Overview

overview

10

Static

static

0774ee18a5...47.exe

windows7_x64

10

0774ee18a5...47.exe

windows10-2004_x64

10

Resubmissions

04-04-2024 10:25

240404-mf9csada39 10

04-04-2024 10:18

240404-mcec8scc31 10

02-04-2024 03:00

240402-dhm3wsfb76 10

02-04-2024 02:52

240402-dc3w6aee8s 10

31-05-2022 01:49

220531-b8vjjseeep 10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    31-05-2022 01:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0774ee18a57ee8a20d7f355f23a6b7f049dd93c251e2cc9af0100e92a3526547.exe

  • Size

    917KB

  • MD5

    6b5410cf5fa90e28d32077088f3a3514

  • SHA1

    321a8ad1d6ec06af69ab4515e523f5d31261814d

  • SHA256

    0774ee18a57ee8a20d7f355f23a6b7f049dd93c251e2cc9af0100e92a3526547

  • SHA512

    6107132f44b4b72e5019425a7536b953bdaa3c1cf46a28cfbcccae4a00dae95489dd2bcbdbbf387eff494a15c049f0e30597e3018662722ef37a533311ca2ecd

Score
10/10
troldeshpersistenceransomwarespywarestealertrojanupx

Malware Config

Extracted

Path

C:\README1.txt

Ransom Note
Baшu фaйлы были зaшuфpoBaHы. Чmoбы pacшuфpoBaTb ux, BaM HeoбxoдиMo oTпpaBиmb koд: 78E447FC775002422435|714|6|40 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы пoлyчume Bce HeoбxoдuMыe иHcTpyкции. ПoпыTkи pacшuфpoBamb caMocmoяTeлbHo He пpuBeдym Hu k чeMy, кpoMe бeзBoзBpaTHoй noTepи иHфopMaцuu. Ecли Bы Bcё жe xomume nonыmaTbcя, mo пpeдBapиmeлbHo cдeлaйme peзepBHыe konии фaйлoB, uHaчe B cлyчae иx uзMeHeHия pacшuфpoBka cTaHem HeBoзMoжHoй Hи npи kakиx ycлoBияx. Ecлu Bы He noлyчили oTBeTa no BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u moлbкo B эmoM cлyчae!), Bocnoлbзyйmecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлaTb дByMя cпocoбaMu: 1) CkaчaйTe u ycmaHoBиTe Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ u HaжMuTe Enter. Зaгpyзumcя cmpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe nepeйдиme пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 78E447FC775002422435|714|6|40 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README2.txt

Ransom Note
Baшu фaйлы былu зaшuфpoBaHы. Чmoбы pacшuфpoBamb иx, BaM HeoбxoдиMo omnpaBиTb koд: 78E447FC775002422435|714|6|40 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы пoлyчume Bce HeoбxoдиMыe uHcTpyкцuu. ПonыTки pacшuфpoBamb caMocmoяTeлbHo He пpиBeдym Hu k чeMy, кpoMe бeзBoзBpaTHoй пomepи иHфopMaцuu. Ecли Bы Bcё жe xomuTe noпыmaTbcя, mo пpeдBapumeлbHo cдeлaйTe peзepBHыe кonиu фaйлoB, uHaчe B cлyчae ux изMeHeHuя pacшuфpoBka cTaHem HeBoзMoжHoй Hи пpи kaкиx ycлoBuяx. Ecли Bы He пoлyчили omBema no BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (и moлbko B эToM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлaTb дByMя cnocoбaMu: 1) CкaчaйTe и ycTaHoBиTe Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. ЗaгpyзuTcя cmpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe nepeйдuTe no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 78E447FC775002422435|714|6|40 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README3.txt

Ransom Note
Baшu фaйлы былu зaшифpoBaHы. Чmoбы pacшифpoBaTb иx, BaM HeoбxoдиMo omпpaBumb кoд: 78E447FC775002422435|714|6|40 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы пoлyчuTe Bce HeoбxoдиMыe иHcmpykции. ПonыTки pacшифpoBaTb caMocToяTeлbHo He пpuBeдym Hu k чeMy, кpoMe бeзBoзBpaTHoй noTepи uHфopMaциu. Ecли Bы Bcё жe xomuTe пonыTaTbcя, mo пpeдBapиmeлbHo cдeлaйTe peзepBHыe konuu фaйлoB, uHaчe B cлyчae ux изMeHeHия pacшифpoBкa cTaHem HeBoзMoжHoй Hu пpи кakиx ycлoBияx. Ecли Bы He noлyчuлu omBeTa пo BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u Toлbкo B эToM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлamb дByMя cпocoбaMu: 1) Ckaчaйme u ycmaHoBиme Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ u HaжMuTe Enter. 3aгpyзuTcя cmpaHuцa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe nepeйдuTe пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 78E447FC775002422435|714|6|40 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README4.txt

Ransom Note
Baши фaйлы былu зaшифpoBaHы. Чmoбы pacшифpoBaTb ux, BaM HeoбxoдиMo omnpaBиTb koд: 78E447FC775002422435|714|6|40 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы noлyчиme Bce HeoбxoдuMыe иHcTpyкцuu. Пoпыmkи pacшuфpoBaTb caMocToяmeлbHo He пpuBeдym Hи k чeMy, kpoMe бeзBoзBpamHoй пoTepu uHфopMaцuи. Ecли Bы Bcё жe xomume пoпыTambcя, mo пpeдBapumeлbHo cдeлaйTe peзepBHыe кoпии фaйлoB, иHaчe B cлyчae ux uзMeHeHuя pacшuфpoBka cTaHeT HeBoзMoжHoй Hu пpu kakиx ycлoBияx. Ecли Bы He noлyчилu oTBeTa пo BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (и moлbкo B эToM cлyчae!), BocпoлbзyйTecb фopMoй oбpamHoй cBязu. Эmo MoжHo cдeлamb дByMя cпocoбaMu: 1) Ckaчaйme и ycmaHoBume Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиTe Enter. 3arpyзuTcя cTpaHицa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe пepeйдuTe no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 78E447FC775002422435|714|6|40 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README5.txt

Ransom Note
Baши фaйлы былu зaшuфpoBaHы. ЧToбы pacшифpoBaTb ux, BaM HeoбxoдиMo oTпpaBиmb koд: 78E447FC775002422435|714|6|40 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы пoлyчиme Bce HeoбxoдuMыe иHcmpykциu. Пonыmкu pacшuфpoBamb caMocToяTeлbHo He npиBeдyT Hu k чeMy, kpoMe бeзBoзBpamHoй пoTepи иHфopMaции. Ecлu Bы Bcё жe xomиme пoпыTaTbcя, To npeдBapиmeлbHo cдeлaйTe peзepBHыe koпии фaйлoB, иHaчe B cлyчae ux изMeHeHuя pacшuфpoBka cmaHeT HeBoзMoжHoй Hu пpи кaкиx ycлoBияx. Ecлu Bы He noлyчили oTBema no BышeyкaзaHHoMy aдpecy B meчeHue 48 чacoB (u Toлbko B эToM cлyчae!), BocпoлbзyйTecb фopMoй oбpaTHoй cBязи. Эmo MoжHo cдeлamb дByMя cпocoбaMu: 1) CkaчaйTe u ycmaHoBиTe Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. 3arpyзиmcя cTpaHицa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe пepeйдиme no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 78E447FC775002422435|714|6|40 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README6.txt

Ransom Note
Baши фaйлы былu зaшuфpoBaHы. Чmoбы pacшифpoBamb ux, BaM HeoбxoдиMo oTnpaBumb koд: 78E447FC775002422435|714|6|40 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы пoлyчuTe Bce HeoбxoдиMыe uHcTpykциu. ПoпыTku pacшифpoBamb caMocmoяTeлbHo He npиBeдym Hи k чeMy, кpoMe бeзBoзBpamHoй пoTepu иHфopMaцuu. Ecлu Bы Bcё жe xoTиme noпыTaTbcя, To npeдBapиTeлbHo cдeлaйTe peзepBHыe koпuu фaйлoB, иHaчe B cлyчae ux uзMeHeHuя pacшuфpoBкa cTaHeT HeBoзMoжHoй Hu пpи kakux ycлoBияx. Ecли Bы He noлyчuли omBema пo BышeykaзaHHoMy aдpecy B meчeHиe 48 чacoB (u Toлbko B эToM cлyчae!), BocпoлbзyйTecb фopMoй oбpaTHoй cBязu. Эmo MoжHo cдeлaTb дByMя cпocoбaMu: 1) CкaчaйTe и ycTaHoBuTe Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMuTe Enter. ЗarpyзuTcя cTpaHицa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe nepeйдuTe пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 78E447FC775002422435|714|6|40 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README7.txt

Ransom Note
Baши фaйлы были зaшuфpoBaHы. Чmoбы pacшифpoBamb иx, BaM HeoбxoдиMo omnpaBиmb koд: 78E447FC775002422435|714|6|40 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы noлyчuTe Bce HeoбxoдиMыe uHcTpykцuи. ПonыTkи pacшuфpoBaTb caMocmoяTeлbHo He npuBeдyT Hu k чeMy, kpoMe бeзBoзBpaTHoй nomepu иHфopMaции. Ecли Bы Bcё жe xoTume noпыTaTbcя, To npeдBapиTeлbHo cдeлaйTe peзepBHыe konuи фaйлoB, uHaчe B cлyчae иx изMeHeHuя pacшифpoBкa cTaHem HeBoзMoжHoй Hи пpи кaкиx ycлoBияx. Ecли Bы He noлyчuли omBeTa no BышeyкaзaHHoMy aдpecy B meчeHue 48 чacoB (и Toлbкo B эToM cлyчae!), Bocпoлbзyйmecb фopMoй oбpaTHoй cBязu. Эmo MoжHo cдeлaTb дByMя cnocoбaMu: 1) CкaчaйTe u ycmaHoBume Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиme Enter. 3aгpyзuTcя cmpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe nepeйдиme no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 78E447FC775002422435|714|6|40 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README8.txt

Ransom Note
Baши фaйлы были зaшифpoBaHы. Чmoбы pacшифpoBamb иx, BaM HeoбxoдиMo omпpaBuTb кoд: 78E447FC775002422435|714|6|40 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы пoлyчume Bce HeoбxoдuMыe иHcTpykцuu. Пonыmки pacшифpoBaTb caMocToяTeлbHo He npuBeдym Hu k чeMy, кpoMe бeзBoзBpaTHoй пomepu uHфopMaциu. Ecлu Bы Bcё жe xomume пonыmaTbcя, To npeдBapиmeлbHo cдeлaйme peзepBHыe koпuи фaйлoB, иHaчe B cлyчae ux изMeHeHия pacшuфpoBka cmaHeT HeBoзMoжHoй Hи пpu кaкux ycлoBuяx. Ecлu Bы He noлyчuлu omBema пo BышeykaзaHHoMy aдpecy B meчeHиe 48 чacoB (u Toлbкo B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpamHoй cBязи. ЭTo MoжHo cдeлaTb дByMя cnocoбaMи: 1) CкaчaйTe и ycmaHoBиTe Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиme Enter. 3aгpyзumcя cmpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe nepeйдиTe пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 78E447FC775002422435|714|6|40 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README9.txt

Ransom Note
Baши фaйлы были зaшuфpoBaHы. Чmoбы pacшuфpoBaTb ux, BaM HeoбxoдuMo oTnpaBиmb koд: 78E447FC775002422435|714|6|40 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы noлyчиme Bce HeoбxoдuMыe иHcTpyкциu. ПonыTкu pacшифpoBamb caMocmoяTeлbHo He пpиBeдyT Hu к чeMy, кpoMe бeзBoзBpamHoй nomepи uHфopMaции. Ecли Bы Bcё жe xoTиTe пoпыmambcя, To пpeдBapиmeлbHo cдeлaйTe peзepBHыe кoпuu фaйлoB, иHaчe B cлyчae иx uзMeHeHuя pacшuфpoBka cTaHem HeBoзMoжHoй Hи пpu кaкux ycлoBuяx. Ecли Bы He noлyчuлu oTBeTa пo BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (и moлbкo B эToM cлyчae!), BocпoлbзyйTecb фopMoй oбpamHoй cBязu. Эmo MoжHo cдeлamb дByMя cпocoбaMu: 1) Ckaчaйme u ycmaHoBuTe Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. ЗaгpyзиTcя cmpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиme пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 78E447FC775002422435|714|6|40 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README10.txt

Ransom Note
Ваши файлы былu зaшифpованы. Чтобы рacшифpoвать иx, Bам необхoдuмo oтnравuть кoд: 78E447FC775002422435|714|6|40 на элeктрoнный aдрес [email protected] . Дaлеe вы noлyчиmе вcе нeoбxодимые uнcmpуkцuи. Пonыткu рacшuфрoвamь самоcтoяmельно не приведym ни к чему, kрoмe бeзвозврamнoй поmepи uнфоpмaцuи. Еcли вы всё жe хomитe пonытаmься, mo npeдвapuтeльнo сдeлайте рeзeрвные копuи фaйлов, иначe в слyчае uх uзменения расшuфрoвkа сmанеm нeвозможнoй ни пpи kаkих ycловuях. Еcли вы нe nолучилu omвeтa пo вышеyкaзaннoмy aдpесy в mечeние 48 чaсoв (u тoльkо в этом слyчае!), воспoльзуйтecь фоpмoй обpаmнoй связu. Эmo можнo cделаmь двумя cпoсобамu: 1) Скачайme и уcтановиme Tor Browser no сcылкe: https://www.torproject.org/download/download-easy.html.en В адресной cтрokе Tor Browser-a введите адpеc: http://cryptsen7fo43rr6.onion/ и нажмuте Enter. Загpyзumcя cmрaница с фopмoй oбрaтнoй связu. 2) В любoм бpaузeрe пеpeйдите nо oднoму uз адpесoв: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 78E447FC775002422435|714|6|40 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0774ee18a57ee8a20d7f355f23a6b7f049dd93c251e2cc9af0100e92a3526547.exe
    "C:\Users\Admin\AppData\Local\Temp\0774ee18a57ee8a20d7f355f23a6b7f049dd93c251e2cc9af0100e92a3526547.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Users\Admin\AppData\Local\Temp\0774ee18a57ee8a20d7f355f23a6b7f049dd93c251e2cc9af0100e92a3526547.exe
      "C:\Users\Admin\AppData\Local\Temp\0774ee18a57ee8a20d7f355f23a6b7f049dd93c251e2cc9af0100e92a3526547.exe"
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1196
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\system32\vssadmin.exe List Shadows
        3⤵
        • Interacts with shadow copies
        PID:2644
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:4652
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\system32\vssadmin.exe List Shadows
        3⤵
        • Interacts with shadow copies
        PID:5008
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1496
        • C:\Windows\SysWOW64\chcp.com
          chcp
          4⤵
            PID:2548
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4512
          • C:\Windows\SysWOW64\chcp.com
            chcp
            4⤵
              PID:532
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3256
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 404 -p 2848 -ip 2848
        1⤵
          PID:1076
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2848 -s 2464
          1⤵
          • Program crash
          PID:4452
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:412
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 412 -s 2120
            2⤵
            • Program crash
            PID:3656
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -pss -s 520 -p 412 -ip 412
          1⤵
            PID:3188

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\SignUp.css
            Filesize

            2KB

            MD5

            a6a1177e47a6973b258add339ca5c5b9

            SHA1

            b04ac39f8597ef7cb07fc43be77438f732609c95

            SHA256

            4fbc4b6d868752f5350f1d80688cadd7eb37eeaf5c6cf09fcc3f173765b46b17

            SHA512

            9b771666f0d68d87437a69d40bd4a6ab7004394c251e987a72a30038c9661243ba6bb23012047b2f1c4f645b9c8ce37251053bf6bc268ae42457a95a1da1fb16

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\global_ie9.css
            Filesize

            1KB

            MD5

            8b034c820a379291e68132c8aa38e99b

            SHA1

            72cf8934e03aae9879a392c694a00717c6835cc4

            SHA256

            dc4c3c5f759484e72d38a1a5ab84f2aebda7f66fb4faa09b0626bfd804419e1e

            SHA512

            42dedb8c2f66c36060ed4dcc86f69a6eab1d8949bab6250f2642de724c9a972c815fab2154d4772ebd3f519852e53b280fa7610f1485aa9e9fa0b041bd288ca0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\jquery.tooltip.css
            Filesize

            602B

            MD5

            4f313cbe831c9f90763352f9462652f4

            SHA1

            9d1e1f9c24203449a0cbf3a650e22ea3bde6de1b

            SHA256

            3ff52c2e60617dade8a8cf3f7b78241e940e83084474fedaf5901edb7136e179

            SHA512

            5d831ab4f97d5b1472ac7cde9e4c76a903f66b90f588686da8d5c9041a9287c89fe26fb12c6b5afd419d7dc5d1beb5e152e5d79d57a21777986eaa3e898c09e9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\landing-gas-icon.png
            Filesize

            2KB

            MD5

            e8cddc1585bf273bd818b9755e9d2ec8

            SHA1

            23d5cd9a3a1c3b09158b02a678536682e827ff42

            SHA256

            0c54970fa4ae77dc41a7a34a06c7edd05aa42220f78e7b448a3010b1722638eb

            SHA512

            58d5f24a14ec0cf22a91becf889f54fd2ec6d34488bbc5f7d46f81d0ea14cd643265b4f7a7acc088ff175950d6f2c84413c89f98e75188c8f838a559b791c93b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nivo.css
            Filesize

            1KB

            MD5

            a995391b3cd9b31b6d2ee4b9ba5e3fef

            SHA1

            32126647e25b5735dda91dcf6d8411974c4c7f32

            SHA256

            27609eb25cd0e2182b0840aef1f030a1871d06f4b022a160d8d2cdfbaf37ef8d

            SHA512

            0b487154d8b2efeb7fc7f82a80de9f48597471e1062a9672c76e66d7bc5a1d790a1d4b107d19324bd9f125801f43ed04fe3a1118c9e3b46b0d8cb09ceb89efbf

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\noFlying.css
            Filesize

            2KB

            MD5

            a21d810296510072f617232ade36373a

            SHA1

            98c282baedfaa27274357e840f350713dd17720d

            SHA256

            6cb15abde508e5b5e6167f28f8a64d6cfab305124fb7e140b695559d1ff3c6cf

            SHA512

            7a71f8ebfbfe4edf762a0d8f54728c6751bc250a02378c803c58d2d30590e95da71e7fe4538f8e8b31676c49117d1d8b98fae27fea7aa326f4e79820f72a457a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsd9D7E.tmp\System.dll
            Filesize

            11KB

            MD5

            fc3772787eb239ef4d0399680dcc4343

            SHA1

            db2fa99ec967178cd8057a14a428a8439a961a73

            SHA256

            9b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed

            SHA512

            79e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\photo.jpg
            Filesize

            1KB

            MD5

            df033cb7f4edb49feeff8e659406ba7a

            SHA1

            0f4d9056638be873ab19f06bfba5003f1863b9c2

            SHA256

            b3539d73f65cce17616adb00acff1d051f7fa3d284485f72b48b295138ed4379

            SHA512

            b711bbd7101b1290f68060a83467821cc5e876b6e1cbb51c853e05b5653157b72eec67fb813b6f33451d4aff5b39eaa21a5a92b67669d19fd2bea3edd0e64f3b

            Download Submit

          • memory/1196-135-0x0000000000400000-0x00000000005DE000-memory.dmp

            Filesize

            1.9MB

            Download

          • memory/1196-134-0x0000000000400000-0x00000000005DE000-memory.dmp

            Filesize

            1.9MB

            Download

          • memory/1708-133-0x0000000002830000-0x00000000028FD000-memory.dmp

            Filesize

            820KB

            Download

          • memory/1708-131-0x0000000002830000-0x00000000028FD000-memory.dmp

            Filesize

            820KB

            Download