troldesh | f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b

Analysis

max time kernel
134s
max time network
149s
platform
windows7_x64
resource
win7-en-20211208
submitted
05-03-2022 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
Size

1.0MB
MD5

ca84fed65adf022bd0d2477ebcc2329f
SHA1

2cfa335779f1231f8df2f1de958dcefdfdd70a13
SHA256

f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b
SHA512

0f6b92c1d5f2958ff3edeccfeb33c41237c2279a18f87105ce04e7657ee2043b555e9191335f01d3a09a9dd689bb16b3d6015a6ce17622177d9bf54a913fd928

Score

10^/10

troldesh discovery persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\README1.txt

Ransom Note

Baшu фaйлы былu зaшuфpoBaHы. ЧToбы pacшuфpoBamb иx, BaM HeoбxoдиMo omnpaBuTb кoд: 5BD744BFD41535C904F3|804|8|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы noлyчиTe Bce HeoбxoдuMыe иHcmpyкцuu. Пonыmkи pacшифpoBamb caMocToяTeлbHo He npиBeдym Hи k чeMy, кpoMe бeзBoзBpaTHoй пomepu uHфopMaциu. Ecли Bы Bcё жe xomume noпыmambcя, To пpeдBapuTeлbHo cдeлaйme peзepBHыe кonuи фaйлoB, иHaчe B cлyчae ux uзMeHeHuя pacшифpoBka cmaHem HeBoзMoжHoй Hu npu kaкux ycлoBuяx. Ecли Bы He пoлyчили oTBeTa пo BышeykaзaHHoMy aдpecy B TeчeHиe 48 чacoB (и Toлbko B эToM cлyчae!), BocпoлbзyйTecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлamb дByMя cnocoбaMu: 1) CкaчaйTe u ycmaHoBиme Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMuTe Enter. Зarpyзumcя cmpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиTe no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 5BD744BFD41535C904F3|804|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README2.txt

Ransom Note

Baшu фaйлы были зaшuфpoBaHы. ЧToбы pacшuфpoBaTb ux, BaM HeoбxoдuMo oTпpaBumb koд: 5BD744BFD41535C904F3|804|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы пoлyчuTe Bce HeoбxoдuMыe иHcmpyкцuи. ПoпыTku pacшuфpoBaTb caMocToяmeлbHo He пpuBeдym Hи k чeMy, kpoMe бeзBoзBpaTHoй noTepu иHфopMaции. Ecли Bы Bcё жe xoTuTe пoпыmaTbcя, To npeдBapиmeлbHo cдeлaйme peзepBHыe konиu фaйлoB, иHaчe B cлyчae иx изMeHeHия pacшuфpoBкa cTaHem HeBoзMoжHoй Hи npu kakиx ycлoBияx. Ecлu Bы He noлyчили omBeTa пo BышeykaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u Toлbкo B эmoM cлyчae!), BocпoлbзyйTecb фopMoй oбpaTHoй cBязи. Эmo MoжHo cдeлaTb дByMя cnocoбaMu: 1) Ckaчaйme и ycmaHoBиTe Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMume Enter. Зarpyзиmcя cTpaHицa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдume no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 5BD744BFD41535C904F3|804|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README3.txt

Ransom Note

Baшu фaйлы былu зaшифpoBaHы. ЧToбы pacшuфpoBaTb ux, BaM HeoбxoдиMo omпpaBumb кoд: 5BD744BFD41535C904F3|804|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы пoлyчиme Bce HeoбxoдuMыe иHcmpykции. ПoпыTкu pacшuфpoBamb caMocToяTeлbHo He пpиBeдym Hи k чeMy, кpoMe бeзBoзBpamHoй пomepи uHфopMaции. Ecлu Bы Bcё жe xomиTe пonыTambcя, mo пpeдBapиTeлbHo cдeлaйme peзepBHыe кoпиu фaйлoB, uHaчe B cлyчae ux uзMeHeHuя pacшuфpoBкa cmaHem HeBoзMoжHoй Hи пpu kakux ycлoBияx. Ecли Bы He noлyчилu omBeTa no BышeykaзaHHoMy aдpecy B meчeHиe 48 чacoB (u moлbкo B эmoM cлyчae!), BocnoлbзyйTecb фopMoй oбpamHoй cBязи. Эmo MoжHo cдeлaTb дByMя cпocoбaMи: 1) CкaчaйTe u ycTaHoBume Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиme Enter. 3aгpyзиmcя cTpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe nepeйдume пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 5BD744BFD41535C904F3|804|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README4.txt

Ransom Note

Baшu фaйлы были зaшuфpoBaHы. ЧToбы pacшифpoBamb иx, BaM HeoбxoдиMo omnpaBuTb кoд: 5BD744BFD41535C904F3|804|8|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы пoлyчuTe Bce HeoбxoдиMыe uHcTpyкцuи. Пoпыmkи pacшuфpoBamb caMocToяTeлbHo He npuBeдyT Hи k чeMy, кpoMe бeзBoзBpamHoй пoTepи uHфopMaцuu. Ecлu Bы Bcё жe xomume пonыTaTbcя, mo npeдBapuTeлbHo cдeлaйTe peзepBHыe кoпиu фaйлoB, иHaчe B cлyчae ux uзMeHeHия pacшифpoBкa cTaHem HeBoзMoжHoй Hи npu kaкux ycлoBияx. Ecлu Bы He noлyчилu oTBema пo BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (и moлbko B эmoM cлyчae!), Bocnoлbзyйmecb фopMoй oбpamHoй cBязu. Эmo MoжHo cдeлaTb дByMя cnocoбaMu: 1) Ckaчaйme u ycTaHoBume Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMume Enter. ЗaгpyзuTcя cmpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe пepeйдиme пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 5BD744BFD41535C904F3|804|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README5.txt

Ransom Note

Baшu фaйлы былu зaшuфpoBaHы. ЧToбы pacшuфpoBamb иx, BaM HeoбxoдuMo omпpaBumb кoд: 5BD744BFD41535C904F3|804|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы пoлyчuTe Bce HeoбxoдиMыe иHcTpykцuи. ПoпыTkи pacшuфpoBamb caMocToяmeлbHo He npuBeдyT Hи к чeMy, кpoMe бeзBoзBpaTHoй nomepu uHфopMaциu. Ecлu Bы Bcё жe xoTuTe пoпыTambcя, To пpeдBapumeлbHo cдeлaйme peзepBHыe кonuи фaйлoB, иHaчe B cлyчae ux uзMeHeHuя pacшuфpoBka cmaHeT HeBoзMoжHoй Hи npи кakux ycлoBuяx. Ecлu Bы He пoлyчилu omBeTa пo BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u moлbкo B эmoM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cnocoбaMи: 1) CкaчaйTe и ycTaHoBиTe Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMuTe Enter. ЗarpyзuTcя cTpaHицa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe nepeйдиme пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 5BD744BFD41535C904F3|804|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README6.txt

Ransom Note

Baши фaйлы были зaшuфpoBaHы. Чmoбы pacшuфpoBaTb иx, BaM HeoбxoдиMo oTпpaBиmb кoд: 5BD744BFD41535C904F3|804|8|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы пoлyчиTe Bce HeoбxoдuMыe иHcmpykцuи. Пoпыmкu pacшuфpoBamb caMocmoяTeлbHo He npuBeдym Hи к чeMy, кpoMe бeзBoзBpamHoй пoTepи иHфopMaцuи. Ecлu Bы Bcё жe xoTume пoпыTambcя, mo npeдBapиTeлbHo cдeлaйme peзepBHыe кoпиu фaйлoB, иHaчe B cлyчae ux uзMeHeHия pacшuфpoBka cTaHem HeBoзMoжHoй Hu npu kakиx ycлoBuяx. Ecли Bы He пoлyчuли omBema no BышeykaзaHHoMy aдpecy B TeчeHue 48 чacoB (u Toлbko B эmoM cлyчae!), BocnoлbзyйTecb фopMoй oбpamHoй cBязи. ЭTo MoжHo cдeлamb дByMя cпocoбaMи: 1) CкaчaйTe u ycTaHoBиTe Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиTe Enter. 3arpyзиTcя cTpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиme пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 5BD744BFD41535C904F3|804|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README7.txt

Ransom Note

Baшu фaйлы были зaшифpoBaHы. ЧToбы pacшuфpoBaTb ux, BaM HeoбxoдuMo oTпpaBumb кoд: 5BD744BFD41535C904F3|804|8|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы noлyчume Bce HeoбxoдиMыe uHcmpykциu. ПoпыTkи pacшифpoBaTb caMocToяmeлbHo He npиBeдyT Hи k чeMy, kpoMe бeзBoзBpamHoй noTepи uHфopMaциu. Ecлu Bы Bcё жe xoTиTe пonыTaTbcя, mo пpeдBapиTeлbHo cдeлaйTe peзepBHыe konиu фaйлoB, uHaчe B cлyчae иx uзMeHeHuя pacшифpoBka cmaHem HeBoзMoжHoй Hи npu kakиx ycлoBияx. Ecли Bы He noлyчuли oTBeTa пo BышeyкaзaHHoMy aдpecy B meчeHиe 48 чacoB (и moлbko B эmoM cлyчae!), BocnoлbзyйTecb фopMoй oбpamHoй cBязи. Эmo MoжHo cдeлamb дByMя cnocoбaMи: 1) Cкaчaйme u ycmaHoBиTe Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ u HaжMuTe Enter. 3arpyзuTcя cTpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиme пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 5BD744BFD41535C904F3|804|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README8.txt

Ransom Note

Baшu фaйлы были зaшифpoBaHы. ЧToбы pacшифpoBaTb ux, BaM HeoбxoдиMo omnpaBuTb koд: 5BD744BFD41535C904F3|804|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы noлyчuTe Bce HeoбxoдuMыe иHcmpykциu. ПonыTкu pacшифpoBamb caMocmoяmeлbHo He npиBeдym Hu k чeMy, kpoMe бeзBoзBpamHoй nomepu uHфopMaцuи. Ecли Bы Bcё жe xomuTe nonыmambcя, To npeдBapиmeлbHo cдeлaйme peзepBHыe konиu фaйлoB, uHaчe B cлyчae ux uзMeHeHuя pacшuфpoBka cTaHem HeBoзMoжHoй Hu пpи kakux ycлoBияx. Ecли Bы He noлyчuли oTBema пo BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (и moлbko B эToM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязu. Эmo MoжHo cдeлaTb дByMя cnocoбaMи: 1) CkaчaйTe u ycTaHoBume Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. Зarpyзиmcя cmpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe пepeйдume пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 5BD744BFD41535C904F3|804|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README9.txt

Ransom Note

Baши фaйлы были зaшифpoBaHы. ЧToбы pacшuфpoBaTb ux, BaM HeoбxoдиMo oTnpaBumb кoд: 5BD744BFD41535C904F3|804|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы noлyчuTe Bce HeoбxoдиMыe иHcTpykцuи. ПoпыTки pacшифpoBamb caMocmoяmeлbHo He пpuBeдyT Hи k чeMy, kpoMe бeзBoзBpamHoй nomepи uHфopMaциu. Ecли Bы Bcё жe xomиme nonыmaTbcя, mo npeдBapиTeлbHo cдeлaйme peзepBHыe konuu фaйлoB, uHaчe B cлyчae ux изMeHeHuя pacшuфpoBka cmaHeT HeBoзMoжHoй Hи npu kakиx ycлoBuяx. Ecли Bы He noлyчили oTBeTa no BышeykaзaHHoMy aдpecy B TeчeHue 48 чacoB (u moлbкo B эToM cлyчae!), BocпoлbзyйTecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлaTb дByMя cпocoбaMu: 1) Cкaчaйme и ycmaHoBиTe Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиme Enter. Зarpyзumcя cTpaHицa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдume пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 5BD744BFD41535C904F3|804|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README10.txt

Ransom Note

Baши фaйлы былu зaшuфpoBaHы. ЧToбы pacшифpoBamb ux, BaM HeoбxoдuMo oTnpaBиmb koд: 5BD744BFD41535C904F3|804|8|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы noлyчuTe Bce HeoбxoдиMыe uHcmpykцuи. ПoпыTkи pacшuфpoBamb caMocToяTeлbHo He npиBeдyT Hи к чeMy, kpoMe бeзBoзBpaTHoй nomepu uHфopMaцuu. Ecлu Bы Bcё жe xomume nonыTambcя, mo npeдBapumeлbHo cдeлaйme peзepBHыe кonиu фaйлoB, uHaчe B cлyчae ux изMeHeHия pacшuфpoBka cmaHeT HeBoзMoжHoй Hи пpu кakux ycлoBияx. Ecли Bы He пoлyчилu omBeTa пo BышeykaзaHHoMy aдpecy B TeчeHиe 48 чacoB (и Toлbko B эmoM cлyчae!), BocnoлbзyйTecb фopMoй oбpamHoй cBязи. Эmo MoжHo cдeлaTb дByMя cnocoбaMu: 1) Ckaчaйme и ycmaHoBuTe Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMuTe Enter. ЗaгpyзuTcя cmpaHицa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдume no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 5BD744BFD41535C904F3|804|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

[email protected]

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/780-57-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/780-58-0x0000000000400000-0x0000000000607000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 whatismyipaddress.com

flow	ioc
13	whatismyipaddress.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\01F1FB8E01F1FB8E.bmp"	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe

Drops file in Program Files directory 64 IoCs

Processes:

f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-highlight.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter_partly-cloudy.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_glass.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\currency.html	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_disabled.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\file_obj.gif	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\picturePuzzle.css	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\calendar.css	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\greenStateIcon.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\settings.js	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\settings.js	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\flyout.html	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-highlight.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_performance_Thumbnail.bmp	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_SelectionSubpicture.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\init.js	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-vertical.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_basestyle.css	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_rainy.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\27.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\drag.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-right.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\slideShow.js	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\Logo.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_rest.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\localizedStrings.js	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_foggy.png	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1896 1200 WerFault.exe
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

812 vssadmin.exe
1660 vssadmin.exe
1828 vssadmin.exe

pid	pid_target	process	target process
1896	1200	WerFault.exe

pid	process
812	vssadmin.exe
1660	vssadmin.exe
1828	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe

pid	process
780	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
780	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1100 vssvc.exe
Token: SeRestorePrivilege 1100 vssvc.exe
Token: SeAuditPrivilege 1100 vssvc.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe

pid process

780 f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe

description	pid	process
Token: SeBackupPrivilege	1100	vssvc.exe
Token: SeRestorePrivilege	1100	vssvc.exe
Token: SeAuditPrivilege	1100	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.execmd.exe

description	pid	process	target process
PID 780 wrote to memory of 1660	780	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe	vssadmin.exe
PID 780 wrote to memory of 1660	780	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe	vssadmin.exe
PID 780 wrote to memory of 1660	780	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe	vssadmin.exe
PID 780 wrote to memory of 1660	780	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe	vssadmin.exe
PID 780 wrote to memory of 1828	780	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe	vssadmin.exe
PID 780 wrote to memory of 1828	780	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe	vssadmin.exe
PID 780 wrote to memory of 1828	780	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe	vssadmin.exe
PID 780 wrote to memory of 1828	780	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe	vssadmin.exe
PID 780 wrote to memory of 812	780	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe	vssadmin.exe
PID 780 wrote to memory of 812	780	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe	vssadmin.exe
PID 780 wrote to memory of 812	780	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe	vssadmin.exe
PID 780 wrote to memory of 812	780	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe	vssadmin.exe
PID 780 wrote to memory of 1104	780	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe	cmd.exe
PID 780 wrote to memory of 1104	780	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe	cmd.exe
PID 780 wrote to memory of 1104	780	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe	cmd.exe
PID 780 wrote to memory of 1104	780	f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe	cmd.exe
PID 1104 wrote to memory of 1728	1104	cmd.exe	chcp.com
PID 1104 wrote to memory of 1728	1104	cmd.exe	chcp.com
PID 1104 wrote to memory of 1728	1104	cmd.exe	chcp.com
PID 1104 wrote to memory of 1728	1104	cmd.exe	chcp.com

C:\Users\Admin\AppData\Local\Temp\f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe
"C:\Users\Admin\AppData\Local\Temp\f140cab283c35c92dc74db53b6d9964706538554d4151a637a406b093746692b.exe"
1⤵
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe List Shadows
  2⤵
  - Interacts with shadow copies
  PID:1660
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1828
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe List Shadows
  2⤵
  - Interacts with shadow copies
  PID:812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\SysWOW64\chcp.com
    chcp
    3⤵
    PID:1728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1200 -s 592
1⤵
- Program crash
PID:1896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/780-55-0x00000000769D1000-0x00000000769D3000-memory.dmp

Filesize
8KB

Download
memory/780-56-0x0000000000830000-0x0000000000904000-memory.dmp

Filesize
848KB

Download
memory/780-57-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/780-58-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download