369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4

General

Target

369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4.exe
Size

642KB
MD5

a9d1f6ab9f83e46f0a3c6b1d2b8cafd2
SHA1

a1204f18c910fff65daa7f43d31a3fef5f2910d1
SHA256

369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4
SHA512

2dc3b0449a66baff43b1f3b1fe94f9b71deb9b6eaf98b34b5d8fa44ddbe952cfa264de5eea96899f2d2bc6e46bb491042f8244c86ddfc2bc6f65ae053885b981
SSDEEP

12288:vJOVDKwcJrtkw74Iv5Qb40r2EmT806Vb7KQnOlY0UOFeRIn:vYVDJorqwEIBQsRoBNKysY0/MRIn

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files ssnfhdd.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://uwm2wosrob3gplxy.onion.cab or http://uwm2wosrob3gplxy.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://uwm2wosrob3gplxy.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. 4PYROIN-7JSKMOB-AP2ESP6-J6KBF4C-KLLSNSM-THFZEF3-7SVPEIU-ML6UUP7 WAYSUOH-CVK64NA-CDF3NXZ-XMX52Y3-LD65EXZ-GJFML4Q-AZ75JTJ-ZXXEYTR HZXENGY-C3EXLUM-J4WCW6P-Q6HDYSU-5ZH7CKQ-LVEIWMD-L3BQH5Q-7VGE2O2 Follow the instructions on the server.

URLs

http://uwm2wosrob3gplxy.onion.cab

http://uwm2wosrob3gplxy.tor2web.org

http://uwm2wosrob3gplxy.onion/

Extracted

Path

C:\Users\Admin\Documents\Decrypt All Files ssnfhdd.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://uwm2wosrob3gplxy.onion.cab or http://uwm2wosrob3gplxy.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://uwm2wosrob3gplxy.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. 4PYROIN-7JSKMOB-AP2ESP6-J6KBF4C-KLLSNSM-THFZEF3-7SVPEIU-ML6UUP7 WAYSUOH-CVK64NA-CDF3NXZ-XMX52Y3-LD65EXZ-GJFML4Q-AZ75JTJ-ZXXEYTR HZXENGY-C3EXLUM-J4WCW6P-Q6HDYSU-5ZH734Q-DLEIWMD-L3BQH5Q-7VGE6JP Follow the instructions on the server.

URLs

http://uwm2wosrob3gplxy.onion.cab

http://uwm2wosrob3gplxy.tor2web.org

http://uwm2wosrob3gplxy.onion/

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

hlahqcg.exe

pid process

1632 hlahqcg.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

svchost.exe

description ioc process

File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\EditConfirm.CRW.ssnfhdd svchost.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

pid	process
1632	hlahqcg.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\EditConfirm.CRW.ssnfhdd	svchost.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\Decrypt All Files ssnfhdd.bmp"	Explorer.EXE

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files ssnfhdd.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files ssnfhdd.bmp	svchost.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

644 vssadmin.exe

pid	process
644	vssadmin.exe

Modifies data under HKEY_USERS 19 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8031afe4-1a82-11ed-a08f-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8031afe4-1a82-11ed-a08f-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8031afe4-1a82-11ed-a08f-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00380030003300310061006600650034002d0031006100380032002d0031003100650064002d0061003000380066002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4.exehlahqcg.exe

pid	process
1720	369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4.exe
1632	hlahqcg.exe
1632	hlahqcg.exe
1632	hlahqcg.exe
1632	hlahqcg.exe
1632	hlahqcg.exe
1632	hlahqcg.exe
1632	hlahqcg.exe
1632	hlahqcg.exe
1632	hlahqcg.exe
1632	hlahqcg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

hlahqcg.exe

description pid process

Token: SeDebugPrivilege 1632 hlahqcg.exe
Token: SeDebugPrivilege 1632 hlahqcg.exe

description	pid	process
Token: SeDebugPrivilege	1632	hlahqcg.exe
Token: SeDebugPrivilege	1632	hlahqcg.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

taskeng.exehlahqcg.exesvchost.exe

description	pid	process	target process
PID 1520 wrote to memory of 1632	1520	taskeng.exe	hlahqcg.exe
PID 1520 wrote to memory of 1632	1520	taskeng.exe	hlahqcg.exe
PID 1520 wrote to memory of 1632	1520	taskeng.exe	hlahqcg.exe
PID 1520 wrote to memory of 1632	1520	taskeng.exe	hlahqcg.exe
PID 1632 wrote to memory of 588	1632	hlahqcg.exe	svchost.exe
PID 588 wrote to memory of 1780	588	svchost.exe	DllHost.exe
PID 588 wrote to memory of 1780	588	svchost.exe	DllHost.exe
PID 588 wrote to memory of 1780	588	svchost.exe	DllHost.exe
PID 1632 wrote to memory of 1260	1632	hlahqcg.exe	Explorer.EXE
PID 1632 wrote to memory of 644	1632	hlahqcg.exe	vssadmin.exe
PID 1632 wrote to memory of 644	1632	hlahqcg.exe	vssadmin.exe
PID 1632 wrote to memory of 644	1632	hlahqcg.exe	vssadmin.exe
PID 1632 wrote to memory of 644	1632	hlahqcg.exe	vssadmin.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
PID:1260
- C:\Users\Admin\AppData\Local\Temp\369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4.exe
  "C:\Users\Admin\AppData\Local\Temp\369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:588
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:1780

C:\Windows\system32\taskeng.exe
taskeng.exe {DD7F0207-18F3-44C1-B228-F10D8F062F9A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\hlahqcg.exe
  C:\Users\Admin\AppData\Local\Temp\hlahqcg.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows all
    3⤵
    - Interacts with shadow copies
    PID:644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla\epmlysm

Filesize
654B

MD5
0d00d753ff42f40041959b4cc17ef835

SHA1
dd2e31db8f84fdb9494d0fec706b2c8063f3a54a

SHA256
e5bf8f7ce2d5be0990e1b48d31f63f1827e485d3d5218f25c4543bf89d2ea851

SHA512
a52d285fbf6845b7d594c8344af85cb74a70a4fb64bf9020cb7352bf692e7eecf13db6d9e3249b3aa4191c2789098ea8149d8c8b526e1a9fc1c33fa2727976aa

Download Submit
C:\ProgramData\Mozilla\epmlysm

Filesize
654B

MD5
4aacd44b6bf66c12406d356c9aa4c5b4

SHA1
02c4b4146dca04afedabb491d8b465e125d74089

SHA256
d49b2fba0e7bf195a2a921c944dc1453afff50b36342b2c54177c0b4465c53ed

SHA512
bf80d77c3fb60a17b64613785f2e8b6201f776e362c0e3bf58356b21d04da259ffd3fe4548efc539361991ad5945eccdb7c355bddb12842446fc8b5f2d2f832b

Download Submit
C:\ProgramData\Mozilla\epmlysm

Filesize
654B

MD5
dc77d0bae83e325b53cadf7c8b601597

SHA1
ac01e92df385bc927d31eadab06fadd43befdbfe

SHA256
a86ac4a20ff0f14fcbccaec526b61a13bf26b749871cec2fd4ea57876551f147

SHA512
1fb5f40c67d2f5396921c094496f050780b7c2e2eeb0faee0cf864edcc998b9f0db7fbc5de0796f4915c7534b788fd01684dfcfac3fb0c958af945534f4e5a3f

Download Submit
C:\ProgramData\Mozilla\epmlysm

Filesize
654B

MD5
99a2c45928470c28ea6f16852f97b99b

SHA1
d659a8300d48fa58840646f13d398167cb876a1c

SHA256
77e7a9b1d1adb68c78d903a1012cabc4bb695ec8f62b321aeb155980f46f1bfa

SHA512
1ddeb325967f35d77b18f770ea1ff88255c23415dcfb39fd529730e5ca06fbc1f9c5f87b1a5f36201eae50fee6424d77d4c2b0634aeb81166cc1242b0812f76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlahqcg.exe

Filesize
642KB

MD5
a9d1f6ab9f83e46f0a3c6b1d2b8cafd2

SHA1
a1204f18c910fff65daa7f43d31a3fef5f2910d1

SHA256
369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4

SHA512
2dc3b0449a66baff43b1f3b1fe94f9b71deb9b6eaf98b34b5d8fa44ddbe952cfa264de5eea96899f2d2bc6e46bb491042f8244c86ddfc2bc6f65ae053885b981

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlahqcg.exe

Filesize
642KB

MD5
a9d1f6ab9f83e46f0a3c6b1d2b8cafd2

SHA1
a1204f18c910fff65daa7f43d31a3fef5f2910d1

SHA256
369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4

SHA512
2dc3b0449a66baff43b1f3b1fe94f9b71deb9b6eaf98b34b5d8fa44ddbe952cfa264de5eea96899f2d2bc6e46bb491042f8244c86ddfc2bc6f65ae053885b981

Download Submit
memory/588-69-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp

Filesize
8KB

Download
memory/588-63-0x0000000000130000-0x000000000019D000-memory.dmp

Filesize
436KB

Download
memory/588-65-0x0000000000130000-0x000000000019D000-memory.dmp

Filesize
436KB

Download
memory/644-75-0x0000000000000000-mapping.dmp

Download
memory/1632-62-0x0000000000CE0000-0x0000000000F0D000-memory.dmp

Filesize
2.2MB

Download
memory/1632-58-0x0000000000000000-mapping.dmp

Download
memory/1720-54-0x00000000004B0000-0x00000000006AC000-memory.dmp

Filesize
2.0MB

Download
memory/1720-56-0x00000000006B0000-0x00000000008DD000-memory.dmp

Filesize
2.2MB

Download
memory/1720-55-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1780-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads