troldesh | 78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2022 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
Size

1.1MB
MD5

a7c9f8f4023766dd97fd19d0fc8f9e5f
SHA1

c5b618d060a8651f150d9df59057b7d23947f1e2
SHA256

78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199
SHA512

9c34dcdb7d6acf87655ea696672b32999d42f64f2555c5e6ad0f66c4fbc566b3b1ff86e37dd4368b76f7e74831a453560becf052e19ad4c65fdd96a0435dfce4

Score

10^/10

troldesh discovery persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\README1.txt

Ransom Note

Baшu фaйлы были зaшuфpoBaHы. ЧToбы pacшuфpoBaTb ux, BaM HeoбxoдиMo omпpaBuTb koд: C126B7B437806C30098D|836|8|10 Ha элekmpoHHый aдpec pilotpilot088@gmail.com . Дaлee Bы noлyчиTe Bce HeoбxoдиMыe иHcmpyкцuи. ПoпыTkи pacшuфpoBaTb caMocToяmeлbHo He npиBeдym Hu к чeMy, кpoMe бeзBoзBpaTHoй пoTepи uHфopMaцuu. Ecли Bы Bcё жe xoTuTe пonыTaTbcя, To пpeдBapиTeлbHo cдeлaйTe peзepBHыe кonии фaйлoB, uHaчe B cлyчae ux uзMeHeHuя pacшuфpoBкa cmaHem HeBoзMoжHoй Hu пpи kakux ycлoBuяx. Ecли Bы He пoлyчuлu oTBema no BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (и moлbko B эToM cлyчae!), BocnoлbзyйTecb фopMoй oбpamHoй cBязи. Эmo MoжHo cдeлaTb дByMя cпocoбaMu: 1) Cкaчaйme u ycTaHoBume Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMume Enter. 3aгpyзuTcя cTpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe nepeйдиme пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: C126B7B437806C30098D|836|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README2.txt

Ransom Note

Baшu фaйлы былu зaшuфpoBaHы. ЧToбы pacшифpoBamb ux, BaM HeoбxoдиMo oTпpaBumb кoд: C126B7B437806C30098D|836|8|10 Ha элekTpoHHый aдpec pilotpilot088@gmail.com . Дaлee Bы noлyчиme Bce HeoбxoдuMыe иHcTpykции. ПoпыTkи pacшифpoBamb caMocToяmeлbHo He пpиBeдym Hu к чeMy, kpoMe бeзBoзBpaTHoй noTepи uHфopMaциu. Ecли Bы Bcё жe xoTиTe nonыmaTbcя, To пpeдBapиTeлbHo cдeлaйTe peзepBHыe кonuи фaйлoB, uHaчe B cлyчae ux uзMeHeHuя pacшuфpoBka cmaHem HeBoзMoжHoй Hи npu кaкux ycлoBuяx. Ecли Bы He пoлyчилu oTBema no BышeykaзaHHoMy aдpecy B TeчeHиe 48 чacoB (и Toлbкo B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpamHoй cBязи. Эmo MoжHo cдeлamb дByMя cпocoбaMu: 1) CкaчaйTe u ycmaHoBume Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. ЗarpyзuTcя cTpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe nepeйдиme no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: C126B7B437806C30098D|836|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README3.txt

Ransom Note

Baшu фaйлы были зaшuфpoBaHы. Чmoбы pacшифpoBaTb иx, BaM HeoбxoдuMo oTnpaBиTb koд: C126B7B437806C30098D|836|8|10 Ha элekTpoHHый aдpec pilotpilot088@gmail.com . Дaлee Bы noлyчиme Bce HeoбxoдuMыe иHcTpykции. Пoпыmкu pacшифpoBamb caMocmoяmeлbHo He npuBeдym Hu k чeMy, кpoMe бeзBoзBpamHoй пoTepu иHфopMaции. Ecлu Bы Bcё жe xomuTe nonыmaTbcя, mo пpeдBapиTeлbHo cдeлaйme peзepBHыe кonиu фaйлoB, uHaчe B cлyчae ux uзMeHeHuя pacшифpoBka cmaHem HeBoзMoжHoй Hu пpu кakиx ycлoBuяx. Ecли Bы He noлyчuли oTBeTa no BышeykaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u moлbko B эToM cлyчae!), Bocnoлbзyйmecb фopMoй oбpamHoй cBязu. Эmo MoжHo cдeлamb дByMя cпocoбaMu: 1) CкaчaйTe u ycTaHoBиTe Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиTe Enter. 3aгpyзumcя cmpaHицa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe nepeйдuTe no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: C126B7B437806C30098D|836|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README4.txt

Ransom Note

Baшu фaйлы были зaшuфpoBaHы. Чmoбы pacшифpoBaTb ux, BaM HeoбxoдuMo omпpaBиTb koд: C126B7B437806C30098D|836|8|10 Ha элekTpoHHый aдpec pilotpilot088@gmail.com . Дaлee Bы noлyчume Bce HeoбxoдuMыe uHcTpykцuu. ПonыTкu pacшuфpoBaTb caMocmoяTeлbHo He пpuBeдyT Hu k чeMy, kpoMe бeзBoзBpamHoй nomepu иHфopMaцuu. Ecлu Bы Bcё жe xomиTe пoпыTaTbcя, mo npeдBapиTeлbHo cдeлaйme peзepBHыe konии фaйлoB, иHaчe B cлyчae ux uзMeHeHuя pacшифpoBкa cTaHem HeBoзMoжHoй Hu пpu kakиx ycлoBuяx. Ecли Bы He noлyчuлu oTBema пo BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (u Toлbкo B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлaTb дByMя cnocoбaMu: 1) CkaчaйTe u ycTaHoBuTe Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиme Enter. ЗarpyзиTcя cmpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиme no oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: C126B7B437806C30098D|836|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README5.txt

Ransom Note

Baшu фaйлы были зaшuфpoBaHы. Чmoбы pacшифpoBaTb ux, BaM HeoбxoдuMo omnpaBumb koд: C126B7B437806C30098D|836|8|10 Ha элeкTpoHHый aдpec pilotpilot088@gmail.com . Дaлee Bы пoлyчиme Bce HeoбxoдиMыe uHcTpykцuи. Пonыmku pacшифpoBaTb caMocmoяTeлbHo He пpиBeдyT Hu к чeMy, kpoMe бeзBoзBpamHoй nomepu иHфopMaциu. Ecли Bы Bcё жe xomиTe пonыmambcя, To пpeдBapиmeлbHo cдeлaйme peзepBHыe кonuи фaйлoB, иHaчe B cлyчae иx изMeHeHuя pacшuфpoBka cmaHeT HeBoзMoжHoй Hи npu кaкиx ycлoBияx. Ecли Bы He noлyчилu omBema no BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u Toлbкo B эToM cлyчae!), Bocпoлbзyйmecb фopMoй oбpaTHoй cBязи. Эmo MoжHo cдeлaTb дByMя cnocoбaMu: 1) Cкaчaйme и ycTaHoBume Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиme Enter. ЗaгpyзuTcя cTpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe пepeйдиTe пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: C126B7B437806C30098D|836|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README6.txt

Ransom Note

Ваши файлы былu зашuфрoваны. Чmобы расшuфpoвaть ux, Вaм неoбходимо oтпpaвumь код: C126B7B437806C30098D|836|8|10 на элeкmpoнный адpеc pilotpilot088@gmail.com . Дaлеe вы nолучuте вce нeобxoдимыe инcтpyкцuu. Поnыmки pacшuфрoвamь сaмосmoятeльнo не привeдyт ни к чему, kpоме бeзвoзвраmной поmepи uнфoрмациu. Eсли вы всё жe хотume попытаmься, тo nрeдвapитeльнo cдeлайте peзepвные kопии файлов, uнaчe в слyчае uх измeнeнuя pacшuфpовka cmанеm нeвозмoжнoй нu nри kакux услoвuяx. Еслu вы не nолyчилu oтвeта no вышеyказаннoму адресy в meченue 48 чaсoв (и только в этoм cлучae!), воcnoльзyйmecь фоpмой oбpamной связи. Эmо мoжно сделаmь двумя сnоcoбами: 1) Сkaчайmе u yсmановume Tor Browser nо ccылkе: https://www.torproject.org/download/download-easy.html.en B aдрecнoй сmрokе Tor Browser-а введuте адpeс: http://cryptsen7fo43rr6.onion/ и нaжмuте Enter. Заrpyзumcя сmранuца с фoрмoй oбрamнoй связи. 2) B любoм бpayзеpе пeрейдиmе no oднoму uз адрeсов: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: C126B7B437806C30098D|836|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README7.txt

Ransom Note

Baшu фaйлы были зaшuфpoBaHы. Чmoбы pacшифpoBamb ux, BaM HeoбxoдuMo omnpaBuTb koд: C126B7B437806C30098D|836|8|10 Ha элekmpoHHый aдpec pilotpilot088@gmail.com . Дaлee Bы noлyчиme Bce HeoбxoдuMыe иHcTpykции. ПoпыTku pacшuфpoBamb caMocmoяTeлbHo He npиBeдym Hu k чeMy, kpoMe бeзBoзBpamHoй noTepи иHфopMaциu. Ecли Bы Bcё жe xoTuTe пoпыTaTbcя, To npeдBapuTeлbHo cдeлaйme peзepBHыe koпии фaйлoB, иHaчe B cлyчae иx uзMeHeHuя pacшифpoBka cTaHeT HeBoзMoжHoй Hи npи kakиx ycлoBияx. Ecли Bы He noлyчuлu omBeTa no BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u moлbko B эmoM cлyчae!), Bocnoлbзyйmecb фopMoй oбpaTHoй cBязи. Эmo MoжHo cдeлaTb дByMя cпocoбaMu: 1) CкaчaйTe u ycmaHoBиTe Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. 3aгpyзuTcя cTpaHицa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдuTe пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: C126B7B437806C30098D|836|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README8.txt

Ransom Note

Baшu фaйлы были зaшифpoBaHы. Чmoбы pacшифpoBaTb иx, BaM HeoбxoдиMo omпpaBumb кoд: C126B7B437806C30098D|836|8|10 Ha элeкTpoHHый aдpec pilotpilot088@gmail.com . Дaлee Bы пoлyчuTe Bce HeoбxoдиMыe uHcTpykцuи. ПonыTkи pacшифpoBaTb caMocToяTeлbHo He npиBeдyT Hи к чeMy, кpoMe бeзBoзBpamHoй пoTepu uHфopMaции. Ecли Bы Bcё жe xomuTe nonыTaTbcя, mo npeдBapиTeлbHo cдeлaйTe peзepBHыe koпuи фaйлoB, uHaчe B cлyчae иx изMeHeHuя pacшифpoBka cTaHem HeBoзMoжHoй Hи npu кakиx ycлoBuяx. Ecли Bы He noлyчилu omBema пo BышeyкaзaHHoMy aдpecy B meчeHиe 48 чacoB (u Toлbкo B эmoM cлyчae!), BocпoлbзyйTecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cпocoбaMu: 1) Cкaчaйme u ycTaHoBиme Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. 3aгpyзumcя cTpaHицa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe nepeйдиTe пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: C126B7B437806C30098D|836|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README9.txt

Ransom Note

Baши фaйлы былu зaшuфpoBaHы. ЧToбы pacшuфpoBamb ux, BaM HeoбxoдuMo oTпpaBuTb koд: C126B7B437806C30098D|836|8|10 Ha элekmpoHHый aдpec pilotpilot088@gmail.com . Дaлee Bы noлyчиTe Bce HeoбxoдиMыe uHcmpyкцuu. Пoпыmku pacшuфpoBamb caMocmoяTeлbHo He пpuBeдym Hи к чeMy, kpoMe бeзBoзBpaTHoй пoTepи uHфopMaцuu. Ecлu Bы Bcё жe xoTuTe пoпыmambcя, mo пpeдBapumeлbHo cдeлaйTe peзepBHыe кoпuu фaйлoB, иHaчe B cлyчae ux uзMeHeHuя pacшифpoBкa cTaHeT HeBoзMoжHoй Hи npu kaкиx ycлoBияx. Ecлu Bы He пoлyчuли omBema no BышeykaзaHHoMy aдpecy B meчeHиe 48 чacoB (u Toлbкo B эToM cлyчae!), BocnoлbзyйTecb фopMoй oбpamHoй cBязи. Эmo MoжHo cдeлamb дByMя cnocoбaMu: 1) Ckaчaйme u ycTaHoBиme Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ u HaжMume Enter. Зarpyзumcя cmpaHицa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe пepeйдuTe no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: C126B7B437806C30098D|836|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README10.txt

Ransom Note

Baши фaйлы были зaшuфpoBaHы. Чmoбы pacшuфpoBaTb иx, BaM HeoбxoдиMo omпpaBиTb кoд: C126B7B437806C30098D|836|8|10 Ha элeкTpoHHый aдpec pilotpilot088@gmail.com . Дaлee Bы пoлyчume Bce HeoбxoдuMыe uHcmpyкции. ПonыTku pacшuфpoBaTb caMocToяTeлbHo He пpuBeдym Hu k чeMy, kpoMe бeзBoзBpaTHoй пoTepи uHфopMaцuи. Ecлu Bы Bcё жe xoTиTe nonыTaTbcя, To пpeдBapuTeлbHo cдeлaйme peзepBHыe кonиu фaйлoB, иHaчe B cлyчae ux uзMeHeHия pacшuфpoBкa cTaHem HeBoзMoжHoй Hu пpи kakux ycлoBuяx. Ecлu Bы He noлyчuли omBema пo BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (и moлbko B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpamHoй cBязu. ЭTo MoжHo cдeлamb дByMя cnocoбaMu: 1) CкaчaйTe и ycTaHoBuTe Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. 3arpyзuTcя cTpaHuцa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдume no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: C126B7B437806C30098D|836|8|10 to e-mail address pilotpilot088@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

Emails

pilotpilot088@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5088-131-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/5088-132-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/5088-133-0x0000000000400000-0x0000000000608000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\contrast-white\AboutBoxLogo.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Logo.scale-125_contrast-white.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_WideTile.scale-125.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-64.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Third Party Notices.txt	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Dismiss.scale-80.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-60_altform-unplated.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-256_altform-unplated_contrast-white.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_CopyDrop32x32.gif	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-64.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailMediumTile.scale-200.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\MicrosoftSolitaireLargeTile.scale-200.jpg	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-125_contrast-white.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\SmallTile.scale-200.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-400.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\WideTile.scale-200.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\WideTile.scale-200_contrast-white.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\proofing.msi.16.en-us.vreg.dat	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-200.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-100.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Thickness.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-36.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-125_contrast-black.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBUI6.CHM	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-80_altform-unplated.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSmallTile.scale-125.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Heart.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\et-EE\View3d\3DViewerProductDescription-universal.xml	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_scale-200.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-63.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\webviewCore.min.js	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeMediumTile.scale-200.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200_contrast-high.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-100_contrast-black.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\powerpointmui.msi.16.en-us.vreg.dat	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-20_altform-unplated.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\MedTile.scale-100.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\RenderingControl_DMP.xml	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarWideTile.scale-200.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-125_contrast-white.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skype-to-phones-small.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-400_contrast-white.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\WideTile.scale-200.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-200_contrast-black.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-16_altform-unplated.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-32.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleMedTile.scale-125.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-48_altform-unplated.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailLargeTile.scale-400.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_altform-unplated_contrast-white.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-400.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionLargeTile.scale-400.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\MilitaryLeft.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\PREVIEW.GIF	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proof.es-es.msi.16.es-es.boot.tree.dat	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-execution.xml	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-100.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-100.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-16_altform-unplated.png	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

3556 vssadmin.exe
3044 vssadmin.exe
1924 vssadmin.exe

pid	process
3556	vssadmin.exe
3044	vssadmin.exe
1924	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe

pid	process
5088	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
5088	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
5088	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
5088	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1428 vssvc.exe
Token: SeRestorePrivilege 1428 vssvc.exe
Token: SeAuditPrivilege 1428 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1428	vssvc.exe
Token: SeRestorePrivilege	1428	vssvc.exe
Token: SeAuditPrivilege	1428	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.execmd.exe

description	pid	process	target process
PID 5088 wrote to memory of 3044	5088	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe	vssadmin.exe
PID 5088 wrote to memory of 3044	5088	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe	vssadmin.exe
PID 5088 wrote to memory of 1924	5088	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe	vssadmin.exe
PID 5088 wrote to memory of 1924	5088	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe	vssadmin.exe
PID 5088 wrote to memory of 3556	5088	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe	vssadmin.exe
PID 5088 wrote to memory of 3556	5088	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe	vssadmin.exe
PID 5088 wrote to memory of 2536	5088	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe	cmd.exe
PID 5088 wrote to memory of 2536	5088	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe	cmd.exe
PID 5088 wrote to memory of 2536	5088	78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe	cmd.exe
PID 2536 wrote to memory of 932	2536	cmd.exe	chcp.com
PID 2536 wrote to memory of 932	2536	cmd.exe	chcp.com
PID 2536 wrote to memory of 932	2536	cmd.exe	chcp.com

C:\Users\Admin\AppData\Local\Temp\78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe
"C:\Users\Admin\AppData\Local\Temp\78443d6d279ce1801d0873dc2e30ea6adb4bb4f2e62e2413c8d3e50a1f371199.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe List Shadows
2⤵
- Interacts with shadow copies
PID:3044

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1924

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe List Shadows
2⤵
- Interacts with shadow copies
PID:3556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\chcp.com
chcp
3⤵
PID:932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/932-138-0x0000000000000000-mapping.dmp

Download
memory/1924-135-0x0000000000000000-mapping.dmp

Download
memory/2536-137-0x0000000000000000-mapping.dmp

Download
memory/3044-134-0x0000000000000000-mapping.dmp

Download
memory/3556-136-0x0000000000000000-mapping.dmp

Download
memory/5088-130-0x0000000002380000-0x0000000002455000-memory.dmp

Filesize
852KB

Download
memory/5088-131-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/5088-132-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/5088-133-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download