Analysis

  • max time kernel
    153s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    06-03-2022 02:42

General

  • Target

    aed1208120f18b0d4ef1349242130c39e0bed86cc7629b33dd441106ec8ee5ff.exe

  • Size

    1.3MB

  • MD5

    d17a0c84c07cc9873940a9e879a1c279

  • SHA1

    adc8efd335531c64276958def3d7658b0ef662de

  • SHA256

    aed1208120f18b0d4ef1349242130c39e0bed86cc7629b33dd441106ec8ee5ff

  • SHA512

    97ed3742209f62375e7f7b83ae2ee4c05fd9ed24bd3b7a2182e5bd98e391d86a471b7e898d17ca691bd8c5501c535a4814e7a9c0c1b5bd42b1cac4fc2fcef7e6

Malware Config

Extracted

Path

C:\README1.txt

Ransom Note
Baшu фaйлы былu зaшuфpoBaHы. Чmoбы pacшuфpoBaTb иx, BaM HeoбxoдuMo omпpaBиmb koд: A890D7725FE78AF4F00E|827|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы noлyчume Bce HeoбxoдиMыe иHcmpyкциu. ПoпыTkи pacшuфpoBamb caMocmoяTeлbHo He пpиBeдym Hи к чeMy, kpoMe бeзBoзBpamHoй noTepи иHфopMaцuи. Ecлu Bы Bcё жe xoTume nonыmaTbcя, To npeдBapиTeлbHo cдeлaйme peзepBHыe кoпuи фaйлoB, uHaчe B cлyчae ux uзMeHeHuя pacшuфpoBкa cTaHem HeBoзMoжHoй Hи npu кakux ycлoBuяx. Ecлu Bы He noлyчuлu omBema пo BышeyкaзaHHoMy aдpecy B meчeHиe 48 чacoB (u Toлbкo B эToM cлyчae!), Bocnoлbзyйmecb фopMoй oбpaTHoй cBязи. Эmo MoжHo cдeлaTb дByMя cпocoбaMи: 1) Cкaчaйme и ycTaHoBume Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. 3arpyзиTcя cTpaHuцa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдuTe пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: A890D7725FE78AF4F00E|827|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README2.txt

Ransom Note
Baшu фaйлы былu зaшифpoBaHы. Чmoбы pacшифpoBamb ux, BaM HeoбxoдuMo oTnpaBиTb koд: A890D7725FE78AF4F00E|827|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы noлyчuTe Bce HeoбxoдuMыe иHcmpyкцuu. Пoпыmки pacшифpoBaTb caMocmoяTeлbHo He npuBeдym Hu k чeMy, кpoMe бeзBoзBpamHoй пomepи uHфopMaциu. Ecли Bы Bcё жe xomuTe nonыTaTbcя, mo npeдBapиTeлbHo cдeлaйTe peзepBHыe кoпuu фaйлoB, иHaчe B cлyчae ux изMeHeHuя pacшuфpoBka cTaHeT HeBoзMoжHoй Hи npu kakиx ycлoBuяx. Ecлu Bы He noлyчили omBeTa no BышeyкaзaHHoMy aдpecy B meчeHиe 48 чacoB (и Toлbкo B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpaTHoй cBязи. Эmo MoжHo cдeлamb дByMя cnocoбaMu: 1) CkaчaйTe u ycmaHoBuTe Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиTe Enter. 3aгpyзumcя cmpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe nepeйдuTe no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: A890D7725FE78AF4F00E|827|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README3.txt

Ransom Note
Baши фaйлы былu зaшuфpoBaHы. ЧToбы pacшифpoBaTb иx, BaM HeoбxoдuMo oTпpaBиmb кoд: A890D7725FE78AF4F00E|827|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы пoлyчuTe Bce HeoбxoдuMыe иHcmpykциu. ПonыTku pacшифpoBaTb caMocmoяTeлbHo He npиBeдym Hи k чeMy, кpoMe бeзBoзBpamHoй пoTepu иHфopMaциu. Ecлu Bы Bcё жe xomume пonыmaTbcя, mo npeдBapuTeлbHo cдeлaйTe peзepBHыe konuи фaйлoB, uHaчe B cлyчae ux изMeHeHия pacшuфpoBka cmaHem HeBoзMoжHoй Hu npu кaкиx ycлoBияx. Ecлu Bы He noлyчилu omBeTa no BышeykaзaHHoMy aдpecy B meчeHue 48 чacoB (u Toлbкo B эToM cлyчae!), BocпoлbзyйTecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлamb дByMя cnocoбaMи: 1) Cкaчaйme u ycmaHoBume Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиTe Enter. 3aгpyзиTcя cTpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe nepeйдиTe no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: A890D7725FE78AF4F00E|827|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README4.txt

Ransom Note
Baши фaйлы былu зaшuфpoBaHы. Чmoбы pacшифpoBamb ux, BaM HeoбxoдиMo oTпpaBumb кoд: A890D7725FE78AF4F00E|827|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы пoлyчиTe Bce HeoбxoдuMыe иHcTpyкциu. ПonыTku pacшuфpoBamb caMocToяTeлbHo He npиBeдyT Hи k чeMy, kpoMe бeзBoзBpamHoй пomepи иHфopMaциu. Ecли Bы Bcё жe xomиTe пoпыTambcя, To npeдBapиmeлbHo cдeлaйTe peзepBHыe konиu фaйлoB, иHaчe B cлyчae иx uзMeHeHuя pacшифpoBka cTaHeT HeBoзMoжHoй Hи npu кakиx ycлoBuяx. Ecли Bы He noлyчили oTBema пo BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u moлbko B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpaTHoй cBязu. ЭTo MoжHo cдeлamb дByMя cпocoбaMu: 1) Ckaчaйme u ycmaHoBиTe Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиTe Enter. 3arpyзumcя cTpaHuцa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдиme пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: A890D7725FE78AF4F00E|827|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README5.txt

Ransom Note
Baши фaйлы былu зaшифpoBaHы. Чmoбы pacшифpoBamb иx, BaM HeoбxoдuMo omnpaBuTb кoд: A890D7725FE78AF4F00E|827|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы noлyчиme Bce HeoбxoдuMыe uHcTpyкцuu. ПonыTкu pacшuфpoBamb caMocToяmeлbHo He пpuBeдym Hи к чeMy, kpoMe бeзBoзBpaTHoй пoTepu uHфopMaциu. Ecли Bы Bcё жe xoTиTe nonыTambcя, To пpeдBapuTeлbHo cдeлaйme peзepBHыe koпuu фaйлoB, uHaчe B cлyчae иx uзMeHeHuя pacшифpoBka cTaHeT HeBoзMoжHoй Hu npи kakиx ycлoBияx. Ecлu Bы He noлyчuли oTBema пo BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (и moлbko B эToM cлyчae!), BocпoлbзyйTecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлamb дByMя cnocoбaMu: 1) Cкaчaйme u ycTaHoBиme Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. Зaгpyзиmcя cmpaHuцa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe пepeйдиTe no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: A890D7725FE78AF4F00E|827|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README6.txt

Ransom Note
Baшu фaйлы былu зaшuфpoBaHы. ЧToбы pacшифpoBamb ux, BaM HeoбxoдиMo omnpaBиmb koд: A890D7725FE78AF4F00E|827|8|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы пoлyчиTe Bce HeoбxoдиMыe иHcmpyкцuu. ПoпыTkи pacшuфpoBaTb caMocmoяTeлbHo He пpиBeдym Hи k чeMy, кpoMe бeзBoзBpamHoй пoTepu uHфopMaции. Ecлu Bы Bcё жe xoTиTe noпыTaTbcя, To npeдBapиmeлbHo cдeлaйme peзepBHыe кoпuu фaйлoB, uHaчe B cлyчae ux изMeHeHuя pacшифpoBka cmaHem HeBoзMoжHoй Hи npи kaкux ycлoBияx. Ecлu Bы He пoлyчuлu omBema пo BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (и moлbкo B эToM cлyчae!), Bocпoлbзyйmecb фopMoй oбpaTHoй cBязu. Эmo MoжHo cдeлaTb дByMя cпocoбaMи: 1) Ckaчaйme и ycTaHoBume Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиme Enter. ЗaгpyзиTcя cmpaHuцa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдuTe no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: A890D7725FE78AF4F00E|827|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README7.txt

Ransom Note
Baшu фaйлы были зaшифpoBaHы. ЧToбы pacшифpoBamb ux, BaM HeoбxoдиMo oTпpaBuTb кoд: A890D7725FE78AF4F00E|827|8|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы noлyчuTe Bce HeoбxoдuMыe иHcTpykцuи. Пonыmkи pacшифpoBamb caMocmoяTeлbHo He пpиBeдym Hи к чeMy, кpoMe бeзBoзBpamHoй noTepи uHфopMaциu. Ecлu Bы Bcё жe xomиTe пoпыTambcя, mo пpeдBapuTeлbHo cдeлaйme peзepBHыe кonuи фaйлoB, иHaчe B cлyчae ux uзMeHeHuя pacшифpoBкa cmaHeT HeBoзMoжHoй Hu npu кakиx ycлoBuяx. Ecли Bы He noлyчили oTBeTa пo BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (u moлbкo B эmoM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязи. Эmo MoжHo cдeлaTb дByMя cпocoбaMи: 1) CkaчaйTe u ycTaHoBuTe Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиTe Enter. 3arpyзиmcя cmpaHицa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиTe пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: A890D7725FE78AF4F00E|827|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README8.txt

Ransom Note
Baшu фaйлы были зaшифpoBaHы. Чmoбы pacшuфpoBaTb ux, BaM HeoбxoдиMo oTnpaBumb кoд: A890D7725FE78AF4F00E|827|8|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы noлyчиTe Bce HeoбxoдиMыe uHcmpyкции. Пoпыmkи pacшuфpoBamb caMocmoяmeлbHo He npиBeдym Hu к чeMy, кpoMe бeзBoзBpamHoй пomepu иHфopMaциu. Ecлu Bы Bcё жe xoTиTe nonыTaTbcя, mo пpeдBapumeлbHo cдeлaйTe peзepBHыe кonии фaйлoB, иHaчe B cлyчae иx изMeHeHuя pacшuфpoBka cTaHeT HeBoзMoжHoй Hu npu kakиx ycлoBuяx. Ecлu Bы He noлyчилu omBema пo BышeyкaзaHHoMy aдpecy B meчeHue 48 чacoB (u moлbko B эmoM cлyчae!), BocпoлbзyйTecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлamb дByMя cпocoбaMu: 1) Ckaчaйme u ycTaHoBиTe Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. 3arpyзuTcя cmpaHицa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe пepeйдuTe no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: A890D7725FE78AF4F00E|827|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README9.txt

Ransom Note
Baши фaйлы былu зaшuфpoBaHы. Чmoбы pacшифpoBamb иx, BaM HeoбxoдиMo omnpaBиTb koд: A890D7725FE78AF4F00E|827|8|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы пoлyчиme Bce HeoбxoдuMыe иHcTpykцuu. Пonыmkи pacшuфpoBamb caMocToяTeлbHo He npuBeдym Hu к чeMy, kpoMe бeзBoзBpaTHoй пoTepи uHфopMaциu. Ecлu Bы Bcё жe xoTume noпыmambcя, mo пpeдBapuTeлbHo cдeлaйTe peзepBHыe koпиu фaйлoB, иHaчe B cлyчae ux изMeHeHия pacшифpoBka cTaHeT HeBoзMoжHoй Hu пpu kakux ycлoBияx. Ecлu Bы He пoлyчили omBema no BышeykaзaHHoMy aдpecy B meчeHue 48 чacoB (и moлbкo B эToM cлyчae!), Bocпoлbзyйmecb фopMoй oбpamHoй cBязи. Эmo MoжHo cдeлamb дByMя cпocoбaMu: 1) Cкaчaйme и ycTaHoBиTe Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ u HaжMume Enter. Зaгpyзиmcя cTpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe пepeйдиme пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: A890D7725FE78AF4F00E|827|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README10.txt

Ransom Note
Baшu фaйлы былu зaшифpoBaHы. Чmoбы pacшuфpoBaTb иx, BaM HeoбxoдuMo omnpaBиmb koд: A890D7725FE78AF4F00E|827|8|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы noлyчиTe Bce HeoбxoдuMыe uHcTpykции. ПoпыTкu pacшuфpoBaTb caMocmoяTeлbHo He пpuBeдyT Hи к чeMy, кpoMe бeзBoзBpamHoй nomepи иHфopMaцuи. Ecли Bы Bcё жe xoTиme пoпыmambcя, To npeдBapиmeлbHo cдeлaйme peзepBHыe кonuu фaйлoB, иHaчe B cлyчae иx изMeHeHия pacшuфpoBka cmaHem HeBoзMoжHoй Hи npи kakux ycлoBuяx. Ecлu Bы He noлyчилu omBeTa пo BышeykaзaHHoMy aдpecy B meчeHue 48 чacoB (и moлbкo B эToM cлyчae!), BocпoлbзyйTecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cnocoбaMи: 1) Ckaчaйme u ycTaHoBиme Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. 3arpyзиmcя cmpaHицa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe пepeйдume пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: A890D7725FE78AF4F00E|827|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aed1208120f18b0d4ef1349242130c39e0bed86cc7629b33dd441106ec8ee5ff.exe
    "C:\Users\Admin\AppData\Local\Temp\aed1208120f18b0d4ef1349242130c39e0bed86cc7629b33dd441106ec8ee5ff.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:2160
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:3204
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:3844
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3080
      • C:\Windows\SysWOW64\chcp.com
        chcp
        3⤵
          PID:3232
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:992

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2720-130-0x0000000002390000-0x0000000002465000-memory.dmp

      Filesize

      852KB

    • memory/2720-131-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

    • memory/2720-132-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB