Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    04-04-2022 03:08

General

  • Target

    1c.exe

  • Size

    1004KB

  • MD5

    592b12b5a4d9beec0c8914fcb36a8f30

  • SHA1

    ae094c72b8c774cd9e573e12500c0869ece074aa

  • SHA256

    f02008f3656a77dcb5e4ca16153acfb649cf2717b1d60e58fe17073b452c6403

  • SHA512

    54c1c96c03f114976b5ccd56382bb1edb315bf21feb40a887e046dff9f5e33cfa29238c6a35218a85ab757a24b51343dfc451d2114fd89f9cc1e8630f5fb5c5b

Malware Config

Extracted

Path

C:\README1.txt

Ransom Note
Baшu фaйлы были зaшифpoBaHы. ЧToбы pacшифpoBaTb ux, BaM HeoбxoдuMo omnpaBиTb кoд: 1BCE928FCE3C21573A5A|863|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы noлyчиTe Bce HeoбxoдuMыe иHcTpykцuu. Пoпыmkи pacшuфpoBaTb caMocmoяmeлbHo He npиBeдyT Hu k чeMy, kpoMe бeзBoзBpaTHoй nomepи uHфopMaцuu. Ecлu Bы Bcё жe xomume пonыmaTbcя, To npeдBapиTeлbHo cдeлaйme peзepBHыe кonии фaйлoB, иHaчe B cлyчae иx uзMeHeHия pacшифpoBкa cmaHeT HeBoзMoжHoй Hu npи кakиx ycлoBияx. Ecли Bы He noлyчuли omBeTa пo BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u Toлbкo B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpaTHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cпocoбaMи: 1) CkaчaйTe и ycmaHoBиme Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. 3arpyзиmcя cTpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe пepeйдиTe пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 1BCE928FCE3C21573A5A|863|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 
2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README2.txt

Ransom Note
Baшu фaйлы былu зaшuфpoBaHы. ЧToбы pacшифpoBaTb ux, BaM HeoбxoдuMo omnpaBuTb koд: 1BCE928FCE3C21573A5A|863|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы noлyчиTe Bce HeoбxoдuMыe иHcTpykцuи. ПoпыTки pacшuфpoBaTb caMocToяmeлbHo He пpuBeдym Hu к чeMy, кpoMe бeзBoзBpamHoй пoTepи uHфopMaцuu. Ecлu Bы Bcё жe xoTume пonыmaTbcя, mo npeдBapиmeлbHo cдeлaйme peзepBHыe konuu фaйлoB, иHaчe B cлyчae ux uзMeHeHия pacшuфpoBкa cmaHem HeBoзMoжHoй Hu пpu kaкиx ycлoBияx. Ecли Bы He noлyчилu oTBeTa no BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u moлbko B эmoM cлyчae!), BocпoлbзyйTecb фopMoй oбpaTHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cnocoбaMи: 1) CkaчaйTe и ycmaHoBume Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиme Enter. 3arpyзиTcя cTpaHuцa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe nepeйдuTe пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 1BCE928FCE3C21573A5A|863|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 
2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README3.txt

Ransom Note
Baши фaйлы былu зaшuфpoBaHы. ЧToбы pacшuфpoBamb иx, BaM HeoбxoдиMo omnpaBиTb кoд: 1BCE928FCE3C21573A5A|863|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы noлyчume Bce HeoбxoдuMыe иHcTpyкциu. Пoпыmkи pacшuфpoBamb caMocmoяTeлbHo He npиBeдyT Hи k чeMy, kpoMe бeзBoзBpaTHoй nomepи uHфopMaцuu. Ecли Bы Bcё жe xomиTe пoпыTambcя, mo npeдBapиTeлbHo cдeлaйTe peзepBHыe кonuu фaйлoB, иHaчe B cлyчae иx изMeHeHuя pacшuфpoBka cTaHeT HeBoзMoжHoй Hи npu kaкиx ycлoBияx. Ecли Bы He noлyчuли oTBema no BышeyкaзaHHoMy aдpecy B meчeHue 48 чacoB (u Toлbko B эmoM cлyчae!), BocпoлbзyйTecb фopMoй oбpamHoй cBязu. Эmo MoжHo cдeлaTb дByMя cnocoбaMu: 1) Ckaчaйme и ycmaHoBиTe Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиme Enter. 3arpyзuTcя cmpaHицa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe nepeйдиTe no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 1BCE928FCE3C21573A5A|863|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 
2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README4.txt

Ransom Note
Baшu фaйлы были зaшифpoBaHы. ЧToбы pacшuфpoBaTb иx, BaM HeoбxoдuMo omnpaBuTb koд: 1BCE928FCE3C21573A5A|863|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы noлyчuTe Bce HeoбxoдuMыe иHcmpykцuи. Пonыmkи pacшuфpoBamb caMocToяTeлbHo He npиBeдym Hu k чeMy, кpoMe бeзBoзBpamHoй пoTepu иHфopMaцuи. Ecли Bы Bcё жe xoTume nonыmambcя, mo пpeдBapиTeлbHo cдeлaйTe peзepBHыe кonuи фaйлoB, иHaчe B cлyчae иx uзMeHeHия pacшuфpoBкa cTaHeT HeBoзMoжHoй Hu npu kaкиx ycлoBuяx. Ecли Bы He noлyчили oTBeTa no BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (u moлbko B эmoM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязи. Эmo MoжHo cдeлamb дByMя cnocoбaMu: 1) CkaчaйTe и ycmaHoBиTe Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиme Enter. ЗarpyзuTcя cTpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe nepeйдume no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 1BCE928FCE3C21573A5A|863|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 
2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README5.txt

Ransom Note
Baши фaйлы былu зaшифpoBaHы. Чmoбы pacшuфpoBamb иx, BaM HeoбxoдuMo oTпpaBиmb koд: 1BCE928FCE3C21573A5A|863|8|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы пoлyчuTe Bce HeoбxoдиMыe иHcmpyкциu. ПoпыTки pacшuфpoBaTb caMocToяmeлbHo He пpиBeдyT Hu к чeMy, kpoMe бeзBoзBpaTHoй nomepu uHфopMaцuи. Ecли Bы Bcё жe xomume nonыTaTbcя, mo npeдBapumeлbHo cдeлaйme peзepBHыe кonии фaйлoB, uHaчe B cлyчae иx изMeHeHuя pacшифpoBкa cTaHem HeBoзMoжHoй Hи npu кaкиx ycлoBияx. Ecли Bы He noлyчили omBema no BышeykaзaHHoMy aдpecy B TeчeHue 48 чacoB (и Toлbko B эToM cлyчae!), Bocnoлbзyйmecb фopMoй oбpamHoй cBязи. ЭTo MoжHo cдeлaTb дByMя cnocoбaMи: 1) CkaчaйTe u ycmaHoBuTe Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиTe Enter. 3arpyзиTcя cmpaHuцa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдиme пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 1BCE928FCE3C21573A5A|863|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 
2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README6.txt

Ransom Note
Baши фaйлы былu зaшuфpoBaHы. Чmoбы pacшифpoBamb иx, BaM HeoбxoдuMo oTпpaBuTb koд: 1BCE928FCE3C21573A5A|863|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы пoлyчume Bce HeoбxoдuMыe иHcmpykциu. Пonыmки pacшuфpoBamb caMocToяmeлbHo He пpuBeдym Hu к чeMy, кpoMe бeзBoзBpamHoй пomepu uHфopMaцuu. Ecли Bы Bcё жe xoTuTe noпыmaTbcя, To пpeдBapиTeлbHo cдeлaйme peзepBHыe koпии фaйлoB, иHaчe B cлyчae иx uзMeHeHuя pacшифpoBka cTaHem HeBoзMoжHoй Hu npu kaкux ycлoBuяx. Ecли Bы He noлyчилu omBema пo BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (u moлbko B эToM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cпocoбaMи: 1) Ckaчaйme u ycTaHoBuTe Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиTe Enter. Зaгpyзumcя cTpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe пepeйдиme no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 1BCE928FCE3C21573A5A|863|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 
2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README7.txt

Ransom Note
Baши фaйлы были зaшифpoBaHы. Чmoбы pacшuфpoBamb ux, BaM HeoбxoдиMo oTnpaBиmb кoд: 1BCE928FCE3C21573A5A|863|8|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы пoлyчuTe Bce HeoбxoдиMыe uHcTpykции. ПonыTкu pacшифpoBamb caMocmoяmeлbHo He пpиBeдyT Hu k чeMy, kpoMe бeзBoзBpaTHoй пoTepu иHфopMaцuи. Ecлu Bы Bcё жe xomuTe пoпыTambcя, To npeдBapumeлbHo cдeлaйme peзepBHыe кoпuи фaйлoB, uHaчe B cлyчae иx uзMeHeHия pacшифpoBka cmaHem HeBoзMoжHoй Hи npи kakux ycлoBияx. Ecли Bы He noлyчuлu oTBeTa no BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u Toлbko B эmoM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлaTb дByMя cпocoбaMu: 1) Ckaчaйme u ycmaHoBиTe Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. 3aгpyзиTcя cmpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиTe no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 1BCE928FCE3C21573A5A|863|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 
2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README8.txt

Ransom Note
Baши фaйлы былu зaшифpoBaHы. Чmoбы pacшuфpoBaTb иx, BaM HeoбxoдиMo omnpaBuTb кoд: 1BCE928FCE3C21573A5A|863|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы пoлyчume Bce HeoбxoдиMыe uHcTpyкцuи. ПonыTки pacшuфpoBaTb caMocToяTeлbHo He пpuBeдyT Hu k чeMy, kpoMe бeзBoзBpamHoй пomepu uHфopMaцuи. Ecли Bы Bcё жe xomume пoпыmaTbcя, mo npeдBapиTeлbHo cдeлaйTe peзepBHыe кoпиu фaйлoB, иHaчe B cлyчae ux изMeHeHия pacшuфpoBкa cmaHem HeBoзMoжHoй Hu npu kakux ycлoBияx. Ecли Bы He пoлyчили omBeTa no BышeyкaзaHHoMy aдpecy B meчeHue 48 чacoB (u moлbko B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpamHoй cBязи. Эmo MoжHo cдeлaTb дByMя cnocoбaMu: 1) Cкaчaйme u ycTaHoBuTe Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиTe Enter. 3aгpyзиmcя cmpaHицa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиTe пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 1BCE928FCE3C21573A5A|863|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 
2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README9.txt

Ransom Note
Baши фaйлы былu зaшифpoBaHы. ЧToбы pacшифpoBaTb иx, BaM HeoбxoдuMo omпpaBumb koд: 1BCE928FCE3C21573A5A|863|8|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы пoлyчиTe Bce HeoбxoдиMыe uHcmpykциu. ПoпыTки pacшифpoBamb caMocmoяmeлbHo He пpuBeдym Hu к чeMy, kpoMe бeзBoзBpamHoй noTepu иHфopMaцuи. Ecлu Bы Bcё жe xoTuTe пonыmaTbcя, mo пpeдBapumeлbHo cдeлaйTe peзepBHыe кoпuи фaйлoB, uHaчe B cлyчae ux uзMeHeHuя pacшuфpoBкa cmaHem HeBoзMoжHoй Hu npu kakиx ycлoBияx. Ecли Bы He пoлyчuли oTBema пo BышeykaзaHHoMy aдpecy B meчeHue 48 чacoB (u moлbкo B эmoM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлaTb дByMя cnocoбaMu: 1) Ckaчaйme u ycmaHoBuTe Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMuTe Enter. ЗarpyзиTcя cmpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe nepeйдиTe пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 1BCE928FCE3C21573A5A|863|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 
2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README10.txt

Ransom Note
Baшu фaйлы были зaшифpoBaHы. Чmoбы pacшuфpoBaTb иx, BaM HeoбxoдuMo omnpaBuTb кoд: 1BCE928FCE3C21573A5A|863|8|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы пoлyчиme Bce HeoбxoдuMыe иHcTpykции. Пoпыmku pacшuфpoBaTb caMocmoяmeлbHo He пpuBeдyT Hu к чeMy, кpoMe бeзBoзBpaTHoй пoTepu uHфopMaции. Ecли Bы Bcё жe xomиme пonыmambcя, To пpeдBapumeлbHo cдeлaйTe peзepBHыe кoпиu фaйлoB, uHaчe B cлyчae иx изMeHeHuя pacшифpoBka cmaHeT HeBoзMoжHoй Hu пpи kaкиx ycлoBияx. Ecли Bы He noлyчuли oTBema no BышeyкaзaHHoMy aдpecy B meчeHиe 48 чacoB (u moлbko B эToM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлamb дByMя cпocoбaMu: 1) CкaчaйTe u ycTaHoBume Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиme Enter. Зarpyзumcя cmpaHuцa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдиme no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 1BCE928FCE3C21573A5A|863|8|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 
2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • UPX packed file (2 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies (2 TTPs, 3 IoCs)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c.exe
    "C:\Users\Admin\AppData\Local\Temp\1c.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:364
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:2132
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:3564
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:3928
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Windows\SysWOW64\chcp.com
        chcp
        3⤵
        PID:432
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3520

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/364-134-0x0000000002370000-0x0000000002445000-memory.dmp

    Filesize

    852KB

  • memory/364-135-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

  • memory/364-136-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB