Overview

overview

10

Static

static

10

0033c6e1db...le.exe

windows7_x64

10

0033c6e1db...le.exe

windows10_x64

10

02665fcf9c...le.exe

windows7_x64

10

02665fcf9c...le.exe

windows10_x64

10

1c4b55fefc...le.exe

windows7_x64

10

1c4b55fefc...le.exe

windows10_x64

10

48be948c33...le.exe

windows7_x64

10

48be948c33...le.exe

windows10_x64

10

714f630043...le.exe

windows7_x64

10

714f630043...le.exe

windows10_x64

10

7932343454...le.exe

windows7_x64

10

7932343454...le.exe

windows10_x64

10

aa3e530d45...le.exe

windows7_x64

8

aa3e530d45...le.exe

windows10_x64

10

b6f774f469...le.exe

windows7_x64

10

b6f774f469...le.exe

windows10_x64

10

b739791dd0...le.exe

windows7_x64

10

b739791dd0...le.exe

windows10_x64

10

d6cb46d0b3...le.exe

windows7_x64

10

d6cb46d0b3...le.exe

windows10_x64

10

e1c46a96ef...le.exe

windows7_x64

10

e1c46a96ef...le.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Archive 2.zip

  • Size

    1MB

  • Sample

    210528-dxr93gxbxe

  • MD5

    8a28ff9a7824a4b446720e405b80acf6

  • SHA1

    6a6d05680726ea4edfe7e1b32cb312308ff4c9e3

  • SHA256

    2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

  • SHA512

    5a33f2eb6b861cab43a9eb39bc6ae7cb8b4a888b6ccdb8f4927c2dc49b23222bcfd90d2e861f53377fab97939b2d879e52bf1d63af440203dc1a7617c9398ef4

Score
10/10
hakbitmakopthanosdiscoveryevasionpersistenceransomwaretrojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Instruction.txt

Ransom Note
Hello. Your files, documents, photo, databases and all the rest aren't REMOVED. They are ciphered by the most reliable enciphering. It is impossible to restore files without our help. You will try to restore files independent you will lose files FOREVER. ---------------------------------------------------------- You will be able to restore files so: 1. to contact us by e-mail: filesrestore000@airmail.cc * report your ID and we will switch off any removal of files (if don't report your ID identifier, then each 24 hours will be to be removed on 24 files. If report to ID-we will switch off it) * you send your ID identifier and 2 files, up to 2 MB in size everyone. We decipher them, as proof of a possibility of interpretation. also you receive the instruction where and how many it is necessary to pay. 2. you pay and confirm payment. 3. after payment you receive the DECODER program. which you restore ALL YOUR FILES. ---------------------------------------------------------- You have 72 hours on payment. If you don't manage to pay in 72 hours, then the price of interpretation increases twice. The price increases twice each 72 hours. To restore files, without loss, and on the minimum tariff, you have to pay within 72 hours. Address for detailed instructions e-mail: filesrestore000@airmail.cc If you don't waste time for attempts to decipher, then you will be able to restore all files in 1 hour. If you try to decipher - you can FOREVER lose your files. e-mail: filesrestore000@airmail.cc Key Identifier: SLdaGCF4ew8t/9t0D4EHVnZF4HNwA9H0Ll6SD1DvUrhjH3w+qSQ7E7k63GZ7g78iOL7PZ5u3WlLOYFYXzIVDtCRq1aplveI6YC4NPS4vkRhZR9YMlt1hBkjlshxKVW4A1f4mtEv2EVjfZso+cd1hrOhln8MCNnh1iXkvBi+4/8E5Nn3ugCFRb2o6MxsQsUc6hGzSr9te6sJwOV8CEDKcwpyRgW9tzgs0Mrudw0OpgZHrgHohBvBYmP6588VKISli8yDQAt9BtRGcEgMpnULhA8i75UggGUwuYXXp9tCNeaG/AS0Zcctg30e/bh45gI9cuDrEhGAKCt5kGgB+7YZDTkAak8RFRMyZPGtjP2LKowDn76iGpRsiI/g0uIDQauvGV/bdvefJJXpfG4uF47xUXJTqeayShdkthpY13JqX4Tfi4QW2Ybyx7ve7xCLi+L16q1oF4HS02fIb+ArJ5gkh5IkEA6U6xXgfIgubPKjZsNnx+fsV5rB8pzBFNQ4lK3ZiIVZYHym6DaTcYmjcPvjpErOSkgGfG4y/SD3fEnmvKEUoegUyimBZ9aeOTZxsRcgErjXhDOdcIvy9EHKQO2KH4M47/wFpsAjnvuKlq1rbMbY9gJIbN3qY4Z41EpuMmgyr7ZIPkp6LAGdvUU2ZhHeJD6etxW4dv/nxmOsMibxThaQ=
Emails

filesrestore000@airmail.cc

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Instruction.txt

Ransom Note
Hello. Your files, documents, photo, databases and all the rest aren't REMOVED. They are ciphered by the most reliable enciphering. It is impossible to restore files without our help. You will try to restore files independent you will lose files FOREVER. ---------------------------------------------------------- You will be able to restore files so: 1. to contact us by e-mail: filesrestore000@airmail.cc * report your ID and we will switch off any removal of files (if don't report your ID identifier, then each 24 hours will be to be removed on 24 files. If report to ID-we will switch off it) * you send your ID identifier and 2 files, up to 2 MB in size everyone. We decipher them, as proof of a possibility of interpretation. also you receive the instruction where and how many it is necessary to pay. 2. you pay and confirm payment. 3. after payment you receive the DECODER program. which you restore ALL YOUR FILES. ---------------------------------------------------------- You have 72 hours on payment. If you don't manage to pay in 72 hours, then the price of interpretation increases twice. The price increases twice each 72 hours. To restore files, without loss, and on the minimum tariff, you have to pay within 72 hours. Address for detailed instructions e-mail: filesrestore000@airmail.cc If you don't waste time for attempts to decipher, then you will be able to restore all files in 1 hour. If you try to decipher - you can FOREVER lose your files. e-mail: filesrestore000@airmail.cc Key Identifier: PmtNWUcg5SNNI/aVu32e6wdJXByFW8IMKQa9/PuRH11pBCuqGZocihgFuIlbl3l0Pkaolh+IDHP5xx4Me0y+6o26AH9f5plHGWXe0WVW0cqT7QYxTmNTBcXZkQCmTrUVFcR4LwIYt7uj5minig4ldrv08gRu7biYm1jXcgEsBkQgv6Fu3WEbP4kv3Ys+n6WDFW3iS3jxzOhp0PmY2VHW4a9D/frelrENadoPuZC9UtDBrv/j/CuaEPSOBOD39RNVPunHATT+7NUGQNYD/Mo1HNd1CAMArdkHXshpVXK7Tb9UF6JtIZtEyXfCE3II8QjkFXwxSowijtQIwdXC+S1DfdXHcliJV+wYoA0e+0P9J6HqZBUFLY7XRu5hrB2bKONZsM3GIovKSavVMv8Bv7DPn1K94qp7GvcTZn+5B8Qdewz6SO7UqdPx/lLqqhlAshRs/TKFTosd0aDGFiygs7zvynhYY2ivI6euVt0efpisX0DMnesxFYjudIOSIzd/vc4QVJfbVF7lcplNn07B9rcH+3yh0QuO+1lmO6J6S8mWKEP1OZ5XEHzG66Z/APccE9BY6LNbeMScYRkegP7cok8pkrOLaaGHf3Bv0/XN7m9MWXy9iwuDND6QeQZC4+TzA8BVkAQKCkeIi8YH62amQlDnCIhFp+doAr8iIw8R/DUsbdc=
Emails

filesrestore000@airmail.cc

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note
Hello. Your files, documents, photo, databases and all the rest aren't REMOVED. They are ciphered by the most reliable enciphering. It is impossible to restore files without our help. You will try to restore files independent you will lose files FOREVER. ---------------------------------------------------------- You will be able to restore files so: 1. to contact us by e-mail: filesrestore000@msgsafe.io * report your ID and we will switch off any removal of files (if don't report your ID identifier, then each 24 hours will be to be removed on 24 files. If report to ID-we will switch off it) * you send your ID identifier and 2 files, up to 2 MB in size everyone. We decipher them, as proof of a possibility of interpretation. also you receive the instruction where and how many it is necessary to pay. 2. you pay and confirm payment. 3. after payment you receive the DECODER program. which you restore ALL YOUR FILES. ---------------------------------------------------------- If you have not been answered within 24 hours by mail, use the backup link. To do this: 1. Download TOX at https ://tox.chat/clients.html 2. Sign up (takes 1 minute) 3. Add a contact. Our TOX contact - B9131B8B3AAB24F72F0DBB1783AB54231E1756277455F52BC404AD769BF83B372F13A039708F You have 72 hours on payment. If you don't manage to pay in 72 hours, then the price of interpretation increases twice. The price increases twice each 72 hours. To restore files, without loss, and on the minimum tariff, you have to pay within 72 hours. Address for detailed instructions e-mail: filesrestore000@msgsafe.io If you don't waste time for attempts to decipher, then you will be able to restore all files in 1 hour. If you try to decipher - you can FOREVER lose your files. Key Identifier: i4owRhbeLHl50VZKaHHkoZFP0ebjIfqQnoe2zf6ziooPwo9MW9OmubGukHsn+ex0KZjeLk0aT1/mUC5AnanHFocxgIoXL0o2lnRUqf40g5C3kNbVhxYn3OyldNOY9l0d8eFx3/oA6RqLi8O4uqiTbFiMCJhBwn3/v4jjLW5hVFw2GuIsFp7ZizmCxb5axs15dz3Ogrg+EDv+3mH0SQwgRAQDzPKNfOxAkJuMMObVCieCWBKVeBXlI+Vtak3HGzChWrvmmj+tJ9b8Qxokp6rjlZvyUOmYojtw0XyMsOmGGP4sritoAQfpF9bs1JzWrbdhFhA9MImV6U2kAmBlQcjWS4Stuc9Xqwyk7cG4JYiSqkDBBUaA5nH2yeDIoWYJVnX2/XvgzR5YYFpQB+Zh3f7gpa7oT+2mZwoUxSYmnwYllw3k2mQ9NXgc2xeWj3DXjziZvbnS8r0tXVTHTaoj+Zj+EQc2GVkSUTLKQEJXkulP3vuHjfMJpXHyYx/gH1WRaKLFVZOZw5SxULBOdrTZZUXHaV6fc4dJjzZNVceMVo3oAfs+U8zWqgjRHIYH7yGr3dG5NWlOfgawFsG0uiSM6emBsTgch5wdcr8Ze63hOn/j5mq6WVsQr1ZNnpCEBNQ+JkZJtucnctebITOLHbmefSF7f/H/vipZzzPwkyfE2bPPW8M=
Emails

filesrestore000@msgsafe.io

URLs

https

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Family

makop

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in Bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: Please, write us to our qTOX account: 7BDD546F7524089A930B12F793F4C1D1B4470A15A4CBA85AA0DA6D030AFE2E48B8799204F004 You can learn about this way of communication and download it here: https://qtox.github.io/ Or use Bitmessage and write to our address: BM-2cUbGd124Dcs1Jdc5VfSa2GDMC1iaNTesC You can learn about this way of communication and download it here: https://wiki.bitmessage.org/ and here: https://github.com/Bitmessage/PyBitmessage/releases/ .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don’t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data. Key Identifier: G5uSIqrXHFcaeqZZwri6skRdvIb/VMvUODWoLy4kMxo3WYL6X82rpz65SIZq3m68FoUDvbQpqBFbySMA5ilV376vNaqdNnWCJ0gaUwuXCr5dTC+YF0LvkntT7esI1UobUFQ8L/qDKkjzsvGdx249mMKcyNI/lGN0cQlrwAGXrh8vV5P8ToGhMlz2WUTHTZqzDfRIRS43EirDylKwe34BwvF+ttol871tIMcrGdIqjdgVdnsM+T6H/u/uzBj3l8WXLQEDSPyCxAkVoa0p3Wqnw4zLJAYclO3Hsu997OBNsIoLvoYK0CKTUQwZKmkOhBIzAp3FEKVtGGOfT6jkFBRmSGgREjpBIVKC4o2rdsQ9HAnYCYIBRsTkWlvmutoN1WdzJ7wupGQX9eHLCeo8PgbmLoF1hg6YGlRYZta+az8c03Ogjxi7tFu5h1VwFXrXXHFpaTFdpTeYbAv2BUspDgmnYsP0U7/dV9XVQ+QcIKK6JVaHqkwW50/rdU/WobLVyc3Kr7OBo1b2Ej6dtRVIthUWVlew19EMZ1bo0uHEb7flRvspEU3OmtbJ/ydKHG9DW81xczwh/im6zEVTy0rahy+eWTYhmO/O376yIm3Wud5gkJ7eOdyRLmV5Ic+mSHke0jyYVqEVxpEd3ehULTjnpNXDKZw2UHiO42PY39QA4uR02rY= PC Hardware ID: 40707513

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Family

makop

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in Bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: Please, write us to our qTOX account: 7BDD546F7524089A930B12F793F4C1D1B4470A15A4CBA85AA0DA6D030AFE2E48B8799204F004 You can learn about this way of communication and download it here: https://qtox.github.io/ Or use Bitmessage and write to our address: BM-2cUbGd124Dcs1Jdc5VfSa2GDMC1iaNTesC You can learn about this way of communication and download it here: https://wiki.bitmessage.org/ and here: https://github.com/Bitmessage/PyBitmessage/releases/ .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don’t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data. Key Identifier: G5uSIqrXHFcaeqZZwri6skRdvIb/VMvUODWoLy4kMxo3WYL6X82rpz65SIZq3m68FoUDvbQpqBFbySMA5ilV376vNaqdNnWCJ0gaUwuXCr5dTC+YF0LvkntT7esI1UobUFQ8L/qDKkjzsvGdx249mMKcyNI/lGN0cQlrwAGXrh8vV5P8ToGhMlz2WUTHTZqzDfRIRS43EirDylKwe34BwvF+ttol871tIMcrGdIqjdgVdnsM+T6H/u/uzBj3l8WXLQEDSPyCxAkVoa0p3Wqnw4zLJAYclO3Hsu997OBNsIoLvoYK0CKTUQwZKmkOhBIzAp3FEKVtGGOfT6jkFBRmSGgREjpBIVKC4o2rdsQ9HAnYCYIBRsTkWlvmutoN1WdzJ7wupGQX9eHLCeo8PgbmLoF1hg6YGlRYZta+az8c03Ogjxi7tFu5h1VwFXrXXHFpaTFdpTeYbAv2BUspDgmnYsP0U7/dV9XVQ+QcIKK6JVaHqkwW50/rdU/WobLVyc3Kr7OBo1b2Ej6dtRVIthUWVlew19EMZ1bo0uHEb7flRvspEU3OmtbJ/ydKHG9DW81xczwh/im6zEVTy0rahy+eWTYhmO/O376yIm3Wud5gkJ7eOdyRLmV5Ic+mSHke0jyYVqEVxpEd3ehULTjnpNXDKZw2UHiO42PY39QA4uR02rY= Number of files that were processed is: 502 PC Hardware ID: 40707513

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Family

makop

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in Bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: Please, write us to our qTOX account: 7BDD546F7524089A930B12F793F4C1D1B4470A15A4CBA85AA0DA6D030AFE2E48B8799204F004 You can learn about this way of communication and download it here: https://qtox.github.io/ Or use Bitmessage and write to our address: BM-2cUbGd124Dcs1Jdc5VfSa2GDMC1iaNTesC You can learn about this way of communication and download it here: https://wiki.bitmessage.org/ and here: https://github.com/Bitmessage/PyBitmessage/releases/ .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don’t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data. Key Identifier: m95+iwjPW3df+Q5Af9nNgODdSnq45sS4gC3xS6DqdYcMtPchvhm/id0X/o+JThF0aLSP5jEAmrAU1fXkXVZZe7Z8Mi1rLjnzYrLQuy+kZnncD5oKVWlKetzCXAOmbmL8hjhBB9Tv+fIalOwDQI774GjcL1pUbPUw9MVCTyKAxo4VWSV6r9cBzKfyrbUjWynh1ev3iXytcuF6sAddzQRCMCZAw7mZWavQ5XUPH9OAvVJPDjlASNKvN5tqhQL/tlssT2jJ5cIqWwVIqH+pin8AKYNDJluRHzQxIe70WnrQUkZtIhsAPCNgoM8GesBXDErOk/8w1OgKKQuBKuwgOj0vA1QEyab0wZVwLF5JYrFHZH6fsxiqjaEugwPrRLSXNmdm9MRdtxv228xgEl3ZaoPKR+mpyiLFwjgh7dhgY/kbk2Fgdvk2X4nJrYycU3x5pfDbQlsjT4jD6a4glEOHj3CQhQn0O+xb0W0co1BVgt+xTXtELPR7LLRF+wanDF234v1Qnrnro2AYOqJX9rwgLSuUM1VMorNS6jsgi2N+f/zVFwp9jaTo635cJ9qg2///SBuZr5hCcOgxBHE0sBkrwv3D1nYZRotzOHtAV9Pt/aDdvrDxMFRJUWNZHtEc1pnjzHC2y5/F0H4WnMSncGdGRTj6dNAa6w3bLsWb5bT1WBvpQzQ= PC Hardware ID: A2C56C1C

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Family

hakbit

Ransom Note
Ваша система была зашифрована. Для того что бы получить доступ к Вашим файлам и расшифровать их Вам необходимо связаться с нами по адрессам decoder44@rambler.ru alpinbovuar@protonmail.com (обращаем ваше внимание что могут возникнуть трудности по дохождению писем на протон с мейл.ру и яндекса) или телеграмма который мы Вам сообщим связавшись с вашими сотрудниками. Так же у нас есть данные от ваших баз данных, бекапов, телеграмы ваших сотрудников, личные данные ваших клиентов и доступы к платежным системам. Key Identifier: nyc7naPl3Tm4IRaasMrJmW6GvDXvcYATJ8lWgUAe1Aj1Yu/M+ZMH95DAbtZVCFD43yREV8rJCipgLiK7g/qp0QZCAqur0OKu+pBhICkuKEzw1PGhelvUsd0d6iIKD4m/vZo9B645SVPIuDlbiGaE3dBjwGeJHDkCj5G1JNEKn2nd32tzBrwejWIwSBBKaD7DN1Th0lVpatR1lP7sC3f+NFbuzwc1qJAsFvYuXVXbT4JVWBWUL8pzbkUMSN/a2g/QArJluDkrt3fEwosrxd1r6EX0lUGAesWO7QRMURS/fDA5osEtQWodtxGsDAAK+as4ThVEcjWxquhFiVyAtiq0dyNIU00QMXtW514o0NZUry4tuRAGaeK4PhxkkET0Q3VPeuEb5f100s7fz+fV59x3uSO5QZ9V7JJFLGMTA+wB/136u2VJt7XDFrTH+7IO5VzJk/A+9inL9sbmGI0HzLE9H1rqwDjfEjd8+x2NRshl3H85+SoPljuvvt+a/uP7bdqUoppOEcyCN9kakRqRT3p3qitiJyrv02cASLeJa1ZJp4IJ5cSspAabHsFgvAG2FCHoAp8nW3PXDT8IklO0YorU66FJPXRCWUog2Jg6Xu1IjKrUKG9gyFqVWvKzjO2p0WEvOfC1S6esvGqp4OEccRF++09opeh0wip0IcJYovnM0bI= Number of files that were processed is: 162
Emails

decoder44@rambler.ru

alpinbovuar@protonmail.com

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note
YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. -------------------------------------------------------------------------------- We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. -------------------------------------------------------------------------------- As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it's run. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. -------------------------------------------------------------------------------- !!!!!!!!!!!!!!!!!!!!!!!! If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. !!!!!!!!!!!!!!!!!!!!!!!!! -------------------------------------------------------------------------------- It doesn't matter to us what you choose. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install it. 3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD and paste it in the Tor browser. 7. Start a chat and follow the further instructions. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: P40rMDHNMpJJZpoBUoqJzoFVgJKfCw95Tfq8EyDXyuTUOWgtvXkGTzr+CGZHg3HEGh/ghbhTCMJBlb/Raup6yXnYismG2oDwbFE2qVTarverhMFFq6DWhbYFIlxASISDHulTlbA8lYMnC+pZhL3GTGZNsXbdZndvKJfmYT4pXBbWwDba+nOGPgSXnQUXBZ9iu4UBBKzED7vUvPlhzd6sOTvZuI/iD9i6rlnRf5P+lAUTI5TKk0SeX45YmIpPhDbGXR5rIOfBc+Q3uay1HvcXxUjSTYo7K3QR2Dv7AJ8jvbbFmK8fIzAXvTIA7/WEidHtmzrF0NKzjEJSiFuwNsXq9jy9lmheeFopQ+fP7vocIdsKvoAb6aoarSb2rXFHn69RxJRTPdeZaYhZHAM6CeuYfN0PYlylhYDnLKrB55Ut3eGakMiOWFGwLGMAwU3BAH33KlarikAjr67Hb5Cec3nw2q9vQyS4BevPgUAYo81RcHHBytj/rnSvEY5SNYu5skW/s/PATWLYV5m2mSyk+PtsBeYErXwfGycsZBUjmExmOs+2Kwj59rKTKNxDSAzjQSf3o0MAXODZe2+jecw4oso5l7HRyZiAZfSTfkDu3Qlkmcp5x8UHoU7PnepOu99sxS0vvmGkA1FBqKrYFW+a76RJ99EW8KUtRk5ZAzGWZTG2nGc=
URLs

http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Ransom Note
YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it’s installation. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. It doesn't matter to us what you choose. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install it. 3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD and paste it in the Tor browser. 7. Start a chat and follow the further instructions. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: P40rMDHNMpJJZpoBUoqJzoFVgJKfCw95Tfq8EyDXyuTUOWgtvXkGTzr+CGZHg3HEGh/ghbhTCMJBlb/Raup6yXnYismG2oDwbFE2qVTarverhMFFq6DWhbYFIlxASISDHulTlbA8lYMnC+pZhL3GTGZNsXbdZndvKJfmYT4pXBbWwDba+nOGPgSXnQUXBZ9iu4UBBKzED7vUvPlhzd6sOTvZuI/iD9i6rlnRf5P+lAUTI5TKk0SeX45YmIpPhDbGXR5rIOfBc+Q3uay1HvcXxUjSTYo7K3QR2Dv7AJ8jvbbFmK8fIzAXvTIA7/WEidHtmzrF0NKzjEJSiFuwNsXq9jy9lmheeFopQ+fP7vocIdsKvoAb6aoarSb2rXFHn69RxJRTPdeZaYhZHAM6CeuYfN0PYlylhYDnLKrB55Ut3eGakMiOWFGwLGMAwU3BAH33KlarikAjr67Hb5Cec3nw2q9vQyS4BevPgUAYo81RcHHBytj/rnSvEY5SNYu5skW/s/PATWLYV5m2mSyk+PtsBeYErXwfGycsZBUjmExmOs+2Kwj59rKTKNxDSAzjQSf3o0MAXODZe2+jecw4oso5l7HRyZiAZfSTfkDu3Qlkmcp5x8UHoU7PnepOu99sxS0vvmGkA1FBqKrYFW+a76RJ99EW8KUtRk5ZAzGWZTG2nGc=
URLs

http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note
YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. -------------------------------------------------------------------------------- We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. -------------------------------------------------------------------------------- As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it's run. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. -------------------------------------------------------------------------------- !!!!!!!!!!!!!!!!!!!!!!!! If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. !!!!!!!!!!!!!!!!!!!!!!!!! -------------------------------------------------------------------------------- It doesn't matter to us what you choose. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install it. 3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD and paste it in the Tor browser. 7. Start a chat and follow the further instructions. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: OP410sm/Zu/hwIaK+r04opH63hmJ6HYEJ3vx14YZ3Xrdmvn9PUkLTUIBcLi1fPBhnKuX2wZmofEzPpHZKxo5GzMml88FOa3FwAoY4JK8KvlC2Lge4NYk0rmrSTYspFXUHLkhA3scXzyu9C0Qb8EnHW6TvFX7zkyuQ8b4vfbSER4rKxcx9DTPJByns6ju7+Rme//9I3UKR58o0w9L9JnudfnAyupCiGR0pqIFbtsxIWmPmepLhuOaootyhYF5GQ0gUbZdE9WjIcHJs4wVW7f2h2GDN9F0KPQtnMxK6bsCxubXNFq0osz/6XgqkdZF21YyxqR3Wvi3LO0189yHoebhRgIo8W1K2SO1J3oM5vikUDxZvR03dxVm+6OkEn8dcI9tcjjCyv2V5ENJ35dn2FUoXn29GomorLuEAmI8yTQ+ZwFBPr3p9Fu1PVY1vqMOUtfR4qPUeESQTvP8rDSqR+44bB1aM2UQsS1v7iGQ27OXW9WOpV0jY0nl+wSKbsVWfUn9wGulDvgMgMYiPZyWPPfYFf0yYN3gsKPgqQBENVjXTFIZ6uzvEdok6WJBMwZ9o9BOUNNXu8RUUw1hMX8UE48vXpEVA5zv6ySGWQAQhzljrShrFDbqcAmya1/Tu4bqPDt4h22/yC0m1jOM4UKIiREeDyZLC/Ir7623L5McbR32dRM=
URLs

http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD

Targets

    • Target

      0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454.bin.sample

    • Size

      346KB

    • MD5

      aff561dee3b750728a4f2f8681cc252c

    • SHA1

      f3a3ee6042c819ae00d028437c5f02ebefe0eb08

    • SHA256

      0033c6e1db4b59f95b5261ecef244981e068c765f32616b26e23eddf99986454

    • SHA512

      6b73be255c3616dedb8c5c37254729526412967e886f3aa27038dfadb268efeb048ef3099575e4214b797c6fd555e2bcddb5f6c7b890903d0c6ca3b5b948d847

    Score
    10/10
    discoveryevasionpersistencetrojan
    behavioral1behavioral2

    • Target

      02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f.bin.sample

    • Size

      481KB

    • MD5

      50379b825ba54e395092a73fb4b6e399

    • SHA1

      8171cf970cbd3746c74143d4933e4f2a69e1ea7e

    • SHA256

      02665fcf9c0ddfb2cd3e04d254f60c5a4453947f7c3df5480316a040c0c8686f

    • SHA512

      42015ac9b4a3b33adda1d1c538cc33126d72f6f8ccbd4d72b58485971a0b03b9e17908d304f6e9d3a2fe389741995618ce3ce6520bec3e62930fb11b741f090d

    Score
    10/10
    discoveryevasionransomwaretrojanpersistence

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Disables Task Manager via registry modification

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Windows security modification

      evasiontrojan

    • Modifies WinLogon

      persistence
    behavioral3behavioral4

    • Target

      1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample

    • Size

      367KB

    • MD5

      b31f6216e6bc5a6291a0b82de0377553

    • SHA1

      0afdc5359268f7e78a0ca3c3c67752edd304a742

    • SHA256

      1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb

    • SHA512

      7044cae1da196e1997fd21cbac41ff0d8e7dd5da6ebcf14e4ecd26ff53f65936430c009e473c17a2eecabbc5645e2d1fb32c5ef8ab036d045b5941a52e2982f6

    Score
    10/10
    discoveryevasionpersistenceransomwaretrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Disables Task Manager via registry modification

      evasion

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Modifies file permissions

      discovery

    • Windows security modification

      evasiontrojan

    • Modifies WinLogon

      persistence
    behavioral5behavioral6

    • Target

      48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698.bin.sample

    • Size

      353KB

    • MD5

      3de060c1a25fb75735767e9450ed797d

    • SHA1

      8c0e899fc89aa8e0201aa8ee4ba41cd05702116e

    • SHA256

      48be948c3345e8c8b10c612a88eeee6bd1bf8af076092cf88268a268e889e698

    • SHA512

      4792c3c919c87269544bbe60b62930059f71421eae0a736113e4472e14cfebf95b16ebc430e441a88655fcb84397d5959367061e59d58deaf26de43915eea37b

    Score
    10/10
    discoveryevasionpersistenceransomwaretrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Disables Task Manager via registry modification

      evasion

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Modifies file permissions

      discovery

    • Windows security modification

      evasiontrojan

    • Modifies WinLogon

      persistence
    behavioral7behavioral8

    • Target

      714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample

    • Size

      107KB

    • MD5

      ffd507c308ffa09e21aa937bc631421a

    • SHA1

      7938ce37df604cf807e9d2767acf33984a1776a3

    • SHA256

      714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409

    • SHA512

      b48721c1e57152afe16576e7f54084e52d88d594c12203e5e56316bca8a7bc44c29b790e2e358ab0b7220b2d6e098a288b0fa602af84dda9cef16104f72d2970

    Score
    10/10
    makopdiscoveryevasionransomware

    • Makop

      Ransomware family discovered by @VK_Intel in early 2020.

      ransomwaremakop

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Modifies file permissions

      discovery
    behavioral9behavioral10

    • Target

      79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249.bin.sample

    • Size

      165KB

    • MD5

      1407b521eded12eca22dc4a12421be59

    • SHA1

      031cf6f7f62cbea5753b3d6cc7ee113f69aa43a3

    • SHA256

      79323434542bf442218be77d3982e167e118dc9954ce9ea1726db42bcac4d249

    • SHA512

      79ed739a0ad7f9b45150f491dc9e1cd9f8d4b828fc0ff82bdc23307c4e31efefb862d163ded840438759805b3a792b3fa569d3cce13e4702987a107bc85d3406

    Score
    10/10
    evasionpersistenceransomwaretrojandiscovery

    • Modifies WinLogon for persistence

      persistence

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Modifies file permissions

      discovery

    • Windows security modification

      evasiontrojan
    behavioral11behavioral12

    • Target

      aa3e530d4567c1511126029fac0562ba8aa4ead0a01aceea169ade3e38a37ea7.bin.sample

    • Size

      128KB

    • MD5

      9606a0bdc7a04dcf4d8625345c2875cd

    • SHA1

      34c37511ef2105aedf55eda054e89210757f51ec

    • SHA256

      aa3e530d4567c1511126029fac0562ba8aa4ead0a01aceea169ade3e38a37ea7

    • SHA512

      64796dde9fe7791e166cecb622d7713ef3a6947e404919eaba27c532fdf3be799f8ead904402a5b9dfff27977813c77e1c86954801c7bc4a867265d6aa36a595

    Score
    10/10
    discoveryevasionhakbitransomware

    • Hakbit

      Ransomware which encrypts files using AES, first seen in November 2019.

      ransomwarehakbit

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

      discovery
    behavioral13behavioral14

    • Target

      b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32.bin.sample

    • Size

      358KB

    • MD5

      625c0b381462e729abdcca12d424e50a

    • SHA1

      9e20fd6588a16b852d5b1f5ed122706aebce58ac

    • SHA256

      b6f774f46949d54a060dabf2d7d08eef9fd390091f419ce1a2b555bcd58b2d32

    • SHA512

      48b289d17752bacbe65f46eee9b016264120dff5858bb87609bdfe2a10a1a1c6d12c395dc1bfa6adc8fe24b2b5da48957beec7eb0f38eaa244566ab0ac27c58d

    Score
    10/10
    discoveryevasionpersistencetrojan
    behavioral15behavioral16

    • Target

      b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample

    • Size

      393KB

    • MD5

      104b68a8b7e2913139049b30847f990f

    • SHA1

      0f25791a039298be94a3d024f5a3d1796e13a587

    • SHA256

      b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424

    • SHA512

      cba38f93247621cc38ea33f72efc1147e0a6d1a8b9256a26853ac3c1c8c3c9444d2d3a5af586e934febad1822c93fbc1e9c538759b4587720ba03a92792ce04d

    Score
    10/10
    thanosevasionpersistenceransomwaretrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies WinLogon for persistence

      persistence

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Thanos Ransomware

      Ransomware-as-a-service (RaaS) sold through underground forums.

      ransomwarethanos

    • Thanos executable

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Drops startup file

    • Windows security modification

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

      persistence
    behavioral17behavioral18

    • Target

      d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample

    • Size

      97KB

    • MD5

      212614aa34906a41edd51491c7980529

    • SHA1

      671f1031d3b2cd242a270e17718cc0fe20122ad0

    • SHA256

      d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00

    • SHA512

      21a57568c090f0ed72b599168a16d1bfb2073e639972fb0268e6d91143f5bb54292fd6a15fea20f6d90ee817eafebf771b6c7771318a90de148fd95692f49d6a

    Score
    10/10
    evasionpersistenceransomwaretrojandiscovery

    • Modifies WinLogon for persistence

      persistence

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Drops startup file

    • Modifies file permissions

      discovery

    • Windows security modification

      evasiontrojan

    • Modifies WinLogon

      persistence

    • Drops file in System32 directory

    behavioral19behavioral20

    • Target

      e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.bin.sample

    • Size

      290KB

    • MD5

      a6dcf23059f6e61fa683907c47baf73e

    • SHA1

      1d55396b26d97b18256513607dcbe3f308569d5b

    • SHA256

      e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3

    • SHA512

      72ef9997b814807e677e7861a94de3c8c2b7cb350ab79c887de61f505f23ebc2e3db177b34e86f1dedb3017f468e5c6c0f34d188c574e4cbe20410ff1bf596f7

    Score
    10/10
    discoveryevasionpersistenceransomware
    behavioral21behavioral22

MITRE ATT&CK Matrix