Analysis
max time kernel: 140s
max time network: 54s
platform: windows10_x64
resource: win10v200722
submitted: 04/08/2020, 07:15

Static task: static1

Behavioral task: behavioral1
Sample: 1ee39f6cd500940ad97c444778dc717361e01ce5579a28d761aedae86e85af64.exe
Resource: win7
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: 1ee39f6cd500940ad97c444778dc717361e01ce5579a28d761aedae86e85af64.exe
Resource: win10v200722
0 signatures, 0 seconds
General
Target: 1ee39f6cd500940ad97c444778dc717361e01ce5579a28d761aedae86e85af64.exe
Size: 5.7MB
MD5: e3204b2e61223989b1562f5dee40eee0
SHA1: 7bd50a3b0e3f9b4a543f750869ca3ee29b4798e1
SHA256: 1ee39f6cd500940ad97c444778dc717361e01ce5579a28d761aedae86e85af64
SHA512: 19df0eb4c803e6eeb41abb1fb425f4d9cd6e4262aaeb8bbf7eb959a30f3db2533fd6aed13e055a9781371e9de37de4212d80a32862798368e5dd798763012bc4
Score: 10/10
Malware Config
Extracted
Path: C:\Boot\bg-BG\read_me.txt
Ransom Note:
--= DEATHRANSOM =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****
All your files, documents, photos, databases and other important
files are encrypted.
You are not able to decrypt it by yourself! The only method
of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.
To be sure we have the decryptor and it works you can send an
email [email protected] and decrypt one file for free. But this
file should be of not valuable!
Do you really want to restore your files?
Write to email
[email protected]
[email protected]
Your LOCK-ID: tth10yCfNZnYuh5etRKX3CvuHAg5UFshZL9ZdVAoFiTIMCSSSRoBVupLbRav60TSL/mnimzanDjXqAnDG0q5p75PEdyFFenB1JuQ2DwDcw6bhptQByKtku7K8kfNDwIakazCPJSj4QV2IzXP0Fme4sz9O3CjiWeAovUUyZ7ZwOqavusNesQ/IwG+ChTShJCpbVq6VZr0cdQ3XvAe32TMqcYJfSDFLkCxEgjXC/sX5BUJZD3fz3WsT52S8AcRiCYZImcl2gCJBLFOunvRC66uYNtOFLt3vlvHcFokR7dtdD4riHBHY3KPRNJi1miR/BBPD3lmFZvRd3ByY9YRrx6R+gxZVCaEGehaTJtcglbK5DMD+meB6ePOseEBd1I0OwxNjAR6ECXojVJixnaTyQqMvn6iTB+5sQOTCTRwEbql0gSXNKr3WJ+DwXGA1AYL2Vs7Z25qpM6BSDoNk3h0Xdf9qVCDBAyEfLB8EFBs9bf3FlarCOI6lVMWMm/8qNFvVxXVR2/WufLzefmL2yShhneLOpGJww3jUiXw9jGjjdVCxesFLp3SN4J865dd1tTrThhugh8RSZYPVYOPdwy8ombxUO1u6d3+G3fOMK/6FW3yPgcljdJEwM3W37XZSK+C6e6IgUKQ/Hf3qEzNUwFug84khApinnfm2oB6f1nTYeLAP2mTgxwGjKYYxH725vPUGNeL+I+hVQwmDBJwMQXfOoXNCA==
>>>How to obtain bitcoin:
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
>>> Free decryption as guarantee!
Before paying you send us up to 1 file for free decryption.
We recommeded to send pictures, text files, sheets, etc. (files no more than 1mb)
IN ORDER TO PREVENT DATA DAMAGE:
1. Do not rename encrypted files.
2. Do not try to decrypt your data using third party software, it may cause permanent data loss.
3. Decryption of your files with the help of third parties may cause increased price (they add their fee to
our) or you can become a victim of a scam.
Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid: 3984, Process: 1ee39f6cd500940ad97c444778dc717361e01ce5579a28d761aedae86e85af64.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid: 3984, Process: 1ee39f6cd500940ad97c444778dc717361e01ce5579a28d761aedae86e85af64.exe
pid: 3984, Process: 1ee39f6cd500940ad97c444778dc717361e01ce5579a28d761aedae86e85af64.exe

Drops desktop.ini file(s) (23 IoCs)
Process for all entries: 1ee39f6cd500940ad97c444778dc717361e01ce5579a28d761aedae86e85af64.exe
File opened for modification: C:\Users\Admin\Music\desktop.ini
File opened for modification: C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
File opened for modification: C:\Users\Admin\Pictures\desktop.ini
File opened for modification: C:\Users\Public\Videos\desktop.ini
File opened for modification: C:\Users\Admin\Desktop\desktop.ini
File opened for modification: C:\Users\Admin\Downloads\desktop.ini
File opened for modification: C:\Users\Public\desktop.ini
File opened for modification: C:\Users\Public\Desktop\desktop.ini
File opened for modification: C:\Users\Public\Documents\desktop.ini
File opened for modification: C:\Users\Admin\Contacts\desktop.ini
File opened for modification: C:\Users\Admin\Favorites\desktop.ini
File opened for modification: C:\Users\Admin\Favorites\Links\desktop.ini
File opened for modification: C:\Users\Admin\OneDrive\desktop.ini
File opened for modification: C:\Users\Admin\Saved Games\desktop.ini
File opened for modification: C:\Users\Admin\Searches\desktop.ini
File opened for modification: C:\Users\Public\Downloads\desktop.ini
File opened for modification: C:\Users\Public\Libraries\desktop.ini
File opened for modification: C:\Users\Admin\Documents\desktop.ini
File opened for modification: C:\Users\Public\Pictures\desktop.ini
File opened for modification: C:\Users\Admin\Pictures\Camera Roll\desktop.ini
File opened for modification: C:\Users\Public\AccountPictures\desktop.ini
File opened for modification: C:\Users\Public\Music\desktop.ini
File opened for modification: C:\Users\Admin\Links\desktop.ini
Modifies extensions of user files (10 IoCs)
Ransomware generally changes the extension on encrypted files.
Process for all entries: 1ee39f6cd500940ad97c444778dc717361e01ce5579a28d761aedae86e85af64.exe
File renamed: C:\Users\Admin\Pictures\CheckpointSuspend.png => C:\Users\Admin\Pictures\CheckpointSuspend.png.wctc
File opened for modification: C:\Users\Admin\Pictures\LockBackup.tiff
File opened for modification: C:\Users\Admin\Pictures\ResolveFind.tiff
File renamed: C:\Users\Admin\Pictures\ResolveFind.tiff => C:\Users\Admin\Pictures\ResolveFind.tiff.wctc
File renamed: C:\Users\Admin\Pictures\ExportSwitch.png => C:\Users\Admin\Pictures\ExportSwitch.png.wctc
File renamed: C:\Users\Admin\Pictures\GrantProtect.png => C:\Users\Admin\Pictures\GrantProtect.png.wctc
File renamed: C:\Users\Admin\Pictures\HideSuspend.tif => C:\Users\Admin\Pictures\HideSuspend.tif.wctc
File renamed: C:\Users\Admin\Pictures\LockBackup.tiff => C:\Users\Admin\Pictures\LockBackup.tiff.wctc
File opened for modification: C:\Users\Admin\Pictures\RedoHide.tiff
File renamed: C:\Users\Admin\Pictures\RedoHide.tiff => C:\Users\Admin\Pictures\RedoHide.tiff.wctc
Processes

C:\Users\Admin\AppData\Local\Temp\1ee39f6cd500940ad97c444778dc717361e01ce5579a28d761aedae86e85af64.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1ee39f6cd500940ad97c444778dc717361e01ce5579a28d761aedae86e85af64.exe"
PID: 3984
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Drops desktop.ini file(s)
- Modifies extensions of user files