Analysis
Max time kernel: 261s
Max time network: 245s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 09/10/2021, 06:21
Static task: static1
Behavioral task: behavioral1
  Sample: SayLessRnm Window.exe
  Resource: win7v20210408
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: SayLessRnm Window.exe
  Resource: win10-en-20210920
  0 signatures, 0 seconds
General
Target: SayLessRnm Window.exe
Size: 557KB
MD5: 52c527df9e7554e940c3c45b4e9b3e30
SHA1: ae182f41baae6a5f3c05803933ba77578772233c
SHA256: a6339f9ef7c91bc792626ff3765a46809dcada083c93a7e63fd01b0e91c1bb90
SHA512: eabb6293309e5ac13a9530efe8f3f75d6fa1102a6fed2a1825022fff584836796fc6eab97b42fe88cb618c987907b2c3224cfa79bec8b8f332f72a0f9412752c
Score: 10/10
Malware Config
Extracted
Path: C:\Users\Admin\Desktop\SAYLESS-RANSOMWARE.saylessrsnm.txt
Ransom Note:
Your computer has been infected by SayLess-Ransomware.
All your data and files have been encrypted with a MILITARY-GRADE LEVEL ENCRYPTION. To unlock them,
send 500$ to the BTC adress below to get decryption key and restore your data...
Or else your files are lost!
DO NOT TURN OFF YOUR PC, IF YOU SO ALL YOUR FILES WILL BE CORRUPTED FOREVER.
Encryption Log:
====================================
C:\Users\Admin\Desktop\AssertOptimize.rtf
C:\Users\Admin\Desktop\CheckpointUnblock.mhtml
C:\Users\Admin\Desktop\ConfirmApprove.crw
C:\Users\Admin\Desktop\ConvertToPublish.xlsx
C:\Users\Admin\Desktop\DebugSkip.png
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Desktop\DisableExpand.midi
C:\Users\Admin\Desktop\DismountPing.htm
C:\Users\Admin\Desktop\ExportSave.midi
C:\Users\Admin\Desktop\FindMount.DVR-MS
C:\Users\Admin\Desktop\GrantImport.doc
C:\Users\Admin\Desktop\InstallCopy.bat
C:\Users\Admin\Desktop\InstallFind.scf
C:\Users\Admin\Desktop\MeasureSplit.ps1
C:\Users\Admin\Desktop\MoveHide.mp4
C:\Users\Admin\Desktop\OutEnter.mp4
C:\Users\Admin\Desktop\RedoTrace.edrwx
C:\Users\Admin\Desktop\RenameDisconnect.odp
C:\Users\Admin\Desktop\SkipAdd.png
C:\Users\Admin\Desktop\SplitProtect.pot
C:\Users\Admin\Desktop\StepPublish.MTS
C:\Users\Admin\Desktop\UndoAdd.eprtx
C:\Users\Admin\Desktop\UnregisterSwitch.rmi
C:\Users\Admin\Desktop\UnregisterUndo.pps
C:\Users\Admin\Pictures\AddGet.dwg
C:\Users\Admin\Pictures\BlockDisable.dxf
C:\Users\Admin\Pictures\CheckpointSelect.dxf
C:\Users\Admin\Pictures\CompressStart.eps
C:\Users\Admin\Pictures\ConnectEnable.dib
C:\Users\Admin\Pictures\ConvertExit.svg
C:\Users\Admin\Pictures\ConvertToOpen.dib
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\Pictures\DisconnectBlock.eps
C:\Users\Admin\Pictures\DismountNew.wmf
C:\Users\Admin\Pictures\EnterUninstall.tif
C:\Users\Admin\Pictures\ExportPop.eps
C:\Users\Admin\Pictures\HidePing.emf
C:\Users\Admin\Pictures\HideReset.ico
C:\Users\Admin\Pictures\MeasureDebug.tif
C:\Users\Admin\Pictures\OpenTrace.tif
C:\Users\Admin\Pictures\ProtectConfirm.png
C:\Users\Admin\Pictures\ProtectSync.bmp
C:\Users\Admin\Pictures\PublishCompare.dwg
C:\Users\Admin\Pictures\PushCheckpoint.ico
C:\Users\Admin\Pictures\RegisterReset.bmp
C:\Users\Admin\Pictures\ResolveEdit.emf
C:\Users\Admin\Pictures\SendHide.pcx
C:\Users\Admin\Pictures\StepConvertFrom.png
C:\Users\Admin\Pictures\SuspendClose.emz
C:\Users\Admin\Pictures\UnblockInvoke.tif
C:\Users\Admin\Pictures\UpdateConvertTo.jpg
C:\Users\Admin\Pictures\Wallpaper.jpg
C:\Users\Admin\Documents\Are.docx
C:\Users\Admin\Documents\BlockApprove.vsd
C:\Users\Admin\Documents\CompleteFind.wps
C:\Users\Admin\Documents\ConfirmExit.mpp
C:\Users\Admin\Documents\ConvertToDisconnect.wps
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Documents\DismountInitialize.ppt
C:\Users\Admin\Documents\ExitRegister.vsw
C:\Users\Admin\Documents\ExitSend.odt
C:\Users\Admin\Documents\ExitSuspend.xlt
C:\Users\Admin\Documents\Files.docx
C:\Users\Admin\Documents\GrantSend.vsw
C:\Users\Admin\Documents\LimitRegister.doc
C:\Users\Admin\Documents\MeasureSuspend.rtf
C:\Users\Admin\Documents\Opened.docx
C:\Users\Admin\Documents\Recently.docx
C:\Users\Admin\Documents\RegisterSplit.ppt
C:\Users\Admin\Documents\RevokeOptimize.pot
C:\Users\Admin\Documents\SendFormat.potm
C:\Users\Admin\Documents\SuspendDeny.ppsx
C:\Users\Admin\Documents\These.docx
C:\Users\Admin\Documents\UnlockWrite.ods
C:\Users\Admin\Documents\UnregisterExit.vsdx
C:\Users\Admin\Documents\UseResolve.pptx
C:\Users\Admin\Documents\WritePing.docx
Signatures
Modifies extensions of user files (6 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File created | C:\Users\Admin\Pictures\StepConvertFrom.png.saylessrsnm | SayLessRnm Window.exe
File created | C:\Users\Admin\Pictures\UnblockInvoke.tif.saylessrsnm | SayLessRnm Window.exe
File created | C:\Users\Admin\Pictures\EnterUninstall.tif.saylessrsnm | SayLessRnm Window.exe
File created | C:\Users\Admin\Pictures\MeasureDebug.tif.saylessrsnm | SayLessRnm Window.exe
File created | C:\Users\Admin\Pictures\OpenTrace.tif.saylessrsnm | SayLessRnm Window.exe
File created | C:\Users\Admin\Pictures\ProtectConfirm.png.saylessrsnm | SayLessRnm Window.exe
Drops desktop.ini file(s) (3 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | SayLessRnm Window.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | SayLessRnm Window.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | SayLessRnm Window.exe