903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56

General

Target

903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
Size

1.1MB
MD5

f7bf40a04f42e1f14e54a18d3c61897f
SHA1

3eebc14f1c70ae9d4fa493c650a94d12257b2435
SHA256

903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56
SHA512

18aeeebd2733f3e0db865a3bd79433162cf6459bc75fc1883373c94800223334610eb3c8a123c760cf6378fe2b9741ba8299aeab6cb72682375619ee558503fb
SSDEEP

12288:gpQzNWXXasPZqh+unTEDA9ukiVATu83lf6YiRuRVlbEU6kw801pyVklLgjN25Kt7:g5asBpDDkqAT31Bi0RQ1EqG2+EC

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DecryptAllFiles 7294856.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. 1. Type the address http://torproject.org in your Internet browser. It opens the Tor site. 2. Press 'Download Tor', then press 'DOWNLOAD Tor Browser Bundle', install and run it.\ 3. Now you have Tor Browser. In the Tor Browser open the http://wypwtzc2kaceyufw.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. 4. Copy and paste the following public key in the input form on server. Avoid missprints. JAKL2V-XLAYFZ-CE4YMQ-GD5U3D-P3WLYJ-4DL2TI-DKJ2VJ-4YZATX ULJEAR-TTKNMB-SC6BFA-WOOEDE-EK2DMO-IBY77V-2Z4P2A-K6EI5R LAXCK5-J62FT2-WMEX7A-PAEIBX-S2I6CG-SCDSUD-42HHMI-ZFLSZZ 5. Follow the instructions on the server.

URLs

http://wypwtzc2kaceyufw.onion

Signatures

Executes dropped EXE 2 IoCs

Processes:

obvnomb.exeobvnomb.exe

pid process

1976 obvnomb.exe
1752 obvnomb.exe

pid	process
1976	obvnomb.exe
1752	obvnomb.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exeobvnomb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation	obvnomb.exe

Loads dropped DLL 1 IoCs

Processes:

obvnomb.exe

pid process

1976 obvnomb.exe

pid	process
1976	obvnomb.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exeobvnomb.exe

description	pid	process	target process
PID 1776 set thread context of 1968	1776	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
PID 1976 set thread context of 1752	1976	obvnomb.exe	obvnomb.exe

Drops file in Program Files directory 2 IoCs

Processes:

obvnomb.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DecryptAllFiles 7294856.txt	obvnomb.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AllFilesAreLocked 7294856.bmp	obvnomb.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exeobvnomb.exeobvnomb.exe

pid	process
1776	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
1776	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
1968	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
1976	obvnomb.exe
1976	obvnomb.exe
1752	obvnomb.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exeobvnomb.exe

pid	process
1776	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
1776	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
1976	obvnomb.exe
1976	obvnomb.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exetaskeng.exeobvnomb.exe

description	pid	process	target process
PID 1776 wrote to memory of 1968	1776	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
PID 1776 wrote to memory of 1968	1776	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
PID 1776 wrote to memory of 1968	1776	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
PID 1776 wrote to memory of 1968	1776	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
PID 1776 wrote to memory of 1968	1776	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
PID 1776 wrote to memory of 1968	1776	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
PID 1776 wrote to memory of 1968	1776	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
PID 564 wrote to memory of 1976	564	taskeng.exe	obvnomb.exe
PID 564 wrote to memory of 1976	564	taskeng.exe	obvnomb.exe
PID 564 wrote to memory of 1976	564	taskeng.exe	obvnomb.exe
PID 564 wrote to memory of 1976	564	taskeng.exe	obvnomb.exe
PID 1976 wrote to memory of 1752	1976	obvnomb.exe	obvnomb.exe
PID 1976 wrote to memory of 1752	1976	obvnomb.exe	obvnomb.exe
PID 1976 wrote to memory of 1752	1976	obvnomb.exe	obvnomb.exe
PID 1976 wrote to memory of 1752	1976	obvnomb.exe	obvnomb.exe
PID 1976 wrote to memory of 1752	1976	obvnomb.exe	obvnomb.exe
PID 1976 wrote to memory of 1752	1976	obvnomb.exe	obvnomb.exe
PID 1976 wrote to memory of 1752	1976	obvnomb.exe	obvnomb.exe

C:\Users\Admin\AppData\Local\Temp\903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
"C:\Users\Admin\AppData\Local\Temp\903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\AppData\Local\Temp\903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
C:\Users\Admin\AppData\Local\Temp\903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:1968

C:\Windows\system32\taskeng.exe
taskeng.exe {979C1381-9E32-4842-BF1C-152D40824640} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Users\Admin\AppData\Local\Temp\obvnomb.exe
C:\Users\Admin\AppData\Local\Temp\obvnomb.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\obvnomb.exe
C:\Users\Admin\AppData\Local\Temp\obvnomb.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1752

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\lvixnfh
Filesize
654B

MD5
5b30cb92b9e3277ca58212446ae7431f

SHA1
0f5a70a9d222b40e185501f2acb70de3f35ca9a3

SHA256
b3142edf56ec003a0ae4cfa077946143726a5f69b072aaa01792f51bfaca1c63

SHA512
1e690dde7fa08d9f449b0e1e5e491679b42307784df9fc1f3f626de16fda3ba2a1ab2d6c7d734d4d52c17ec79977243b34839a608a136e66fbadcdf35e156d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\obvnomb.exe
Filesize
1.1MB

MD5
f7bf40a04f42e1f14e54a18d3c61897f

SHA1
3eebc14f1c70ae9d4fa493c650a94d12257b2435

SHA256
903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56

SHA512
18aeeebd2733f3e0db865a3bd79433162cf6459bc75fc1883373c94800223334610eb3c8a123c760cf6378fe2b9741ba8299aeab6cb72682375619ee558503fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\obvnomb.exe
Filesize
1.1MB

MD5
f7bf40a04f42e1f14e54a18d3c61897f

SHA1
3eebc14f1c70ae9d4fa493c650a94d12257b2435

SHA256
903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56

SHA512
18aeeebd2733f3e0db865a3bd79433162cf6459bc75fc1883373c94800223334610eb3c8a123c760cf6378fe2b9741ba8299aeab6cb72682375619ee558503fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\obvnomb.exe
Filesize
1.1MB

MD5
f7bf40a04f42e1f14e54a18d3c61897f

SHA1
3eebc14f1c70ae9d4fa493c650a94d12257b2435

SHA256
903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56

SHA512
18aeeebd2733f3e0db865a3bd79433162cf6459bc75fc1883373c94800223334610eb3c8a123c760cf6378fe2b9741ba8299aeab6cb72682375619ee558503fb

Download Submit
\Users\Admin\AppData\Local\Temp\obvnomb.exe
Filesize
1.1MB

MD5
f7bf40a04f42e1f14e54a18d3c61897f

SHA1
3eebc14f1c70ae9d4fa493c650a94d12257b2435

SHA256
903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56

SHA512
18aeeebd2733f3e0db865a3bd79433162cf6459bc75fc1883373c94800223334610eb3c8a123c760cf6378fe2b9741ba8299aeab6cb72682375619ee558503fb

Download Submit
memory/1752-80-0x0000000000890000-0x0000000000AD1000-memory.dmp

Filesize
2.3MB

Download
memory/1752-75-0x00000000004707F5-mapping.dmp

Download
memory/1776-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1776-60-0x0000000000230000-0x0000000000234000-memory.dmp

Filesize
16KB

Download
memory/1968-58-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/1968-65-0x0000000000880000-0x0000000000AC1000-memory.dmp

Filesize
2.3MB

Download
memory/1968-63-0x0000000000400000-0x00000000004A6E00-memory.dmp

Filesize
667KB

Download
memory/1968-62-0x0000000000670000-0x0000000000880000-memory.dmp

Filesize
2.1MB

Download
memory/1968-59-0x00000000004707F5-mapping.dmp

Download
memory/1968-55-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/1968-56-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/1976-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads