Overview

overview

10

Static

static

903ba9c840...56.exe

windows7-x64

10

903ba9c840...56.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56

  • Size

    1.1MB

  • Sample

    221126-adsk2abf3w

  • MD5

    f7bf40a04f42e1f14e54a18d3c61897f

  • SHA1

    3eebc14f1c70ae9d4fa493c650a94d12257b2435

  • SHA256

    903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56

  • SHA512

    18aeeebd2733f3e0db865a3bd79433162cf6459bc75fc1883373c94800223334610eb3c8a123c760cf6378fe2b9741ba8299aeab6cb72682375619ee558503fb

  • SSDEEP

    12288:gpQzNWXXasPZqh+unTEDA9ukiVATu83lf6YiRuRVlbEU6kw801pyVklLgjN25Kt7:g5asBpDDkqAT31Bi0RQ1EqG2+EC

Score
10/10
persistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DecryptAllFiles 7294856.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. 1. Type the address http://torproject.org in your Internet browser. It opens the Tor site. 2. Press 'Download Tor', then press 'DOWNLOAD Tor Browser Bundle', install and run it.\ 3. Now you have Tor Browser. In the Tor Browser open the http://wypwtzc2kaceyufw.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. 4. Copy and paste the following public key in the input form on server. Avoid missprints. JAKL2V-XLAYFZ-CE4YMQ-GD5U3D-P3WLYJ-4DL2TI-DKJ2VJ-4YZATX ULJEAR-TTKNMB-SC6BFA-WOOEDE-EK2DMO-IBY77V-2Z4P2A-K6EI5R LAXCK5-J62FT2-WMEX7A-PAEIBX-S2I6CG-SCDSUD-42HHMI-ZFLSZZ 5. Follow the instructions on the server.
URLs

http://wypwtzc2kaceyufw.onion

Extracted

Path

C:\Users\Admin\Documents\yrnkowk.html

Ransom Note
<html><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8'> </head><body bgcolor=#424242> <p style='font-family:Tahoma;font-size:14px;color:#FFFFFF'> Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer.<br> Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.<br> If you see the main locker window, follow the instructions on the locker.<br> Overwise, it's seems that you or your antivirus deleted the locker program.<br> Now you have the last chance to decrypt your files.<br><br> 1. Go to site <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' href='http://www.torproject.org/download/download-easy.html.en'>http://torproject.org</a>.<br> 2. Press 'DOWNLOAD Tor Browser Bundle', install and run it.<br> 3. Now you have Tor Browser. In the Tor Browser open the <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' href='http://wypwtzc2kaceyufw.onion'>http://wypwtzc2kaceyufw.onion</a><br> &nbsp;&nbsp;&nbsp;&nbsp;Note that this server is available via Tor Browser only.<br> &nbsp;&nbsp;&nbsp;&nbsp;Retry in 1 hour if site is not reachable.<br> 4. Copy and paste the following public key in the input form on server. Avoid missprints.</p><pre style='font-family:Courier New;font-size:16px;color:#FFFFFF'>WVH2PS-MNWHOD-WPQHK3-E3NRFE-FMGCS7-YOA7DM-J7LPQM-KN2UGV UVMIBG-KFLWVE-A7W7RK-ZNYZMX-N7AV74-7R5VBE-X744IM-XNFQVQ 5YPPDK-Q6V572-RSYFL2-PQYZUD-OVKM7F-IWUZSM-PFVWRJ-2GKT47</pre> <p style='font-family:Tahoma;font-size:14px;color:#FFFFFF'> 5. Follow the instructions on the server.<br><br> The list of your encrypted files:<br><a name='list'></a></p> <table style='font-family:Tahoma;font-size:12px;color:#FFFFFF;border-color:#A0A0A0' cellspacing=0 cellpadding=5 border=1> <tr><th><b>File</b></th><th><b>Path</b></th></tr> <tr><td>ClientARMRefer2019_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ClientOSub2019_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>WacLangPack2019Eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>VERSION.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\</td></tr><tr><td>ClientSub2019_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>VERSION.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\</td></tr><tr><td>README.txt</td><td>C:\Program Files\Java\jre1.8.0_66\</td></tr><tr><td>README.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\jre\</td></tr><tr><td>ClientARMRefer_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\</td></tr><tr><td>WacLangPackEula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ClientVolumeLicense_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>notice.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\</td></tr><tr><td>ClientLangPack2019_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ClientLangPack_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ExcelMessageDismissal.txt</td><td>C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\</td></tr><tr><td>ClientVolumeLicense2019_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ClientOSub_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>card_expiration_terms_dict.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\Configuration\</td></tr><tr><td>Xusage.txt</td><td>C:\Program Files\Java\jre1.8.0_66\bin\server\</td></tr><tr><td>Xusage.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\</td></tr><tr><td>readme.txt</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>card_security_terms_dict.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\Configuration\</td></tr><tr><td>AccessMessageDismissal.txt</td><td>C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\</td></tr><tr><td>README.txt</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>License.txt</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>jvm.hprof.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\jre\lib\</td></tr><tr><td>jvm.hprof.txt</td><td>C:\Program Files\Java\jre1.8.0_66\lib\</td></tr><tr><td>io.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>af.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>card_terms_dict.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\Configuration\</td></tr><tr><td>ms.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>cy.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>eo.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ast.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>README.txt</td><td>C:\Program Files\VideoLAN\VLC\lua\http\requests\</td></tr><tr><td>br.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lv.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>LyncVDI_Eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>THANKS.txt</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>ku.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ssn_high_group_info.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\Configuration\</td></tr><tr><td>nn.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sq.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>nb.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ThirdPartyNotices.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\MSIPC\</td></tr><tr><td>fy.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>va.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>LyncBasic_Eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>TPN.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\</td></tr><tr><td>sr-spl.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>et.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sv.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>uz.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>AccessRuntime_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ro.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fur.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ext.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lij.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>an.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>zh-tw.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kaa.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>zh-cn.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hu.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>da.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ga.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>id.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>vi.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kab.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>AccessRuntime2019_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>hr.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sl.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ps.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mn.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fi.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>is.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>eu.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mk.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pl.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>nl.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>SkypeForBusinessVDI2019_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>SkypeForBusinessBasic2019_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>cs.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>gl.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sk.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ca.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pt.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pt-br.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lt.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>az.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>he.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>de.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>it.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ClientPreview_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>es.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>tr.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ko.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fr.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>co.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kk.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fa.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mr.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>yo.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ba.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>asl-v20.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\</td></tr><tr><td>asl-v20.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\</td></tr><tr><td>asl-v20.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\</td></tr><tr><td>ug.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ja.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sr-spc.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ClientSub_M365_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>be.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ClientSub_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ku-ckb.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ar.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ky.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ta.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>bg.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ne.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hy.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>tt.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ru.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pa-in.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>bn.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>uk.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>th.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>si.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>el.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ka.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>gu.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hi.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>COPYING.txt</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>sa.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>third-party-notices.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\AugLoop\</td></tr><tr><td>AUTHORS.txt</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>mng.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mng2.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>THIRDPARTYLICENSEREADME.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\</td></tr><tr><td>client_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>Client2019_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>History.txt</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.txt</td><td>C:\Program Files\Java\jre1.8.0_66\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\jre\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\</td></tr><tr><td>THIRDPARTYLICENSEREADME.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\</td></tr><tr><td>THIRDPARTYLICENSEREADME.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\jre\</td></tr><tr><td>THIRDPARTYLICENSEREADME.txt</td><td>C:\Program Files\Java\jre1.8.0_66\</td></tr><tr><td>NEWS.txt</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>PowerPointNaiveBayesCommandRanker.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ExcelNaiveBayesCommandRanker.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>WordNaiveBayesCommandRanker.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>lpklegal.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\</td></tr><tr><td>METCONV.TXT</td><td>C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\</td></tr><tr><td>cacerts.pem</td><td>C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\</td></tr><tr><td>PROTTPLN.DOC</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>PROTTPLV.DOC</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>PROTTPLV.XLS</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>PROTTPLN.XLS</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>SOLVSAMP.XLS</td><td>C:\Program Files\Microsoft Office\root\Office16\SAMPLES\</td></tr><tr><td>EXCEL12.XLSX</td><td>C:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\</td></tr><tr><td>MS.JPG</td><td>C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\</td></tr><tr><td>PROTTPLV.PPT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>PROTTPLN.PPT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ffjcext.zip</td><td>C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\</td></tr><tr><td>ffjcext.zip</td><td>C:\Program Files\Java\jre1.8.0_66\lib\deploy\</td></tr><tr><td>eclipse_update_120.jpg</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\</td></tr><tr><td>eclipse_update_120.jpg</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\</td></tr><tr><td>GetRedo.dwg</td><td>C:\Program Files\</td></tr><tr><td>javafx-src.zip</td><td>C:\Program Files\Java\jdk1.8.0_66\</td></tr><tr><td>chrome.7z</td><td>C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\</td></tr><tr><td>osver.txt</td><td>C:\ProgramData\Microsoft\Diagnosis\</td></tr><tr><td>excluded.txt</td><td>C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\</td></tr><tr><td>List.txt</td><td>C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\</td></tr><tr><td>excluded.txt</td><td>C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\</td></tr><tr><td>Excluded.txt</td><td>C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\</td></tr><tr><td>List.txt</td><td>C:\Program Files (x86)\Common Files\
URLs

http-equiv='Content-Type

Extracted

Path

C:\Users\Admin\Documents\DecryptAllFiles 240628218.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. 1. Type the address http://torproject.org in your Internet browser. It opens the Tor site. 2. Press 'Download Tor', then press 'DOWNLOAD Tor Browser Bundle', install and run it.\ 3. Now you have Tor Browser. In the Tor Browser open the http://wypwtzc2kaceyufw.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. 4. Copy and paste the following public key in the input form on server. Avoid missprints. WVH2PS-MNWHOD-WPQHK3-E3NRFE-FMGCS7-YOA7DM-J7LPQM-KN2UGV UVMIBG-KFLWVE-A7W7RK-ZNYZMX-N7AV74-7R5VBE-X744IM-XNFQVQ 5YPPDK-Q6V572-RSYFL2-PQYZUD-OVKM7F-IWUZSM-PFVWRJ-2GKT47 5. Follow the instructions on the server.
URLs

http://wypwtzc2kaceyufw.onion

Targets

    • Target

      903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56

    • Size

      1.1MB

    • MD5

      f7bf40a04f42e1f14e54a18d3c61897f

    • SHA1

      3eebc14f1c70ae9d4fa493c650a94d12257b2435

    • SHA256

      903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56

    • SHA512

      18aeeebd2733f3e0db865a3bd79433162cf6459bc75fc1883373c94800223334610eb3c8a123c760cf6378fe2b9741ba8299aeab6cb72682375619ee558503fb

    • SSDEEP

      12288:gpQzNWXXasPZqh+unTEDA9ukiVATu83lf6YiRuRVlbEU6kw801pyVklLgjN25Kt7:g5asBpDDkqAT31Bi0RQ1EqG2+EC

    Score
    10/10
    ransomwarepersistencespywarestealer

    • Executes dropped EXE

    • Modifies Installed Components in the registry

      persistence

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Tasks