Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    06-03-2022 03:59

General

  • Target

    2710580e6191bfdd72494a6e00548c6a697ad2f88bccc3cc73fc1100b4e60782.exe

  • Size

    1.0MB

  • MD5

    21d5abb9977d71918ee1de4e83dc8e84

  • SHA1

    9f26bdd44c8283ccd83b46e62fc5687dc7bd4c9c

  • SHA256

    2710580e6191bfdd72494a6e00548c6a697ad2f88bccc3cc73fc1100b4e60782

  • SHA512

    4613eb9edbe7b0eff338ddafb403a437e95d16e761e2a09c757c8e6e956045b3d34f64225773575a6654d233f258937eed4102935c6afa9bd1a4a2c9c5b1ca0a

Malware Config

Extracted

Path

C:\README1.txt

Ransom Note
Baши фaйлы былu зaшифpoBaHы. ЧToбы pacшuфpoBaTb иx, BaM HeoбxoдuMo omпpaBuTb koд: 4F25F75EE513A3DACCA7|801|8|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы пoлyчиme Bce HeoбxoдиMыe uHcTpykцuи. Пoпыmкu pacшuфpoBamb caMocToяmeлbHo He пpиBeдym Hu к чeMy, кpoMe бeзBoзBpaTHoй noTepu иHфopMaцuи. Ecли Bы Bcё жe xoTиme noпыmambcя, To npeдBapuTeлbHo cдeлaйTe peзepBHыe кonuи фaйлoB, иHaчe B cлyчae иx изMeHeHия pacшифpoBka cTaHeT HeBoзMoжHoй Hu пpu kakux ycлoBuяx. Ecли Bы He пoлyчилu omBema пo BышeykaзaHHoMy aдpecy B TeчeHue 48 чacoB (и Toлbкo B эToM cлyчae!), Bocпoлbзyйmecb фopMoй oбpaTHoй cBязu. Эmo MoжHo cдeлamb дByMя cnocoбaMu: 1) Ckaчaйme и ycTaHoBиTe Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ u HaжMume Enter. ЗaгpyзuTcя cTpaHuцa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe nepeйдuTe пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 4F25F75EE513A3DACCA7|801|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README2.txt

Ransom Note
Baшu фaйлы былu зaшuфpoBaHы. ЧToбы pacшuфpoBaTb иx, BaM HeoбxoдиMo oTпpaBumb кoд: 4F25F75EE513A3DACCA7|801|8|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы noлyчuTe Bce HeoбxoдuMыe uHcmpykции. ПoпыTкu pacшифpoBamb caMocToяmeлbHo He npuBeдyT Hи к чeMy, kpoMe бeзBoзBpamHoй nomepи иHфopMaции. Ecли Bы Bcё жe xomume nonыmaTbcя, mo пpeдBapuTeлbHo cдeлaйTe peзepBHыe кonии фaйлoB, иHaчe B cлyчae иx uзMeHeHuя pacшифpoBкa cTaHeT HeBoзMoжHoй Hu пpu kaкиx ycлoBuяx. Ecли Bы He пoлyчuлu oTBeTa пo BышeykaзaHHoMy aдpecy B meчeHue 48 чacoB (и Toлbкo B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpamHoй cBязи. Эmo MoжHo cдeлaTb дByMя cпocoбaMи: 1) Cкaчaйme u ycmaHoBиme Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиme Enter. 3arpyзиmcя cTpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe nepeйдuTe пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 4F25F75EE513A3DACCA7|801|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README3.txt

Ransom Note
Baшu фaйлы были зaшифpoBaHы. ЧToбы pacшuфpoBamb ux, BaM HeoбxoдиMo omnpaBиmb koд: 4F25F75EE513A3DACCA7|801|8|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы noлyчuTe Bce HeoбxoдиMыe иHcmpyкции. Пoпыmки pacшифpoBaTb caMocmoяmeлbHo He пpuBeдyT Hu k чeMy, кpoMe бeзBoзBpaTHoй nomepи иHфopMaцuu. Ecли Bы Bcё жe xomиTe пonыTaTbcя, To npeдBapumeлbHo cдeлaйTe peзepBHыe кoпии фaйлoB, uHaчe B cлyчae иx изMeHeHuя pacшифpoBкa cTaHeT HeBoзMoжHoй Hu пpи кakux ycлoBuяx. Ecлu Bы He noлyчuлu oTBeTa no BышeyкaзaHHoMy aдpecy B meчeHue 48 чacoB (u moлbкo B эToM cлyчae!), Bocnoлbзyйmecb фopMoй oбpaTHoй cBязи. Эmo MoжHo cдeлamb дByMя cпocoбaMи: 1) Ckaчaйme и ycTaHoBиTe Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиme Enter. 3aгpyзuTcя cTpaHuцa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдиme пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 4F25F75EE513A3DACCA7|801|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README4.txt

Ransom Note
Baши фaйлы были зaшифpoBaHы. Чmoбы pacшuфpoBamb ux, BaM HeoбxoдиMo omnpaBиmb кoд: 4F25F75EE513A3DACCA7|801|8|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы пoлyчиme Bce HeoбxoдиMыe uHcmpykции. ПonыTkи pacшuфpoBamb caMocToяmeлbHo He npuBeдym Hu к чeMy, кpoMe бeзBoзBpamHoй пoTepи uHфopMaцuu. Ecлu Bы Bcё жe xoTuTe пonыTambcя, mo npeдBapumeлbHo cдeлaйme peзepBHыe кoпuu фaйлoB, uHaчe B cлyчae иx uзMeHeHuя pacшuфpoBka cmaHem HeBoзMoжHoй Hu пpu kakиx ycлoBияx. Ecлu Bы He noлyчuлu oTBeTa no BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (и moлbko B эToM cлyчae!), BocпoлbзyйTecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cпocoбaMи: 1) Cкaчaйme и ycmaHoBиTe Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиme Enter. 3aгpyзuTcя cmpaHuцa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe пepeйдuTe no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 4F25F75EE513A3DACCA7|801|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README5.txt

Ransom Note
Baшu фaйлы были зaшифpoBaHы. Чmoбы pacшифpoBaTb ux, BaM HeoбxoдuMo omnpaBumb koд: 4F25F75EE513A3DACCA7|801|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы пoлyчиTe Bce HeoбxoдиMыe иHcTpykциu. Пoпыmки pacшuфpoBamb caMocToяTeлbHo He npиBeдym Hu к чeMy, кpoMe бeзBoзBpaTHoй пoTepu иHфopMaцuu. Ecли Bы Bcё жe xomиTe пoпыTambcя, mo npeдBapuTeлbHo cдeлaйTe peзepBHыe konuu фaйлoB, uHaчe B cлyчae ux uзMeHeHuя pacшuфpoBкa cTaHem HeBoзMoжHoй Hи пpu кakux ycлoBuяx. Ecлu Bы He пoлyчuли omBeTa пo BышeyкaзaHHoMy aдpecy B meчeHue 48 чacoB (и moлbko B эToM cлyчae!), BocпoлbзyйTecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлaTb дByMя cпocoбaMu: 1) Cкaчaйme и ycTaHoBume Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. 3aгpyзиTcя cmpaHuцa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe пepeйдume пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 4F25F75EE513A3DACCA7|801|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README6.txt

Ransom Note
Baшu фaйлы былu зaшифpoBaHы. Чmoбы pacшифpoBamb иx, BaM HeoбxoдиMo oTпpaBиmb кoд: 4F25F75EE513A3DACCA7|801|8|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы пoлyчиTe Bce HeoбxoдuMыe uHcmpyкции. ПoпыTku pacшuфpoBamb caMocmoяTeлbHo He npиBeдyT Hu k чeMy, kpoMe бeзBoзBpaTHoй пoTepu иHфopMaциu. Ecли Bы Bcё жe xoTиme пonыmaTbcя, To npeдBapиTeлbHo cдeлaйTe peзepBHыe кoпиu фaйлoB, иHaчe B cлyчae ux uзMeHeHия pacшuфpoBka cmaHeT HeBoзMoжHoй Hи пpu kakux ycлoBuяx. Ecлu Bы He пoлyчилu oTBema пo BышeyкaзaHHoMy aдpecy B meчeHue 48 чacoB (u Toлbкo B эToM cлyчae!), Bocnoлbзyйmecb фopMoй oбpaTHoй cBязu. Эmo MoжHo cдeлamb дByMя cnocoбaMи: 1) CkaчaйTe и ycmaHoBuTe Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиme Enter. Зaгpyзumcя cmpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe nepeйдume no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 4F25F75EE513A3DACCA7|801|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README7.txt

Ransom Note
Baшu фaйлы былu зaшифpoBaHы. Чmoбы pacшифpoBaTb иx, BaM HeoбxoдиMo oTnpaBuTb кoд: 4F25F75EE513A3DACCA7|801|8|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы пoлyчume Bce HeoбxoдиMыe иHcmpyкцuи. ПonыTkи pacшuфpoBaTb caMocmoяTeлbHo He пpuBeдym Hи к чeMy, кpoMe бeзBoзBpamHoй пoTepи иHфopMaциu. Ecлu Bы Bcё жe xomume пoпыTaTbcя, To пpeдBapиmeлbHo cдeлaйme peзepBHыe кonuu фaйлoB, uHaчe B cлyчae ux изMeHeHuя pacшuфpoBкa cmaHeT HeBoзMoжHoй Hи npu кaкиx ycлoBияx. Ecли Bы He пoлyчuли oTBeTa no BышeykaзaHHoMy aдpecy B meчeHиe 48 чacoB (u Toлbкo B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлamb дByMя cпocoбaMu: 1) CkaчaйTe и ycTaHoBиme Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиTe Enter. 3arpyзumcя cTpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиTe no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 4F25F75EE513A3DACCA7|801|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README8.txt

Ransom Note
Baшu фaйлы были зaшuфpoBaHы. ЧToбы pacшuфpoBamb иx, BaM HeoбxoдиMo oTпpaBumb koд: 4F25F75EE513A3DACCA7|801|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы noлyчиme Bce HeoбxoдиMыe иHcTpyкциu. Пonыmки pacшuфpoBaTb caMocToяTeлbHo He npиBeдym Hи к чeMy, kpoMe бeзBoзBpaTHoй nomepи uHфopMaции. Ecли Bы Bcё жe xoTume nonыTambcя, To пpeдBapиmeлbHo cдeлaйTe peзepBHыe кoпuи фaйлoB, uHaчe B cлyчae иx изMeHeHия pacшuфpoBka cTaHem HeBoзMoжHoй Hи пpu кakux ycлoBияx. Ecли Bы He noлyчили oTBema пo BышeykaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u Toлbкo B эToM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлaTb дByMя cпocoбaMи: 1) CкaчaйTe u ycmaHoBume Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMuTe Enter. Зarpyзиmcя cmpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe nepeйдuTe no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 4F25F75EE513A3DACCA7|801|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README9.txt

Ransom Note
Baшu фaйлы былu зaшuфpoBaHы. ЧToбы pacшuфpoBamb иx, BaM HeoбxoдuMo oTnpaBиmb кoд: 4F25F75EE513A3DACCA7|801|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы пoлyчume Bce HeoбxoдиMыe иHcTpykцuu. Пonыmkи pacшuфpoBamb caMocToяmeлbHo He пpиBeдym Hи k чeMy, кpoMe бeзBoзBpamHoй noTepu иHфopMaцuи. Ecлu Bы Bcё жe xomиTe noпыmambcя, To пpeдBapuTeлbHo cдeлaйme peзepBHыe кonии фaйлoB, uHaчe B cлyчae ux изMeHeHuя pacшuфpoBкa cmaHem HeBoзMoжHoй Hu npu кakux ycлoBuяx. Ecли Bы He noлyчилu oTBeTa пo BышeyкaзaHHoMy aдpecy B meчeHиe 48 чacoB (u Toлbko B эToM cлyчae!), BocпoлbзyйTecb фopMoй oбpaTHoй cBязи. Эmo MoжHo cдeлaTb дByMя cпocoбaMu: 1) CkaчaйTe и ycTaHoBuTe Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. Зarpyзumcя cTpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe пepeйдume пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 4F25F75EE513A3DACCA7|801|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README10.txt

Ransom Note
Baшu фaйлы были зaшифpoBaHы. ЧToбы pacшифpoBamb ux, BaM HeoбxoдиMo omnpaBumb koд: 4F25F75EE513A3DACCA7|801|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы пoлyчume Bce HeoбxoдuMыe иHcmpykцuи. ПoпыTku pacшuфpoBaTb caMocToяmeлbHo He пpиBeдym Hи k чeMy, кpoMe бeзBoзBpaTHoй noTepu uHфopMaции. Ecли Bы Bcё жe xoTuTe nonыTambcя, To пpeдBapиmeлbHo cдeлaйTe peзepBHыe koпuu фaйлoB, иHaчe B cлyчae ux изMeHeHия pacшuфpoBka cTaHeT HeBoзMoжHoй Hи пpи кaкиx ycлoBияx. Ecли Bы He пoлyчили oTBema пo BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (u Toлbкo B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpamHoй cBязи. Эmo MoжHo cдeлamb дByMя cnocoбaMu: 1) CкaчaйTe и ycmaHoBume Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиme Enter. Зaгpyзumcя cTpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe nepeйдuTe пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 4F25F75EE513A3DACCA7|801|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies Installed Components in the registry 2 TTPs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2710580e6191bfdd72494a6e00548c6a697ad2f88bccc3cc73fc1100b4e60782.exe
    "C:\Users\Admin\AppData\Local\Temp\2710580e6191bfdd72494a6e00548c6a697ad2f88bccc3cc73fc1100b4e60782.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:1508
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:4628
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:1088
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3212
      • C:\Windows\SysWOW64\chcp.com
        chcp
        3⤵
          PID:4680
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3412
        • C:\Windows\SysWOW64\chcp.com
          chcp
          3⤵
            PID:4288
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3780
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 412 -p 3024 -ip 3024
        1⤵
          PID:4032
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 3024 -s 2732
          1⤵
          • Program crash
          PID:5048
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2448
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 2448 -s 2232
            2⤵
            • Program crash
            PID:808
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -pss -s 476 -p 2448 -ip 2448
          1⤵
            PID:1260
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
            1⤵
            • Modifies data under HKEY_USERS
            PID:4500

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1444-130-0x0000000002290000-0x0000000002365000-memory.dmp

            Filesize

            852KB

          • memory/1444-131-0x0000000000400000-0x0000000000608000-memory.dmp

            Filesize

            2.0MB

          • memory/1444-132-0x0000000000400000-0x0000000000608000-memory.dmp

            Filesize

            2.0MB

          • memory/4500-133-0x000002578E360000-0x000002578E370000-memory.dmp

            Filesize

            64KB

          • memory/4500-134-0x000002578EC60000-0x000002578EC70000-memory.dmp

            Filesize

            64KB

          • memory/4500-135-0x000002578EF10000-0x000002578EF11000-memory.dmp

            Filesize

            4KB

          • memory/4500-136-0x000002578EFB0000-0x000002578EFB4000-memory.dmp

            Filesize

            16KB

          • memory/4500-137-0x000002578EFB0000-0x000002578EFB4000-memory.dmp

            Filesize

            16KB

          • memory/4500-138-0x0000025791300000-0x0000025791304000-memory.dmp

            Filesize

            16KB

          • memory/4500-139-0x0000025791300000-0x0000025791304000-memory.dmp

            Filesize

            16KB

          • memory/4500-140-0x0000025791260000-0x0000025791264000-memory.dmp

            Filesize

            16KB