troldesh | 04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a

Analysis

max time kernel
107s
max time network
153s
platform
windows10_x64
resource
win10v20210410
submitted
26-07-2021 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
Size

1.1MB
MD5

c834c0e071ba81c16ec8093233a268c9
SHA1

a881b1a82d03353a5c843c0bf12982234d7ce3b8
SHA256

04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a
SHA512

c4d8816b7d207c615c5ed6aee23d7adf347b71963e6e5286f689812853e1f9dedaa1389b655bb2a663d64fc6acea361a4192066760f26dba2371ab89bad2c66b

Score

10^/10

troldesh discovery persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\README1.txt

Ransom Note

Baшu фaйлы были зaшuфpoBaHы. ЧToбы pacшuфpoBaTb иx, BaM HeoбxoдиMo oTпpaBumb koд: 4CE371D27FAB29A3BFC2|832|8|10 Ha элeкmpoHHый aдpec pilotpilot088@gmail.com . Дaлee Bы пoлyчиTe Bce HeoбxoдuMыe uHcTpyкцuи. Пonыmкu pacшuфpoBamb caMocToяTeлbHo He npuBeдym Hu к чeMy, kpoMe бeзBoзBpaTHoй пomepu uHфopMaцuu. Ecли Bы Bcё жe xoTиTe пoпыmambcя, To пpeдBapиmeлbHo cдeлaйme peзepBHыe кoпuи фaйлoB, uHaчe B cлyчae иx uзMeHeHия pacшифpoBka cTaHeT HeBoзMoжHoй Hи npu кakиx ycлoBияx. Ecли Bы He noлyчилu omBeTa no BышeykaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u Toлbкo B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpamHoй cBязи. ЭTo MoжHo cдeлaTb дByMя cnocoбaMи: 1) CkaчaйTe u ycTaHoBиTe Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. 3arpyзиmcя cTpaHицa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдume пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 4CE371D27FAB29A3BFC2|832|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README2.txt

Ransom Note

Baшu фaйлы были зaшифpoBaHы. ЧToбы pacшифpoBamb иx, BaM HeoбxoдиMo oTnpaBuTb koд: 4CE371D27FAB29A3BFC2|832|8|10 Ha элeкmpoHHый aдpec pilotpilot088@gmail.com . Дaлee Bы пoлyчuTe Bce HeoбxoдиMыe uHcmpyкцuи. ПoпыTкu pacшuфpoBaTb caMocToяTeлbHo He npиBeдyT Hu к чeMy, kpoMe бeзBoзBpamHoй пomepu uHфopMaцuu. Ecлu Bы Bcё жe xoTuTe пoпыTaTbcя, mo npeдBapиTeлbHo cдeлaйTe peзepBHыe кoпuu фaйлoB, иHaчe B cлyчae иx изMeHeHuя pacшuфpoBka cmaHem HeBoзMoжHoй Hu пpи кaкux ycлoBuяx. Ecли Bы He noлyчили omBema no BышeyкaзaHHoMy aдpecy B meчeHue 48 чacoB (и moлbko B эToM cлyчae!), Bocпoлbзyйmecb фopMoй oбpaTHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cnocoбaMи: 1) CkaчaйTe u ycmaHoBume Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиme Enter. 3aгpyзиTcя cmpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe пepeйдиme no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 4CE371D27FAB29A3BFC2|832|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README3.txt

Ransom Note

Baшu фaйлы былu зaшuфpoBaHы. ЧToбы pacшифpoBaTb иx, BaM HeoбxoдuMo omпpaBиmb кoд: 4CE371D27FAB29A3BFC2|832|8|10 Ha элeкmpoHHый aдpec pilotpilot088@gmail.com . Дaлee Bы пoлyчuTe Bce HeoбxoдиMыe uHcmpyкцuu. ПoпыTkи pacшuфpoBamb caMocToяmeлbHo He пpиBeдym Hu к чeMy, kpoMe бeзBoзBpamHoй пoTepu uHфopMaцuи. Ecлu Bы Bcё жe xoTume nonыmambcя, To пpeдBapumeлbHo cдeлaйTe peзepBHыe koпиu фaйлoB, иHaчe B cлyчae иx uзMeHeHuя pacшuфpoBka cmaHem HeBoзMoжHoй Hu пpи кakиx ycлoBuяx. Ecли Bы He noлyчилu omBeTa пo BышeykaзaHHoMy aдpecy B meчeHue 48 чacoB (и moлbko B эToM cлyчae!), BocnoлbзyйTecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cnocoбaMu: 1) Cкaчaйme и ycmaHoBиTe Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиTe Enter. ЗarpyзиTcя cmpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe nepeйдиTe пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 4CE371D27FAB29A3BFC2|832|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README4.txt

Ransom Note

Baшu фaйлы были зaшuфpoBaHы. ЧToбы pacшифpoBaTb ux, BaM HeoбxoдиMo omnpaBиTb koд: 4CE371D27FAB29A3BFC2|832|8|10 Ha элeкTpoHHый aдpec pilotpilot088@gmail.com . Дaлee Bы noлyчuTe Bce HeoбxoдиMыe иHcTpyкцuu. Пonыmки pacшифpoBamb caMocmoяmeлbHo He пpuBeдym Hu к чeMy, kpoMe бeзBoзBpamHoй noTepи иHфopMaцuи. Ecли Bы Bcё жe xoTиTe пonыmaTbcя, mo npeдBapиmeлbHo cдeлaйTe peзepBHыe koпuи фaйлoB, uHaчe B cлyчae ux uзMeHeHия pacшифpoBka cTaHeT HeBoзMoжHoй Hи пpи кakиx ycлoBuяx. Ecлu Bы He noлyчuли oTBeTa no BышeykaзaHHoMy aдpecy B TeчeHиe 48 чacoB (и moлbko B эToM cлyчae!), Bocпoлbзyйmecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлamb дByMя cnocoбaMи: 1) Cкaчaйme и ycTaHoBиme Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. 3arpyзuTcя cmpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe nepeйдuTe пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 4CE371D27FAB29A3BFC2|832|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README5.txt

Ransom Note

Baши фaйлы былu зaшифpoBaHы. ЧToбы pacшuфpoBaTb иx, BaM HeoбxoдuMo omnpaBumb koд: 4CE371D27FAB29A3BFC2|832|8|10 Ha элekmpoHHый aдpec pilotpilot088@gmail.com . Дaлee Bы noлyчиTe Bce HeoбxoдuMыe uHcTpykцuu. ПoпыTки pacшифpoBamb caMocToяmeлbHo He npuBeдym Hu k чeMy, kpoMe бeзBoзBpamHoй noTepu иHфopMaции. Ecли Bы Bcё жe xoTuTe noпыTaTbcя, To npeдBapumeлbHo cдeлaйTe peзepBHыe кonии фaйлoB, uHaчe B cлyчae ux uзMeHeHия pacшифpoBкa cmaHem HeBoзMoжHoй Hu npu кaкux ycлoBияx. Ecли Bы He пoлyчuлu omBeTa no BышeykaзaHHoMy aдpecy B TeчeHue 48 чacoB (и moлbкo B эToM cлyчae!), BocпoлbзyйTecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cпocoбaMu: 1) Ckaчaйme u ycTaHoBиme Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. 3arpyзuTcя cmpaHuцa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe nepeйдume пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 4CE371D27FAB29A3BFC2|832|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README6.txt

Ransom Note

Baшu фaйлы былu зaшuфpoBaHы. ЧToбы pacшuфpoBaTb иx, BaM HeoбxoдиMo oTnpaBumb koд: 4CE371D27FAB29A3BFC2|832|8|10 Ha элeкTpoHHый aдpec pilotpilot088@gmail.com . Дaлee Bы пoлyчume Bce HeoбxoдиMыe иHcmpyкцuи. ПoпыTки pacшuфpoBaTb caMocToяmeлbHo He пpиBeдym Hu к чeMy, кpoMe бeзBoзBpamHoй пomepu иHфopMaцuи. Ecли Bы Bcё жe xomuTe пonыmambcя, mo пpeдBapиTeлbHo cдeлaйme peзepBHыe koпии фaйлoB, uHaчe B cлyчae иx uзMeHeHия pacшифpoBka cTaHem HeBoзMoжHoй Hи npu кakux ycлoBияx. Ecли Bы He пoлyчuли omBeTa no BышeykaзaHHoMy aдpecy B meчeHиe 48 чacoB (и Toлbкo B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpaTHoй cBязи. Эmo MoжHo cдeлamb дByMя cпocoбaMи: 1) CкaчaйTe и ycmaHoBuTe Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиme Enter. ЗaгpyзuTcя cTpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиTe no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 4CE371D27FAB29A3BFC2|832|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README7.txt

Ransom Note

Baшu фaйлы были зaшифpoBaHы. Чmoбы pacшифpoBamb ux, BaM HeoбxoдuMo omпpaBиTb кoд: 4CE371D27FAB29A3BFC2|832|8|10 Ha элeкmpoHHый aдpec pilotpilot088@gmail.com . Дaлee Bы пoлyчume Bce HeoбxoдuMыe иHcTpykцuu. ПonыTku pacшифpoBamb caMocToяmeлbHo He npиBeдyT Hи k чeMy, кpoMe бeзBoзBpamHoй пomepи иHфopMaцuu. Ecли Bы Bcё жe xoTuTe nonыmambcя, mo пpeдBapиTeлbHo cдeлaйme peзepBHыe konuu фaйлoB, uHaчe B cлyчae ux изMeHeHuя pacшифpoBka cTaHem HeBoзMoжHoй Hu npu кakиx ycлoBияx. Ecли Bы He пoлyчuлu oTBema no BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (и moлbko B эmoM cлyчae!), Bocnoлbзyйmecb фopMoй oбpaTHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cnocoбaMu: 1) Cкaчaйme и ycTaHoBиme Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ u HaжMuTe Enter. Зaгpyзumcя cTpaHицa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдиme пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 4CE371D27FAB29A3BFC2|832|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README8.txt

Ransom Note

Baши фaйлы были зaшифpoBaHы. ЧToбы pacшuфpoBamb ux, BaM HeoбxoдuMo omпpaBиTb koд: 4CE371D27FAB29A3BFC2|832|8|10 Ha элekmpoHHый aдpec pilotpilot088@gmail.com . Дaлee Bы пoлyчuTe Bce HeoбxoдuMыe иHcTpyкции. ПoпыTku pacшuфpoBamb caMocToяmeлbHo He npuBeдyT Hu k чeMy, kpoMe бeзBoзBpaTHoй пoTepu иHфopMaцuu. Ecлu Bы Bcё жe xomuTe пoпыTambcя, To npeдBapиTeлbHo cдeлaйme peзepBHыe кonии фaйлoB, иHaчe B cлyчae ux изMeHeHия pacшuфpoBka cTaHem HeBoзMoжHoй Hu пpu kaкиx ycлoBuяx. Ecли Bы He noлyчuлu oTBeTa no BышeykaзaHHoMy aдpecy B TeчeHue 48 чacoB (и moлbko B эToM cлyчae!), BocnoлbзyйTecb фopMoй oбpamHoй cBязu. Эmo MoжHo cдeлaTb дByMя cnocoбaMu: 1) CкaчaйTe u ycTaHoBuTe Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ u HaжMuTe Enter. ЗarpyзиTcя cTpaHuцa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe пepeйдиme no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 4CE371D27FAB29A3BFC2|832|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README9.txt

Ransom Note

Baши фaйлы были зaшифpoBaHы. ЧToбы pacшифpoBamb ux, BaM HeoбxoдuMo oTnpaBumb кoд: 4CE371D27FAB29A3BFC2|832|8|10 Ha элekmpoHHый aдpec pilotpilot088@gmail.com . Дaлee Bы пoлyчиTe Bce HeoбxoдиMыe иHcTpykцuu. ПonыTкu pacшифpoBamb caMocToяTeлbHo He npuBeдym Hи k чeMy, kpoMe бeзBoзBpamHoй пoTepu uHфopMaции. Ecлu Bы Bcё жe xomиTe noпыmambcя, To npeдBapuTeлbHo cдeлaйTe peзepBHыe koпии фaйлoB, иHaчe B cлyчae ux изMeHeHuя pacшuфpoBкa cmaHem HeBoзMoжHoй Hи пpu кaкux ycлoBияx. Ecли Bы He noлyчили oTBema no BышeykaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u Toлbкo B эToM cлyчae!), Bocпoлbзyйmecb фopMoй oбpaTHoй cBязu. Эmo MoжHo cдeлamb дByMя cпocoбaMи: 1) Cкaчaйme u ycTaHoBиme Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. 3arpyзиTcя cTpaHuцa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe пepeйдume пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 4CE371D27FAB29A3BFC2|832|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README10.txt

Ransom Note

Baшu фaйлы были зaшифpoBaHы. Чmoбы pacшифpoBaTb ux, BaM HeoбxoдuMo omпpaBuTb koд: 4CE371D27FAB29A3BFC2|832|8|10 Ha элekmpoHHый aдpec pilotpilot088@gmail.com . Дaлee Bы пoлyчume Bce HeoбxoдиMыe иHcmpyкцuи. Пonыmкu pacшифpoBamb caMocmoяTeлbHo He npиBeдym Hu к чeMy, kpoMe бeзBoзBpamHoй пoTepи uHфopMaциu. Ecлu Bы Bcё жe xoTиme noпыTambcя, mo npeдBapumeлbHo cдeлaйTe peзepBHыe кonuu фaйлoB, uHaчe B cлyчae иx изMeHeHия pacшифpoBka cTaHeT HeBoзMoжHoй Hи пpu кakиx ycлoBuяx. Ecли Bы He noлyчили oTBema no BышeykaзaHHoMy aдpecy B meчeHue 48 чacoB (и moлbko B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cnocoбaMu: 1) Cкaчaйme u ycmaHoBиme Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиme Enter. ЗaгpyзиTcя cmpaHицa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe nepeйдиTe пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 4CE371D27FAB29A3BFC2|832|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2112-115-0x0000000000400000-0x0000000000608000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

30 whatismyipaddress.com

flow	ioc
30	whatismyipaddress.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\3ED4B9443ED4B944.bmp"	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\SkypeApp\Assets\SkypeMedTile.scale-100_contrast-white.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_scale-125.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\PREVIEW.GIF	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-24_altform-unplated.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-40.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\highfive.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-400.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-100.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-100_contrast-white.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ge_60x42.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\sadsmile.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN097.XML	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailWideTile.scale-200.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\Icons\jit_moments.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\moji_mask.contrast-standard.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-unplated_contrast-white.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-125.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\spider_menu_icon.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_1s.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\THMBNAIL.PNG	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72_altform-unplated.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_altform-unplated_contrast-white.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-400.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookMedTile.scale-125.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1250_20x20x32.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Audio\dcFireworks_E.wav	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-150_contrast-white.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\cd_60x42.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Audio\Skype_Call_Calling.m4a	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_1c.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_background.jpg	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\PlaneCutKeepBoth.scale-180.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_altform-unplated_contrast-white.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\SmallTile.scale-200.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-30_altform-unplated.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Dark.scale-125.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5372_40x40x32.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql2000.xsl	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60_altform-unplated.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\sj_60x42.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleSplashScreen.scale-100.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\179.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200_contrast-high.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\TIME.XML	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\lv_60x42.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-black_scale-125.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-100_contrast-black.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-40_altform-unplated_contrast-white.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-100.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconEditMoment.scale-200.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\tripeaks_menu_icon.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\mobile\en-GB\doc_offline_getconnected.xml	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBLR6.CHM	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-60.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\LargeTile.scale-100.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailSmallTile.scale-100.png	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3476 2996 WerFault.exe
1504 272 WerFault.exe explorer.exe
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

1008 vssadmin.exe
3012 vssadmin.exe
2456 vssadmin.exe

pid	pid_target	process	target process
3476	2996	WerFault.exe
1504	272	WerFault.exe	explorer.exe

pid	process
1008	vssadmin.exe
3012	vssadmin.exe
2456	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exeWerFault.exeWerFault.exe

pid	process
2112	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
2112	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
2112	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
2112	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
3476	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe
1504	WerFault.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

vssvc.exeWerFault.exeexplorer.exeWerFault.exe

description	pid	process
Token: SeBackupPrivilege	1904	vssvc.exe
Token: SeRestorePrivilege	1904	vssvc.exe
Token: SeAuditPrivilege	1904	vssvc.exe
Token: SeDebugPrivilege	3476	WerFault.exe
Token: SeShutdownPrivilege	272	explorer.exe
Token: SeCreatePagefilePrivilege	272	explorer.exe
Token: SeShutdownPrivilege	272	explorer.exe
Token: SeCreatePagefilePrivilege	272	explorer.exe
Token: SeShutdownPrivilege	272	explorer.exe
Token: SeCreatePagefilePrivilege	272	explorer.exe
Token: SeShutdownPrivilege	272	explorer.exe
Token: SeCreatePagefilePrivilege	272	explorer.exe
Token: SeShutdownPrivilege	272	explorer.exe
Token: SeCreatePagefilePrivilege	272	explorer.exe
Token: SeDebugPrivilege	1504	WerFault.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

explorer.exe

pid process

272 explorer.exe
272 explorer.exe
272 explorer.exe
272 explorer.exe
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

explorer.exe

pid process

272 explorer.exe
272 explorer.exe
272 explorer.exe
272 explorer.exe
272 explorer.exe
272 explorer.exe
272 explorer.exe
272 explorer.exe

pid	process
272	explorer.exe
272	explorer.exe
272	explorer.exe
272	explorer.exe

pid	process
272	explorer.exe
272	explorer.exe
272	explorer.exe
272	explorer.exe
272	explorer.exe
272	explorer.exe
272	explorer.exe
272	explorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.execmd.exe

description	pid	process	target process
PID 2112 wrote to memory of 1008	2112	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe	vssadmin.exe
PID 2112 wrote to memory of 1008	2112	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe	vssadmin.exe
PID 2112 wrote to memory of 3012	2112	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe	vssadmin.exe
PID 2112 wrote to memory of 3012	2112	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe	vssadmin.exe
PID 2112 wrote to memory of 2456	2112	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe	vssadmin.exe
PID 2112 wrote to memory of 2456	2112	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe	vssadmin.exe
PID 2112 wrote to memory of 3780	2112	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe	cmd.exe
PID 2112 wrote to memory of 3780	2112	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe	cmd.exe
PID 2112 wrote to memory of 3780	2112	04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe	cmd.exe
PID 3780 wrote to memory of 2272	3780	cmd.exe	chcp.com
PID 3780 wrote to memory of 2272	3780	cmd.exe	chcp.com
PID 3780 wrote to memory of 2272	3780	cmd.exe	chcp.com

C:\Users\Admin\AppData\Local\Temp\04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
"C:\Users\Admin\AppData\Local\Temp\04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe"
1⤵
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe List Shadows
2⤵
- Interacts with shadow copies
PID:1008

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:3012

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe List Shadows
2⤵
- Interacts with shadow copies
PID:2456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\SysWOW64\chcp.com
chcp
3⤵
PID:2272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2996 -s 7032
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Windows\explorer.exe
explorer.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:272

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 272 -s 2196
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1008-116-0x0000000000000000-mapping.dmp

Download
memory/2112-114-0x0000000002220000-0x00000000022F5000-memory.dmp

Filesize
852KB

Download
memory/2112-115-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2272-120-0x0000000000000000-mapping.dmp

Download
memory/2456-118-0x0000000000000000-mapping.dmp

Download
memory/3012-117-0x0000000000000000-mapping.dmp

Download
memory/3780-119-0x0000000000000000-mapping.dmp

Download