Overview

overview

10

Static

static

1

daa8c6c1ca...0b.exe

windows7-x64

10

daa8c6c1ca...0b.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b

  • Size

    773KB

  • Sample

    221126-kfky3seh42

  • MD5

    f47b209aa25c3426286be59241c54080

  • SHA1

    5ea33d22675205abee0456816607df747f1d8fd9

  • SHA256

    daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b

  • SHA512

    082ff17de2f0d3d39230a357f243e81ad5ac9b78b515d1097ca613707ddb44721dd96900d55009c7bc732e4d5bfc03bf8902a0c71d9caa771d93cd0dd6951aa7

  • SSDEEP

    24576:jmLWMKfN5UrJFZQg3V8Y3gkatvpyn/xJ9TVHYcY:jb3U5XrYDypqcY

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-dcxclmn.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. KMYC634-LW3PJWD-7PNFIAC-IASBZDO-VQMNGEM-ISP7GF3-CRVJMUG-3BWD2C6 LNRXO73-HIX6Q45-K36KK6U-YGKRT2N-DXNMWBH-D7BSSO3-K2ZPHCL-RILXCLP 3TVITJU-H4MF6PW-RCYGVX7-BGFLF7W-LJU4VM2-4WBCWQ3-N4ECBT2-Z46VYZO Follow the instructions on the server.
URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\Users\Admin\Documents\Decrypt-All-Files-dcxclmn.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. KMYC634-LW3PJWD-7PNFIAC-IASBZDO-VQMNGEM-ISP7GF3-CRVJMUG-3BWD2C6 LNRXO73-HIX6Q45-K36KK6U-YGKRT2N-DXNMWBH-D7BSSO3-K2ZPHCL-RILXCLP 3TVITJU-H4MF6PW-RCYGVX7-BGFLF7W-LJU4P62-SHBCWQ3-N4ECBT2-Z46VHJT Follow the instructions on the server.
URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\ProgramData\nydzthc.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Targets

    • Target

      daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b

    • Size

      773KB

    • MD5

      f47b209aa25c3426286be59241c54080

    • SHA1

      5ea33d22675205abee0456816607df747f1d8fd9

    • SHA256

      daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b

    • SHA512

      082ff17de2f0d3d39230a357f243e81ad5ac9b78b515d1097ca613707ddb44721dd96900d55009c7bc732e4d5bfc03bf8902a0c71d9caa771d93cd0dd6951aa7

    • SSDEEP

      24576:jmLWMKfN5UrJFZQg3V8Y3gkatvpyn/xJ9TVHYcY:jb3U5XrYDypqcY

    Score
    10/10
    ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks