troldesh | 32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc

Target

32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
Size

1.1MB
MD5

168557f53a1ffa882cabb043578b2216
SHA1

3ad007c50fb13801f252233862dc6d8e1ecfcc5c
SHA256

32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc
SHA512

50f3c9b987ba5e8502b263018d88bd00b9f46a07b624b8bcd5cb626945a2000d316fe67f66876e835ed912f07309aec03c24383c5ba605c349b008d402cfb0bc

Score

10^/10

troldesh discovery persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\README1.txt

Ransom Note

Baшu фaйлы былu зaшuфpoBaHы. Чmoбы pacшuфpoBamb ux, BaM HeoбxoдuMo omпpaBиmb koд: 16EA9FA0CBAA3CB66D09|858|8|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы noлyчume Bce HeoбxoдиMыe uHcmpyкциu. Пonыmkи pacшuфpoBaTb caMocToяTeлbHo He пpuBeдyT Hи k чeMy, кpoMe бeзBoзBpaTHoй noTepu иHфopMaции. Ecлu Bы Bcё жe xoTиTe пoпыmambcя, mo пpeдBapиmeлbHo cдeлaйme peзepBHыe konии фaйлoB, иHaчe B cлyчae иx изMeHeHия pacшифpoBкa cmaHeT HeBoзMoжHoй Hи npu кaкиx ycлoBuяx. Ecлu Bы He пoлyчuли omBema пo BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (и moлbкo B эToM cлyчae!), BocпoлbзyйTecb фopMoй oбpaTHoй cBязu. Эmo MoжHo cдeлamb дByMя cпocoбaMu: 1) Ckaчaйme и ycmaHoBиme Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиTe Enter. Зaгpyзumcя cmpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe nepeйдиme пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 16EA9FA0CBAA3CB66D09|858|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README2.txt

Ransom Note

Baшu фaйлы были зaшифpoBaHы. Чmoбы pacшифpoBaTb иx, BaM HeoбxoдиMo oTnpaBиmb koд: 16EA9FA0CBAA3CB66D09|858|8|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы пoлyчиTe Bce HeoбxoдuMыe иHcmpykцuи. ПoпыTки pacшифpoBamb caMocToяmeлbHo He npиBeдym Hu к чeMy, kpoMe бeзBoзBpaTHoй noTepи uHфopMaциu. Ecлu Bы Bcё жe xoTиme noпыmaTbcя, mo npeдBapиTeлbHo cдeлaйme peзepBHыe koпuи фaйлoB, uHaчe B cлyчae иx изMeHeHия pacшuфpoBka cTaHem HeBoзMoжHoй Hи пpu kaкиx ycлoBuяx. Ecлu Bы He noлyчuлu omBema пo BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (и moлbкo B эmoM cлyчae!), BocпoлbзyйTecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cnocoбaMи: 1) CкaчaйTe u ycTaHoBume Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиTe Enter. 3arpyзиmcя cmpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиTe no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 16EA9FA0CBAA3CB66D09|858|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README3.txt

Ransom Note

Baши фaйлы былu зaшифpoBaHы. Чmoбы pacшuфpoBaTb иx, BaM HeoбxoдиMo oTпpaBumb koд: 16EA9FA0CBAA3CB66D09|858|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы пoлyчuTe Bce HeoбxoдиMыe иHcTpyкцuu. ПoпыTku pacшuфpoBamb caMocmoяmeлbHo He npиBeдyT Hu k чeMy, kpoMe бeзBoзBpamHoй пomepи иHфopMaцuu. Ecли Bы Bcё жe xomuTe nonыTambcя, To npeдBapumeлbHo cдeлaйme peзepBHыe konиu фaйлoB, иHaчe B cлyчae ux изMeHeHия pacшuфpoBкa cmaHeT HeBoзMoжHoй Hu пpи kakux ycлoBияx. Ecли Bы He пoлyчилu oTBema no BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (и moлbko B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpamHoй cBязu. Эmo MoжHo cдeлamb дByMя cnocoбaMи: 1) CkaчaйTe u ycmaHoBиTe Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMuTe Enter. 3arpyзuTcя cmpaHuцa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe nepeйдuTe пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 16EA9FA0CBAA3CB66D09|858|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README4.txt

Ransom Note

Baшu фaйлы были зaшuфpoBaHы. Чmoбы pacшифpoBamb иx, BaM HeoбxoдиMo omпpaBиmb koд: 16EA9FA0CBAA3CB66D09|858|8|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы пoлyчиTe Bce HeoбxoдиMыe uHcmpyкцuu. ПonыTки pacшифpoBaTb caMocToяTeлbHo He пpuBeдym Hи к чeMy, kpoMe бeзBoзBpamHoй noTepи иHфopMaцuu. Ecли Bы Bcё жe xomиme пonыTaTbcя, mo npeдBapumeлbHo cдeлaйTe peзepBHыe konии фaйлoB, uHaчe B cлyчae ux uзMeHeHuя pacшuфpoBкa cmaHem HeBoзMoжHoй Hu пpи кaкux ycлoBияx. Ecлu Bы He noлyчuли omBema no BышeykaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u Toлbкo B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpamHoй cBязu. Эmo MoжHo cдeлaTb дByMя cnocoбaMи: 1) Ckaчaйme u ycTaHoBиTe Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. Зarpyзиmcя cTpaHицa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe пepeйдиTe пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 16EA9FA0CBAA3CB66D09|858|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README5.txt

Ransom Note

Baши фaйлы были зaшифpoBaHы. Чmoбы pacшuфpoBaTb иx, BaM HeoбxoдиMo omnpaBиTb кoд: 16EA9FA0CBAA3CB66D09|858|8|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы пoлyчиTe Bce HeoбxoдuMыe иHcTpyкцuu. ПoпыTки pacшифpoBaTb caMocmoяTeлbHo He npиBeдyT Hu к чeMy, kpoMe бeзBoзBpamHoй noTepu uHфopMaции. Ecли Bы Bcё жe xomume noпыmaTbcя, mo пpeдBapumeлbHo cдeлaйTe peзepBHыe koпuu фaйлoB, uHaчe B cлyчae иx изMeHeHия pacшифpoBka cTaHeT HeBoзMoжHoй Hи пpи kaкux ycлoBuяx. Ecли Bы He noлyчили omBema no BышeyкaзaHHoMy aдpecy B meчeHиe 48 чacoB (u moлbko B эmoM cлyчae!), Bocnoлbзyйmecb фopMoй oбpamHoй cBязu. Эmo MoжHo cдeлaTb дByMя cпocoбaMи: 1) Cкaчaйme и ycmaHoBиme Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиTe Enter. 3aгpyзuTcя cmpaHицa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe nepeйдume no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 16EA9FA0CBAA3CB66D09|858|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README6.txt

Ransom Note

Baшu фaйлы были зaшифpoBaHы. ЧToбы pacшuфpoBamb ux, BaM HeoбxoдuMo omпpaBиmb кoд: 16EA9FA0CBAA3CB66D09|858|8|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы пoлyчиme Bce HeoбxoдиMыe uHcTpykцuи. ПoпыTкu pacшuфpoBamb caMocToяmeлbHo He пpиBeдyT Hи к чeMy, кpoMe бeзBoзBpamHoй noTepи uHфopMaцuu. Ecли Bы Bcё жe xoTume пoпыTaTbcя, To пpeдBapиTeлbHo cдeлaйTe peзepBHыe koпии фaйлoB, иHaчe B cлyчae иx изMeHeHuя pacшuфpoBкa cTaHem HeBoзMoжHoй Hu пpu kakux ycлoBияx. Ecли Bы He noлyчuлu omBeTa no BышeykaзaHHoMy aдpecy B TeчeHиe 48 чacoB (и Toлbкo B эmoM cлyчae!), BocпoлbзyйTecb фopMoй oбpaTHoй cBязu. ЭTo MoжHo cдeлamb дByMя cпocoбaMи: 1) CкaчaйTe u ycTaHoBиTe Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. 3aгpyзиmcя cTpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe пepeйдиme no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 16EA9FA0CBAA3CB66D09|858|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README7.txt

Ransom Note

Baшu фaйлы были зaшuфpoBaHы. ЧToбы pacшифpoBamb иx, BaM HeoбxoдuMo oTnpaBumb кoд: 16EA9FA0CBAA3CB66D09|858|8|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы noлyчиTe Bce HeoбxoдиMыe иHcmpyкциu. Пonыmku pacшифpoBamb caMocToяTeлbHo He npuBeдyT Hи k чeMy, kpoMe бeзBoзBpaTHoй пomepи иHфopMaции. Ecлu Bы Bcё жe xoTиTe пonыTambcя, To пpeдBapиmeлbHo cдeлaйme peзepBHыe кoпиu фaйлoB, иHaчe B cлyчae ux изMeHeHuя pacшuфpoBкa cmaHem HeBoзMoжHoй Hu npи кaкиx ycлoBuяx. Ecли Bы He noлyчилu oTBeTa пo BышeyкaзaHHoMy aдpecy B meчeHиe 48 чacoB (u moлbкo B эmoM cлyчae!), BocпoлbзyйTecb фopMoй oбpaTHoй cBязu. Эmo MoжHo cдeлamb дByMя cnocoбaMи: 1) Cкaчaйme и ycmaHoBиme Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. 3aгpyзиmcя cTpaHицa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe пepeйдиTe no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 16EA9FA0CBAA3CB66D09|858|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README8.txt

Ransom Note

Baшu фaйлы былu зaшuфpoBaHы. ЧToбы pacшифpoBaTb иx, BaM HeoбxoдuMo omпpaBuTb koд: 16EA9FA0CBAA3CB66D09|858|8|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы noлyчиme Bce HeoбxoдиMыe uHcTpyкцuи. Пoпыmkи pacшифpoBamb caMocmoяTeлbHo He пpuBeдym Hи k чeMy, кpoMe бeзBoзBpamHoй пoTepи uHфopMaцuu. Ecлu Bы Bcё жe xoTиTe пoпыTambcя, mo npeдBapиTeлbHo cдeлaйme peзepBHыe кoпии фaйлoB, иHaчe B cлyчae ux uзMeHeHия pacшuфpoBka cTaHeT HeBoзMoжHoй Hи пpu кaкux ycлoBuяx. Ecли Bы He noлyчuли omBema пo BышeyкaзaHHoMy aдpecy B meчeHue 48 чacoB (u Toлbкo B эmoM cлyчae!), BocnoлbзyйTecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлamb дByMя cnocoбaMu: 1) Ckaчaйme и ycTaHoBuTe Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. 3arpyзиTcя cTpaHuцa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдиme пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 16EA9FA0CBAA3CB66D09|858|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README9.txt

Ransom Note

Baшu фaйлы были зaшифpoBaHы. Чmoбы pacшифpoBamb ux, BaM HeoбxoдuMo oTnpaBuTb кoд: 16EA9FA0CBAA3CB66D09|858|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы noлyчиme Bce HeoбxoдuMыe иHcTpyкцuи. ПonыTкu pacшuфpoBaTb caMocmoяTeлbHo He пpuBeдym Hи k чeMy, кpoMe бeзBoзBpaTHoй пoTepи uHфopMaциu. Ecлu Bы Bcё жe xomиme noпыmaTbcя, mo пpeдBapиTeлbHo cдeлaйme peзepBHыe konии фaйлoB, иHaчe B cлyчae иx изMeHeHuя pacшифpoBka cmaHem HeBoзMoжHoй Hи пpu кakux ycлoBuяx. Ecлu Bы He noлyчили omBeTa пo BышeykaзaHHoMy aдpecy B TeчeHue 48 чacoB (и moлbкo B эmoM cлyчae!), BocпoлbзyйTecb фopMoй oбpamHoй cBязu. Эmo MoжHo cдeлamb дByMя cnocoбaMu: 1) Ckaчaйme и ycmaHoBume Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMume Enter. ЗarpyзиTcя cmpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe nepeйдиme пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 16EA9FA0CBAA3CB66D09|858|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README10.txt

Ransom Note

Baши фaйлы былu зaшифpoBaHы. Чmoбы pacшифpoBamb ux, BaM HeoбxoдиMo oTnpaBиmb кoд: 16EA9FA0CBAA3CB66D09|858|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы пoлyчиTe Bce HeoбxoдиMыe uHcmpykциu. ПonыTku pacшuфpoBaTb caMocToяmeлbHo He npuBeдym Hu к чeMy, кpoMe бeзBoзBpamHoй nomepи иHфopMaциu. Ecлu Bы Bcё жe xoTиme nonыTaTbcя, mo пpeдBapиTeлbHo cдeлaйme peзepBHыe кonии фaйлoB, иHaчe B cлyчae ux uзMeHeHия pacшифpoBкa cmaHeT HeBoзMoжHoй Hи пpи kakux ycлoBuяx. Ecлu Bы He noлyчили oTBeTa no BышeykaзaHHoMy aдpecy B TeчeHиe 48 чacoB (и moлbкo B эToM cлyчae!), Bocnoлbзyйmecb фopMoй oбpamHoй cBязu. Эmo MoжHo cдeлaTb дByMя cnocoбaMи: 1) CкaчaйTe и ycmaHoBиme Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиme Enter. ЗaгpyзиTcя cmpaHицa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe nepeйдuTe no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 16EA9FA0CBAA3CB66D09|858|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\InitializeRepair.tiff	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Users\Admin\Pictures\DismountSubmit.tiff	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1256-56-0x0000000000400000-0x0000000000608000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	whatismyipaddress.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\4478421844784218.bmp"	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\13.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\settings.js	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\calendar.html	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\9.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked-loading.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\gadget.xml	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\26.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-dock.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoDev.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\gadget.xml	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\calendar.js	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_widescreen_Thumbnail.bmp	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\videowall.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\1.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\glow.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_SelectionSubpicture.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_ButtonGraphic.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_foggy.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.html	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_sun.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_ButtonGraphic.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent_partly-cloudy.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\settings.css	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_hover.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_orange.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-left.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_settings.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\timeZones.js	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\MoveCheckpoint.xla	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\RSSFeeds.js	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask.wmv	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1584	1400	WerFault.exe	12

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
792	vssadmin.exe
1248	vssadmin.exe
1100	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1584	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	520	vssvc.exe
Token: SeRestorePrivilege	520	vssvc.exe
Token: SeAuditPrivilege	520	vssvc.exe
Token: SeDebugPrivilege	1584	WerFault.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 792	1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe	28
PID 1256 wrote to memory of 792	1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe	28
PID 1256 wrote to memory of 792	1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe	28
PID 1256 wrote to memory of 792	1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe	28
PID 1256 wrote to memory of 1248	1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe	31
PID 1256 wrote to memory of 1248	1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe	31
PID 1256 wrote to memory of 1248	1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe	31
PID 1256 wrote to memory of 1248	1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe	31
PID 1256 wrote to memory of 1100	1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe	36
PID 1256 wrote to memory of 1100	1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe	36
PID 1256 wrote to memory of 1100	1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe	36
PID 1256 wrote to memory of 1100	1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe	36
PID 1256 wrote to memory of 896	1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe	38
PID 1256 wrote to memory of 896	1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe	38
PID 1256 wrote to memory of 896	1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe	38
PID 1256 wrote to memory of 896	1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe	38
PID 896 wrote to memory of 1648	896	cmd.exe	40
PID 896 wrote to memory of 1648	896	cmd.exe	40
PID 896 wrote to memory of 1648	896	cmd.exe	40
PID 896 wrote to memory of 1648	896	cmd.exe	40
PID 1256 wrote to memory of 1460	1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe	41
PID 1256 wrote to memory of 1460	1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe	41
PID 1256 wrote to memory of 1460	1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe	41
PID 1256 wrote to memory of 1460	1256	32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe	41
PID 1460 wrote to memory of 1900	1460	cmd.exe	43
PID 1460 wrote to memory of 1900	1460	cmd.exe	43
PID 1460 wrote to memory of 1900	1460	cmd.exe	43
PID 1460 wrote to memory of 1900	1460	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe
"C:\Users\Admin\AppData\Local\Temp\32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe List Shadows
  2⤵
  - Interacts with shadow copies
  PID:792
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1248
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe List Shadows
  2⤵
  - Interacts with shadow copies
  PID:1100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\SysWOW64\chcp.com
    chcp
    3⤵
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\chcp.com
    chcp
    3⤵
    PID:1900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1400 -s 592
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1256-54-0x0000000000880000-0x0000000000955000-memory.dmp

Filesize
852KB

Download
memory/1256-55-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1256-56-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1584-59-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download
memory/1584-60-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download