Analysis

  • max time kernel: 146s
  • max time network: 130s
  • platform: windows7_x64
  • resource: win7-en-20210920
  • submitted: 04-10-2021 16:51

General

  • Target

    ATOMSILO_2.exe

  • Size

    328KB

  • MD5

    04a8307259478245cbae49940b6d655a

  • SHA1

    0f5259812be378bbd764cef94697019075990b4d

  • SHA256

    d9f7bb98ad01c4775ec71ec66f5546de131735e6dba8122474cc6eb62320e47b

  • SHA512

    a2277ba16e1749ea7528f38640b2e2ca6d3aeb3c86df0bc417df37416fa6bc9be3bc84889e73793f8cda965676c2b0976bab140be2246dce7ab4ea6451d2e0f3

Score
10/10

Malware Config

Extracted

Path

C:\Users\Public\ATOMSILO-README.hta

Family

atomsilo

Ransom Note
Atom Slio Instructions WARNING! YOUR FILES ARE ENCRYPTED AND LEAKED! We are AtomSilo.Sorry to inform you that your files has been obtained and encrypted by us. But don’t worry, your files are safe, provided that you are willing to pay the ransom. Any forced shutdown or attempts to restore your files with the thrid-party software will be damage your files permanently! The only way to decrypt your files safely is to buy the special decryption software from us. The price of decryption software is 1000000 dollars . If you pay within 48 hours, you only need to pay 500000 dollars . No price reduction is accepted. We only accept Bitcoin payment,you can buy it from bitpay,coinbase,binance or others. You have five days to decide whether to pay or not. After a week, we will no longer provide decryption tools and publish your files Time starts at 0:00 on September 11 Survival time: You can contact us with the following email: Email:[email protected] If this email can't be contacted, you can find the latest email address on the following website: http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion If you don’t know how to open this dark web site, please follow the steps below to installation and use TorBrowser: run your Internet browser enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER wait for the site loading on the site you will be offered to download TorBrowser; download and run it, follow the installation instructions, wait until the installation is completed run TorBrowser connect with the button "Connect" (if you use the English version) a normal Internet browser window will be opened after the initialization type or copy the address in this browser address bar and press ENTER the site should be loaded; if for some reason the site is not loading wait for a moment and try again. 
If you have any problems during installation or use of TorBrowser, please, visit https://www.youtube.com and type request in the search bar "Install TorBrowser Windows" and you will find a lot of training videos about TorBrowser installation and use. Additional information: You will find the instructions ("README-FILE-#COMPUTER#-#TIME#.hta") for restoring your files in any folder with your encrypted files. The instructions "README-FILE-#COMPUTER#-#TIME#.hta" in the folders with your encrypted files are not viruses! The instructions "README-FILE-#COMPUTER#-#TIME#.hta" will help you to decrypt your files. Remember! The worst situation already happened and now the future of your files depends on your determination and speed of your actions.
Emails
URLs

http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion

Signatures

  • AtomSilo

    Ransomware family first seen in September 2021.

  • Modifies extensions of user files (7 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself (1 IoC)
  • Drops file in Program Files directory (64 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 10 IoCs)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious use of WriteProcessMemory (36 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ATOMSILO_2.exe
    "C:\Users\Admin\AppData\Local\Temp\ATOMSILO_2.exe"
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\system32\mshta.exe
      mshta "C:\Users\Public\ATOMSILO-README.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:552
    • C:\Windows\system32\mshta.exe
      mshta "C:\Users\Public\ATOMSILO-README.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:812
    • C:\Windows\system32\mshta.exe
      mshta "C:\Users\Public\ATOMSILO-README.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:684
    • C:\Windows\system32\mshta.exe
      mshta "C:\Users\Public\ATOMSILO-README.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:588
    • C:\Windows\system32\mshta.exe
      mshta "C:\Users\Public\ATOMSILO-README.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:1652
    • C:\Windows\system32\mshta.exe
      mshta "C:\Users\Public\ATOMSILO-README.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:1436
    • C:\Windows\system32\mshta.exe
      mshta "C:\Users\Public\ATOMSILO-README.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:1076
    • C:\Windows\system32\mshta.exe
      mshta "C:\Users\Public\ATOMSILO-README.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:616
    • C:\Windows\system32\mshta.exe
      mshta "C:\Users\Public\ATOMSILO-README.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:540
    • C:\Windows\system32\mshta.exe
      mshta "C:\Users\Public\ATOMSILO-README.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:752
    • C:\Windows\system32\cmd.exe
      cmd /c ping 127.0.0.1 -n 6 && del "C:\Users\Admin\AppData\Local\Temp\ATOMSILO_2.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:748
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 6
        3⤵
        • Runs ping.exe
        PID:844

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Public\ATOMSILO-README.hta

    MD5

    491ea317fb6c8b6480e466c7f9609882

    SHA1

    174a6b3a5746f0e9c4147c84f9f4886a81c00596

    SHA256

    62895cbddaa94033f325b454d177aa0d1db3c0e33d6042fcf26bde1f7886f4f6

    SHA512

    6a7146b513e3872d273f2fcc3114c6f1951b1fd0472735614ad1e77b5fdbebebb89d5127f1db9c5cdbb7340092f33a11bd8a1d67fe31ce22c835194667cfe4f1

  • memory/540-61-0x0000000000000000-mapping.dmp

  • memory/552-53-0x0000000000000000-mapping.dmp

  • memory/588-56-0x0000000000000000-mapping.dmp

  • memory/616-60-0x0000000000000000-mapping.dmp

  • memory/684-55-0x0000000000000000-mapping.dmp

  • memory/748-63-0x0000000000000000-mapping.dmp

  • memory/752-62-0x0000000000000000-mapping.dmp

  • memory/812-54-0x0000000000000000-mapping.dmp

  • memory/844-67-0x0000000000000000-mapping.dmp

  • memory/1076-59-0x0000000000000000-mapping.dmp

  • memory/1436-58-0x0000000000000000-mapping.dmp

  • memory/1436-64-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp

    Filesize

    8KB

  • memory/1652-57-0x0000000000000000-mapping.dmp