58553fc3eff5d458d6ae936e2439eca019b7767d4d6f16761b867a3a72ca3e9b

General

Target

58553fc3eff5d458d6ae936e2439eca019b7767d4d6f16761b867a3a72ca3e9b.exe
Size

702KB
MD5

dc8bc1f88c3da5aa04fea4933d74f3b6
SHA1

392a0dfa4eb522e9e187f32274b3597c6a8bb221
SHA256

58553fc3eff5d458d6ae936e2439eca019b7767d4d6f16761b867a3a72ca3e9b
SHA512

1d74b615b3ae7d126636a006c7e2081ed3c3372d8a6e66df548612577740fedca5c4a517287effcf8ccd5090f0bca5aee05840fb67e42a24418a8ae71b8162cf
SSDEEP

12288:/lGfhvKuL+jhzhCVNW40CpGSKU9+R5r73mtyq/KeNPBrUw64mvecNFFbs:/lGfhvKp2RpGU9or73mtyq/Kxw3mvecR

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-jozrmsb.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://w7yue5dc5amppggs.onion.cab or http://w7yue5dc5amppggs.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://w7yue5dc5amppggs.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. W3AGRIV-Y5FABQK-NGYL5Y4-NK7P6PM-NUBFQWL-2UY4CEK-PQS35UY-3LG7LZW NL6VBDN-F6ZEZZD-EUBAK4U-5PXOTLV-QNC4LEG-W5C3IGM-GMDW2UJ-KC75MVK 3CZZRNM-QRTEBH4-2GXDR6C-3AOMLHQ-SA265D7-NTTPYP3-ZMHDWCO-RNRGJTE Follow the instructions on the server.

URLs

http://w7yue5dc5amppggs.onion.cab

http://w7yue5dc5amppggs.tor2web.org

http://w7yue5dc5amppggs.onion/

Signatures

Executes dropped EXE 1 IoCs

Processes:

obvnomb.exe

pid process

1860 obvnomb.exe

pid	process
1860	obvnomb.exe

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-jozrmsb.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-jozrmsb.bmp	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

58553fc3eff5d458d6ae936e2439eca019b7767d4d6f16761b867a3a72ca3e9b.exeobvnomb.exe

pid process

1888 58553fc3eff5d458d6ae936e2439eca019b7767d4d6f16761b867a3a72ca3e9b.exe
1860 obvnomb.exe
1860 obvnomb.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

obvnomb.exe

description pid process

Token: SeDebugPrivilege 1860 obvnomb.exe

pid	process
1888	58553fc3eff5d458d6ae936e2439eca019b7767d4d6f16761b867a3a72ca3e9b.exe
1860	obvnomb.exe
1860	obvnomb.exe

description	pid	process
Token: SeDebugPrivilege	1860	obvnomb.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

taskeng.exeobvnomb.exe

description	pid	process	target process
PID 540 wrote to memory of 1860	540	taskeng.exe	obvnomb.exe
PID 540 wrote to memory of 1860	540	taskeng.exe	obvnomb.exe
PID 540 wrote to memory of 1860	540	taskeng.exe	obvnomb.exe
PID 540 wrote to memory of 1860	540	taskeng.exe	obvnomb.exe
PID 1860 wrote to memory of 588	1860	obvnomb.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\58553fc3eff5d458d6ae936e2439eca019b7767d4d6f16761b867a3a72ca3e9b.exe
"C:\Users\Admin\AppData\Local\Temp\58553fc3eff5d458d6ae936e2439eca019b7767d4d6f16761b867a3a72ca3e9b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Drops file in Program Files directory
PID:588

C:\Windows\system32\taskeng.exe
taskeng.exe {167B7BA6-06B9-477A-95A7-2F3846B2D114} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:540
- C:\Users\Admin\AppData\Local\Temp\obvnomb.exe
  C:\Users\Admin\AppData\Local\Temp\obvnomb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\lvixnfh

Filesize
654B

MD5
6dcde364550bd21d4efdfd69355785ba

SHA1
614f3e81be1ff5545f4ffa5c6632d76a511831c0

SHA256
bb0400e6e0895ce8b1ac656c7e1f27a4fcdd775208655b009716c892e0053610

SHA512
b6bc8c239242eaf0ab2bf57fd7ce0bfa5ccd66f0a6ccd586384ce2346655ac0d54467a5653b598adbfa42de04bba034b63f752c49c85d5e1867b717e6f010540

Download Submit
C:\ProgramData\Microsoft\lvixnfh

Filesize
654B

MD5
6dcde364550bd21d4efdfd69355785ba

SHA1
614f3e81be1ff5545f4ffa5c6632d76a511831c0

SHA256
bb0400e6e0895ce8b1ac656c7e1f27a4fcdd775208655b009716c892e0053610

SHA512
b6bc8c239242eaf0ab2bf57fd7ce0bfa5ccd66f0a6ccd586384ce2346655ac0d54467a5653b598adbfa42de04bba034b63f752c49c85d5e1867b717e6f010540

Download Submit
C:\Users\Admin\AppData\Local\Temp\obvnomb.exe

Filesize
702KB

MD5
dc8bc1f88c3da5aa04fea4933d74f3b6

SHA1
392a0dfa4eb522e9e187f32274b3597c6a8bb221

SHA256
58553fc3eff5d458d6ae936e2439eca019b7767d4d6f16761b867a3a72ca3e9b

SHA512
1d74b615b3ae7d126636a006c7e2081ed3c3372d8a6e66df548612577740fedca5c4a517287effcf8ccd5090f0bca5aee05840fb67e42a24418a8ae71b8162cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\obvnomb.exe

Filesize
702KB

MD5
dc8bc1f88c3da5aa04fea4933d74f3b6

SHA1
392a0dfa4eb522e9e187f32274b3597c6a8bb221

SHA256
58553fc3eff5d458d6ae936e2439eca019b7767d4d6f16761b867a3a72ca3e9b

SHA512
1d74b615b3ae7d126636a006c7e2081ed3c3372d8a6e66df548612577740fedca5c4a517287effcf8ccd5090f0bca5aee05840fb67e42a24418a8ae71b8162cf

Download Submit
memory/588-69-0x0000000000130000-0x00000000001A4000-memory.dmp

Filesize
464KB

Download
memory/588-67-0x0000000000130000-0x00000000001A4000-memory.dmp

Filesize
464KB

Download
memory/1860-60-0x0000000000000000-mapping.dmp

Download
memory/1860-66-0x0000000000FF0000-0x0000000001230000-memory.dmp

Filesize
2.2MB

Download
memory/1888-55-0x0000000000401000-0x00000000004A4000-memory.dmp

Filesize
652KB

Download
memory/1888-58-0x0000000002250000-0x0000000002490000-memory.dmp

Filesize
2.2MB

Download
memory/1888-57-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1888-56-0x0000000002040000-0x000000000224F000-memory.dmp

Filesize
2.1MB

Download
memory/1888-54-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download

Analysis

Sharing