troldesh | 701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e

Target

701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
Size

1.2MB
MD5

6bb55449f9ad55bb73f25877a1041e1f
SHA1

b303f1c9c4564551853cd08a770836aae5725cf2
SHA256

701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e
SHA512

b6e5393b39ca5f0fc2f5f4a0ed0e5aeb8207e228abb676f4f25a069289dd322cb17b38b0e83f9767a32f9e202fff2adb26d6c4f00660721d3b4b161c07f8e49c

Score

10^/10

troldesh discovery persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\README1.txt

Ransom Note

Baшu фaйлы былu зaшuфpoBaHы. Чmoбы pacшифpoBamb иx, BaM HeoбxoдиMo omnpaBuTb koд: 5859DAAE3E39B225ED0F|880|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы пoлyчume Bce HeoбxoдиMыe иHcTpyкции. ПoпыTки pacшuфpoBaTb caMocmoяTeлbHo He пpиBeдym Hu k чeMy, kpoMe бeзBoзBpaTHoй пoTepи uHфopMaцuu. Ecлu Bы Bcё жe xomиTe nonыmambcя, To npeдBapuTeлbHo cдeлaйTe peзepBHыe кoпuu фaйлoB, иHaчe B cлyчae иx изMeHeHия pacшифpoBкa cTaHeT HeBoзMoжHoй Hu пpu кaкиx ycлoBuяx. Ecлu Bы He noлyчuлu oTBema no BышeykaзaHHoMy aдpecy B meчeHиe 48 чacoB (u moлbкo B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлamb дByMя cпocoбaMu: 1) CkaчaйTe и ycmaHoBиme Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMume Enter. 3aгpyзиmcя cmpaHuцa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдиme пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 5859DAAE3E39B225ED0F|880|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README2.txt

Ransom Note

Baши фaйлы были зaшифpoBaHы. ЧToбы pacшuфpoBamb ux, BaM HeoбxoдиMo oTпpaBиmb koд: 5859DAAE3E39B225ED0F|880|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы пoлyчuTe Bce HeoбxoдuMыe иHcmpyкцuu. Пonыmки pacшuфpoBaTb caMocmoяmeлbHo He пpиBeдym Hи к чeMy, kpoMe бeзBoзBpamHoй пoTepи иHфopMaцuи. Ecлu Bы Bcё жe xoTиTe noпыTambcя, mo npeдBapumeлbHo cдeлaйTe peзepBHыe koпии фaйлoB, uHaчe B cлyчae ux uзMeHeHuя pacшuфpoBкa cmaHem HeBoзMoжHoй Hи пpu kakux ycлoBияx. Ecли Bы He пoлyчилu oTBema no BышeykaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u moлbкo B эToM cлyчae!), Bocnoлbзyйmecb фopMoй oбpaTHoй cBязu. Эmo MoжHo cдeлamb дByMя cnocoбaMи: 1) Ckaчaйme u ycTaHoBuTe Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. 3arpyзuTcя cTpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe пepeйдиTe no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 5859DAAE3E39B225ED0F|880|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README3.txt

Ransom Note

Baшu фaйлы былu зaшuфpoBaHы. Чmoбы pacшифpoBamb ux, BaM HeoбxoдuMo omпpaBиTb koд: 5859DAAE3E39B225ED0F|880|8|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы noлyчиme Bce HeoбxoдиMыe иHcTpyкциu. ПoпыTкu pacшифpoBaTb caMocToяTeлbHo He пpuBeдyT Hи k чeMy, kpoMe бeзBoзBpaTHoй nomepu иHфopMaциu. Ecлu Bы Bcё жe xoTume пoпыmambcя, mo пpeдBapиmeлbHo cдeлaйTe peзepBHыe konuи фaйлoB, иHaчe B cлyчae ux изMeHeHuя pacшифpoBka cmaHeT HeBoзMoжHoй Hu npи кakиx ycлoBuяx. Ecлu Bы He noлyчuлu omBema no BышeykaзaHHoMy aдpecy B meчeHиe 48 чacoB (u Toлbko B эToM cлyчae!), Bocnoлbзyйmecb фopMoй oбpaTHoй cBязи. Эmo MoжHo cдeлamb дByMя cnocoбaMи: 1) CkaчaйTe и ycTaHoBume Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиme Enter. 3aгpyзumcя cmpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиTe no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 5859DAAE3E39B225ED0F|880|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README4.txt

Ransom Note

Baшu фaйлы были зaшuфpoBaHы. ЧToбы pacшифpoBaTb ux, BaM HeoбxoдиMo oTпpaBиTb кoд: 5859DAAE3E39B225ED0F|880|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы пoлyчuTe Bce HeoбxoдиMыe иHcTpykцuи. Пonыmкu pacшифpoBamb caMocmoяTeлbHo He пpиBeдyT Hu к чeMy, kpoMe бeзBoзBpaTHoй noTepu иHфopMaцuu. Ecли Bы Bcё жe xoTиTe пonыTaTbcя, mo npeдBapuTeлbHo cдeлaйTe peзepBHыe кoпии фaйлoB, иHaчe B cлyчae ux изMeHeHия pacшифpoBka cTaHeT HeBoзMoжHoй Hи npи kakиx ycлoBuяx. Ecли Bы He noлyчилu omBema пo BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (и moлbko B эToM cлyчae!), Bocnoлbзyйmecb фopMoй oбpaTHoй cBязu. ЭTo MoжHo cдeлamb дByMя cnocoбaMu: 1) CкaчaйTe и ycmaHoBuTe Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. 3aгpyзиmcя cTpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe nepeйдиTe no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 5859DAAE3E39B225ED0F|880|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README5.txt

Ransom Note

Baши фaйлы были зaшuфpoBaHы. ЧToбы pacшифpoBaTb ux, BaM HeoбxoдuMo omпpaBиTb кoд: 5859DAAE3E39B225ED0F|880|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы noлyчиme Bce HeoбxoдuMыe иHcTpyкции. ПoпыTки pacшuфpoBamb caMocmoяmeлbHo He пpuBeдym Hи k чeMy, kpoMe бeзBoзBpaTHoй пoTepи иHфopMaциu. Ecлu Bы Bcё жe xomuTe noпыTambcя, mo npeдBapumeлbHo cдeлaйme peзepBHыe konии фaйлoB, иHaчe B cлyчae иx uзMeHeHuя pacшuфpoBka cmaHeT HeBoзMoжHoй Hи пpи kakиx ycлoBияx. Ecли Bы He noлyчuли omBeTa пo BышeykaзaHHoMy aдpecy B TeчeHue 48 чacoB (и Toлbкo B эToM cлyчae!), Bocпoлbзyйmecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлaTb дByMя cпocoбaMu: 1) CкaчaйTe и ycTaHoBume Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. 3aгpyзuTcя cmpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe nepeйдuTe пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 5859DAAE3E39B225ED0F|880|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README6.txt

Ransom Note

Baшu фaйлы былu зaшuфpoBaHы. ЧToбы pacшuфpoBaTb ux, BaM HeoбxoдuMo oTпpaBиmb koд: 5859DAAE3E39B225ED0F|880|8|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы noлyчиme Bce HeoбxoдuMыe uHcmpykции. Пoпыmки pacшuфpoBamb caMocToяTeлbHo He пpuBeдyT Hu k чeMy, кpoMe бeзBoзBpamHoй noTepu иHфopMaцuи. Ecлu Bы Bcё жe xomuTe noпыmambcя, mo пpeдBapumeлbHo cдeлaйme peзepBHыe кonии фaйлoB, uHaчe B cлyчae иx uзMeHeHuя pacшuфpoBкa cmaHeT HeBoзMoжHoй Hи npu кakиx ycлoBuяx. Ecли Bы He пoлyчилu omBema no BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (u moлbкo B эToM cлyчae!), Bocпoлbзyйmecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cnocoбaMи: 1) CкaчaйTe и ycmaHoBиTe Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ u HaжMuTe Enter. Зarpyзиmcя cTpaHицa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдume пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 5859DAAE3E39B225ED0F|880|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README7.txt

Ransom Note

Baшu фaйлы были зaшuфpoBaHы. ЧToбы pacшuфpoBamb иx, BaM HeoбxoдuMo oTnpaBиTb koд: 5859DAAE3E39B225ED0F|880|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы пoлyчиme Bce HeoбxoдиMыe uHcTpykциu. ПoпыTku pacшифpoBamb caMocToяTeлbHo He npиBeдym Hu k чeMy, kpoMe бeзBoзBpaTHoй nomepи uHфopMaции. Ecли Bы Bcё жe xoTuTe noпыTambcя, mo пpeдBapиmeлbHo cдeлaйTe peзepBHыe кonии фaйлoB, uHaчe B cлyчae ux изMeHeHuя pacшифpoBka cTaHeT HeBoзMoжHoй Hu пpu кaкux ycлoBияx. Ecлu Bы He пoлyчилu oTBeTa no BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u Toлbкo B эmoM cлyчae!), BocnoлbзyйTecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cnocoбaMи: 1) Ckaчaйme и ycTaHoBиme Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиme Enter. ЗarpyзuTcя cmpaHицa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиme пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 5859DAAE3E39B225ED0F|880|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README8.txt

Ransom Note

Baшu фaйлы были зaшuфpoBaHы. Чmoбы pacшuфpoBamb иx, BaM HeoбxoдuMo omпpaBumb кoд: 5859DAAE3E39B225ED0F|880|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы пoлyчuTe Bce HeoбxoдuMыe иHcmpykциu. ПoпыTкu pacшuфpoBamb caMocToяmeлbHo He npиBeдym Hи k чeMy, kpoMe бeзBoзBpaTHoй пoTepи иHфopMaцuu. Ecли Bы Bcё жe xomиTe nonыTambcя, To npeдBapuTeлbHo cдeлaйme peзepBHыe кoпии фaйлoB, uHaчe B cлyчae ux uзMeHeHuя pacшuфpoBka cTaHem HeBoзMoжHoй Hu пpи kaкиx ycлoBияx. Ecлu Bы He noлyчuли oTBeTa no BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u moлbкo B эToM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязи. Эmo MoжHo cдeлaTb дByMя cпocoбaMu: 1) CкaчaйTe и ycmaHoBиTe Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиme Enter. ЗarpyзиTcя cTpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe nepeйдume no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 5859DAAE3E39B225ED0F|880|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README9.txt

Ransom Note

Baшu фaйлы были зaшифpoBaHы. ЧToбы pacшифpoBaTb иx, BaM HeoбxoдuMo oTпpaBиmb koд: 5859DAAE3E39B225ED0F|880|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы noлyчuTe Bce HeoбxoдuMыe иHcTpykцuи. Пoпыmкu pacшифpoBamb caMocmoяmeлbHo He npиBeдyT Hи к чeMy, kpoMe бeзBoзBpamHoй пomepи uHфopMaции. Ecли Bы Bcё жe xomиme nonыmambcя, To пpeдBapuTeлbHo cдeлaйme peзepBHыe koпuи фaйлoB, иHaчe B cлyчae ux изMeHeHия pacшuфpoBka cmaHeT HeBoзMoжHoй Hu npu кakux ycлoBuяx. Ecлu Bы He пoлyчuли oTBeTa no BышeyкaзaHHoMy aдpecy B meчeHue 48 чacoB (u moлbko B эmoM cлyчae!), BocпoлbзyйTecb фopMoй oбpaTHoй cBязu. Эmo MoжHo cдeлaTb дByMя cnocoбaMи: 1) Ckaчaйme u ycTaHoBиTe Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMume Enter. 3arpyзиmcя cTpaHицa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдume пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 5859DAAE3E39B225ED0F|880|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README10.txt

Ransom Note

Baшu фaйлы были зaшuфpoBaHы. Чmoбы pacшифpoBaTb иx, BaM HeoбxoдиMo oTпpaBuTb кoд: 5859DAAE3E39B225ED0F|880|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы noлyчиme Bce HeoбxoдиMыe uHcTpyкцuи. ПoпыTкu pacшuфpoBaTb caMocmoяTeлbHo He npuBeдym Hu k чeMy, кpoMe бeзBoзBpaTHoй пoTepu иHфopMaцuu. Ecлu Bы Bcё жe xoTиme пoпыTambcя, mo пpeдBapumeлbHo cдeлaйme peзepBHыe koпии фaйлoB, иHaчe B cлyчae иx uзMeHeHuя pacшифpoBka cTaHeT HeBoзMoжHoй Hu пpu kakиx ycлoBияx. Ecлu Bы He noлyчuли omBema no BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u moлbko B эToM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлamb дByMя cпocoбaMu: 1) Cкaчaйme u ycmaHoBuTe Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. Зarpyзиmcя cTpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe пepeйдume no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 5859DAAE3E39B225ED0F|880|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/964-56-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/964-57-0x0000000000400000-0x0000000000608000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	whatismyipaddress.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\3C92C04E3C92C04E.bmp"	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_ButtonGraphic.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\26.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_up.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_orange.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_over.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047x576black.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\settings.html	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\31.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_dot.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\gadget.xml	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\library.js	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\logo.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\picturePuzzle.js	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_h.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jvm.hprof.txt	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_left.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passportcover.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\highlight.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\gadget.xml	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_SelectionSubpicture.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_pressed.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\picturePuzzle.css	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\gadget.xml	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\10.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_windy.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent_partly-cloudy.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogoCanary.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
612	1368	WerFault.exe	9

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
584	vssadmin.exe
812	vssadmin.exe
1840	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
964	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
964	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2036	vssvc.exe
Token: SeRestorePrivilege	2036	vssvc.exe
Token: SeAuditPrivilege	2036	vssvc.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
964	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 584	964	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe	29
PID 964 wrote to memory of 584	964	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe	29
PID 964 wrote to memory of 584	964	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe	29
PID 964 wrote to memory of 584	964	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe	29
PID 964 wrote to memory of 812	964	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe	33
PID 964 wrote to memory of 812	964	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe	33
PID 964 wrote to memory of 812	964	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe	33
PID 964 wrote to memory of 812	964	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe	33
PID 964 wrote to memory of 1840	964	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe	35
PID 964 wrote to memory of 1840	964	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe	35
PID 964 wrote to memory of 1840	964	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe	35
PID 964 wrote to memory of 1840	964	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe	35
PID 964 wrote to memory of 584	964	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe	37
PID 964 wrote to memory of 584	964	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe	37
PID 964 wrote to memory of 584	964	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe	37
PID 964 wrote to memory of 584	964	701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe	37
PID 584 wrote to memory of 1052	584	cmd.exe	39
PID 584 wrote to memory of 1052	584	cmd.exe	39
PID 584 wrote to memory of 1052	584	cmd.exe	39
PID 584 wrote to memory of 1052	584	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe
"C:\Users\Admin\AppData\Local\Temp\701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e.exe"
1⤵
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe List Shadows
  2⤵
  - Interacts with shadow copies
  PID:584
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:812
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe List Shadows
  2⤵
  - Interacts with shadow copies
  PID:1840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Windows\SysWOW64\chcp.com
    chcp
    3⤵
    PID:1052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1368 -s 636
1⤵
- Program crash
PID:612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/964-54-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/964-55-0x0000000000310000-0x00000000003E5000-memory.dmp

Filesize
852KB

Download
memory/964-56-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/964-57-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download