atomsilo | d9f7bb98ad01c4775ec71ec66f5546de131735e6dba8122474cc6eb62320e47b

Analysis

max time kernel
146s
max time network
130s
platform
windows7_x64
resource
win7-en-20210920
submitted
04-10-2021 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ATOMSILO_2.exe
Size

328KB
MD5

04a8307259478245cbae49940b6d655a
SHA1

0f5259812be378bbd764cef94697019075990b4d
SHA256

d9f7bb98ad01c4775ec71ec66f5546de131735e6dba8122474cc6eb62320e47b
SHA512

a2277ba16e1749ea7528f38640b2e2ca6d3aeb3c86df0bc417df37416fa6bc9be3bc84889e73793f8cda965676c2b0976bab140be2246dce7ab4ea6451d2e0f3

Score

10^/10

atomsilo ransomware

Malware Config

Extracted

Path

C:\Users\Public\ATOMSILO-README.hta

Family

atomsilo

Ransom Note

Atom Slio Instructions WARNING! YOUR FILES ARE ENCRYPTED AND LEAKED! We are AtomSilo.Sorry to inform you that your files has been obtained and encrypted by us. But don’t worry, your files are safe, provided that you are willing to pay the ransom. Any forced shutdown or attempts to restore your files with the thrid-party software will be damage your files permanently! The only way to decrypt your files safely is to buy the special decryption software from us. The price of decryption software is 1000000 dollars . If you pay within 48 hours, you only need to pay 500000 dollars . No price reduction is accepted. We only accept Bitcoin payment,you can buy it from bitpay,coinbase,binance or others. You have five days to decide whether to pay or not. After a week, we will no longer provide decryption tools and publish your files Time starts at 0:00 on September 11 Survival time： You can contact us with the following email: Email:[email protected] If this email can't be contacted, you can find the latest email address on the following website: http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion If you don’t know how to open this dark web site, please follow the steps below to installation and use TorBrowser: run your Internet browser enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER wait for the site loading on the site you will be offered to download TorBrowser; download and run it, follow the installation instructions, wait until the installation is completed run TorBrowser connect with the button "Connect" (if you use the English version) a normal Internet browser window will be opened after the initialization type or copy the address in this browser address bar and press ENTER the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or use of TorBrowser, please, visit https://www.youtube.com and type request in the search bar "Install TorBrowser Windows" and you will find a lot of training videos about TorBrowser installation and use. Additional information: You will find the instructions ("README-FILE-#COMPUTER#-#TIME#.hta") for restoring your files in any folder with your encrypted files. The instructions "README-FILE-#COMPUTER#-#TIME#.hta" in the folders with your encrypted files are not viruses! The instructions "README-FILE-#COMPUTER#-#TIME#.hta" will help you to decrypt your files. Remember! The worst situation already happened and now the future of your files depends on your determination and speed of your actions.

Emails

Email:[email protected]

URLs

http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion

Signatures

AtomSilo
Ransomware family first seen in September 2021.
ransomware atomsilo

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ProtectConfirm.png => \??\c:\Users\Admin\Pictures\ProtectConfirm.png.ATOMSILO	ATOMSILO_2.exe
File renamed	C:\Users\Admin\Pictures\RegisterUninstall.png => \??\c:\Users\Admin\Pictures\RegisterUninstall.png.ATOMSILO	ATOMSILO_2.exe
File opened for modification	\??\c:\Users\Admin\Pictures\RenameRestart.tiff	ATOMSILO_2.exe
File renamed	C:\Users\Admin\Pictures\RenameRestart.tiff => \??\c:\Users\Admin\Pictures\RenameRestart.tiff.ATOMSILO	ATOMSILO_2.exe
File renamed	C:\Users\Admin\Pictures\RenameStep.png => \??\c:\Users\Admin\Pictures\RenameStep.png.ATOMSILO	ATOMSILO_2.exe
File renamed	C:\Users\Admin\Pictures\StopInvoke.png => \??\c:\Users\Admin\Pictures\StopInvoke.png.ATOMSILO	ATOMSILO_2.exe
File renamed	C:\Users\Admin\Pictures\CompleteResolve.crw => \??\c:\Users\Admin\Pictures\CompleteResolve.crw.ATOMSILO	ATOMSILO_2.exe

Deletes itself 1 IoCs

pid	Process
748	cmd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\README-FILE-JZCKHXIN-1633366318.hta	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-templates.xml	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider.png	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Trek.xml	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\clock.css	ATOMSILO_2.exe
File created	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\README-FILE-JZCKHXIN-1633366318.hta	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21328_.GIF	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIcon.jpg	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_snow.png	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_few-showers.png	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\America\Kentucky\Monticello	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR36F.GIF	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImage.jpg	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Pacific\Noumea	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\settings.js	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107446.WMF	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\SUMIPNTG.INF	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_right_over.gif	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\icon.png	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\vlc.mo	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\localizedStrings.js	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105414.WMF	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Issues.accdt	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Etc\GMT-14	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\lua\http\requests\status.json	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-left.png	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00211_.WMF	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zCon.sfx	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301052.WMF	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01357_.WMF	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00720_.WMF	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\SPACER.GIF	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\MEDIA\BREEZE.WAV	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightItalic.ttf	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\New_York	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticnotification.exsd	ATOMSILO_2.exe
File created	\??\c:\Program Files\Windows Defender\en-US\README-FILE-JZCKHXIN-1633366318.hta	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18242_.WMF	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00538_.WMF	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03012U.BMP	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL097.XML	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153313.WMF	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02793_.WMF	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Madeira	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar	ATOMSILO_2.exe
File created	\??\c:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\README-FILE-JZCKHXIN-1633366318.hta	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\menu_arrow.gif	ATOMSILO_2.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\README-FILE-JZCKHXIN-1633366318.hta	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239951.WMF	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\FUNCRES.XLAM	ATOMSILO_2.exe
File created	\??\c:\Program Files\7-Zip\Lang\README-FILE-JZCKHXIN-1633366318.hta	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Australia\Adelaide	ATOMSILO_2.exe
File created	\??\c:\Program Files\Windows Photo Viewer\fr-FR\README-FILE-JZCKHXIN-1633366318.hta	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down.png	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\en.ttt	ATOMSILO_2.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
844	PING.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 552	2004	ATOMSILO_2.exe	29
PID 2004 wrote to memory of 552	2004	ATOMSILO_2.exe	29
PID 2004 wrote to memory of 552	2004	ATOMSILO_2.exe	29
PID 2004 wrote to memory of 812	2004	ATOMSILO_2.exe	30
PID 2004 wrote to memory of 812	2004	ATOMSILO_2.exe	30
PID 2004 wrote to memory of 812	2004	ATOMSILO_2.exe	30
PID 2004 wrote to memory of 684	2004	ATOMSILO_2.exe	31
PID 2004 wrote to memory of 684	2004	ATOMSILO_2.exe	31
PID 2004 wrote to memory of 684	2004	ATOMSILO_2.exe	31
PID 2004 wrote to memory of 588	2004	ATOMSILO_2.exe	32
PID 2004 wrote to memory of 588	2004	ATOMSILO_2.exe	32
PID 2004 wrote to memory of 588	2004	ATOMSILO_2.exe	32
PID 2004 wrote to memory of 1652	2004	ATOMSILO_2.exe	33
PID 2004 wrote to memory of 1652	2004	ATOMSILO_2.exe	33
PID 2004 wrote to memory of 1652	2004	ATOMSILO_2.exe	33
PID 2004 wrote to memory of 1436	2004	ATOMSILO_2.exe	34
PID 2004 wrote to memory of 1436	2004	ATOMSILO_2.exe	34
PID 2004 wrote to memory of 1436	2004	ATOMSILO_2.exe	34
PID 2004 wrote to memory of 1076	2004	ATOMSILO_2.exe	35
PID 2004 wrote to memory of 1076	2004	ATOMSILO_2.exe	35
PID 2004 wrote to memory of 1076	2004	ATOMSILO_2.exe	35
PID 2004 wrote to memory of 616	2004	ATOMSILO_2.exe	36
PID 2004 wrote to memory of 616	2004	ATOMSILO_2.exe	36
PID 2004 wrote to memory of 616	2004	ATOMSILO_2.exe	36
PID 2004 wrote to memory of 540	2004	ATOMSILO_2.exe	37
PID 2004 wrote to memory of 540	2004	ATOMSILO_2.exe	37
PID 2004 wrote to memory of 540	2004	ATOMSILO_2.exe	37
PID 2004 wrote to memory of 752	2004	ATOMSILO_2.exe	38
PID 2004 wrote to memory of 752	2004	ATOMSILO_2.exe	38
PID 2004 wrote to memory of 752	2004	ATOMSILO_2.exe	38
PID 2004 wrote to memory of 748	2004	ATOMSILO_2.exe	39
PID 2004 wrote to memory of 748	2004	ATOMSILO_2.exe	39
PID 2004 wrote to memory of 748	2004	ATOMSILO_2.exe	39
PID 748 wrote to memory of 844	748	cmd.exe	41
PID 748 wrote to memory of 844	748	cmd.exe	41
PID 748 wrote to memory of 844	748	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\ATOMSILO_2.exe
"C:\Users\Admin\AppData\Local\Temp\ATOMSILO_2.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\ATOMSILO-README.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:552
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\ATOMSILO-README.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:812
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\ATOMSILO-README.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:684
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\ATOMSILO-README.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:588
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\ATOMSILO-README.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:1652
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\ATOMSILO-README.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:1436
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\ATOMSILO-README.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:1076
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\ATOMSILO-README.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:616
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\ATOMSILO-README.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:540
- C:\Windows\system32\mshta.exe
  mshta "C:\Users\Public\ATOMSILO-README.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:752
- C:\Windows\system32\cmd.exe
  cmd /c ping 127.0.0.1 -n 6 && del "C:\Users\Admin\AppData\Local\Temp\ATOMSILO_2.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 6
    3⤵
    - Runs ping.exe
    PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1436-64-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp

Filesize
8KB

Download