a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a

General

Target

a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
Size

126KB
MD5

e1ff64f0910b1e31a12a17ecc9173250
SHA1

edee8ab5e9edae3c6f7fbff32151c9d9e2c7f360
SHA256

a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a
SHA512

10364700d1dd533bbf2345908067129386e119cb434ceaff55282a2ee2cc58fc9ddfca40fbc3e333dd4394436eabeb5c29268c088f94eec95abc69921af48428

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\READ_ME.crypted.txt

Ransom Note

Your files are encrypted. If you want to unlock them send 50$ worth of bitcoin to this address: 36yFAmBGNDowqjXxbaPA2F3byPUoxWfZyz After that email your transaction ID, pc code and username to: [email protected] After that wait for our response and we will send you your unique password and decryptor. Encrypted files: C:\Users\Admin\Desktop\CompareDisable.inf C:\Users\Admin\Desktop\ConfirmUnregister.AAC C:\Users\Admin\Desktop\ConvertFromRedo.gif C:\Users\Admin\Desktop\ConvertFromRename.001 C:\Users\Admin\Desktop\ConvertResume.iso C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\Desktop\EditReset.otf C:\Users\Admin\Desktop\MeasureConvertTo.ttc C:\Users\Admin\Desktop\MeasureInstall.xla C:\Users\Admin\Desktop\MountUninstall.dwfx C:\Users\Admin\Desktop\ProtectSplit.3gpp C:\Users\Admin\Desktop\ProtectStep.jpg C:\Users\Admin\Desktop\RepairRestore.wmv C:\Users\Admin\Desktop\RestartBlock.vstx C:\Users\Admin\Desktop\ResumeFormat.mov C:\Users\Admin\Desktop\SendExpand.odp C:\Users\Admin\Desktop\StopCheckpoint.rtf C:\Users\Admin\Desktop\SubmitDisconnect.mpeg C:\Users\Admin\Desktop\TraceRemove.easmx C:\Users\Admin\Desktop\UnblockRegister.ini C:\Users\Admin\Desktop\UpdateConnect.sys C:\Users\Admin\Pictures\CheckpointInitialize.gif C:\Users\Admin\Pictures\CheckpointSearch.ico C:\Users\Admin\Pictures\CopySend.jpg C:\Users\Admin\Pictures\DebugMeasure.png C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\Pictures\EditImport.dxf C:\Users\Admin\Pictures\EnableTest.cr2 C:\Users\Admin\Pictures\ExitEnable.ico C:\Users\Admin\Pictures\ExpandComplete.png C:\Users\Admin\Pictures\InitializeResolve.raw C:\Users\Admin\Pictures\NewProtect.svg C:\Users\Admin\Pictures\OutLimit.tif C:\Users\Admin\Pictures\PopConvert.raw C:\Users\Admin\Pictures\ResizeAdd.jpg C:\Users\Admin\Pictures\ResumeTrace.emf C:\Users\Admin\Pictures\ResumeWrite.crw C:\Users\Admin\Pictures\RevokeSuspend.svgz C:\Users\Admin\Pictures\UnprotectRemove.eps C:\Users\Admin\Pictures\UnprotectSubmit.dib C:\Users\Admin\Pictures\UnpublishComplete.svg C:\Users\Admin\Pictures\Wallpaper.jpg C:\Users\Admin\Pictures\WriteSave.crw C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\Documents\Are.docx C:\Users\Admin\Documents\ConnectSubmit.ppsm C:\Users\Admin\Documents\ConvertFromShow.xlt C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\Documents\ExitSync.vdw C:\Users\Admin\Documents\Files.docx C:\Users\Admin\Documents\FindUnprotect.xps C:\Users\Admin\Documents\GroupInvoke.xlsb C:\Users\Admin\Documents\InstallRestore.xls C:\Users\Admin\Documents\Opened.docx C:\Users\Admin\Documents\PingMerge.pub C:\Users\Admin\Documents\PopSuspend.vsdm C:\Users\Admin\Documents\ReceiveSync.html C:\Users\Admin\Documents\Recently.docx C:\Users\Admin\Documents\SetEdit.xlsb C:\Users\Admin\Documents\ShowTest.rtf C:\Users\Admin\Documents\These.docx C:\Users\Admin\Documents\UnregisterExit.vsdx C:\Users\Admin\Documents\UnregisterHide.ppt C:\Users\Admin\Documents\UpdateSet.vstm C:\Users\Admin\Documents\WriteSwitch.odt C:\Users\Admin\Documents\WriteUnprotect.vsx

Emails

[email protected]

Wallets

36yFAmBGNDowqjXxbaPA2F3byPUoxWfZyz

Signatures

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\OutLimit.tif.crypted	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File created	C:\Users\Admin\Pictures\PopConvert.raw.crypted	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File created	C:\Users\Admin\Pictures\ResumeWrite.crw.crypted	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File created	C:\Users\Admin\Pictures\WriteSave.crw.crypted	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File created	C:\Users\Admin\Pictures\DebugMeasure.png.crypted	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File created	C:\Users\Admin\Pictures\ExpandComplete.png.crypted	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File created	C:\Users\Admin\Pictures\InitializeResolve.raw.crypted	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	668	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe

C:\Users\Admin\AppData\Local\Temp\a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
"C:\Users\Admin\AppData\Local\Temp\a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
PID:668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/668-114-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/668-116-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/668-117-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/668-118-0x00000000025E0000-0x0000000002672000-memory.dmp

Filesize
584KB

Download
memory/668-119-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/668-120-0x00000000025E0000-0x0000000002672000-memory.dmp

Filesize
584KB

Download
memory/668-121-0x0000000006F20000-0x0000000006F21000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing