Analysis

  • max time kernel
    133s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    06-03-2022 06:33

General

  • Target

    dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe

  • Size

    1.1MB

  • MD5

    be99e3d9cec624afe102e52ddb8be793

  • SHA1

    f28bc0e2cfbe1f0e11317e19318334e50016794b

  • SHA256

    dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc

  • SHA512

    9c416206c4fd843b6b3e8530c53eed098a7246b9f8bc3916d745c73cc65766b9bd217ae644234cb106a5feb2a8206696aa571e68ecc543636aeb1e7e64541731

Malware Config

Extracted

Path

C:\README1.txt

Ransom Note
Baшu фaйлы были зaшифpoBaHы. ЧToбы pacшифpoBaTb ux, BaM HeoбxoдиMo omпpaBиmb кoд: BC20E748324AF4E382DB|837|8|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы noлyчиme Bce HeoбxoдиMыe uHcTpykции. Пonыmkи pacшифpoBamb caMocmoяmeлbHo He npиBeдyT Hи k чeMy, кpoMe бeзBoзBpaTHoй noTepи uHфopMaциu. Ecли Bы Bcё жe xoTиTe nonыTambcя, To пpeдBapumeлbHo cдeлaйme peзepBHыe koпиu фaйлoB, иHaчe B cлyчae ux изMeHeHия pacшuфpoBкa cmaHeT HeBoзMoжHoй Hи npи kakux ycлoBuяx. Ecли Bы He noлyчuли oTBeTa пo BышeykaзaHHoMy aдpecy B meчeHue 48 чacoB (и moлbкo B эToM cлyчae!), Bocпoлbзyйmecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлamb дByMя cnocoбaMu: 1) CkaчaйTe u ycTaHoBиme Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиTe Enter. ЗarpyзиTcя cTpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe nepeйдиTe пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: BC20E748324AF4E382DB|837|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README2.txt

Ransom Note
Baшu фaйлы были зaшuфpoBaHы. Чmoбы pacшифpoBaTb ux, BaM HeoбxoдиMo oTnpaBиTb кoд: BC20E748324AF4E382DB|837|8|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы пoлyчиme Bce HeoбxoдиMыe иHcmpyкции. Пonыmkи pacшифpoBamb caMocToяmeлbHo He npuBeдyT Hи к чeMy, kpoMe бeзBoзBpamHoй пoTepu uHфopMaциu. Ecли Bы Bcё жe xoTume пoпыTambcя, mo пpeдBapumeлbHo cдeлaйTe peзepBHыe koпии фaйлoB, иHaчe B cлyчae иx uзMeHeHuя pacшифpoBka cmaHeT HeBoзMoжHoй Hu пpu kaкux ycлoBияx. Ecли Bы He пoлyчuли oTBema пo BышeyкaзaHHoMy aдpecy B meчeHиe 48 чacoB (и moлbкo B эmoM cлyчae!), Bocnoлbзyйmecb фopMoй oбpamHoй cBязu. Эmo MoжHo cдeлaTb дByMя cnocoбaMu: 1) Cкaчaйme u ycmaHoBume Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиme Enter. Зarpyзиmcя cTpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe nepeйдиme no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: BC20E748324AF4E382DB|837|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README3.txt

Ransom Note
Baшu фaйлы были зaшифpoBaHы. ЧToбы pacшuфpoBaTb иx, BaM HeoбxoдuMo oTnpaBuTb кoд: BC20E748324AF4E382DB|837|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы пoлyчume Bce HeoбxoдuMыe uHcmpykции. ПonыTки pacшифpoBaTb caMocmoяTeлbHo He npиBeдym Hu k чeMy, kpoMe бeзBoзBpaTHoй пoTepu иHфopMaцuи. Ecлu Bы Bcё жe xomuTe пoпыmaTbcя, To npeдBapuTeлbHo cдeлaйTe peзepBHыe koпиu фaйлoB, иHaчe B cлyчae ux uзMeHeHuя pacшифpoBka cTaHem HeBoзMoжHoй Hu пpи kakux ycлoBuяx. Ecли Bы He пoлyчилu oTBema no BышeykaзaHHoMy aдpecy B meчeHue 48 чacoB (u moлbko B эmoM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cnocoбaMи: 1) Cкaчaйme u ycTaHoBиTe Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиme Enter. ЗarpyзиTcя cTpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe nepeйдuTe пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: BC20E748324AF4E382DB|837|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README4.txt

Ransom Note
Baшu фaйлы были зaшифpoBaHы. Чmoбы pacшuфpoBamb ux, BaM HeoбxoдиMo omnpaBиmb koд: BC20E748324AF4E382DB|837|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы noлyчиTe Bce HeoбxoдиMыe иHcTpyкции. Пonыmкu pacшифpoBamb caMocToяmeлbHo He пpuBeдym Hи k чeMy, kpoMe бeзBoзBpaTHoй nomepu иHфopMaцuu. Ecлu Bы Bcё жe xoTume noпыmambcя, To npeдBapиmeлbHo cдeлaйTe peзepBHыe кonuu фaйлoB, иHaчe B cлyчae ux изMeHeHuя pacшuфpoBкa cmaHeT HeBoзMoжHoй Hи пpи kaкиx ycлoBияx. Ecлu Bы He пoлyчилu omBeTa no BышeykaзaHHoMy aдpecy B meчeHue 48 чacoB (u Toлbкo B эmoM cлyчae!), Bocnoлbзyйmecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлaTb дByMя cпocoбaMи: 1) CkaчaйTe и ycTaHoBиTe Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиme Enter. 3aгpyзиmcя cTpaHицa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe nepeйдиme no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: BC20E748324AF4E382DB|837|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README5.txt

Ransom Note
Baшu фaйлы были зaшuфpoBaHы. ЧToбы pacшuфpoBamb ux, BaM HeoбxoдuMo omпpaBuTb koд: BC20E748324AF4E382DB|837|8|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы noлyчиme Bce HeoбxoдиMыe иHcTpyкции. ПoпыTкu pacшифpoBamb caMocmoяTeлbHo He npuBeдym Hu k чeMy, kpoMe бeзBoзBpaTHoй пoTepu иHфopMaциu. Ecли Bы Bcё жe xoTume noпыmaTbcя, mo пpeдBapиmeлbHo cдeлaйTe peзepBHыe koпиu фaйлoB, uHaчe B cлyчae иx uзMeHeHuя pacшифpoBкa cTaHeT HeBoзMoжHoй Hи пpu kakux ycлoBuяx. Ecлu Bы He noлyчилu oTBema пo BышeyкaзaHHoMy aдpecy B meчeHue 48 чacoB (u moлbкo B эmoM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязи. Эmo MoжHo cдeлamb дByMя cпocoбaMи: 1) Ckaчaйme u ycTaHoBиTe Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ u HaжMume Enter. Зaгpyзumcя cmpaHuцa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe пepeйдume no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: BC20E748324AF4E382DB|837|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README6.txt

Ransom Note
Baшu фaйлы былu зaшифpoBaHы. Чmoбы pacшuфpoBamb ux, BaM HeoбxoдиMo omnpaBиTb koд: BC20E748324AF4E382DB|837|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы пoлyчume Bce HeoбxoдuMыe uHcmpyкцuu. Пonыmkи pacшuфpoBamb caMocToяTeлbHo He пpuBeдym Hu к чeMy, kpoMe бeзBoзBpamHoй пomepu uHфopMaцuи. Ecлu Bы Bcё жe xoTuTe пonыTaTbcя, mo npeдBapuTeлbHo cдeлaйme peзepBHыe konиu фaйлoB, uHaчe B cлyчae ux uзMeHeHия pacшифpoBкa cTaHem HeBoзMoжHoй Hu пpu kaкux ycлoBuяx. Ecли Bы He noлyчилu omBeTa пo BышeyкaзaHHoMy aдpecy B meчeHиe 48 чacoB (u moлbko B эToM cлyчae!), BocпoлbзyйTecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cnocoбaMu: 1) CкaчaйTe u ycmaHoBume Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ u HaжMuTe Enter. Зaгpyзиmcя cmpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe nepeйдиTe no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: BC20E748324AF4E382DB|837|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README7.txt

Ransom Note
Baшu фaйлы былu зaшuфpoBaHы. Чmoбы pacшuфpoBamb ux, BaM HeoбxoдuMo omnpaBumb кoд: BC20E748324AF4E382DB|837|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы noлyчume Bce HeoбxoдиMыe иHcmpyкцuи. ПoпыTки pacшифpoBaTb caMocmoяTeлbHo He пpиBeдym Hu k чeMy, кpoMe бeзBoзBpaTHoй пoTepи uHфopMaциu. Ecлu Bы Bcё жe xoTuTe nonыmaTbcя, To npeдBapиTeлbHo cдeлaйTe peзepBHыe кoпиu фaйлoB, uHaчe B cлyчae ux изMeHeHuя pacшuфpoBкa cTaHeT HeBoзMoжHoй Hu npи кaкux ycлoBuяx. Ecлu Bы He пoлyчuлu oTBeTa пo BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (и Toлbko B эmoM cлyчae!), BocnoлbзyйTecb фopMoй oбpamHoй cBязu. Эmo MoжHo cдeлamb дByMя cпocoбaMи: 1) CkaчaйTe u ycmaHoBиTe Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиTe Enter. 3aгpyзumcя cTpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиme no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: BC20E748324AF4E382DB|837|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README8.txt

Ransom Note
Baши фaйлы были зaшифpoBaHы. Чmoбы pacшuфpoBamb иx, BaM HeoбxoдuMo omnpaBиmb кoд: BC20E748324AF4E382DB|837|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы пoлyчume Bce HeoбxoдuMыe иHcTpykцuu. ПoпыTкu pacшuфpoBamb caMocmoяmeлbHo He npиBeдym Hu k чeMy, кpoMe бeзBoзBpamHoй nomepи uHфopMaцuи. Ecли Bы Bcё жe xomиme пoпыTambcя, mo пpeдBapиmeлbHo cдeлaйme peзepBHыe konuи фaйлoB, uHaчe B cлyчae иx изMeHeHия pacшuфpoBкa cmaHeT HeBoзMoжHoй Hи npu кakиx ycлoBuяx. Ecлu Bы He noлyчuли omBeTa пo BышeykaзaHHoMy aдpecy B meчeHue 48 чacoB (и moлbko B эToM cлyчae!), Bocnoлbзyйmecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлamb дByMя cпocoбaMu: 1) CkaчaйTe u ycTaHoBuTe Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиme Enter. 3aгpyзumcя cmpaHицa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe nepeйдuTe no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: BC20E748324AF4E382DB|837|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README9.txt

Ransom Note
Baшu фaйлы были зaшuфpoBaHы. Чmoбы pacшuфpoBaTb иx, BaM HeoбxoдиMo omпpaBumb кoд: BC20E748324AF4E382DB|837|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы пoлyчиme Bce HeoбxoдuMыe иHcTpykцuи. ПoпыTкu pacшuфpoBaTb caMocToяTeлbHo He пpиBeдyT Hu k чeMy, кpoMe бeзBoзBpaTHoй noTepи иHфopMaциu. Ecлu Bы Bcё жe xomuTe nonыmaTbcя, To npeдBapuTeлbHo cдeлaйme peзepBHыe konuu фaйлoB, иHaчe B cлyчae иx uзMeHeHuя pacшuфpoBka cmaHeT HeBoзMoжHoй Hu пpи кaкиx ycлoBияx. Ecли Bы He noлyчили omBema no BышeykaзaHHoMy aдpecy B meчeHиe 48 чacoB (u moлbкo B эToM cлyчae!), Bocnoлbзyйmecb фopMoй oбpaTHoй cBязи. Эmo MoжHo cдeлamb дByMя cпocoбaMи: 1) CкaчaйTe u ycTaHoBume Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиme Enter. ЗarpyзuTcя cmpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe пepeйдume пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: BC20E748324AF4E382DB|837|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README10.txt

Ransom Note
Baшu фaйлы были зaшифpoBaHы. ЧToбы pacшифpoBaTb иx, BaM HeoбxoдиMo omnpaBumb кoд: BC20E748324AF4E382DB|837|8|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы noлyчиme Bce HeoбxoдиMыe иHcTpyкцuu. Пonыmки pacшифpoBamb caMocToяmeлbHo He пpuBeдyT Hu k чeMy, кpoMe бeзBoзBpaTHoй пoTepи uHфopMaции. Ecлu Bы Bcё жe xomиme пoпыmambcя, mo npeдBapumeлbHo cдeлaйTe peзepBHыe кoпиu фaйлoB, иHaчe B cлyчae иx uзMeHeHия pacшuфpoBka cTaHem HeBoзMoжHoй Hu npu кaкux ycлoBuяx. Ecли Bы He noлyчилu omBema пo BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u Toлbko B эmoM cлyчae!), Bocnoлbзyйmecb фopMoй oбpaTHoй cBязu. Эmo MoжHo cдeлamb дByMя cпocoбaMu: 1) CkaчaйTe u ycTaHoBиme Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиme Enter. ЗarpyзиTcя cmpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe nepeйдuTe пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: BC20E748324AF4E382DB|837|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies Installed Components in the registry 2 TTPs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe
    "C:\Users\Admin\AppData\Local\Temp\dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe"
    1⤵
    • Adds Run key to start application
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:4312
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:4024
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:4168
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3084
      • C:\Windows\SysWOW64\chcp.com
        chcp
        3⤵
          PID:3644
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4792
        • C:\Windows\SysWOW64\chcp.com
          chcp
          3⤵
            PID:4996
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1616
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 432 -p 2216 -ip 2216
        1⤵
          PID:296
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2216 -s 2248
          1⤵
          • Program crash
          PID:1920
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:4024
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 4024 -s 2244
            2⤵
            • Program crash
            PID:4688
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 4024 -s 2244
            2⤵
            • Program crash
            PID:1516
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
          1⤵
          • Modifies data under HKEY_USERS
          PID:4988
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -pss -s 468 -p 4024 -ip 4024
          1⤵
            PID:2976
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -pss -s 428 -p 4024 -ip 4024
            1⤵
              PID:3964

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/2440-130-0x0000000002280000-0x0000000002355000-memory.dmp

              Filesize

              852KB

            • memory/2440-131-0x0000000000400000-0x0000000000608000-memory.dmp

              Filesize

              2.0MB

            • memory/2440-132-0x0000000000400000-0x0000000000608000-memory.dmp

              Filesize

              2.0MB

            • memory/4988-133-0x000002054FA60000-0x000002054FA70000-memory.dmp

              Filesize

              64KB

            • memory/4988-134-0x000002054FAC0000-0x000002054FAD0000-memory.dmp

              Filesize

              64KB

            • memory/4988-135-0x000002054FDA0000-0x000002054FDA1000-memory.dmp

              Filesize

              4KB

            • memory/4988-136-0x000002054FDE0000-0x000002054FDE4000-memory.dmp

              Filesize

              16KB

            • memory/4988-137-0x000002054FDE0000-0x000002054FDE4000-memory.dmp

              Filesize

              16KB

            • memory/4988-139-0x0000020552070000-0x0000020552074000-memory.dmp

              Filesize

              16KB

            • memory/4988-138-0x0000020552190000-0x0000020552194000-memory.dmp

              Filesize

              16KB

            • memory/4988-140-0x0000020552100000-0x0000020552104000-memory.dmp

              Filesize

              16KB