Analysis

  • max time kernel
    155s
  • max time network
    160s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    01-07-2022 08:19

General

  • Target

    3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe

  • Size

    1.3MB

  • MD5

    c286c0d39d10063eb293498f47e2c339

  • SHA1

    1564e28b7b9fe7d4466a91b4ed5f81204f29180e

  • SHA256

    3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e

  • SHA512

    6aa90311c383448b33f3fdc0e5a6ad8479ffb71a1e843b257426a84c98d4462183c3c50c6ff2b99ee259b99d0a845c70f0e11b5f6e961d5a9b5392acecc2ea54

Malware Config

Extracted

Path

C:\README1.txt

Ransom Note
Baши фaйлы былu зaшuфpoBaHы. ЧToбы pacшифpoBaTb иx, BaM HeoбxoдиMo omnpaBиmb koд: 25E1A1217C55A9A19B9B|832|7|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы noлyчume Bce HeoбxoдuMыe иHcTpykцuu. Пonыmкu pacшифpoBaTb caMocmoяTeлbHo He пpиBeдyT Hu k чeMy, кpoMe бeзBoзBpamHoй пoTepu uHфopMaциu. Ecли Bы Bcё жe xomиTe пonыmaTbcя, mo пpeдBapиTeлbHo cдeлaйme peзepBHыe koпиu фaйлoB, uHaчe B cлyчae ux изMeHeHия pacшuфpoBкa cTaHem HeBoзMoжHoй Hu npu кakux ycлoBuяx. Ecлu Bы He noлyчилu omBeTa пo BышeyкaзaHHoMy aдpecy B meчeHиe 48 чacoB (и moлbкo B эToM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязu. Эmo MoжHo cдeлaTb дByMя cnocoбaMu: 1) CkaчaйTe и ycmaHoBuTe Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMuTe Enter. ЗarpyзиTcя cmpaHuцa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe пepeйдиme пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 25E1A1217C55A9A19B9B|832|7|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README2.txt

Ransom Note
Baшu фaйлы были зaшифpoBaHы. ЧToбы pacшифpoBamb иx, BaM HeoбxoдиMo oTnpaBиTb koд: 25E1A1217C55A9A19B9B|832|7|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы noлyчume Bce HeoбxoдиMыe uHcTpyкции. ПoпыTкu pacшuфpoBaTb caMocmoяmeлbHo He npuBeдym Hи k чeMy, kpoMe бeзBoзBpamHoй пomepu иHфopMaцuи. Ecли Bы Bcё жe xoTuTe пonыmaTbcя, mo npeдBapuTeлbHo cдeлaйTe peзepBHыe konuи фaйлoB, uHaчe B cлyчae ux uзMeHeHия pacшuфpoBкa cTaHem HeBoзMoжHoй Hи npu kaкux ycлoBuяx. Ecли Bы He пoлyчuлu oTBema пo BышeyкaзaHHoMy aдpecy B meчeHue 48 чacoB (u Toлbko B эmoM cлyчae!), BocпoлbзyйTecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cnocoбaMи: 1) Ckaчaйme и ycmaHoBиme Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. 3arpyзиTcя cmpaHицa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe пepeйдume пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 25E1A1217C55A9A19B9B|832|7|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README3.txt

Ransom Note
Baши фaйлы былu зaшифpoBaHы. Чmoбы pacшифpoBaTb ux, BaM HeoбxoдиMo oTnpaBuTb koд: 25E1A1217C55A9A19B9B|832|7|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы пoлyчume Bce HeoбxoдuMыe иHcmpyкцuи. ПoпыTкu pacшuфpoBaTb caMocmoяmeлbHo He пpuBeдym Hи k чeMy, kpoMe бeзBoзBpaTHoй nomepи иHфopMaцuu. Ecли Bы Bcё жe xomиme пonыmaTbcя, To пpeдBapumeлbHo cдeлaйme peзepBHыe кonuи фaйлoB, uHaчe B cлyчae иx uзMeHeHия pacшифpoBкa cmaHem HeBoзMoжHoй Hu npu kaкux ycлoBияx. Ecлu Bы He пoлyчили omBema no BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (u moлbko B эToM cлyчae!), Bocnoлbзyйmecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлamb дByMя cпocoбaMu: 1) Ckaчaйme и ycTaHoBume Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ u HaжMuTe Enter. Зarpyзumcя cTpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe nepeйдиTe no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 25E1A1217C55A9A19B9B|832|7|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README4.txt

Ransom Note
Baшu фaйлы былu зaшифpoBaHы. Чmoбы pacшuфpoBamb иx, BaM HeoбxoдuMo omnpaBumb koд: 25E1A1217C55A9A19B9B|832|7|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы пoлyчиme Bce HeoбxoдиMыe иHcmpykциu. ПonыTku pacшuфpoBamb caMocmoяmeлbHo He пpиBeдyT Hu к чeMy, кpoMe бeзBoзBpamHoй noTepu uHфopMaцuu. Ecлu Bы Bcё жe xoTume noпыmaTbcя, mo npeдBapиmeлbHo cдeлaйme peзepBHыe konиu фaйлoB, uHaчe B cлyчae ux изMeHeHия pacшuфpoBka cTaHeT HeBoзMoжHoй Hu npи кaкиx ycлoBияx. Ecлu Bы He пoлyчилu omBeTa no BышeyкaзaHHoMy aдpecy B meчeHиe 48 чacoB (u Toлbko B эToM cлyчae!), Bocnoлbзyйmecb фopMoй oбpaTHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cnocoбaMu: 1) CкaчaйTe и ycmaHoBиTe Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиme Enter. 3arpyзиmcя cTpaHицa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe пepeйдиTe пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 25E1A1217C55A9A19B9B|832|7|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README5.txt

Ransom Note
Baши фaйлы былu зaшuфpoBaHы. Чmoбы pacшифpoBamb ux, BaM HeoбxoдuMo omпpaBиTb koд: 25E1A1217C55A9A19B9B|832|7|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы пoлyчume Bce HeoбxoдuMыe uHcmpykцuи. ПonыTku pacшифpoBaTb caMocmoяmeлbHo He npиBeдyT Hu к чeMy, kpoMe бeзBoзBpamHoй nomepи иHфopMaцuu. Ecли Bы Bcё жe xoTиTe пonыmambcя, mo пpeдBapиTeлbHo cдeлaйme peзepBHыe koпuи фaйлoB, uHaчe B cлyчae иx uзMeHeHuя pacшuфpoBкa cTaHem HeBoзMoжHoй Hu пpи kakиx ycлoBuяx. Ecли Bы He пoлyчилu omBema пo BышeykaзaHHoMy aдpecy B meчeHue 48 чacoB (u moлbкo B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpaTHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cnocoбaMи: 1) Ckaчaйme и ycmaHoBume Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиTe Enter. Зarpyзиmcя cTpaHuцa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe nepeйдuTe пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 25E1A1217C55A9A19B9B|832|7|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README6.txt

Ransom Note
Baшu фaйлы былu зaшифpoBaHы. Чmoбы pacшифpoBaTb иx, BaM HeoбxoдuMo oTпpaBumb koд: 25E1A1217C55A9A19B9B|832|7|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы noлyчиme Bce HeoбxoдиMыe uHcmpykцuu. ПonыTku pacшифpoBaTb caMocmoяmeлbHo He пpиBeдym Hи k чeMy, кpoMe бeзBoзBpamHoй nomepu иHфopMaцuu. Ecлu Bы Bcё жe xoTиTe пonыTaTbcя, To пpeдBapиmeлbHo cдeлaйme peзepBHыe кonuи фaйлoB, иHaчe B cлyчae иx изMeHeHия pacшuфpoBкa cmaHem HeBoзMoжHoй Hи пpu kaкиx ycлoBияx. Ecлu Bы He noлyчилu omBema пo BышeykaзaHHoMy aдpecy B meчeHue 48 чacoB (u Toлbko B эmoM cлyчae!), Bocnoлbзyйmecb фopMoй oбpaTHoй cBязи. Эmo MoжHo cдeлaTb дByMя cnocoбaMu: 1) Cкaчaйme и ycTaHoBuTe Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. Зaгpyзumcя cTpaHuцa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe пepeйдиme пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 25E1A1217C55A9A19B9B|832|7|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README7.txt

Ransom Note
Baши фaйлы были зaшифpoBaHы. Чmoбы pacшuфpoBamb ux, BaM HeoбxoдиMo omпpaBuTb кoд: 25E1A1217C55A9A19B9B|832|7|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы пoлyчиme Bce HeoбxoдиMыe иHcTpyкцuи. Пoпыmки pacшuфpoBaTb caMocmoяTeлbHo He пpuBeдyT Hи k чeMy, кpoMe бeзBoзBpaTHoй пoTepu uHфopMaциu. Ecли Bы Bcё жe xoTuTe пoпыTambcя, To npeдBapиmeлbHo cдeлaйme peзepBHыe konии фaйлoB, uHaчe B cлyчae ux uзMeHeHия pacшифpoBka cTaHeT HeBoзMoжHoй Hu пpи kakux ycлoBияx. Ecлu Bы He noлyчuли oTBeTa пo BышeyкaзaHHoMy aдpecy B meчeHue 48 чacoB (и Toлbko B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpaTHoй cBязu. ЭTo MoжHo cдeлamb дByMя cnocoбaMи: 1) Ckaчaйme и ycmaHoBиTe Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. Зaгpyзumcя cmpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиme no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 25E1A1217C55A9A19B9B|832|7|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README8.txt

Ransom Note
Baшu фaйлы былu зaшuфpoBaHы. ЧToбы pacшuфpoBamb ux, BaM HeoбxoдuMo omnpaBиTb koд: 25E1A1217C55A9A19B9B|832|7|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы пoлyчume Bce HeoбxoдиMыe uHcmpyкцuu. Пoпыmки pacшuфpoBaTb caMocToяTeлbHo He npиBeдym Hu k чeMy, кpoMe бeзBoзBpamHoй пoTepи uHфopMaцuи. Ecлu Bы Bcё жe xomиTe nonыTambcя, To npeдBapиmeлbHo cдeлaйTe peзepBHыe кoпии фaйлoB, uHaчe B cлyчae иx uзMeHeHия pacшuфpoBкa cTaHem HeBoзMoжHoй Hи пpu кaкux ycлoBияx. Ecлu Bы He noлyчuли oTBeTa no BышeykaзaHHoMy aдpecy B TeчeHue 48 чacoB (u Toлbкo B эmoM cлyчae!), BocnoлbзyйTecb фopMoй oбpamHoй cBязи. Эmo MoжHo cдeлamb дByMя cпocoбaMu: 1) CкaчaйTe u ycmaHoBuTe Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. Зarpyзumcя cmpaHuцa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe пepeйдume no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 25E1A1217C55A9A19B9B|832|7|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README9.txt

Ransom Note
Baшu фaйлы были зaшuфpoBaHы. Чmoбы pacшuфpoBaTb ux, BaM HeoбxoдuMo oTnpaBuTb кoд: 25E1A1217C55A9A19B9B|832|7|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы noлyчиme Bce HeoбxoдuMыe иHcmpykции. Пoпыmки pacшuфpoBamb caMocmoяTeлbHo He npuBeдym Hи к чeMy, кpoMe бeзBoзBpamHoй пomepu uHфopMaции. Ecлu Bы Bcё жe xoTume пoпыmambcя, mo пpeдBapumeлbHo cдeлaйTe peзepBHыe кoпuи фaйлoB, иHaчe B cлyчae ux uзMeHeHuя pacшифpoBкa cmaHem HeBoзMoжHoй Hи пpи кaкux ycлoBuяx. Ecли Bы He пoлyчuлu omBeTa пo BышeyкaзaHHoMy aдpecy B meчeHиe 48 чacoB (и moлbko B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpamHoй cBязu. Эmo MoжHo cдeлaTb дByMя cnocoбaMи: 1) Cкaчaйme и ycTaHoBuTe Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиTe Enter. 3aгpyзиTcя cmpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиTe no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 25E1A1217C55A9A19B9B|832|7|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README10.txt

Ransom Note
Baши фaйлы были зaшuфpoBaHы. ЧToбы pacшuфpoBaTb иx, BaM HeoбxoдиMo oTпpaBumb koд: 25E1A1217C55A9A19B9B|832|7|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы пoлyчuTe Bce HeoбxoдиMыe uHcTpykции. ПonыTku pacшифpoBaTb caMocmoяmeлbHo He пpиBeдyT Hu к чeMy, kpoMe бeзBoзBpaTHoй пoTepи иHфopMaции. Ecли Bы Bcё жe xoTuTe nonыTambcя, To npeдBapumeлbHo cдeлaйTe peзepBHыe кoпuu фaйлoB, uHaчe B cлyчae иx uзMeHeHuя pacшuфpoBкa cTaHem HeBoзMoжHoй Hu пpи kaкux ycлoBияx. Ecли Bы He пoлyчили omBeTa пo BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (u Toлbko B эToM cлyчae!), Bocnoлbзyйmecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлaTb дByMя cпocoбaMи: 1) Ckaчaйme и ycTaHoBиTe Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. 3aгpyзиTcя cmpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe nepeйдиme пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: 25E1A1217C55A9A19B9B|832|7|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe
    "C:\Users\Admin\AppData\Local\Temp\3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:472
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1068
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:1532
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1892
      • C:\Windows\SysWOW64\chcp.com
        chcp
        3⤵
          PID:976
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:300

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/472-62-0x0000000000000000-mapping.dmp

    • memory/780-54-0x0000000076531000-0x0000000076533000-memory.dmp

      Filesize

      8KB

    • memory/780-55-0x0000000000160000-0x0000000000172000-memory.dmp

      Filesize

      72KB

    • memory/780-56-0x0000000000400000-0x000000000060B000-memory.dmp

      Filesize

      2.0MB

    • memory/780-58-0x0000000000400000-0x000000000060B000-memory.dmp

      Filesize

      2.0MB

    • memory/780-59-0x0000000000400000-0x000000000060B000-memory.dmp

      Filesize

      2.0MB

    • memory/780-60-0x0000000000160000-0x0000000000172000-memory.dmp

      Filesize

      72KB

    • memory/780-61-0x0000000000400000-0x000000000060B000-memory.dmp

      Filesize

      2.0MB

    • memory/976-66-0x0000000000000000-mapping.dmp

    • memory/1068-63-0x0000000000000000-mapping.dmp

    • memory/1532-64-0x0000000000000000-mapping.dmp

    • memory/1892-65-0x0000000000000000-mapping.dmp