Analysis
-
max time kernel
123s -
max time network
123s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
25/05/2021, 11:03
General
-
Target
a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
-
Size
126KB
-
MD5
e1ff64f0910b1e31a12a17ecc9173250
-
SHA1
edee8ab5e9edae3c6f7fbff32151c9d9e2c7f360
-
SHA256
a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a
-
SHA512
10364700d1dd533bbf2345908067129386e119cb434ceaff55282a2ee2cc58fc9ddfca40fbc3e333dd4394436eabeb5c29268c088f94eec95abc69921af48428
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\READ_ME.crypted.txt
Ransom Note
Your files are encrypted.
If you want to unlock them send 50$ worth of bitcoin to this address: 36yFAmBGNDowqjXxbaPA2F3byPUoxWfZyz
After that email your transaction ID, pc code and username to: [email protected]
After that wait for our response and we will send you your unique password and decryptor.
Encrypted files:
C:\Users\Admin\Desktop\AddInstall.potx
C:\Users\Admin\Desktop\ApproveInitialize.ADTS
C:\Users\Admin\Desktop\CompressUnregister.3g2
C:\Users\Admin\Desktop\ConfirmStop.cab
C:\Users\Admin\Desktop\ConvertFromInstall.search-ms
C:\Users\Admin\Desktop\DenyPop.xps
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Desktop\ExitNew.pot
C:\Users\Admin\Desktop\OptimizeSync.jpg
C:\Users\Admin\Desktop\ProtectSplit.mpa
C:\Users\Admin\Desktop\PublishRemove.txt
C:\Users\Admin\Desktop\ReadEnable.m4a
C:\Users\Admin\Desktop\ReceiveUninstall.vst
C:\Users\Admin\Desktop\RequestConvert.txt
C:\Users\Admin\Desktop\ResetPush.exe
C:\Users\Admin\Desktop\ResizeMeasure.sql
C:\Users\Admin\Desktop\ResolveRequest.ps1xml
C:\Users\Admin\Desktop\ResolveResume.tif
C:\Users\Admin\Desktop\ResolveShow.potx
C:\Users\Admin\Desktop\RestoreApprove.3gp
C:\Users\Admin\Desktop\SaveConnect.rtf
C:\Users\Admin\Desktop\SearchSplit.MOD
C:\Users\Admin\Desktop\ShowMerge.7z
C:\Users\Admin\Desktop\StopExit.temp
C:\Users\Admin\Desktop\UnprotectConvert.pcx
C:\Users\Admin\Desktop\UnpublishCheckpoint.vbe
C:\Users\Admin\Desktop\UpdateUnprotect.htm
C:\Users\Admin\Desktop\WaitSearch.xsl
C:\Users\Admin\Desktop\WriteApprove.WTV
C:\Users\Admin\Pictures\BackupMove.wmf
C:\Users\Admin\Pictures\CompareRestart.dwg
C:\Users\Admin\Pictures\ConnectSuspend.jpg
C:\Users\Admin\Pictures\ConvertFromExport.raw
C:\Users\Admin\Pictures\DebugPing.eps
C:\Users\Admin\Pictures\DenyDisconnect.wmf
C:\Users\Admin\Pictures\DenyRead.svg
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\Pictures\EditGrant.dxf
C:\Users\Admin\Pictures\ExitHide.emz
C:\Users\Admin\Pictures\FindClear.svgz
C:\Users\Admin\Pictures\FormatHide.raw
C:\Users\Admin\Pictures\GrantRegister.bmp
C:\Users\Admin\Pictures\MeasureConnect.pcx
C:\Users\Admin\Pictures\MergeShow.tif
C:\Users\Admin\Pictures\PingUnprotect.jpeg
C:\Users\Admin\Pictures\PushRestore.bmp
C:\Users\Admin\Pictures\RegisterExpand.gif
C:\Users\Admin\Pictures\RevokeAdd.wmf
C:\Users\Admin\Pictures\RevokeClose.svgz
C:\Users\Admin\Pictures\RevokeNew.jpg
C:\Users\Admin\Pictures\SendUse.eps
C:\Users\Admin\Pictures\SplitInstall.crw
C:\Users\Admin\Pictures\StartInitialize.dib
C:\Users\Admin\Pictures\StepAssert.bmp
C:\Users\Admin\Pictures\StepImport.pcx
C:\Users\Admin\Pictures\SubmitDisable.ico
C:\Users\Admin\Pictures\TraceSave.emz
C:\Users\Admin\Pictures\Wallpaper.jpg
C:\Users\Admin\Pictures\WriteRestore.gif
C:\Users\Admin\Documents\Are.docx
C:\Users\Admin\Documents\AssertShow.ppt
C:\Users\Admin\Documents\ConvertCompare.vst
C:\Users\Admin\Documents\ConvertFromWrite.vstx
C:\Users\Admin\Documents\DebugGroup.mhtml
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Documents\EnterInvoke.wps
C:\Users\Admin\Documents\ExportEnable.vssm
C:\Users\Admin\Documents\Files.docx
C:\Users\Admin\Documents\FormatGrant.ods
C:\Users\Admin\Documents\FormatSubmit.pub
C:\Users\Admin\Documents\FormatUninstall.wps
C:\Users\Admin\Documents\ImportUnregister.htm
C:\Users\Admin\Documents\MergeRename.txt
C:\Users\Admin\Documents\MountApprove.htm
C:\Users\Admin\Documents\Opened.docx
C:\Users\Admin\Documents\ProtectImport.docx
C:\Users\Admin\Documents\ProtectResolve.ppsm
C:\Users\Admin\Documents\ReceiveBlock.mht
C:\Users\Admin\Documents\ReceiveResolve.wps
C:\Users\Admin\Documents\Recently.docx
C:\Users\Admin\Documents\RemoveUndo.mht
C:\Users\Admin\Documents\RequestReset.vstm
C:\Users\Admin\Documents\ResetPing.odt
C:\Users\Admin\Documents\SendDismount.vst
C:\Users\Admin\Documents\SplitUndo.dotm
C:\Users\Admin\Documents\StartSet.vdw
C:\Users\Admin\Documents\SubmitInvoke.ppsx
C:\Users\Admin\Documents\SubmitWatch.docm
C:\Users\Admin\Documents\These.docx
C:\Users\Admin\Documents\TraceSelect.ppsx
C:\Users\Admin\Documents\UnlockSet.vdx
C:\Users\Admin\Documents\UseWait.potx
C:\Users\Admin\Documents\WatchAdd.vssx
C:\Users\Admin\Documents\WriteRegister.vsx
Emails
Wallets
36yFAmBGNDowqjXxbaPA2F3byPUoxWfZyz
Signatures
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops desktop.ini file(s) 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe"C:\Users\Admin\AppData\Local\Temp\a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
68KB