ssssd7da.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
pid | process
3780 | explorer.exe (4 events)
Drops file in Program Files directory (10136 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEEXCH.DLL | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ul-oob.xrm-ms | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\[email protected] | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Windows Defender\MsMpCom.dll | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\Solve\autosolve_button_press.png | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-ms | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\THMBNAIL.PNG | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W1.png | 6a1s0ssssd7da.exe
File created | C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\Read_Me.txt | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\InstallerMainShell.tlb | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Square44x44Logo.targetsize-16.png | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-stdio-l1-1-0.dll | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libx26410b_plugin.dll | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jli.dll | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorLargeTile.contrast-black_scale-125.png | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.1.25002.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ReviewRouting_Review.xsn | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\OriginResume.Dotx | 6a1s0ssssd7da.exe
File created | C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Read_Me.txt | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Resources\TopicPage\PartnerJS\retailDemo.js | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_zh_CN.jar | 6a1s0ssssd7da.exe
File created | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\Read_Me.txt | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\157.png | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN114.XML | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA6\VBE6EXT.OLB | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-io.xml | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-ms | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-pl.xrm-ms | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Configuration.SString.dll | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\SmallTile.scale-125.png | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\en-US.PostalAddress.ot | 6a1s0ssssd7da.exe
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\StarClub\Read_Me.txt | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\CHART.DLL | 6a1s0ssssd7da.exe
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\Read_Me.txt | 6a1s0ssssd7da.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ta\Read_Me.txt | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-locale-l1-1-0.dll | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SpreadsheetIQ.ExcelAddIn.dll | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ul-oob.xrm-ms | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\xmlrwbin.dll | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\SPPRedist.msi | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libhttps_plugin.dll | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVLP.exe | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ul-oob.xrm-ms | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-180.png | 6a1s0ssssd7da.exe
Drops desktop.ini file(s) (3 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\desktop.ini | 6a1s0ssssd7da.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | 6a1s0ssssd7da.exe

Modifies registry class (5 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | explorer.exe

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 3100 wrote to memory of 3860 | 3100 | 6a1s0ssssd7da.exe | 6a1s0ssssd7da.exe (9 events)

Suspicious behavior: EnumeratesProcesses (6276 IoCs)
Processes:
pid | process
3860 | 6a1s0ssssd7da.exe (repeated for every listed event)

Suspicious use of AdjustPrivilegeToken (10 IoCs)
Processes:
description | pid | process
Token: SeShutdownPrivilege | 3780 | explorer.exe (5 events)
Token: SeCreatePagefilePrivilege | 3780 | explorer.exe (5 events)

Suspicious use of SendNotifyMessage (9 IoCs)
Processes:
pid | process
3780 | explorer.exe (9 events)

Enumerates connected drives (3 TTPs)
Processes
- C:\Users\Admin\AppData\Local\Temp\6a1s0ssssd7da.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6a1s0ssssd7da.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\6a1s0ssssd7da.exe (depth 2)
    Command line: "{path}"
    - Drops file in Program Files directory
    - Drops desktop.ini file(s)
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\explorer.exe (depth 1)
  Command line: explorer.exe
  - Suspicious use of FindShellTrayWindow
  - Modifies registry class
  - Modifies Installed Components in the registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage