Analysis
-
max time kernel
65s -
max time network
67s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
03-08-2020 14:59
Static task
static1
Behavioral task
behavioral1
Sample
ransomware.exe
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
ransomware.exe
Resource
win10v200722
windows10_x64
0 signatures
0 seconds
General
-
Target
ransomware.exe
-
Size
5.7MB
-
MD5
e3204b2e61223989b1562f5dee40eee0
-
SHA1
7bd50a3b0e3f9b4a543f750869ca3ee29b4798e1
-
SHA256
1ee39f6cd500940ad97c444778dc717361e01ce5579a28d761aedae86e85af64
-
SHA512
19df0eb4c803e6eeb41abb1fb425f4d9cd6e4262aaeb8bbf7eb959a30f3db2533fd6aed13e055a9781371e9de37de4212d80a32862798368e5dd798763012bc4
Score
10/10
Malware Config
Extracted
Path
C:\Boot\bg-BG\read_me.txt
Family
deathransom
Ransom Note
--= DEATHRANSOM =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****
All your files, documents, photos, databases and other important
files are encrypted.
You are not able to decrypt it by yourself! The only method
of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.
To be sure we have the decryptor and it works you can send an
email [email protected] and decrypt one file for free. But this
file should be of not valuable!
Do you really want to restore your files?
Write to email
[email protected]
[email protected]
Your LOCK-ID: D05wnNlkB6/ezE4kMPAASUVHuU9t8yZ5ipeXP8ls4zeyEkHnweCMMFlYtXDY+VLBChWVQ7mk4Yzk+8Dzsg6UYvU30EssDXmDLNvwH7PpEqLcx6jkbQhaFL0WHLQxJfFburTwWJNZ1HMQ6evoPU8U1mHZwmqYe/Oe0HLtTFDe7I9+kcA3CuVkLwDrBn6NCCywkGzd3IWaINMRrj1hQpXDPsFDeGXyvLrKRmpYiMbSDlJhWcVBtP7NS3YuX5+ARHjhk+UA4J6m4cf0plAYreOcyIumxL/JJZSeL7030KbCjHC+uPRM5bfMpVyO/n3XlvhlzDzxfGMiCrZzRcgIMosinZPhklbvPIzCb1m6wTrlmDubghc0NJfFxsfojHjWvOxhfOFh+P+PdaTfOeeZNr0aJt8ZoBMSMGNMBj6o3wwXuVgLcavuKWQoM37DpN6AwvY2q8hj5NkkWPbH91tV5AhEzyRJ0UHnZF3LSgOWX3etxLYrL0dAlGB65Awmre2a7Oi4oUuA3xUhvflcOmP3PZVi77doOXg1Ben3QZowZXSWfvAHJNL+qLRVOd8Qi6VnYWtSJPx4sUZ4lcsrbcoD9pXG8FcE8RoZbkAQz4g6BwlR98Yca/jg7DVNVDA7I4Tl/NMv8mwAlcnArPZlR8ByyDaBI8ANqjMdkat7AR/HUa7aYWMiW1YZ9Sa9wEHfPgkUpchX2N+TFk09dNO+6q3gcRvexw==
>>>How to obtain bitcoin:
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
>>> Free decryption as guarantee!
Before paying you send us up to 1 file for free decryption.
We recommeded to send pictures, text files, sheets, etc. (files no more than 1mb)
IN ORDER TO PREVENT DATA DAMAGE:
1. Do not rename encrypted files.
2. Do not try to decrypt your data using third party software, it may cause permanent data loss.
3. Decryption of your files with the help of third parties may cause increased price (they add their fee to
our) or you can become a victim of a scam.
Signatures
-
DeathRansom
Ransomware family first seen at the start of 2020. Initial versions did not actually encrypt files.
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\EnterWrite.tiff => C:\Users\Admin\Pictures\EnterWrite.tiff.wctc ransomware.exe File renamed C:\Users\Admin\Pictures\PublishMerge.tif => C:\Users\Admin\Pictures\PublishMerge.tif.wctc ransomware.exe File renamed C:\Users\Admin\Pictures\SubmitTest.tiff => C:\Users\Admin\Pictures\SubmitTest.tiff.wctc ransomware.exe File renamed C:\Users\Admin\Pictures\UnpublishUnregister.raw => C:\Users\Admin\Pictures\UnpublishUnregister.raw.wctc ransomware.exe File renamed C:\Users\Admin\Pictures\EditOpen.tif => C:\Users\Admin\Pictures\EditOpen.tif.wctc ransomware.exe File opened for modification C:\Users\Admin\Pictures\EnterWrite.tiff ransomware.exe File renamed C:\Users\Admin\Pictures\SendOut.png => C:\Users\Admin\Pictures\SendOut.png.wctc ransomware.exe File opened for modification C:\Users\Admin\Pictures\SubmitTest.tiff ransomware.exe File opened for modification C:\Users\Admin\Pictures\ConvertFromEnter.tiff ransomware.exe File renamed C:\Users\Admin\Pictures\ConvertFromEnter.tiff => C:\Users\Admin\Pictures\ConvertFromEnter.tiff.wctc ransomware.exe -
Drops desktop.ini file(s) 23 IoCs
description ioc Process File opened for modification C:\Users\Admin\Documents\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini ransomware.exe File opened for modification C:\Users\Public\Desktop\desktop.ini ransomware.exe File opened for modification C:\Users\Public\Downloads\desktop.ini ransomware.exe File opened for modification C:\Users\Public\Pictures\desktop.ini ransomware.exe File opened for modification C:\Users\Public\Videos\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini ransomware.exe File opened for modification C:\Users\Public\desktop.ini ransomware.exe File opened for modification C:\Users\Public\Libraries\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Music\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Videos\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Links\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini ransomware.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini ransomware.exe File opened for modification C:\Users\Public\Documents\desktop.ini ransomware.exe File opened for modification C:\Users\Public\Music\desktop.ini ransomware.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 60 ransomware.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 60 ransomware.exe 60 ransomware.exe