11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61

General

Target

11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe
Size

762KB
MD5

00e90026198266ac834b0dbcd9c4f838
SHA1

803603c0610b6e726edb201cb1fef3ad472a9afe
SHA256

11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61
SHA512

2ae4c9d4fd55215fffe592daf3770c5c91e9c7970748a575226f9ee7d6c9e760a95a74509f53cf8986988454741297ece90b9a33f8f74d37c6f974684fd2a2a9
SSDEEP

12288:aMmXLbRD6RGU2sTRL9JoCBGYLVvdq0xW1zoojZuKCPKSCOrPDQcciv9CUIyywCYp:tmXLbB6RG4TRXoCBGYLxxxW1soFurPK6

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DecryptAllFiles 7138621.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. 1. Type the address http://torproject.org in your Internet browser. It opens the Tor site. 2. Press 'Download Tor', then press 'DOWNLOAD Tor Browser Bundle', install and run it.\ 3. Now you have Tor Browser. In the Tor Browser open the http://kurrmpfx6kgmsopm.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. 4. Copy and paste the following public key in the input form on server. Avoid missprints. PHMJTO-6WTIFO-RACALI-D2U4KD-A5M5PN-JGHM3H-QBNDW6-U5VQZJ WFOKTM-3I7I6S-54PDQS-3CUU2D-2OPQMR-U6PKTS-GYKKXF-XLN3EN HBWNCL-OOSR46-EZIO2B-DRYEH6-HQRJOU-JGMIJJ-S4XNGG-LARFAP 5. Follow the instructions on the server.

URLs

http://kurrmpfx6kgmsopm.onion

Extracted

Path

C:\Users\Admin\Documents\zlwdkgg.html

Ransom Note

<html><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8'> <head><body bgcolor=#424242> Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. 1. Go to site <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' href='http://www.torproject.org/download/download-easy.html.en'>http://torproject.org</a>. 2. Press 'DOWNLOAD Tor Browser Bundle', install and run it. 3. Now you have Tor Browser. In the Tor Browser open the <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' href='http://kurrmpfx6kgmsopm.onion'>http://kurrmpfx6kgmsopm.onion</a>     Note that this server is available via Tor Browser only.     Retry in 1 hour if site is not reachable. 4. Copy and paste the following public key in the input form on server. Avoid missprints.<pre style='font-family:Courier New;font-size:16px;color:#FFFFFF'>PHMJTO-6WTIFO-RACALI-D2U4KD-A5M5PN-JGHM3H-QBNDW6-U5VQZJ WFOKTM-3I7I6S-54PDQS-3CUU2D-2OPQMR-U6PKTS-GYKKXF-XLN3EN HBWNCL-OOSR46-EZIO2B-DRYEH6-HQRJOU-JGMIJJ-S4XNGG-LARFAP</pre> 5. Follow the instructions on the server. The list of your encrypted files: <a name='list'></a> <table style='font-family:Tahoma;font-size:12px;color:#FFFFFF;border-color:#A0A0A0' cellspacing=0 cellpadding=5 border=1> <tr><th>File</th><th>Path</th></tr> <tr><td>Xusage.txt</td><td>C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\</td></tr><tr><td>readme.txt</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>License.txt</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>io.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>af.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ms.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>cy.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>eo.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ast.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>br.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lv.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ku.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>nn.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sq.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>nb.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fy.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>va.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>README.txt</td><td>C:\Program Files\Java\jdk1.7.0_80\jre\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\</td></tr><tr><td>jvm.hprof.txt</td><td>C:\Program Files\Java\jdk1.7.0_80\jre\lib\</td></tr><tr><td>sr-spl.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>et.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sv.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>uz.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ro.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fur.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ext.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lij.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>an.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>zh-tw.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kaa.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>zh-cn.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hu.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>da.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ga.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>id.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>vi.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kab.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hr.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sl.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ps.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mn.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fi.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>is.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>eu.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mk.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pl.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>nl.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>cs.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>gl.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sk.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ca.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pt.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pt-br.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lt.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>az.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>de.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>he.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>it.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>es.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>tr.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ko.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fr.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>co.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kk.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fa.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mr.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>yo.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ba.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>asl-v20.txt</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\</td></tr><tr><td>asl-v20.txt</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\</td></tr><tr><td>VERSION.txt</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\</td></tr><tr><td>VERSION.txt</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\</td></tr><tr><td>README.txt</td><td>C:\Program Files\Java\jre7\</td></tr><tr><td>Mso Example Setup File A.txt</td><td>C:\Program Files\Microsoft Office\Office14\</td></tr><tr><td>Mso Example Intl Setup File A.txt</td><td>C:\Program Files\Microsoft Office\Office14\1033\</td></tr><tr><td>Mso Example Intl Setup File B.txt</td><td>C:\Program Files\Microsoft Office\Office14\1033\</td></tr><tr><td>Xusage.txt</td><td>C:\Program Files\Java\jre7\bin\server\</td></tr><tr><td>jvm.hprof.txt</td><td>C:\Program Files\Java\jre7\lib\</td></tr><tr><td>README.txt</td><td>C:\Program Files\VideoLAN\VLC\lua\http\requests\</td></tr><tr><td>asl-v20.txt</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\</td></tr><tr><td>ug.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ja.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sr-spc.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>be.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ku-ckb.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ar.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ky.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ta.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>bg.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ne.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hy.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>tt.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ru.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pa-in.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>bn.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>uk.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>th.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>si.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>el.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ka.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>gu.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hi.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>COPYING.txt</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>sa.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>AUTHORS.txt</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>mng.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mng2.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>THIRDPARTYLICENSEREADME.txt</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\</td></tr><tr><td>History.txt</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.txt</td><td>C:\Program Files\Java\jre7\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.txt</td><td>C:\Program Files\Java\jdk1.7.0_80\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.txt</td><td>C:\Program Files\Java\jdk1.7.0_80\jre\</td></tr><tr><td>THIRDPARTYLICENSEREADME.txt</td><td>C:\Program Files\Java\jdk1.7.0_80\</td></tr><tr><td>THIRDPARTYLICENSEREADME.txt</td><td>C:\Program Files\Java\jre7\</td></tr><tr><td>THIRDPARTYLICENSEREADME.txt</td><td>C:\Program Files\Java\jdk1.7.0_80\jre\</td></tr><tr><td>NEWS.txt</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>StepUnblock.txt</td><td>C:\Program Files\</td></tr><tr><td>OutBackup.xls</td><td>C:\Program Files\</td></tr><tr><td>FindNew.xlsb</td><td>C:\Program Files\</td></tr><tr><td>README.TXT</td><td>C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\</td></tr><tr><td>README.txt</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>THANKS.txt</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>Thawte Root Certificate.cer</td><td>C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\</td></tr><tr><td>Adobe Root Certificate.cer</td><td>C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\</td></tr><tr><td>AdobeAUM_rootCert.cer</td><td>C:\Program Files (x86)\Common Files\Adobe\Updater6\</td></tr><tr><td>AdobeUpdate.cer</td><td>C:\Program Files (x86)\Common Files\Adobe\Updater6\</td></tr><tr><td>AdobeUpdater.cer</td><td>C:\Program Files (x86)\Common Files\Adobe\Updater6\</td></tr><tr><td>METCONV.TXT</td><td>C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\</td></tr><tr><td>MS.JPG</td><td>C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\</td></tr><tr><td>MS.EPS</td><td>C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\</td></tr><tr><td>ffjcext.zip</td><td>C:\Program Files\Java\jre7\lib\deploy\</td></tr><tr><td>ffjcext.zip</td><td>C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\</td></tr><tr><td>eclipse_update_120.jpg</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\</td></tr><tr><td>eclipse_update_120.jpg</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\</td></tr><tr><td>Words.pdf</td><td>C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\</td></tr><tr><td>DismountRevoke.zip</td><td>C:\Program Files\</td></tr><tr><td>DisableConvert.jpg</td><td>C:\Program Files\</td></tr><tr><td>J0099185.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0099154.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0099161.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0341634.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0341534.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0099189.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0341645.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0099155.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0099188.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0321179.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0099157.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0341328.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0309480.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0341344.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0289430.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0099152.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0337280.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0341636.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0099156.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0175428.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0099160.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0341654.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0341653.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0287643.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0341499.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>VeriSign_Class_3_Public_Primary_CA.cer</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\</td></tr><tr><td>SignedManagedObjects.cer</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\</td></tr><tr><td>SignedComponents.cer</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\</td></tr><tr><td>VS_ComponentSigningIntermediate.cer</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\</td></tr><tr><td>VeriSign_Class_3_Code_Signing_2001-4_CA.cer</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\</td></tr><tr><td>Management.cer</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\</td></tr><tr><td>RELAY.CER</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\</td></tr><tr><td>PROTTPLN.DOC</td><td>C:\Program Files (x86)\Microsoft Office\Office14\1033\</td></tr><tr><td>PROTTPLV.DOC</td><td>C:\Program Files (x86)\Microsoft Office\Office14\1033\</td></tr><tr><td>PROTTPLN.XLS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\1033\</td></tr><tr><td>PROTTPLV.XLS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\1033\</td></tr><tr><td>PH02412K.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>PH01239K.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>PH01213K.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>PH01221K.JPG</td><td>C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\</td></tr><tr><td>J0302953.JPG</td><td>C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\</td></tr><tr><td>NotifierDisableDownArrow.jpg</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\</td></tr><tr><td>NotifierCloseButton.jpg</td><td>C:\Program F

URLs

http-equiv='Content-Type

Signatures

Executes dropped EXE 2 IoCs

Processes:

pdfisga.exepdfisga.exe

pid process

1696 pdfisga.exe
1820 pdfisga.exe

pid	process
1696	pdfisga.exe
1820	pdfisga.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

pdfisga.exe

description	ioc	process
File renamed	C:\Users\Admin\AppData\Local\Temp\0.tmp => C:\Users\Admin\Pictures\DismountOpen.raw.ctb2	pdfisga.exe
File renamed	C:\Users\Admin\AppData\Local\Temp\0.tmp => C:\Users\Admin\Pictures\GrantLimit.raw.ctb2	pdfisga.exe
File renamed	C:\Users\Admin\AppData\Local\Temp\0.tmp => C:\Users\Admin\Pictures\ReadClose.crw.ctb2	pdfisga.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exepdfisga.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	pdfisga.exe

Loads dropped DLL 3 IoCs

Processes:

11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exepdfisga.exe

pid process

944 11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe
1696 pdfisga.exe
1696 pdfisga.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
944	11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe
1696	pdfisga.exe
1696	pdfisga.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exepdfisga.exe

description	pid	process	target process
PID 944 set thread context of 668	944	11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe	11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe
PID 1696 set thread context of 1820	1696	pdfisga.exe	pdfisga.exe

Drops file in Program Files directory 2 IoCs

Processes:

pdfisga.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DecryptAllFiles 7138621.txt	pdfisga.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AllFilesAreLocked 7138621.bmp	pdfisga.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1516 1400 WerFault.exe

pid	pid_target	process	target process
1516	1400	WerFault.exe

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\pdfisga.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\pdfisga.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe	nsis_installer_2

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

pdfisga.exe

pid process

1820 pdfisga.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pdfisga.exe

pid process

1820 pdfisga.exe

pid	process
1820	pdfisga.exe

pid	process
1820	pdfisga.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exetaskeng.exepdfisga.exe

description	pid	process	target process
PID 944 wrote to memory of 668	944	11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe	11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe
PID 944 wrote to memory of 668	944	11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe	11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe
PID 944 wrote to memory of 668	944	11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe	11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe
PID 944 wrote to memory of 668	944	11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe	11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe
PID 944 wrote to memory of 668	944	11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe	11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe
PID 944 wrote to memory of 668	944	11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe	11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe
PID 944 wrote to memory of 668	944	11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe	11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe
PID 684 wrote to memory of 1696	684	taskeng.exe	pdfisga.exe
PID 684 wrote to memory of 1696	684	taskeng.exe	pdfisga.exe
PID 684 wrote to memory of 1696	684	taskeng.exe	pdfisga.exe
PID 684 wrote to memory of 1696	684	taskeng.exe	pdfisga.exe
PID 1696 wrote to memory of 1820	1696	pdfisga.exe	pdfisga.exe
PID 1696 wrote to memory of 1820	1696	pdfisga.exe	pdfisga.exe
PID 1696 wrote to memory of 1820	1696	pdfisga.exe	pdfisga.exe
PID 1696 wrote to memory of 1820	1696	pdfisga.exe	pdfisga.exe
PID 1696 wrote to memory of 1820	1696	pdfisga.exe	pdfisga.exe
PID 1696 wrote to memory of 1820	1696	pdfisga.exe	pdfisga.exe
PID 1696 wrote to memory of 1820	1696	pdfisga.exe	pdfisga.exe

C:\Users\Admin\AppData\Local\Temp\11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe
"C:\Users\Admin\AppData\Local\Temp\11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Local\Temp\11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe
"C:\Users\Admin\AppData\Local\Temp\11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61.exe"
2⤵
- Checks computer location settings
PID:668

C:\Windows\system32\taskeng.exe
taskeng.exe {2A25933A-3EC9-4124-ADBD-7AAF0557874B} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
"C:\Users\Admin\AppData\Local\Temp\pdfisga.exe"
3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1820

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1400 -s 592
1⤵
- Program crash
PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pdfisga.exe

Filesize
762KB

MD5
00e90026198266ac834b0dbcd9c4f838

SHA1
803603c0610b6e726edb201cb1fef3ad472a9afe

SHA256
11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61

SHA512
2ae4c9d4fd55215fffe592daf3770c5c91e9c7970748a575226f9ee7d6c9e760a95a74509f53cf8986988454741297ece90b9a33f8f74d37c6f974684fd2a2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe

Filesize
762KB

MD5
00e90026198266ac834b0dbcd9c4f838

SHA1
803603c0610b6e726edb201cb1fef3ad472a9afe

SHA256
11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61

SHA512
2ae4c9d4fd55215fffe592daf3770c5c91e9c7970748a575226f9ee7d6c9e760a95a74509f53cf8986988454741297ece90b9a33f8f74d37c6f974684fd2a2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe

Filesize
762KB

MD5
00e90026198266ac834b0dbcd9c4f838

SHA1
803603c0610b6e726edb201cb1fef3ad472a9afe

SHA256
11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61

SHA512
2ae4c9d4fd55215fffe592daf3770c5c91e9c7970748a575226f9ee7d6c9e760a95a74509f53cf8986988454741297ece90b9a33f8f74d37c6f974684fd2a2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbkSwfGxpT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Media Center Programs\xptppml

Filesize
654B

MD5
93b277a1188a454f2be34c0ccedd8430

SHA1
9fe81c4b6a97588722c584f631a3a333dcde6a12

SHA256
dde23702a22a38c496ba46e3fc0a5902f3d847417f631051dba190250d68d630

SHA512
12b2842d927b62de6b304985b405832718a71be6e06cb3a74ea7dfefa862fbb9bc00763930169a7cff07f010b51f42a57a4d7b1403c0d0c7658bfc9aebafdd0f

Download Submit
\Users\Admin\AppData\Local\Temp\nso626E.tmp\nDJkMYnUkGmsjxNz.dll

Filesize
118KB

MD5
bee2bc7ca85e944a77dcf8be9bd8b7e1

SHA1
561e8f534eb2da783e2aa72a678b4967d71bdf23

SHA256
2b1c9ebd08e2c2286590e20f1777b07163dfa2706f12735a9317c3423ca71bf8

SHA512
51e385786e6de3f8b432be3f9cff5709b3d059a9183314dc6f69ac8b19c0809622964471aac21f5f1a67b9fc888dc2ba9969d1e015bb4fbb93de18fb6251c90f

Download Submit
\Users\Admin\AppData\Local\Temp\nst947.tmp\nDJkMYnUkGmsjxNz.dll

Filesize
118KB

MD5
bee2bc7ca85e944a77dcf8be9bd8b7e1

SHA1
561e8f534eb2da783e2aa72a678b4967d71bdf23

SHA256
2b1c9ebd08e2c2286590e20f1777b07163dfa2706f12735a9317c3423ca71bf8

SHA512
51e385786e6de3f8b432be3f9cff5709b3d059a9183314dc6f69ac8b19c0809622964471aac21f5f1a67b9fc888dc2ba9969d1e015bb4fbb93de18fb6251c90f

Download Submit
\Users\Admin\AppData\Local\Temp\pdfisga.exe

Filesize
762KB

MD5
00e90026198266ac834b0dbcd9c4f838

SHA1
803603c0610b6e726edb201cb1fef3ad472a9afe

SHA256
11090879de7060d1ffa3188e78af8a8e710488a9b9a1f67e147a39c218783b61

SHA512
2ae4c9d4fd55215fffe592daf3770c5c91e9c7970748a575226f9ee7d6c9e760a95a74509f53cf8986988454741297ece90b9a33f8f74d37c6f974684fd2a2a9

Download Submit
memory/668-60-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/668-66-0x0000000000400000-0x00000000004A6800-memory.dmp

Filesize
666KB

Download
memory/668-65-0x00000000008A0000-0x0000000000AE1000-memory.dmp

Filesize
2.3MB

Download
memory/668-63-0x0000000000690000-0x00000000008A0000-memory.dmp

Filesize
2.1MB

Download
memory/668-61-0x000000000047287B-mapping.dmp

Download
memory/668-58-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/668-57-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/944-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/944-56-0x0000000001D00000-0x0000000001D26000-memory.dmp

Filesize
152KB

Download
memory/1696-68-0x0000000000000000-mapping.dmp

Download
memory/1696-73-0x0000000000510000-0x0000000000536000-memory.dmp

Filesize
152KB

Download
memory/1820-79-0x000000000047287B-mapping.dmp

Download
memory/1820-84-0x00000000008C0000-0x0000000000B01000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads