fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab

General

Target

fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab.exe
Size

38KB
MD5

22a006b6d19558c3cebd708b2b0543bc
SHA1

2d92468b5982fbbb39776030fab6ac35c4a9b889
SHA256

fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab
SHA512

821833b5ffbb2f80f12214d969c033c23126fc2f4ef44f30d8b88236906512db5631e029f55d13869a4dc90e7bbee27fcfb8a391300178e4f055e22213d7b97b

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\NOKOYAWA_readme.txt

Ransom Note

Dear usernamme, your files were encrypted, some are compromised. Be sure, you can't restore it without our help. You need a private key that only we have. Contact us to reach an agreement or we will leak your black shit to media: charlefletcher@onionmail.org Johnatannielson@protonmail.com 亲爱的用户名，您的文件已加密，有些已被泄露。请确保，如果没有我们的帮助，您将无法恢复它。您需要一个只有我们拥有的私钥。联系我们以达成协议，否则我们会将您的黑屎泄露给媒体： charlefletcher@onionmail.org Johnatannielson@protonmail.com

Emails

charlefletcher@onionmail.org

Johnatannielson@protonmail.com

Signatures

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CloseExport.raw => C:\Users\Admin\Pictures\CloseExport.raw.NOKOYAWA	fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab.exe
File renamed	C:\Users\Admin\Pictures\GrantWatch.crw => C:\Users\Admin\Pictures\GrantWatch.crw.NOKOYAWA	fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab.exe
File renamed	C:\Users\Admin\Pictures\PingLock.crw => C:\Users\Admin\Pictures\PingLock.crw.NOKOYAWA	fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab.exe
File renamed	C:\Users\Admin\Pictures\SwitchLimit.png => C:\Users\Admin\Pictures\SwitchLimit.png.NOKOYAWA	fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab.exe

Drops desktop.ini file(s) 13 IoCs

Processes:

fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab.exe

C:\Users\Admin\AppData\Local\Temp\fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab.exe
"C:\Users\Admin\AppData\Local\Temp\fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
PID:1688

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads