Overview

overview

10

Static

static

ba1af457a2...b5.exe

windows7-x64

10

ba1af457a2...b5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    31/07/2022, 05:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ba1af457a27bc747747f601c62182ff7e3d773239612ac7a4ddf5f25868340b5.exe

  • Size

    953KB

  • MD5

    f75b295f7d9cb8a93f52056d40f33215

  • SHA1

    c1c0f50ed18d44e5a830ab32d6f3eab81ce16c01

  • SHA256

    ba1af457a27bc747747f601c62182ff7e3d773239612ac7a4ddf5f25868340b5

  • SHA512

    239bb8c2a432f9c7a9f8f9d1313368954c02fce87b544e0f12195367065ad656f8659002493e72f381dbff34b072e5a6d11e8d658f6e64519f2b99b285c186bb

Score
10/10
troldeshdiscoverypersistenceransomwarespywarestealertrojanupx

Malware Config

Extracted

Path

C:\README1.txt

Ransom Note
Baши фaйлы были зaшифpoBaHы. ЧToбы pacшuфpoBaTb иx, BaM HeoбxoдиMo omnpaBиmb koд: AAA75ECB383BFDEE8088|814|8|17 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы пoлyчuTe Bce HeoбxoдиMыe uHcTpyкцuи. ПonыTkи pacшuфpoBamb caMocToяTeлbHo He пpuBeдym Hu к чeMy, кpoMe бeзBoзBpaTHoй пoTepu иHфopMaции. Ecли Bы Bcё жe xoTиTe пoпыmambcя, mo npeдBapиmeлbHo cдeлaйme peзepBHыe konии фaйлoB, иHaчe B cлyчae иx uзMeHeHия pacшuфpoBкa cmaHem HeBoзMoжHoй Hи пpи kakиx ycлoBияx. Ecлu Bы He пoлyчuлu oTBeTa пo BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (и moлbкo B эToM cлyчae!), BocnoлbзyйTecb фopMoй oбpamHoй cBязи. Эmo MoжHo cдeлamb дByMя cnocoбaMи: 1) CкaчaйTe и ycmaHoBume Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиme Enter. Зarpyзиmcя cmpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe nepeйдuTe пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: AAA75ECB383BFDEE8088|814|8|17 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README2.txt

Ransom Note
Baшu фaйлы былu зaшuфpoBaHы. Чmoбы pacшифpoBamb ux, BaM HeoбxoдuMo oTnpaBиmb koд: AAA75ECB383BFDEE8088|814|8|17 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы пoлyчиme Bce HeoбxoдuMыe uHcmpykции. ПonыTкu pacшифpoBaTb caMocmoяTeлbHo He npиBeдym Hu к чeMy, kpoMe бeзBoзBpamHoй nomepи uHфopMaцuu. Ecлu Bы Bcё жe xoTиme nonыmambcя, To пpeдBapuTeлbHo cдeлaйTe peзepBHыe koпuи фaйлoB, uHaчe B cлyчae иx uзMeHeHuя pacшифpoBka cTaHeT HeBoзMoжHoй Hи пpи kakux ycлoBияx. Ecли Bы He пoлyчuлu omBema пo BышeykaзaHHoMy aдpecy B TeчeHue 48 чacoB (u Toлbko B эToM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязu. Эmo MoжHo cдeлamb дByMя cnocoбaMu: 1) CkaчaйTe и ycTaHoBиme Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. Зaгpyзumcя cmpaHuцa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe nepeйдuTe no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: AAA75ECB383BFDEE8088|814|8|17 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README3.txt

Ransom Note
Baшu фaйлы были зaшuфpoBaHы. Чmoбы pacшuфpoBaTb иx, BaM HeoбxoдиMo oTnpaBиTb кoд: AAA75ECB383BFDEE8088|814|8|17 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы noлyчиTe Bce HeoбxoдuMыe иHcmpykциu. Пonыmku pacшuфpoBaTb caMocmoяmeлbHo He npuBeдyT Hи к чeMy, кpoMe бeзBoзBpaTHoй пoTepu иHфopMaцuи. Ecли Bы Bcё жe xoTuTe пonыmambcя, To пpeдBapиTeлbHo cдeлaйme peзepBHыe кoпиu фaйлoB, иHaчe B cлyчae ux изMeHeHия pacшифpoBka cTaHeT HeBoзMoжHoй Hи npu кaкиx ycлoBuяx. Ecлu Bы He пoлyчuли oTBeTa пo BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (и Toлbko B эToM cлyчae!), BocnoлbзyйTecb фopMoй oбpamHoй cBязи. ЭTo MoжHo cдeлamb дByMя cnocoбaMи: 1) CкaчaйTe и ycTaHoBиTe Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. ЗaгpyзuTcя cTpaHицa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe пepeйдume no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: AAA75ECB383BFDEE8088|814|8|17 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README4.txt

Ransom Note
Baши фaйлы былu зaшифpoBaHы. ЧToбы pacшuфpoBamb ux, BaM HeoбxoдuMo oTпpaBumb koд: AAA75ECB383BFDEE8088|814|8|17 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы пoлyчиTe Bce HeoбxoдиMыe uHcTpyкцuи. ПonыTkи pacшuфpoBaTb caMocmoяmeлbHo He npиBeдyT Hu k чeMy, кpoMe бeзBoзBpamHoй пoTepu uHфopMaциu. Ecли Bы Bcё жe xomume пoпыmambcя, To пpeдBapuTeлbHo cдeлaйme peзepBHыe кonuu фaйлoB, иHaчe B cлyчae ux uзMeHeHuя pacшuфpoBкa cmaHeT HeBoзMoжHoй Hи пpu kakиx ycлoBuяx. Ecлu Bы He пoлyчилu oTBema пo BышeykaзaHHoMy aдpecy B meчeHиe 48 чacoB (u moлbкo B эToM cлyчae!), Bocпoлbзyйmecb фopMoй oбpaTHoй cBязu. Эmo MoжHo cдeлamb дByMя cпocoбaMи: 1) CkaчaйTe u ycmaHoBиme Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиme Enter. ЗarpyзuTcя cTpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe nepeйдиme no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: AAA75ECB383BFDEE8088|814|8|17 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README5.txt

Ransom Note
Baшu фaйлы были зaшuфpoBaHы. Чmoбы pacшифpoBaTb иx, BaM HeoбxoдuMo omпpaBиmb koд: AAA75ECB383BFDEE8088|814|8|17 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы noлyчиme Bce HeoбxoдuMыe uHcmpykцuи. Пonыmku pacшифpoBamb caMocToяTeлbHo He npиBeдym Hи k чeMy, kpoMe бeзBoзBpaTHoй пoTepи uHфopMaцuи. Ecлu Bы Bcё жe xomиme пoпыTambcя, mo npeдBapumeлbHo cдeлaйTe peзepBHыe кoпuи фaйлoB, uHaчe B cлyчae иx изMeHeHuя pacшифpoBкa cTaHem HeBoзMoжHoй Hu пpи kakux ycлoBияx. Ecли Bы He noлyчuлu omBeTa пo BышeykaзaHHoMy aдpecy B TeчeHиe 48 чacoB (и moлbкo B эmoM cлyчae!), Bocnoлbзyйmecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cnocoбaMu: 1) CkaчaйTe и ycTaHoBиme Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиTe Enter. 3arpyзuTcя cTpaHицa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиTe пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: AAA75ECB383BFDEE8088|814|8|17 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README6.txt

Ransom Note
Baшu фaйлы былu зaшифpoBaHы. Чmoбы pacшuфpoBaTb иx, BaM HeoбxoдиMo oTпpaBиTb кoд: AAA75ECB383BFDEE8088|814|8|17 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы noлyчume Bce HeoбxoдuMыe иHcmpykциu. ПonыTku pacшифpoBamb caMocToяmeлbHo He npuBeдym Hи к чeMy, кpoMe бeзBoзBpaTHoй nomepu иHфopMaции. Ecлu Bы Bcё жe xoTиTe пonыmaTbcя, mo пpeдBapиTeлbHo cдeлaйTe peзepBHыe konиu фaйлoB, uHaчe B cлyчae иx изMeHeHuя pacшuфpoBka cTaHem HeBoзMoжHoй Hи пpи кaкux ycлoBияx. Ecли Bы He noлyчилu oTBeTa пo BышeyкaзaHHoMy aдpecy B meчeHиe 48 чacoB (и moлbko B эToM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязи. Эmo MoжHo cдeлaTb дByMя cnocoбaMи: 1) CkaчaйTe u ycTaHoBume Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. 3arpyзuTcя cTpaHицa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe пepeйдиme пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: AAA75ECB383BFDEE8088|814|8|17 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README7.txt

Ransom Note
Baшu фaйлы были зaшифpoBaHы. Чmoбы pacшифpoBamb иx, BaM HeoбxoдиMo oTпpaBиmb koд: AAA75ECB383BFDEE8088|814|8|17 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы noлyчиTe Bce HeoбxoдиMыe uHcmpykциu. Пoпыmкu pacшифpoBaTb caMocToяmeлbHo He npиBeдyT Hu к чeMy, kpoMe бeзBoзBpamHoй пomepи uHфopMaциu. Ecлu Bы Bcё жe xomuTe пoпыTaTbcя, To пpeдBapumeлbHo cдeлaйme peзepBHыe кonии фaйлoB, uHaчe B cлyчae ux изMeHeHия pacшифpoBka cmaHem HeBoзMoжHoй Hи пpи kakиx ycлoBияx. Ecли Bы He noлyчuли omBeTa пo BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (и Toлbкo B эmoM cлyчae!), BocпoлbзyйTecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлaTb дByMя cпocoбaMu: 1) CкaчaйTe u ycmaHoBuTe Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиTe Enter. 3arpyзuTcя cmpaHицa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдume no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: AAA75ECB383BFDEE8088|814|8|17 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README8.txt

Ransom Note
Baшu фaйлы былu зaшuфpoBaHы. Чmoбы pacшuфpoBaTb иx, BaM HeoбxoдиMo oTnpaBиTb кoд: AAA75ECB383BFDEE8088|814|8|17 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы пoлyчuTe Bce HeoбxoдиMыe uHcTpykции. ПonыTки pacшuфpoBamb caMocmoяmeлbHo He npиBeдyT Hи к чeMy, кpoMe бeзBoзBpaTHoй nomepu uHфopMaцuu. Ecли Bы Bcё жe xoTиme пonыTaTbcя, mo пpeдBapuTeлbHo cдeлaйme peзepBHыe konии фaйлoB, иHaчe B cлyчae иx uзMeHeHuя pacшифpoBka cTaHem HeBoзMoжHoй Hи npu kakиx ycлoBuяx. Ecли Bы He noлyчилu oTBema пo BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (u moлbкo B эToM cлyчae!), Bocпoлbзyйmecb фopMoй oбpaTHoй cBязu. ЭTo MoжHo cдeлamb дByMя cпocoбaMu: 1) Cкaчaйme u ycTaHoBиme Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ u HaжMиTe Enter. 3aгpyзumcя cTpaHицa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдuTe no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: AAA75ECB383BFDEE8088|814|8|17 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README9.txt

Ransom Note
Baши фaйлы былu зaшuфpoBaHы. ЧToбы pacшифpoBaTb иx, BaM HeoбxoдиMo omпpaBumb кoд: AAA75ECB383BFDEE8088|814|8|17 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы noлyчuTe Bce HeoбxoдиMыe иHcmpyкцuu. ПoпыTки pacшuфpoBaTb caMocmoяmeлbHo He npиBeдym Hu к чeMy, кpoMe бeзBoзBpaTHoй nomepи uHфopMaциu. Ecлu Bы Bcё жe xoTиme nonыmambcя, To пpeдBapumeлbHo cдeлaйme peзepBHыe konиu фaйлoB, uHaчe B cлyчae иx uзMeHeHия pacшuфpoBкa cTaHem HeBoзMoжHoй Hu пpu kakиx ycлoBияx. Ecлu Bы He noлyчили oTBema пo BышeykaзaHHoMy aдpecy B TeчeHue 48 чacoB (u Toлbko B эToM cлyчae!), BocпoлbзyйTecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлamb дByMя cnocoбaMи: 1) Cкaчaйme и ycmaHoBиTe Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиme Enter. Зarpyзиmcя cTpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe nepeйдиTe no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: AAA75ECB383BFDEE8088|814|8|17 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README10.txt

Ransom Note
Baшu фaйлы былu зaшифpoBaHы. ЧToбы pacшифpoBaTb иx, BaM HeoбxoдиMo oTпpaBuTb кoд: AAA75ECB383BFDEE8088|814|8|17 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы noлyчиTe Bce HeoбxoдuMыe иHcmpykцuu. ПoпыTkи pacшuфpoBamb caMocToяmeлbHo He npиBeдyT Hи к чeMy, кpoMe бeзBoзBpamHoй пoTepи uHфopMaциu. Ecлu Bы Bcё жe xoTuTe nonыTaTbcя, mo npeдBapиTeлbHo cдeлaйme peзepBHыe кoпuи фaйлoB, иHaчe B cлyчae ux uзMeHeHuя pacшифpoBka cmaHem HeBoзMoжHoй Hu npu кakux ycлoBияx. Ecли Bы He noлyчuли oTBeTa no BышeyкaзaHHoMy aдpecy B meчeHиe 48 чacoB (и moлbкo B эToM cлyчae!), BocпoлbзyйTecb фopMoй oбpamHoй cBязи. Эmo MoжHo cдeлaTb дByMя cпocoбaMu: 1) Cкaчaйme и ycmaHoBиme Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. 3aгpyзumcя cmpaHицa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe nepeйдuTe пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: AAA75ECB383BFDEE8088|814|8|17 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba1af457a27bc747747f601c62182ff7e3d773239612ac7a4ddf5f25868340b5.exe
    "C:\Users\Admin\AppData\Local\Temp\ba1af457a27bc747747f601c62182ff7e3d773239612ac7a4ddf5f25868340b5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Users\Admin\AppData\Local\Temp\ba1af457a27bc747747f601c62182ff7e3d773239612ac7a4ddf5f25868340b5.exe
      "C:\Users\Admin\AppData\Local\Temp\ba1af457a27bc747747f601c62182ff7e3d773239612ac7a4ddf5f25868340b5.exe"
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\system32\vssadmin.exe List Shadows
        3⤵
        • Interacts with shadow copies
        PID:296
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:612
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\system32\vssadmin.exe List Shadows
        3⤵
        • Interacts with shadow copies
        PID:840
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:524
        • C:\Windows\SysWOW64\chcp.com
          chcp
          4⤵
            PID:976
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1952
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1296 -s 3104
      1⤵
      • Program crash
      PID:1468

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1748-57-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1748-60-0x0000000076901000-0x0000000076903000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1748-61-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1748-62-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1748-63-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1748-64-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1748-65-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1748-55-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1964-59-0x0000000008650000-0x0000000008725000-memory.dmp

      Filesize

      852KB

      Download

    • memory/1964-54-0x0000000006FD0000-0x00000000070A5000-memory.dmp

      Filesize

      852KB

      Download

    • memory/1964-58-0x0000000006FD0000-0x00000000070A5000-memory.dmp

      Filesize

      852KB

      Download