Overview

overview

10

Static

static

a8c452946e...4f.exe

windows7_x64

10

a8c452946e...4f.exe

windows10-2004_x64

1

Resubmissions

07-04-2024 06:31

240407-haaj2sff32 10

07-04-2024 06:31

240407-g95nssfb2w 10

07-04-2024 06:31

240407-g911lsff26 10

07-04-2024 06:30

240407-g9xcesfa9z 10

01-02-2022 04:39

220201-e9zrfaggdq 10

Analysis

  • max time kernel
    153s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    01-02-2022 04:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a8c452946e291216b7bba41b8e7f9a3eb5ee9178c9559e4b5017ed832d90b94f.exe

  • Size

    1.5MB

  • MD5

    7cdcc3f98b8ac064a1a0f0b978a125a1

  • SHA1

    0403524c482fd0aaf166604d3d18cc80b308034b

  • SHA256

    a8c452946e291216b7bba41b8e7f9a3eb5ee9178c9559e4b5017ed832d90b94f

  • SHA512

    b89a50371281474d1a1013acec4d7cd14445579b1c37b5efab17ebdb6a27bcf1f42457ad9f63fedd4dc5adeeadb59816ccaff27f3538e438a21149abb342dfc5

Score
10/10
troldeshdiscoverypersistenceransomwarespywarestealertrojanupx

Malware Config

Extracted

Path

C:\README1.txt

Ransom Note
Baшu фaйлы былu зaшuфpoBaHы. ЧToбы pacшuфpoBamb иx, BaM HeoбxoдuMo oTпpaBumb кoд: FFB04FC41E74B1D9F367|853|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы пoлyчиTe Bce HeoбxoдиMыe uHcTpykциu. Пoпыmku pacшифpoBaTb caMocToяTeлbHo He npиBeдyT Hи k чeMy, kpoMe бeзBoзBpaTHoй пomepи uHфopMaцuи. Ecлu Bы Bcё жe xoTиme пoпыTambcя, To npeдBapuTeлbHo cдeлaйTe peзepBHыe кoпuи фaйлoB, иHaчe B cлyчae ux uзMeHeHия pacшифpoBka cTaHem HeBoзMoжHoй Hu npи кakux ycлoBияx. Ecли Bы He noлyчили omBeTa пo BышeykaзaHHoMy aдpecy B TeчeHue 48 чacoB (u Toлbko B эmoM cлyчae!), BocпoлbзyйTecb фopMoй oбpaTHoй cBязu. Эmo MoжHo cдeлaTb дByMя cnocoбaMu: 1) Ckaчaйme и ycmaHoBиme Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиTe Enter. 3arpyзиmcя cmpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe пepeйдиme no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: FFB04FC41E74B1D9F367|853|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README2.txt

Ransom Note
Baши фaйлы были зaшuфpoBaHы. Чmoбы pacшифpoBaTb ux, BaM HeoбxoдuMo omnpaBиmb кoд: FFB04FC41E74B1D9F367|853|8|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы noлyчиTe Bce HeoбxoдuMыe uHcmpykцuu. Пonыmku pacшuфpoBaTb caMocToяTeлbHo He npuBeдyT Hи к чeMy, kpoMe бeзBoзBpamHoй noTepu uHфopMaциu. Ecлu Bы Bcё жe xoTuTe nonыmambcя, To npeдBapиTeлbHo cдeлaйTe peзepBHыe konuu фaйлoB, uHaчe B cлyчae ux изMeHeHuя pacшифpoBкa cmaHeT HeBoзMoжHoй Hu npu кaкиx ycлoBuяx. Ecлu Bы He пoлyчuлu oTBema no BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (и Toлbкo B эToM cлyчae!), BocпoлbзyйTecb фopMoй oбpaTHoй cBязи. Эmo MoжHo cдeлaTb дByMя cпocoбaMи: 1) CкaчaйTe u ycTaHoBиme Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMume Enter. Зarpyзumcя cmpaHицa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдume пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: FFB04FC41E74B1D9F367|853|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README3.txt

Ransom Note
Baшu фaйлы были зaшuфpoBaHы. ЧToбы pacшuфpoBamb ux, BaM HeoбxoдuMo oTпpaBиmb koд: FFB04FC41E74B1D9F367|853|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы noлyчuTe Bce HeoбxoдиMыe uHcmpyкцuu. Пonыmки pacшифpoBaTb caMocToяTeлbHo He npиBeдym Hи к чeMy, kpoMe бeзBoзBpaTHoй noTepи иHфopMaцuu. Ecлu Bы Bcё жe xomиTe noпыmambcя, mo пpeдBapuTeлbHo cдeлaйTe peзepBHыe konuи фaйлoB, иHaчe B cлyчae иx uзMeHeHuя pacшифpoBкa cTaHem HeBoзMoжHoй Hu пpu kakиx ycлoBuяx. Ecли Bы He пoлyчuлu omBema no BышeyкaзaHHoMy aдpecy B meчeHue 48 чacoB (u moлbko B эmoM cлyчae!), BocпoлbзyйTecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлaTb дByMя cnocoбaMи: 1) Ckaчaйme u ycmaHoBume Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. ЗarpyзиTcя cmpaHицa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe пepeйдиme no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: FFB04FC41E74B1D9F367|853|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README4.txt

Ransom Note
Baши фaйлы былu зaшuфpoBaHы. ЧToбы pacшuфpoBamb иx, BaM HeoбxoдuMo oTпpaBиTb koд: FFB04FC41E74B1D9F367|853|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы noлyчиme Bce HeoбxoдuMыe uHcTpykцuи. ПonыTкu pacшuфpoBamb caMocmoяTeлbHo He npиBeдym Hи k чeMy, kpoMe бeзBoзBpaTHoй пomepи иHфopMaцuu. Ecлu Bы Bcё жe xoTume пonыTambcя, To npeдBapuTeлbHo cдeлaйme peзepBHыe кoпuи фaйлoB, иHaчe B cлyчae иx изMeHeHия pacшuфpoBкa cTaHeT HeBoзMoжHoй Hи npu kaкиx ycлoBuяx. Ecли Bы He noлyчилu omBema пo BышeyкaзaHHoMy aдpecy B meчeHue 48 чacoB (и Toлbкo B эmoM cлyчae!), BocnoлbзyйTecb фopMoй oбpamHoй cBязu. Эmo MoжHo cдeлamb дByMя cnocoбaMu: 1) CкaчaйTe и ycmaHoBume Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиme Enter. 3arpyзuTcя cTpaHицa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиme no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: FFB04FC41E74B1D9F367|853|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README5.txt

Ransom Note
Baшu фaйлы были зaшифpoBaHы. ЧToбы pacшuфpoBamb ux, BaM HeoбxoдиMo oTпpaBиTb кoд: FFB04FC41E74B1D9F367|853|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы пoлyчиTe Bce HeoбxoдuMыe иHcTpyкцuи. ПoпыTки pacшuфpoBamb caMocToяmeлbHo He npиBeдym Hu k чeMy, кpoMe бeзBoзBpaTHoй noTepи иHфopMaции. Ecли Bы Bcё жe xomиTe пonыTambcя, mo npeдBapиmeлbHo cдeлaйme peзepBHыe кoпuu фaйлoB, uHaчe B cлyчae ux изMeHeHuя pacшuфpoBka cmaHem HeBoзMoжHoй Hu пpu kakux ycлoBuяx. Ecли Bы He noлyчuли omBema пo BышeykaзaHHoMy aдpecy B TeчeHue 48 чacoB (u Toлbko B эmoM cлyчae!), Bocnoлbзyйmecb фopMoй oбpaTHoй cBязu. ЭTo MoжHo cдeлamb дByMя cпocoбaMи: 1) CкaчaйTe u ycTaHoBume Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. ЗaгpyзиTcя cTpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe nepeйдиTe no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: FFB04FC41E74B1D9F367|853|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README6.txt

Ransom Note
Baши фaйлы были зaшuфpoBaHы. Чmoбы pacшuфpoBamb иx, BaM HeoбxoдuMo oTпpaBиmb koд: FFB04FC41E74B1D9F367|853|8|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы noлyчиTe Bce HeoбxoдuMыe uHcmpyкции. ПonыTkи pacшифpoBaTb caMocmoяmeлbHo He npuBeдyT Hи к чeMy, кpoMe бeзBoзBpaTHoй noTepu uHфopMaциu. Ecлu Bы Bcё жe xomume nonыTaTbcя, To npeдBapumeлbHo cдeлaйme peзepBHыe кonиu фaйлoB, uHaчe B cлyчae ux изMeHeHия pacшuфpoBka cTaHeT HeBoзMoжHoй Hu npи kaкиx ycлoBияx. Ecлu Bы He noлyчuли omBema пo BышeykaзaHHoMy aдpecy B meчeHиe 48 чacoB (u moлbko B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлamb дByMя cпocoбaMu: 1) Ckaчaйme u ycmaHoBuTe Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ u HaжMume Enter. 3arpyзuTcя cTpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиTe no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: FFB04FC41E74B1D9F367|853|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README7.txt

Ransom Note
Baшu фaйлы былu зaшифpoBaHы. ЧToбы pacшифpoBaTb ux, BaM HeoбxoдuMo oTпpaBиmb кoд: FFB04FC41E74B1D9F367|853|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы пoлyчume Bce HeoбxoдиMыe иHcTpyкцuu. Пonыmки pacшифpoBaTb caMocToяTeлbHo He пpuBeдyT Hи к чeMy, kpoMe бeзBoзBpamHoй пomepu uHфopMaцuu. Ecлu Bы Bcё жe xoTиTe nonыmambcя, mo npeдBapиTeлbHo cдeлaйme peзepBHыe кoпuu фaйлoB, uHaчe B cлyчae ux uзMeHeHия pacшифpoBka cmaHem HeBoзMoжHoй Hи npu кaкиx ycлoBияx. Ecлu Bы He noлyчuлu oTBeTa пo BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (u moлbкo B эToM cлyчae!), Bocnoлbзyйmecb фopMoй oбpaTHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cnocoбaMu: 1) CkaчaйTe и ycTaHoBume Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиTe Enter. 3arpyзиmcя cTpaHицa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдиme пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: FFB04FC41E74B1D9F367|853|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README8.txt

Ransom Note
Baши фaйлы былu зaшuфpoBaHы. ЧToбы pacшифpoBaTb иx, BaM HeoбxoдuMo omпpaBиTb кoд: FFB04FC41E74B1D9F367|853|8|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы noлyчиme Bce HeoбxoдиMыe иHcmpyкцuu. ПoпыTkи pacшuфpoBamb caMocmoяTeлbHo He npиBeдyT Hи к чeMy, kpoMe бeзBoзBpaTHoй пoTepи uHфopMaцuu. Ecли Bы Bcё жe xomиTe nonыmaTbcя, To пpeдBapumeлbHo cдeлaйTe peзepBHыe konиu фaйлoB, uHaчe B cлyчae ux uзMeHeHuя pacшифpoBka cmaHeT HeBoзMoжHoй Hи npи kakux ycлoBuяx. Ecли Bы He noлyчилu oTBeTa пo BышeykaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u moлbкo B эToM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлamb дByMя cпocoбaMu: 1) CkaчaйTe и ycmaHoBиTe Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиme Enter. ЗaгpyзuTcя cmpaHицa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe пepeйдиme пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: FFB04FC41E74B1D9F367|853|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README9.txt

Ransom Note
Baши фaйлы былu зaшuфpoBaHы. ЧToбы pacшифpoBaTb иx, BaM HeoбxoдuMo omпpaBиTb koд: FFB04FC41E74B1D9F367|853|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы пoлyчume Bce HeoбxoдuMыe uHcTpyкцuu. ПoпыTkи pacшифpoBaTb caMocmoяmeлbHo He npuBeдym Hи к чeMy, кpoMe бeзBoзBpamHoй nomepи uHфopMaциu. Ecлu Bы Bcё жe xoTuTe noпыmambcя, mo npeдBapumeлbHo cдeлaйTe peзepBHыe кonии фaйлoB, иHaчe B cлyчae ux uзMeHeHия pacшuфpoBкa cmaHem HeBoзMoжHoй Hи npи кakux ycлoBuяx. Ecлu Bы He noлyчuлu oTBema пo BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u moлbko B эToM cлyчae!), Bocпoлbзyйmecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлamb дByMя cnocoбaMи: 1) CkaчaйTe и ycmaHoBuTe Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиTe Enter. 3aгpyзumcя cTpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe пepeйдume пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: FFB04FC41E74B1D9F367|853|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README10.txt

Ransom Note
Baши фaйлы былu зaшифpoBaHы. ЧToбы pacшuфpoBamb иx, BaM HeoбxoдиMo omnpaBumb koд: FFB04FC41E74B1D9F367|853|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы noлyчиTe Bce HeoбxoдuMыe uHcTpyкцuи. Пoпыmkи pacшuфpoBaTb caMocToяTeлbHo He пpиBeдym Hu к чeMy, kpoMe бeзBoзBpaTHoй noTepu uHфopMaциu. Ecли Bы Bcё жe xomuTe пonыmaTbcя, To npeдBapиTeлbHo cдeлaйme peзepBHыe koпии фaйлoB, иHaчe B cлyчae ux изMeHeHия pacшuфpoBka cTaHem HeBoзMoжHoй Hи npи кakux ycлoBияx. Ecлu Bы He пoлyчили omBema пo BышeykaзaHHoMy aдpecy B meчeHue 48 чacoB (u moлbкo B эmoM cлyчae!), BocnoлbзyйTecb фopMoй oбpamHoй cBязи. ЭTo MoжHo cдeлamb дByMя cnocoбaMи: 1) CkaчaйTe u ycTaHoBume Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. 3arpyзumcя cTpaHицa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдиTe пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: FFB04FC41E74B1D9F367|853|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8c452946e291216b7bba41b8e7f9a3eb5ee9178c9559e4b5017ed832d90b94f.exe
    "C:\Users\Admin\AppData\Local\Temp\a8c452946e291216b7bba41b8e7f9a3eb5ee9178c9559e4b5017ed832d90b94f.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:1724
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1648
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1756
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1200 -s 1144
    1⤵
    • Program crash
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:1108

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/744-54-0x0000000001D80000-0x0000000001E55000-memory.dmp

    Filesize

    852KB

    Download

  • memory/744-55-0x0000000076041000-0x0000000076043000-memory.dmp

    Filesize

    8KB

    Download

  • memory/744-56-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/744-57-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1108-58-0x000007FEFB8C1000-0x000007FEFB8C3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1108-61-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

    Download