a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a

General

Target

a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
Size

126KB
MD5

e1ff64f0910b1e31a12a17ecc9173250
SHA1

edee8ab5e9edae3c6f7fbff32151c9d9e2c7f360
SHA256

a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a
SHA512

10364700d1dd533bbf2345908067129386e119cb434ceaff55282a2ee2cc58fc9ddfca40fbc3e333dd4394436eabeb5c29268c088f94eec95abc69921af48428

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\READ_ME.crypted.txt

Ransom Note

Your files are encrypted. If you want to unlock them send 50$ worth of bitcoin to this address: 36yFAmBGNDowqjXxbaPA2F3byPUoxWfZyz After that email your transaction ID, pc code and username to: [email protected] After that wait for our response and we will send you your unique password and decryptor. Encrypted files: C:\Users\Admin\Desktop\AssertOut.docx C:\Users\Admin\Desktop\CopyMerge.sys C:\Users\Admin\Desktop\DebugGrant.mov C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\Desktop\DisconnectSubmit.dotx C:\Users\Admin\Desktop\ExitDisable.mid C:\Users\Admin\Desktop\ExpandConfirm.vstx C:\Users\Admin\Desktop\ExportDisable.mpg C:\Users\Admin\Desktop\GroupMove.xps C:\Users\Admin\Desktop\GroupUpdate.cr2 C:\Users\Admin\Desktop\ImportConvert.asx C:\Users\Admin\Desktop\LimitSet.3gp2 C:\Users\Admin\Desktop\MountSwitch.jpeg C:\Users\Admin\Desktop\MoveExit.tif C:\Users\Admin\Desktop\MovePush.bmp C:\Users\Admin\Desktop\OutInstall.midi C:\Users\Admin\Desktop\PopImport.js C:\Users\Admin\Desktop\PublishBlock.jfif C:\Users\Admin\Desktop\RequestEnable.docx C:\Users\Admin\Desktop\ResetLock.wmv C:\Users\Admin\Desktop\RestartDeny.ppsm C:\Users\Admin\Desktop\RestoreUndo.css C:\Users\Admin\Desktop\SaveClose.temp C:\Users\Admin\Desktop\SkipFind.vssx C:\Users\Admin\Desktop\StopMove.midi C:\Users\Admin\Desktop\TraceOut.dwfx C:\Users\Admin\Desktop\UnlockEdit.cmd C:\Users\Admin\Desktop\UnlockStop.cmd C:\Users\Admin\Desktop\WatchDebug.ttc C:\Users\Admin\Pictures\AddPop.svg C:\Users\Admin\Pictures\CompressEnter.crw C:\Users\Admin\Pictures\ConvertExport.dxf C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\Pictures\DisableUnpublish.bmp C:\Users\Admin\Pictures\DisconnectSwitch.tif C:\Users\Admin\Pictures\EnableSend.gif C:\Users\Admin\Pictures\FormatFind.dxf C:\Users\Admin\Pictures\GetBlock.raw C:\Users\Admin\Pictures\HideOut.raw C:\Users\Admin\Pictures\HideTrace.crw C:\Users\Admin\Pictures\ImportAdd.ico C:\Users\Admin\Pictures\InstallAssert.tiff C:\Users\Admin\Pictures\LockWait.dwg C:\Users\Admin\Pictures\MoveUpdate.crw C:\Users\Admin\Pictures\OpenDisconnect.emz C:\Users\Admin\Pictures\PingBlock.wmf C:\Users\Admin\Pictures\PublishBlock.wmf C:\Users\Admin\Pictures\SaveWrite.ico C:\Users\Admin\Pictures\SelectClose.emz C:\Users\Admin\Pictures\SelectLock.svgz C:\Users\Admin\Pictures\ShowCompare.bmp C:\Users\Admin\Pictures\ShowConvert.jpg C:\Users\Admin\Pictures\UninstallSuspend.dxf C:\Users\Admin\Pictures\UseWait.svg C:\Users\Admin\Pictures\Wallpaper.jpg C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\Documents\AddFind.mht C:\Users\Admin\Documents\Are.docx C:\Users\Admin\Documents\AssertLimit.vstx C:\Users\Admin\Documents\CompareRedo.pptm C:\Users\Admin\Documents\ConnectUnpublish.dotm C:\Users\Admin\Documents\DenySync.html C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\Documents\Files.docx C:\Users\Admin\Documents\FindBlock.rtf C:\Users\Admin\Documents\GrantMerge.vst C:\Users\Admin\Documents\GroupUnpublish.odp C:\Users\Admin\Documents\LimitWatch.ppsm C:\Users\Admin\Documents\LockPing.dotx C:\Users\Admin\Documents\MeasureRegister.vsw C:\Users\Admin\Documents\MoveClose.xls C:\Users\Admin\Documents\MoveRevoke.docm C:\Users\Admin\Documents\OpenConvertTo.odt C:\Users\Admin\Documents\Opened.docx C:\Users\Admin\Documents\OpenMerge.pptx C:\Users\Admin\Documents\PopRegister.mhtml C:\Users\Admin\Documents\PublishRevoke.xlt C:\Users\Admin\Documents\PushBackup.mhtml C:\Users\Admin\Documents\PushDeny.xlsm C:\Users\Admin\Documents\ReceiveUse.mpp C:\Users\Admin\Documents\Recently.docx C:\Users\Admin\Documents\RegisterDisconnect.pptm C:\Users\Admin\Documents\RemoveSync.pub C:\Users\Admin\Documents\RepairEdit.pptm C:\Users\Admin\Documents\RepairResize.vsw C:\Users\Admin\Documents\RequestExit.wps C:\Users\Admin\Documents\RestoreFormat.pps C:\Users\Admin\Documents\RevokeRequest.ods C:\Users\Admin\Documents\RevokeUnregister.vsdm C:\Users\Admin\Documents\SelectPing.xla C:\Users\Admin\Documents\SendPing.vdx C:\Users\Admin\Documents\SkipTest.mht C:\Users\Admin\Documents\SubmitExpand.wps C:\Users\Admin\Documents\These.docx C:\Users\Admin\Documents\UnblockDismount.dot C:\Users\Admin\Documents\UnlockGrant.vdx C:\Users\Admin\Documents\UnpublishShow.xlsx C:\Users\Admin\Documents\UpdateSkip.rtf C:\Users\Admin\Documents\UseMerge.csv

Emails

[email protected]

Wallets

36yFAmBGNDowqjXxbaPA2F3byPUoxWfZyz

Signatures

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\HideOut.raw.crypted	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File created	C:\Users\Admin\Pictures\HideTrace.crw.crypted	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File created	C:\Users\Admin\Pictures\InstallAssert.tiff.crypted	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File opened for modification	C:\Users\Admin\Pictures\InstallAssert.tiff	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File created	C:\Users\Admin\Pictures\MoveUpdate.crw.crypted	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File created	C:\Users\Admin\Pictures\CompressEnter.crw.crypted	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File created	C:\Users\Admin\Pictures\DisconnectSwitch.tif.crypted	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File created	C:\Users\Admin\Pictures\GetBlock.raw.crypted	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3904	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe

C:\Users\Admin\AppData\Local\Temp\a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
"C:\Users\Admin\AppData\Local\Temp\a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
PID:3904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3904-114-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/3904-116-0x0000000005D30000-0x0000000005D31000-memory.dmp

Filesize
4KB

Download
memory/3904-117-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/3904-118-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/3904-119-0x0000000005830000-0x0000000005D2E000-memory.dmp

Filesize
5.0MB

Download
memory/3904-120-0x0000000007BB0000-0x0000000007BB1000-memory.dmp

Filesize
4KB

Download
memory/3904-121-0x0000000005830000-0x0000000005D2E000-memory.dmp

Filesize
5.0MB

Download

Resubmissions

Analysis

Sharing