903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56

General

Target

903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
Size

1.1MB
MD5

f7bf40a04f42e1f14e54a18d3c61897f
SHA1

3eebc14f1c70ae9d4fa493c650a94d12257b2435
SHA256

903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56
SHA512

18aeeebd2733f3e0db865a3bd79433162cf6459bc75fc1883373c94800223334610eb3c8a123c760cf6378fe2b9741ba8299aeab6cb72682375619ee558503fb
SSDEEP

12288:gpQzNWXXasPZqh+unTEDA9ukiVATu83lf6YiRuRVlbEU6kw801pyVklLgjN25Kt7:g5asBpDDkqAT31Bi0RQ1EqG2+EC

Score

10^/10

persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\yrnkowk.html

Ransom Note

<html><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8'> </head><body bgcolor=#424242> Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. 1. Go to site <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' href='http://www.torproject.org/download/download-easy.html.en'>http://torproject.org</a>. 2. Press 'DOWNLOAD Tor Browser Bundle', install and run it. 3. Now you have Tor Browser. In the Tor Browser open the <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' href='http://wypwtzc2kaceyufw.onion'>http://wypwtzc2kaceyufw.onion</a>     Note that this server is available via Tor Browser only.     Retry in 1 hour if site is not reachable. 4. Copy and paste the following public key in the input form on server. Avoid missprints.<pre style='font-family:Courier New;font-size:16px;color:#FFFFFF'>WVH2PS-MNWHOD-WPQHK3-E3NRFE-FMGCS7-YOA7DM-J7LPQM-KN2UGV UVMIBG-KFLWVE-A7W7RK-ZNYZMX-N7AV74-7R5VBE-X744IM-XNFQVQ 5YPPDK-Q6V572-RSYFL2-PQYZUD-OVKM7F-IWUZSM-PFVWRJ-2GKT47</pre> 5. Follow the instructions on the server. The list of your encrypted files: <a name='list'></a> <table style='font-family:Tahoma;font-size:12px;color:#FFFFFF;border-color:#A0A0A0' cellspacing=0 cellpadding=5 border=1> <tr><th>File</th><th>Path</th></tr> <tr><td>ClientARMRefer2019_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ClientOSub2019_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>WacLangPack2019Eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>VERSION.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\</td></tr><tr><td>ClientSub2019_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>VERSION.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\</td></tr><tr><td>README.txt</td><td>C:\Program Files\Java\jre1.8.0_66\</td></tr><tr><td>README.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\jre\</td></tr><tr><td>ClientARMRefer_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\</td></tr><tr><td>WacLangPackEula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ClientVolumeLicense_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>notice.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\</td></tr><tr><td>ClientLangPack2019_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ClientLangPack_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ExcelMessageDismissal.txt</td><td>C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\</td></tr><tr><td>ClientVolumeLicense2019_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ClientOSub_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>card_expiration_terms_dict.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\Configuration\</td></tr><tr><td>Xusage.txt</td><td>C:\Program Files\Java\jre1.8.0_66\bin\server\</td></tr><tr><td>Xusage.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\</td></tr><tr><td>readme.txt</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>card_security_terms_dict.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\Configuration\</td></tr><tr><td>AccessMessageDismissal.txt</td><td>C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\</td></tr><tr><td>README.txt</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>License.txt</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>jvm.hprof.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\jre\lib\</td></tr><tr><td>jvm.hprof.txt</td><td>C:\Program Files\Java\jre1.8.0_66\lib\</td></tr><tr><td>io.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>af.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>card_terms_dict.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\Configuration\</td></tr><tr><td>ms.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>cy.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>eo.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ast.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>README.txt</td><td>C:\Program Files\VideoLAN\VLC\lua\http\requests\</td></tr><tr><td>br.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lv.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>LyncVDI_Eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>THANKS.txt</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>ku.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ssn_high_group_info.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\Configuration\</td></tr><tr><td>nn.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sq.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>nb.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ThirdPartyNotices.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\MSIPC\</td></tr><tr><td>fy.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>va.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>LyncBasic_Eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>TPN.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\</td></tr><tr><td>sr-spl.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>et.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sv.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>uz.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>AccessRuntime_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ro.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fur.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ext.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lij.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>an.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>zh-tw.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kaa.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>zh-cn.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hu.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>da.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ga.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>id.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>vi.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kab.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>AccessRuntime2019_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>hr.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sl.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ps.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mn.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fi.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>is.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>eu.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mk.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pl.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>nl.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>SkypeForBusinessVDI2019_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>SkypeForBusinessBasic2019_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>cs.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>gl.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sk.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ca.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pt.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pt-br.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lt.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>az.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>he.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>de.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>it.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ClientPreview_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>es.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>tr.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ko.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fr.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>co.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kk.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fa.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mr.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>yo.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ba.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>asl-v20.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\</td></tr><tr><td>asl-v20.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\</td></tr><tr><td>asl-v20.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\</td></tr><tr><td>ug.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ja.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sr-spc.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ClientSub_M365_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>be.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ClientSub_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ku-ckb.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ar.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ky.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ta.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>bg.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ne.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hy.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>tt.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ru.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pa-in.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>bn.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>uk.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>th.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>si.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>el.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ka.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>gu.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hi.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>COPYING.txt</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>sa.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>third-party-notices.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\AugLoop\</td></tr><tr><td>AUTHORS.txt</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>mng.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mng2.txt</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>THIRDPARTYLICENSEREADME.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\</td></tr><tr><td>client_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>Client2019_eula.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>History.txt</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.txt</td><td>C:\Program Files\Java\jre1.8.0_66\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\jre\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\</td></tr><tr><td>THIRDPARTYLICENSEREADME.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\</td></tr><tr><td>THIRDPARTYLICENSEREADME.txt</td><td>C:\Program Files\Java\jdk1.8.0_66\jre\</td></tr><tr><td>THIRDPARTYLICENSEREADME.txt</td><td>C:\Program Files\Java\jre1.8.0_66\</td></tr><tr><td>NEWS.txt</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>PowerPointNaiveBayesCommandRanker.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ExcelNaiveBayesCommandRanker.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>WordNaiveBayesCommandRanker.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>lpklegal.txt</td><td>C:\Program Files\Microsoft Office\root\Office16\</td></tr><tr><td>METCONV.TXT</td><td>C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\</td></tr><tr><td>cacerts.pem</td><td>C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\</td></tr><tr><td>PROTTPLN.DOC</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>PROTTPLV.DOC</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>PROTTPLV.XLS</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>PROTTPLN.XLS</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>SOLVSAMP.XLS</td><td>C:\Program Files\Microsoft Office\root\Office16\SAMPLES\</td></tr><tr><td>EXCEL12.XLSX</td><td>C:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\</td></tr><tr><td>MS.JPG</td><td>C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\</td></tr><tr><td>PROTTPLV.PPT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>PROTTPLN.PPT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ffjcext.zip</td><td>C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\</td></tr><tr><td>ffjcext.zip</td><td>C:\Program Files\Java\jre1.8.0_66\lib\deploy\</td></tr><tr><td>eclipse_update_120.jpg</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\</td></tr><tr><td>eclipse_update_120.jpg</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\</td></tr><tr><td>GetRedo.dwg</td><td>C:\Program Files\</td></tr><tr><td>javafx-src.zip</td><td>C:\Program Files\Java\jdk1.8.0_66\</td></tr><tr><td>chrome.7z</td><td>C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\</td></tr><tr><td>osver.txt</td><td>C:\ProgramData\Microsoft\Diagnosis\</td></tr><tr><td>excluded.txt</td><td>C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\</td></tr><tr><td>List.txt</td><td>C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\</td></tr><tr><td>excluded.txt</td><td>C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\</td></tr><tr><td>Excluded.txt</td><td>C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\</td></tr><tr><td>List.txt</td><td>C:\Program Files (x86)\Common Files\

URLs

http-equiv='Content-Type

Extracted

Path

C:\Users\Admin\Documents\DecryptAllFiles 240628218.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. 1. Type the address http://torproject.org in your Internet browser. It opens the Tor site. 2. Press 'Download Tor', then press 'DOWNLOAD Tor Browser Bundle', install and run it.\ 3. Now you have Tor Browser. In the Tor Browser open the http://wypwtzc2kaceyufw.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. 4. Copy and paste the following public key in the input form on server. Avoid missprints. WVH2PS-MNWHOD-WPQHK3-E3NRFE-FMGCS7-YOA7DM-J7LPQM-KN2UGV UVMIBG-KFLWVE-A7W7RK-ZNYZMX-N7AV74-7R5VBE-X744IM-XNFQVQ 5YPPDK-Q6V572-RSYFL2-PQYZUD-OVKM7F-IWUZSM-PFVWRJ-2GKT47 5. Follow the instructions on the server.

URLs

http://wypwtzc2kaceyufw.onion

Signatures

Executes dropped EXE 2 IoCs

Processes:

dajjvan.exedajjvan.exe

pid process

1084 dajjvan.exe
4836 dajjvan.exe

pid	process
1084	dajjvan.exe
4836	dajjvan.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

dajjvan.exe

description ioc process

File renamed C:\Users\Admin\AppData\Local\Temp\0.tmp => C:\Users\Admin\Pictures\SyncCompress.raw.qlvpcsi dajjvan.exe

description	ioc	process
File renamed	C:\Users\Admin\AppData\Local\Temp\0.tmp => C:\Users\Admin\Pictures\SyncCompress.raw.qlvpcsi	dajjvan.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exedajjvan.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dajjvan.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

dajjvan.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\AllFilesAreLocked 240628218.bmp"	dajjvan.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exedajjvan.exe

description	pid	process	target process
PID 3248 set thread context of 1584	3248	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
PID 1084 set thread context of 4836	1084	dajjvan.exe	dajjvan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2276 2440 WerFault.exe
4524 2480 WerFault.exe explorer.exe
548 4836 WerFault.exe dajjvan.exe
3912 4836 WerFault.exe dajjvan.exe

pid	pid_target	process	target process
2276	2440	WerFault.exe
4524	2480	WerFault.exe	explorer.exe
548	4836	WerFault.exe	dajjvan.exe
3912	4836	WerFault.exe	dajjvan.exe

Modifies registry class 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-929662420-1054238289-2961194603-1000\{ADF67F87-DAB9-455A-A7AF-2835B3EBDA5E}	explorer.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exedajjvan.exedajjvan.exe

pid	process
3248	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
3248	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
3248	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
3248	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
1584	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
1584	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
1084	dajjvan.exe
1084	dajjvan.exe
1084	dajjvan.exe
1084	dajjvan.exe
4836	dajjvan.exe
4836	dajjvan.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeShutdownPrivilege	2480	explorer.exe
Token: SeCreatePagefilePrivilege	2480	explorer.exe
Token: SeShutdownPrivilege	2480	explorer.exe
Token: SeCreatePagefilePrivilege	2480	explorer.exe
Token: SeShutdownPrivilege	2480	explorer.exe
Token: SeCreatePagefilePrivilege	2480	explorer.exe
Token: SeShutdownPrivilege	2480	explorer.exe
Token: SeCreatePagefilePrivilege	2480	explorer.exe
Token: SeShutdownPrivilege	2480	explorer.exe
Token: SeCreatePagefilePrivilege	2480	explorer.exe
Token: SeShutdownPrivilege	2480	explorer.exe
Token: SeCreatePagefilePrivilege	2480	explorer.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

dajjvan.exeexplorer.exe

pid process

4836 dajjvan.exe
2480 explorer.exe
2480 explorer.exe
2480 explorer.exe
2480 explorer.exe
2480 explorer.exe
2480 explorer.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

dajjvan.exeexplorer.exe

pid	process
4836	dajjvan.exe
2480	explorer.exe
2480	explorer.exe
2480	explorer.exe
2480	explorer.exe
2480	explorer.exe
2480	explorer.exe
2480	explorer.exe
2480	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exedajjvan.exedajjvan.exe

pid	process
3248	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
3248	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
1084	dajjvan.exe
1084	dajjvan.exe
4836	dajjvan.exe
4836	dajjvan.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exedajjvan.exe

description	pid	process	target process
PID 3248 wrote to memory of 1584	3248	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
PID 3248 wrote to memory of 1584	3248	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
PID 3248 wrote to memory of 1584	3248	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
PID 3248 wrote to memory of 1584	3248	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
PID 3248 wrote to memory of 1584	3248	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
PID 3248 wrote to memory of 1584	3248	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe	903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
PID 1084 wrote to memory of 4836	1084	dajjvan.exe	dajjvan.exe
PID 1084 wrote to memory of 4836	1084	dajjvan.exe	dajjvan.exe
PID 1084 wrote to memory of 4836	1084	dajjvan.exe	dajjvan.exe
PID 1084 wrote to memory of 4836	1084	dajjvan.exe	dajjvan.exe
PID 1084 wrote to memory of 4836	1084	dajjvan.exe	dajjvan.exe
PID 1084 wrote to memory of 4836	1084	dajjvan.exe	dajjvan.exe

C:\Users\Admin\AppData\Local\Temp\903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
"C:\Users\Admin\AppData\Local\Temp\903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3248

C:\Users\Admin\AppData\Local\Temp\903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
C:\Users\Admin\AppData\Local\Temp\903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:1584

C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1272
3⤵
- Program crash
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1272
3⤵
- Program crash
PID:3912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 2440 -ip 2440
1⤵
PID:4180

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2440 -s 1528
1⤵
- Program crash
PID:2276

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2480

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2480 -s 2172
2⤵
- Program crash
PID:4524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 2480 -ip 2480
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4836 -ip 4836
1⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4836 -ip 4836
1⤵
PID:2272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.qlvpcsi
Filesize
622KB

MD5
bb49f5bd8fea01c9e8525f29c1c2844e

SHA1
3be0ce711036ccb7c8bb6a9003702f992b88c1f8

SHA256
dfb474f346c4a07f6c4d4cefd88cc5f2de6545ad905d1d53f03c87a27f6f64db

SHA512
f7d104d5f0108721893b671ef49d2b6eb6e1dcb892c99de1ba9f542bd2be1d5496651fd8330a4c7f058cb30ec967526ea7c5a00d8c0a948dbfeaa6d978785b22

Download Submit
C:\ProgramData\Oracle\akatxdg
Filesize
654B

MD5
70bbdbc1a4a3784da1291374334214be

SHA1
12da503f16dae445b183be3f35c7e124eb700fdc

SHA256
42787e32fd894e6ee7fbc5b0d9b8bc06fd86e07abd88ffbd655045f9ec7d7b7a

SHA512
4528630366a82b43cb36c455fbb2f452121e9c95a0c7ecbe25ce654c20fc9b65ef9dd9304b82ed12d8bcc9b3db2ae429167c6b912d7f65966111b49e602fbea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
Filesize
1.1MB

MD5
f7bf40a04f42e1f14e54a18d3c61897f

SHA1
3eebc14f1c70ae9d4fa493c650a94d12257b2435

SHA256
903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56

SHA512
18aeeebd2733f3e0db865a3bd79433162cf6459bc75fc1883373c94800223334610eb3c8a123c760cf6378fe2b9741ba8299aeab6cb72682375619ee558503fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
Filesize
1.1MB

MD5
f7bf40a04f42e1f14e54a18d3c61897f

SHA1
3eebc14f1c70ae9d4fa493c650a94d12257b2435

SHA256
903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56

SHA512
18aeeebd2733f3e0db865a3bd79433162cf6459bc75fc1883373c94800223334610eb3c8a123c760cf6378fe2b9741ba8299aeab6cb72682375619ee558503fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
Filesize
1.1MB

MD5
f7bf40a04f42e1f14e54a18d3c61897f

SHA1
3eebc14f1c70ae9d4fa493c650a94d12257b2435

SHA256
903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56

SHA512
18aeeebd2733f3e0db865a3bd79433162cf6459bc75fc1883373c94800223334610eb3c8a123c760cf6378fe2b9741ba8299aeab6cb72682375619ee558503fb

Download Submit
memory/1584-138-0x0000000000400000-0x00000000004A6E00-memory.dmp

Filesize
667KB

Download
memory/1584-137-0x00000000009C0000-0x0000000000C01000-memory.dmp

Filesize
2.3MB

Download
memory/1584-132-0x0000000000000000-mapping.dmp

Download
memory/1584-136-0x00000000007B0000-0x00000000009C0000-memory.dmp

Filesize
2.1MB

Download
memory/1584-133-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/3248-135-0x0000000002480000-0x0000000002484000-memory.dmp

Filesize
16KB

Download
memory/4836-141-0x0000000000000000-mapping.dmp

Download
memory/4836-146-0x0000000000950000-0x0000000000B91000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads