Analysis

  • max time kernel
    110s
  • max time network
    101s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    21-10-2021 18:50

General

  • Target

    Muisvc(unpacked).exe

  • Size

    1.0MB

  • MD5

    dee33a5b0f93ffbf6c5da9e376b89c9b

  • SHA1

    e5c0415345340ccec55c6e79503296a846db7a70

  • SHA256

    b654cc6156b8cb72642d97672847401552bf72b208d52047b2697612ef3107d1

  • SHA512

    9ff39cbd360eca2adafd44f60064da2b6d7e1961599ef28de97d0582725d02c4a81e6429e2a9d33f389d175fb12136d190fd4d2188a44d50d02b2f1fede241c8

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\633754-readme.html

Ransom Note
<html> <head> <title>Inferno</title> <style> *, :after, :before { box-sizing: border-box; } html, body { margin: 0; background: #000000; font-family: sans-serif; line-height: 1.5; color: #777; } h1 { margin: 0; font-size: 2rem; } h2 { margin: 0; font-size: 1.4rem; } h3 { margin: 0; font-size: 1.2rem; } li, p { margin-top: 0; margin-bottom: .7rem; font-size: 1.1rem; letter-spacing: .02rem; } .logo { display: flex; justify-content: center; padding: 1.3rem 0; } .title { background-color: #ffffff; padding: .5rem 0; } .title h1 { text-align: center; } .title h1 span{ color: #000; } .description, .attention, .cc { width: 900px; max-width: 100%; margin: auto; padding: 1.3rem 0; } .copy-btn { opacity: .3; cursor: pointer; } .copy-btn svg { width: 18px; } .copy-btn:hover { opacity: 1; } .link { cursor: pointer; } .link:hover { text-shadow: 0 0 3px #828282; } .identity-head { display: flex; justify-content: space-between; } .identity { word-break: break-all; background-color: #e3f5eb; padding: 1rem; font-size: 1.1rem; font-family: monospace; margin-bottom: 1.3rem; } .attention p { text-transform: uppercase; color: #dc3545; text-align: center; } </style> </head> <body> <div class="logo"> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="250" viewBox="0 0 200 250"> <image width="200" height="250" xlink:href="data:img/png;base64,/9j/4AAQSkZJRgABAQEBLAEsAAD/4S/w...
[base64 image payload omitted; the extracted note is cut off inside it, before any of the note text, so the HTML above is never closed. The data URI declares img/png but the payload starts with /9j/4AAQSkZJRg, the JPEG/JFIF signature, and its EXIF block carries the software string "GIMP 2.10.24" and the timestamp 2021:09:09 14:37:57.]

Extracted

Path

C:\633754-readme.html

Ransom Note
"Gustave Doré, engraving illustrating Canto XVII of Divine Comedy, Inferno, by Dante Alighieri; caption: The Descent of the Abyss on Geryon's Back; in Dante Alighieri, The Divine Comedy: the Inferno, Purgatorio, and Paradiso, trans.: Lawrence Grant White," by ancientartpodcast.org is licensed with CC BY 2.0.

Your network has been infected by Inferno

All your documents, photos, databases and other important files have been encrypted and you are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software - Inferno General Decryptor. Only we can give you this software and only we can restore your files!

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
Download Tor browser - https://www.torproject.org/
Install Tor browser
Open link in Tor browser - infernoyrxlapxaiq.onion
Follow the instructions on this page

Your ID: 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

Do not try to recover files yourself!
Do not modify encrypted files!
Otherwise, you may lose all your files forever!

“Now, now my good man, this is no time to be making enemies. (Voltaire on his deathbed in response to a priest asking him that he renounce Satan.)” Voltaire
URLs

http://infernoyrxlapxaiq.onion
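The two extracted notes above carry everything a responder wants from a ransom note: the family name in the title, the .onion contact host, the per-victim ID, and an embedded logo whose declared type does not match its bytes. The following is an added example, not the sandbox's own extractor or anything from the sample, that pulls those fields out of a note mechanically. It runs over a constructed excerpt that keeps the report's title, its .onion host and the first bytes of the logo's data URI; the victim ID in the excerpt is a placeholder, since the report redacts the real one.

```python
import base64
import re

# Constructed excerpt modelled on the extracted note above: same title, same
# .onion host, the first bytes of the embedded logo's data URI, and a
# placeholder victim ID (the report redacts the real one).
NOTE_HTML = (
    "<html><head><title>Inferno</title></head><body>"
    '<svg><image xlink:href="data:img/png;base64,/9j/4AAQSkZJRgABAQEBLAEsAAD/4S/w"/></svg>'
    "<p>Open link in Tor browser - infernoyrxlapxaiq.onion</p>"
    "<p>Your ID: 0123456789abcdef</p></body></html>"
)

TITLE = re.compile(r"<title>(.*?)</title>", re.I | re.S)
# Any base32-looking label in front of .onion; the length is validated
# separately so a malformed host is reported instead of silently dropped.
ONION = re.compile(r"\b([a-z2-7]+)\.onion\b", re.I)
VICTIM_ID = re.compile(r"Your ID:\s*([A-Za-z0-9+/=]+)")
DATA_URI = re.compile(r"data:([\w/.+-]+);base64,([A-Za-z0-9+/=]+)")

# File signatures checked against the decoded payload, independent of the
# MIME type the note declares.
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF8": "image/gif",
}


def sniff(data: bytes) -> str:
    """Identify an image by its leading bytes; 'unknown' if nothing matches."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return "unknown"


def decode_head(b64: str, nchars: int = 64) -> bytes:
    """Decode only the first nchars of a base64 payload. Extracted notes are
    often truncated, and the file signature sits in the first few bytes."""
    chunk = b64[:nchars]
    return base64.b64decode(chunk + "=" * (-len(chunk) % 4))


def extract(note: str) -> dict:
    """Pull title, .onion hosts, victim ID and embedded-image facts from a note."""
    m = TITLE.search(note)
    hosts = sorted({h.lower() for h in ONION.findall(note)})
    vid = VICTIM_ID.search(note)
    return {
        "title": m.group(1).strip() if m else None,
        "onion": [h + ".onion" for h in hosts],
        # Tor v2 labels are 16 base32 chars, v3 labels are 56.
        "onion_valid_length": {h + ".onion": len(h) in (16, 56) for h in hosts},
        "victim_id": vid.group(1) if vid else None,
        "embedded_images": [
            {"declared": declared, "actual": sniff(decode_head(b64))}
            for declared, b64 in DATA_URI.findall(note)
        ],
    }


if __name__ == "__main__":
    for key, value in extract(NOTE_HTML).items():
        print(f"{key}: {value}")
```

Two details of this note surface through the checks rather than the regexes: the logo is declared img/png but sniffs as JPEG, and the host label infernoyrxlapxaiq is 17 characters, which is neither a 16-character v2 nor a 56-character v3 onion address, so the URL as extracted is a lead to verify rather than a clean indicator.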

Signatures

  • Avaddon

    Ransomware-as-a-service first seen in June 2020. The note dropped by this sample brands itself "Inferno", but its behaviour matches the Avaddon signature set, including the Suricata rule below.

  • UAC bypass 3 TTPs
  • suricata: ET MALWARE Win32/Avaddon Ransomware Style External IP Address Check

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Muisvc(unpacked).exe
    "C:\Users\Admin\AppData\Local\Temp\Muisvc(unpacked).exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1740
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:564
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1816
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1716
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1948
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1728
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1724
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1364
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:1360
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x59c
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1424
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\633754-readme.html
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:304
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:304 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:324
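The process tree above is the part of this report that maps most directly onto a detection: a binary running from a user's Temp directory spawning vssadmin.exe and wmic.exe against shadow copies, three times each. The following is an added example, not the sandbox's own tooling or anything from the sample. It replays process-creation events constructed from the tree above (the pid/ppid/image/cmdline record shape is an assumed Sysmon-like layout, and ppid=0 stands in for the parents the report does not list) and returns one finding per shadow-copy tampering command, escalating the reason when the parent lives in a user-writable path.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event. ppid=0 means the report gave no parent."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree in the report (PIDs as listed there).
EVENTS = [
    ProcEvent(1740, 0, r"C:\Users\Admin\AppData\Local\Temp\Muisvc(unpacked).exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Muisvc(unpacked).exe"'),
    ProcEvent(564, 1740, r"C:\Windows\SysWOW64\Wbem\wmic.exe",
              "wmic.exe SHADOWCOPY /nointeractive"),
    ProcEvent(1816, 1740, r"C:\Windows\SysWOW64\vssadmin.exe",
              "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(1716, 1740, r"C:\Windows\SysWOW64\Wbem\wmic.exe",
              "wmic.exe SHADOWCOPY /nointeractive"),
    ProcEvent(1948, 1740, r"C:\Windows\SysWOW64\vssadmin.exe",
              "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(1728, 1740, r"C:\Windows\SysWOW64\Wbem\wmic.exe",
              "wmic.exe SHADOWCOPY /nointeractive"),
    ProcEvent(1724, 1740, r"C:\Windows\SysWOW64\vssadmin.exe",
              "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(1364, 0, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    ProcEvent(1360, 0, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"'),
    ProcEvent(304, 1360, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\633754-readme.html'),
]

# Command-line patterns for shadow-copy tampering (ATT&CK T1490, as tagged in
# the report). Case-insensitive and tolerant of extra whitespace.
SHADOW_PATTERNS = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic shadowcopy", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\b", re.I)),
]

# A parent running from a user-writable location is the strongest signal that
# the deletion is not an administrator's backup-maintenance task.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)
# Note file naming seen in this sample only; not a family-wide constant.
RANSOM_NOTE = re.compile(r"-readme\.html\b", re.I)


def detect(events):
    """Return (technique, pid, ppid, reason) tuples, one per matching event."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        for name, pat in SHADOW_PATTERNS:
            if pat.search(e.cmdline):
                parent = by_pid.get(e.ppid)
                reason = name
                if parent is not None and USER_WRITABLE.search(parent.image):
                    reason += " spawned by binary in user-writable path"
                findings.append(("T1490", e.pid, e.ppid, reason))
        if RANSOM_NOTE.search(e.cmdline):
            findings.append(("ransom-note-opened", e.pid, e.ppid, "browser opened *-readme.html"))
    return findings


def offenders(events):
    """Map parent PID -> number of shadow-copy tampering children it spawned.
    Several from one parent is the repeated vssadmin/wmic pattern seen above."""
    counts = defaultdict(int)
    for tech, _pid, ppid, _reason in detect(events):
        if tech == "T1490":
            counts[ppid] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
    print(offenders(EVENTS))
```

Running it over the constructed events yields six T1490 findings, all attributed to PID 1740 and all escalated because the parent image sits under AppData\Local\Temp, plus one note-opened finding for PID 304. An administrator running vssadmin from cmd.exe still produces a T1490 hit, but without the parent-path escalation, which is the field to key alerting severity on.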

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic                Technique                            Signatures  ID
    Persistence           Registry Run Keys / Startup Folder   1           T1060
    Privilege Escalation  Bypass User Account Control          1           T1088
    Defense Evasion       Bypass User Account Control          1           T1088
    Defense Evasion       Disabling Security Tools             1           T1089
    Defense Evasion       Modify Registry                      4           T1112
    Defense Evasion       File Deletion                        2           T1107
    Discovery             System Information Discovery         3           T1082
    Discovery             Query Registry                       1           T1012
    Discovery             Peripheral Device Discovery          1           T1120
    Impact                Inhibit System Recovery              2           T1490


    Downloads

    • C:\633754-readme.html
      MD5

      3ade478a30c55cdeec2ef3db51b60503

      SHA1

      5171287ad45694aed083dde0c40a5e44258f8b9d

      SHA256

      e340777458c2a119c4edcc6c7dfe5b7b47dfc2d720c41c4bcab8e5c197bf6ac8

      SHA512

      7de89f8198e9cc939e14afbac1da8996314b7c3ac117a1c7a89f9aa00bb64663e21288543d1dec43fd1028c68e3aef0c2d0c8d852af3b5510e15f56dbfd6472d

    • memory/324-64-0x0000000000000000-mapping.dmp
    • memory/564-57-0x0000000000000000-mapping.dmp
    • memory/1360-63-0x000007FEFC371000-0x000007FEFC373000-memory.dmp
      Filesize

      8KB

    • memory/1716-59-0x0000000000000000-mapping.dmp
    • memory/1724-62-0x0000000000000000-mapping.dmp
    • memory/1728-61-0x0000000000000000-mapping.dmp
    • memory/1740-55-0x0000000075BA1000-0x0000000075BA3000-memory.dmp
      Filesize

      8KB

    • memory/1740-56-0x0000000000A70000-0x0000000000B7A000-memory.dmp
      Filesize

      1.0MB

    • memory/1816-58-0x0000000000000000-mapping.dmp
    • memory/1948-60-0x0000000000000000-mapping.dmp