Analysis
-
max time kernel
122s -
max time network
122s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
19-10-2021 05:55
General
-
Target
5fa490668a9963e97d956f9a3b0c746b1d16eee9a73dfba875c9a3dc0e2c0d1b.exe
-
Size
938KB
-
MD5
17b447b971a4977b2bfb2c28659aa1dd
-
SHA1
4af0fc90413fffcb4f73839adcae91ccdcc7c4f0
-
SHA256
5fa490668a9963e97d956f9a3b0c746b1d16eee9a73dfba875c9a3dc0e2c0d1b
-
SHA512
a92fdc07cbf295bbf90174820a1a24b7909bd55845acd6f01ca36a2540aed822f6a9fca8d5d78052917b55355c65ad2a80cde03f285493277162691f51c39949
Score
10/10
Malware Config
Extracted
Path
C:\Users\Public\index.html
Ransom Note
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Atom Slio: Instructions</title>
<HTA:APPLICATION APPLICATIONNAME="Atom Slio" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize">
<style type="text/css">
.text{
text-align:center;
}
a {
color: #04a;
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
body {
background-color: #e7e7e7;
color: #222;
font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif;
font-size: 13pt;
line-height: 19pt;
}
body, h1 {
margin: 0;
padding: 0;
}
hr {
color: #bda;
height: 2pt;
margin: 1.5%;
}
h1 {
color: #555;
font-size: 14pt;
}
ol {
padding-left: 2.5%;
}
ol li {
padding-bottom: 13pt;
}
small {
color: #555;
font-size: 11pt;
}
.button:hover {
text-decoration: underline;
}
.container {
background-color: #fff;
border: 2pt solid #c7c7c7;
margin: 5%;
min-width: 850px;
padding: 2.5%;
}
.header {
border-bottom: 2pt solid #c7c7c7;
margin-bottom: 2.5%;
padding-bottom: 2.5%;
}
.hr {
background: #bda;
display: block;
height: 2pt;
margin-top: 1.5%;
margin-bottom: 1.5%;
overflow: hidden;
width: 100%;
}
.info {
background-color: #f3f3fc;
border: 2pt solid #bda;
display: inline-block;
padding: 1%;
text-align: center;
box-sizing:border-box;
border-radius:20px;
}
.h {
display: none;
}
.ml1{
position:absolute;width:50%;height:10rem;left:-211px;top:0;background:#f3f3fc;border:1px solid #cfd3da;box-sizing:border-box;padding:2% 2%
}
</style>
</head>
<body>
<div class="container">
<div class="header">
<h1>Atom Slio</h1>
<small id="title">Instructions</small>
</div>
<div class="text">
<span style="color:#f71b3a;font-size:40px">WARNING! YOUR FILES ARE ENCRYPTED AND LEAKED!</span>
</div>
<hr>
<div class="info">
<p>We are AtomSilo.Sorry to inform you that your files has been obtained and encrypted by us.</p>
<p>But don’t worry, your files are safe, provided that you are willing to pay the ransom.</p>
<p>Any forced shutdown or attempts to restore your files with the thrid-party software will be <span style="color:#f71b3a">damage your files permanently!</span></p>
<p>The only way to decrypt your files safely is to buy the special decryption software from us. </p>
<p>The price of decryption software is <span style="color:#f71b3a">200000 dollars</span>. <br>If you pay within 48 hours, you only need to pay <span style="color:#f71b3a">50% off dollars</span>. No price reduction is accepted.</p>
<p>We only accept Bitcoin payment,you can buy it from bitpay,coinbase,binance or others. </p>
<p>You have five days to decide whether to pay or not. After a week, we will no longer provide decryption tools and publish your files</p>
</div>
<hr></hr>
<div align="center">
<span style="color:#f71b3a;font-size:200%">Time starts at 0:00 on September 28</span>
<hr></hr>
<span style="color:#f71b3a;font-size:300%">
<a>Survival time:</a>
<span id="td"></span>
<span id="th"></span>
<span id="tm"></span>
<span id="ts"></span>
</span>
</div>
<script type="text/javascript">
function getRTime(){
var EndTime= new Date('2021/09/28 00:00:00');
var NowTime = new Date();
var t =EndTime.getTime() - NowTime.getTime();
var d=Math.floor(t/1000/60/60/24);
var h=Math.floor(t/1000/60/60%24);
var m=Math.floor(t/1000/60%60);
var s=Math.floor(t/1000%60);
document.getElementById("td").innerHTML = d + " Day ";
document.getElementById("th").innerHTML = h + " Hour ";
document.getElementById("tm").innerHTML = m + " Min ";
document.getElementById("ts").innerHTML = s + " Sec ";
}
setInterval(getRTime,1000);
</script>
<hr></hr>
<p>You can contact us with the following email:
<p><a href="mailto:[email protected]"><span class="info">Email:[email protected] </span></a></p>
<p>If this email can't be contacted, you can find the latest email address on the following website:</p>
<p><span class="info"><a href="http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion" target="_blank">http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion</a></span></p>
<hr>
<p>If you don’t know how to open this dark web site, please follow the steps below to installation and use TorBrowser:</p>
<ol>
<li>run your Internet browser</li>
<li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER</li>
<li>wait for the site loading</li>
<li>on the site you will be offered to download TorBrowser; download and run it, follow the installation instructions, wait until the installation is completed</li>
<li>run TorBrowser</li>
<li>connect with the button "Connect" (if you use the English version)</li>
<li>a normal Internet browser window will be opened after the initialization</li>
<li>type or copy the address in this browser address bar and press ENTER</li>
<li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li>
</ol>
<p>If you have any problems during installation or use of TorBrowser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the search bar "Install TorBrowser Windows" and you will find a lot of training videos about TorBrowser installation and use.</p>
<hr>
<p><strong>Additional information:</strong></p>
<p>You will find the instructions ("README-FILE-#COMPUTER#-#TIME#.hta") for restoring your files in any folder with your encrypted files.</p>
<p>The instructions "README-FILE-#COMPUTER#-#TIME#.hta" in the folders with your encrypted files are not viruses! The instructions "README-FILE-#COMPUTER#-#TIME#.hta" will help you to decrypt your files.</p>
<p>Remember! The worst situation already happened and now the future of your files depends on your determination and speed of your actions.</p>
</div>
<span class="h">AESKEY</span>
</body>
</html>a:<asf>HIMXppFAbHFGj+AlY9Fx7pNrLuPbWjSZWEl/CbLmKvN3sVE7dwM2NtLcAUuityXG3WK27ATRiqP2Zv46DAUWq3CUKAvBNRLpzSaZLbA0IPzw3wHwu/oAV1l4sNISg7JjFlrcV+f7W/SZ20aKiNcuPmIGEg+sWalBAGpcSr2jhWRnHTiHDqXMlgfSXQXfDlnGeYA+d6obvevbWTnkGn1hZCwqOlqIW0MDBAu/GtOMAF0AVwtj2CAI1MtwHfZwrk8Dia0bBVZ4cfQ5B57BX2UyKRgRJ9VPkvgRYnDLWkQDnWwABxY74Q7z1RTiI5yDhZqnIcpRMrv6ikQcrYz2pItFUbhmv2RlsdR/+Qzc1qW+DrdtfMbLPtqiJevrdHhlEh2bdQHr2NujG+oXgoucUewtFChdrFIjZXckiRTPpQMPqnDVDo1ECNiQ4azjhWD4Jxoi3vlzFwN78z9IEX3ht7y+oTuE680c+jPOOJbShZUfM0SKPwOW9rWPeQkoK1p1idIHQWHu6yMIe6e79SVhBhpxjTclV8/oW/IIkviZlmrZnrXWGgJKQPOiJptzWCrHtv2oE6jvfBswCtJd/S24dKj2qNmLNmVS8V7ZWdhqY0Q6L+O9IJbkoHZPtgeeHsZqq9g5vd+OEZceQ35JqTmnOvZ0GT9VsqXkJAJFOBgovD55dXsMfQgVb6tS5GkDR6+KP02BC4ZjSIJMOgDV4uByF01jThceuQYcrugNgZrCIp4oURDgLtNFFLTvA8u5rI2A26PbO847x4JTPP+hTI/Ar/UBVU/qoda/Gqvv5gpKhohXZ2BJjW3FaAToCzmTrEBVeGIuxjBbMzzsoR26xUeQHGsGQ3EAgA/PG0mUDyf5IYG7iJ6JyBvevzDI49pGL43r/9vY/tEW4VTEnY6PyUG5IjA5ueP6kUAyytJ80X5lj1RPpCGXNGhwJ2I7YXTuRJJz1sJuqvT80QnDl8b79wFzN48nrRDPDn92wD0JhfIC38dMYteGmrXQl+9r5b8bhaCCEXhXv4Uh7S5dh3kDzAkgmoQ7eYxbtCKfCDH0wVlHhgRbefcYco9VS1eAphwTO7pDMcKDuW6wgwPZ8QxGwhExvoGwghMseD9IGr76cxKpHnDGeaPZoir5Z2shgS9BKeMw/5v+skKkcGQCqskjRneJuQ2hFuDKE3b0hKRO8zlrqFHbyoCKRNF7S/GQ7Rr7emhM9ZUynb61rXJlqjBI/xrilmXPPmXurrauwAlQCSiSs6dRYSRGixxpv6/4rQ188buDNEoL2h9Ppr2lTDb5ZXkiLVXk02EHsFL94531DJ7LMILh2fv9w8DbWTiX9jAePtfPrWiA8oaiyK0bTm6i69jfqkzvOobvTQLOo4gsW2MK/6OHZuul/iV4Anwc+kdzfJIH0t2x04f4Cv08BDihh2FAZm4vSk3jLFLwCthV94fhDr7HqgeiFofXGSASoCHuc+ydOhacpZF/EiibRIxiGOeTumOGQv3ezE4LTEMUAfp6feGOFdPGS9OZrxfWubwFZJtUYyWh8zVksEafKhXaaPHaiA0vk3WR3vljBkp+pL6vw6CnkGlxbqDgygB9boHZIaLcKb//Zm30Iioxf/eTiFeC6r0NnAdO/nF6+KeG7qs/f1BMQkaPamZxLAgXiDQzzr4DCu2oZq2ObT8Gv8CzQmAOriiOxzrt7wxRbgiu8gf0H3Br6iMUgqdDKqfIo3Viujonspqq0NiV9FXJhUNRqvtFzOb0GBi2Xy6jjREx0qwwHEJVWDDavebBEFHkRTzXzEZNJiaURJgWkwEP1GQ/F43uFpnc4JYYSFzqKynLVYa0nGIlMqaZGIPyUw3zkayI6rr+uLXfMtvtOoOhEyxZNhnot+uwsD297dJGf0ckafcENXbuIAodnAjQ3HdHS47J4UEO6TFlwsbm/5XOQUJpFVjlOjt8daRahF19GdtckdtpvwIP4xcSNeTIjl9fjgW9/U5McxoRF8g34AqxN+CQVqZQiLvM/LPd3d16iD/R3K73x9O+2DQ+yXR1hiRhK0qVE9f8PBA2rF9/PvubkmBwmYiFL2A7NeJ0rAU9ixBWgyeuv1nUSyKYE1Hys9Tlc+HohD5pRfoptcIuECW7jKC+Ta6KnN5yJXbVHAWd+6HYG79FcTnGBi4N4JmvUehcEMwmvbBn7BxP8rJsnKMuAx5UgVjQNXHxotfo3Dz/hnLlRYnp8LAcEYeFLUAVMtLRZd0vpF3Qr0LaHrPsmqNAs5XRwW3XT2iMIycLBh6gZvQZkXLihKJ8LgxozWGrUJADRvihxDJolptKt3cq9pHVRkuXcoGoD9tWN04t8/X3jpkqL4gPQF26SEtS9lLT6N+oCM2v/+zQcNXXl5CWsyMqe5OGlh7B5I1VEC5yrtShuQ8rMfqdX5WWb9U27cDDTrbfRlJP5M8f/BO3B0GQCuqFbQG7vHRW0eJojtd+pdiL5+Ph4PR3hABxqdJq3Id6aOIfMvZKTQI7re31wwGenUve1V31ZQqB9eDNBr4CmIKJn04UYPLJiQp2GOIKIqhaAWUwjobmIntD0oRNl11IgvVF8GCSvWejFqLKDOBD+ZOVmuR0n3uB/c1jlIgebQZ8b1U0Yd+FOVSxxbqSIv9DNRTFfMCPDQiqr1VKd53zVVnBX9klXrwdb92Rzvue75DJu6asuYzYANflbvRLvW6kHt+myHqbHQ4+R9SuCP2D1EM9SWkVXPHKHBRQ38uCmQCywQ+ADu6yn9a694++AFRLV8rl8WeEQkYm1LjZaU2KEaaLtntg6q6/9X0ubbtL8hr+txwqV2xxKbfXCsFYAaWrx7mkZJlUqwpO7AHpfelv2INsx5wgGfD/4yz4hR14JXUM/V3zqJV+diY2tRbVI5cjpbwh6VAn+MQK9w/3l0X0MopVR72dNRj83YVb9kzUqomyQUpoXIBG1aZLNl3ZTVN5FOGGTcL+CbUGCT5B2zBybFAz0TNyj3mknKhPlo29JUmRP6f92jyAEQtXAXAVxTjZamnNytMg62iQE6urmVRLmHG6Abh+D/DkhM3G+5E2PelQXCzTRudQMJQz+H/HpzrP40hga5qzDfua9iXPF9Zs1s4GoFoYAm+p6O0RRbTvXZPxOeofgziBdUD+pZ4nfs3BOuJKhA5Arr5HzuzOxFi8cOS43JlD3ilXp7kEfFKVXMjvth+ufokVPLH2fTPS4/zRZaLWpRvq6ggILk9h4R04FaY28MZNh+ANlGZExPUrNWXzekmL+/SNMYwB4NnvXjAE+gDX46z6Eg2EbaD3iTKvzl6a2t0zQyb/xQyjiAwrPGpHXoxkk0MbWi34Q3QYE99Q8+LSA7QUC8M7tyoC5p6IWxdWgLUnu8wSYQLPfsuXHsuBNgAWzmFerKGgEen/J3zi1w7KVRBLRF5x59yKHEM96iNyhoPNDtRlNvvZsuC+WGHCZ9k+R7YDrFllHtZoEd3V+jGUebTyQqnVrZCiCfcUk7eEC0SxzJsGkCxb4GKKqB/MvueEB9wKvv/f8pQ9xoxFYUO8rz2Qt8Z0GXM7SEbivZtgUA8nBlO0cCneUi9z11e6C4ynYQHLuyWVgQPZQVZADvO6OxNTxJVD4ZsCAd/kD+xdmyIAj9BSn7j4xvXbdzEy3W4Y3CkgzmGYfhrpmFX5EWu09t7PPVOeOea8PKTEb/SmbTtoDleaq0ufQS0umlOrcyZ7yFG1T2h96ePcUMLFwLS8h27mqBUvfmvnFgn2hPFiSgRvGfX5d6gWvm614JqY5IGArvFgzMvVIWuuRQW9QmTE4guwxZbAfM8Cs4W1zCvzzbHxOr1abhM0ImbQzKkWBL67Kq5rtoe+VwYQAsG2N4BnqHSSFEARqMe9KIka32UG8pSXJSSzJVSzevYQgMqT6cyCHvqt4GFhpjpn52JL5kL7LDQ6YnldSkQJEFjvioWVuNCMgPQRmAUU1+HDkE8z3umlynVD9wl3dSvM5wvOE9XGMUQvKq1YiGJ4GeNN/IYg4PmOJl3iFw/W7B/DPQ6DGwhAX9zkZ0Qz9wDefP01UbiP1h8q8lhvj9pJeVNxIj+9s5Jen6omyNWaKw3YqbPNSguyQzgFIdH7zrnI</asf><csf>3</csf><pub>MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAiyDd7rXciHiqopdziwn7xUpRzMFP3JPUAbnDJzaUdeXvfN6vvmOCQ8CBqH8IAGujTlIWbCTHBnq4JnJoIX5bpCQmBEJhLSMPl6UpK9uVSEnx9eY0mlf+L9nZ5SNh1pK/MCvxMRdCC2iMzIJxmSUY19QMJf3bIvT+L5jXjf+2f9QLJGb01pOkIj+OmyrnOfldu/bRLN80sGIIZYZ4QE9hBPTjMrr5sFPoUQyowamvQSVcDlYi0tD0pp3ZajQOPbF6rcNh9H9YE+TxIX6sdxP3rDd8E58jq7+GKHuCdi3UxOxeyJ02SIuFjTXP4060lPz1XJB1FpBbXWQCGTIpgraFPg8QkT/PyA47OJ4yJt5OYdSWmfD+2zzwuLi8K0BjgVHTFkCHJT+Wa/pc3pTP4xjBwX/6CokuVvIGVlVZg7O7IT4Z8yUkN4ThXQ+Cwjd4YJx/LPIn/u7UTH3SxuYAu/hrrBAfHAlWBIzJiXhEdHFtpP6ohi2b25nS+/fajOQUs8YPkOsXI3yuNxrESThGQf6qwInv++zVDE0oG+p1vwmNebCnJGcMY7rKDwd9wboCpsw6Zo2467q53MWFS4E38xxXVCkprr/rIK3KynLHSsBewfnT7tkgdt/EfJpZJ9wRqBgJJRWivdJCs69dJ/eY+88aLRb6Jvb4c1CGl1o/U17zhL0CARE=</pub><bsf>JQKTJDNJ</bsf></span></body></html>
Emails
href="mailto:[email protected]"><span
class="info">Email:[email protected]
Extracted
Path
C:\Users\Public\ATOMSILO-README.hta
Family
atomsilo
Ransom Note
Atom Slio
Instructions
WARNING! YOUR FILES ARE ENCRYPTED AND LEAKED!
We are AtomSilo.Sorry to inform you that your files has been obtained and encrypted by us.
But don’t worry, your files are safe, provided that you are willing to pay the ransom.
Any forced shutdown or attempts to restore your files with the thrid-party software will be damage your files permanently!
The only way to decrypt your files safely is to buy the special decryption software from us.
The price of decryption software is 200000 dollars .
If you pay within 48 hours, you only need to pay 50% off dollars . No price reduction is accepted.
We only accept Bitcoin payment,you can buy it from bitpay,coinbase,binance or others.
You have five days to decide whether to pay or not. After a week, we will no longer provide decryption tools and publish your files
Time starts at 0:00 on September 28 Survival time:
You can contact us with the following email: Email:[email protected]
If this email can't be contacted, you can find the latest email address on the following website:
http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion
If you don’t know how to open this dark web site, please follow the steps below to installation and use TorBrowser:
run your Internet browser
enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER
wait for the site loading
on the site you will be offered to download TorBrowser; download and run it, follow the installation instructions, wait until the installation is completed
run TorBrowser
connect with the button "Connect" (if you use the English version)
a normal Internet browser window will be opened after the initialization
type or copy the address in this browser address bar and press ENTER
the site should be loaded; if for some reason the site is not loading wait for a moment and try again.
If you have any problems during installation or use of TorBrowser, please, visit https://www.youtube.com and type request in the search bar "Install TorBrowser Windows" and you will find a lot of training videos about TorBrowser installation and use.
Additional information:
You will find the instructions ("README-FILE-#COMPUTER#-#TIME#.hta") for restoring your files in any folder with your encrypted files.
The instructions "README-FILE-#COMPUTER#-#TIME#.hta" in the folders with your encrypted files are not viruses! The instructions "README-FILE-#COMPUTER#-#TIME#.hta" will help you to decrypt your files.
Remember! The worst situation already happened and now the future of your files depends on your determination and speed of your actions.
AESKEY
Emails
Email:[email protected]
URLs
http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion
Signatures
-
AtomSilo
Ransomware family first seen in September 2021.
-
Modifies extensions of user files 14 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5fa490668a9963e97d956f9a3b0c746b1d16eee9a73dfba875c9a3dc0e2c0d1b.exe"C:\Users\Admin\AppData\Local\Temp\5fa490668a9963e97d956f9a3b0c746b1d16eee9a73dfba875c9a3dc0e2c0d1b.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\mshta.exemshta "C:\Users\Public\ATOMSILO-README.hta"2⤵
-
-
C:\Windows\SYSTEM32\mshta.exemshta "C:\Users\Public\ATOMSILO-README.hta"2⤵
-
-
C:\Windows\SYSTEM32\mshta.exemshta "C:\Users\Public\ATOMSILO-README.hta"2⤵
-
-
C:\Windows\SYSTEM32\mshta.exemshta "C:\Users\Public\ATOMSILO-README.hta"2⤵
-
-
C:\Windows\SYSTEM32\mshta.exemshta "C:\Users\Public\ATOMSILO-README.hta"2⤵
-
-
C:\Windows\SYSTEM32\mshta.exemshta "C:\Users\Public\ATOMSILO-README.hta"2⤵
-
-
C:\Windows\SYSTEM32\mshta.exemshta "C:\Users\Public\ATOMSILO-README.hta"2⤵
-
-
C:\Windows\SYSTEM32\mshta.exemshta "C:\Users\Public\ATOMSILO-README.hta"2⤵
-
-
C:\Windows\SYSTEM32\mshta.exemshta "C:\Users\Public\ATOMSILO-README.hta"2⤵
-
-
C:\Windows\SYSTEM32\mshta.exemshta "C:\Users\Public\ATOMSILO-README.hta"2⤵
-
-
C:\Windows\SYSTEM32\cmd.execmd /c ping 127.0.0.1 -n 6 && del "C:\Users\Admin\AppData\Local\Temp\5fa490668a9963e97d956f9a3b0c746b1d16eee9a73dfba875c9a3dc0e2c0d1b.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 63⤵
- Runs ping.exe
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
aa93d342bd0f81cc147de7a280e022b2
SHA1d6d2ae4def8fa1414faba0cdbc031b5919bb43f9
SHA256a87a80d452899f4c98aee55cefcce897faca567e8e9763ed20f41f7dc7b48071
SHA512aeed5f93daebbec7241719a6903e0463e9d204f699d317adb498c6262dbecf61d68b1f77f6ec369ee45fe703a849086fbd407247fb021350fcec6a8b0950f375
-
-
-
-
-
-
-
Filesize
32KB
-
-
-
-
-
-