de51ca8c619a690007fef423d20379d4e949997da159ec037d65bcc444bdf09b

General

Target

de51ca8c619a690007fef423d20379d4e949997da159ec037d65bcc444bdf09b.exe
Size

637KB
MD5

17740a31da003de7d03e1a89ffa01b40
SHA1

1c7089eb6f37035a18cee7a7bda7fa83c85d18c1
SHA256

de51ca8c619a690007fef423d20379d4e949997da159ec037d65bcc444bdf09b
SHA512

41683bc9c98a5f2fdb75d815cb866a03166cf56d745d1876ebb1d4bfbabaa5df32ca3fdb6d291f793acc4266231688e5a9b9d4b18113a47f21ebb7f1b39c5d61
SSDEEP

12288:7Wbr5dYHRCfp7cJY2nj9pH9G3qMc7qJUHrlm63yCkhep9Mkkf:6bddfhIJN7dG3O7XH53ybheLDkf

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files gbtcmzk.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://uwm2wosrob3gplxy.onion.cab or http://uwm2wosrob3gplxy.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://uwm2wosrob3gplxy.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. FTZATU-DTQQWZ-ROZHZP-CUTWQE-XFROHP-NVHVUR-U24CUW-RJ3KLK QSGEHR-VELHLP-PV7YN2-DMWZE4-4FLJDP-2YWCPR-52XJQL-6QAGIH K2TZIO-47EBZL-QWP6DO-ZL6SNT-KTJEIR-3WJQNX-BUKEIG-I6DRP7 Follow the instructions on the server.

URLs

http://uwm2wosrob3gplxy.onion.cab

http://uwm2wosrob3gplxy.tor2web.org

http://uwm2wosrob3gplxy.onion/

Extracted

Path

C:\ProgramData\orxfdbk.html

Ransom Note

<html><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8'> </head><body bgcolor=#424242 onLoad="window.location='#list';"> Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' target=_blank href='http://uwm2wosrob3gplxy.onion.cab'>http://uwm2wosrob3gplxy.onion.cab</a> or <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' target=_blank href='http://uwm2wosrob3gplxy.tor2web.org'>http://uwm2wosrob3gplxy.tor2web.org</a> in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' target=_blank href='http://www.torproject.org/download/download-easy.html.en'>http://torproject.org</a>. 2. In the Tor Browser open the <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' target=_blank href='http://uwm2wosrob3gplxy.onion'>http://uwm2wosrob3gplxy.onion</a>     Note that this server is available via Tor Browser only.     Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints.<pre style='font-family:Courier New;font-size:16px;color:#FFFFFF'>FTZATU-DTQQWZ-ROZHZP-CUTWQE-XFROHP-NVHVUR-U24CUW-RJ3KLK QSGEHR-VELHLP-PV7YN2-DMWZE4-4FLJDP-2YWCPR-52XJQL-6QAGIH K2TZIO-47EBZL-QWP6DO-ZL6SNT-KTJEIR-3WJQNX-BUKEIG-I6DRP7</pre> Follow the instructions on the server. <a name='list'>The list of your encrypted files:</a> <table style='font-family:Tahoma;font-size:12px;color:#FFFFFF;border-color:#A0A0A0' cellspacing=0 cellpadding=5 border=1> <tr><th>File</th><th>Path</th></tr> <tr><td>VERSION.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\</td></tr><tr><td>VERSION.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\</td></tr><tr><td>README.TXT</td><td>C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\jre\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\Java\jre7\</td></tr><tr><td>Mso Example Setup File A.TXT</td><td>C:\Program Files\Microsoft Office\Office14\</td></tr><tr><td>Mso Example Intl Setup File B.TXT</td><td>C:\Program Files\Microsoft Office\Office14\1033\</td></tr><tr><td>Mso Example Intl Setup File A.TXT</td><td>C:\Program Files\Microsoft Office\Office14\1033\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\</td></tr><tr><td>Xusage.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\</td></tr><tr><td>Xusage.TXT</td><td>C:\Program Files\Java\jre7\bin\server\</td></tr><tr><td>readme.TXT</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>License.TXT</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>jvm.hprof.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\jre\lib\</td></tr><tr><td>jvm.hprof.TXT</td><td>C:\Program Files\Java\jre7\lib\</td></tr><tr><td>io.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>af.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ms.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>cy.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>eo.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ast.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\VideoLAN\VLC\lua\http\requests\</td></tr><tr><td>br.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lv.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>THANKS.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>ku.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>nn.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sq.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>nb.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fy.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>va.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sr-spl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>et.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sv.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>uz.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ro.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fur.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ext.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lij.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>an.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>zh-tw.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kaa.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>zh-cn.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hu.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>da.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ga.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>id.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>vi.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kab.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hr.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ps.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mn.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fi.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>is.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>eu.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mk.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>nl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>cs.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>gl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sk.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ca.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pt.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pt-br.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lt.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>az.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>de.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>he.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>it.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>es.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>tr.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ko.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fr.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>co.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kk.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fa.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mr.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>yo.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ba.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>asl-v20.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\</td></tr><tr><td>asl-v20.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\</td></tr><tr><td>asl-v20.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\</td></tr><tr><td>ug.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ja.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sr-spc.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>be.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ku-ckb.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ar.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ky.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ta.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>bg.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ne.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hy.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>tt.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ru.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pa-in.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>bn.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>uk.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>th.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>si.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>el.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ka.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>gu.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hi.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>COPYING.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>sa.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>AUTHORS.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>mng.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mng2.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>THIRDPARTYLICENSEREADME.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\</td></tr><tr><td>History.TXT</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\jre\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.TXT</td><td>C:\Program Files\Java\jre7\</td></tr><tr><td>THIRDPARTYLICENSEREADME.TXT</td><td>C:\Program Files\Java\jre7\</td></tr><tr><td>THIRDPARTYLICENSEREADME.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\</td></tr><tr><td>THIRDPARTYLICENSEREADME.TXT</td><td>C:\Program Files\Java\jdk1.7.0_80\jre\</td></tr><tr><td>NEWS.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>vcredist2010_x64.log-MSI_vc_red.msi.TXT</td><td>C:\</td></tr><tr><td>vcredist2010_x86.log-MSI_vc_red.msi.TXT</td><td>C:\</td></tr><tr><td>METCONV.TXT</td><td>C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\</td></tr><tr><td>VeriSign_Class_3_Public_Primary_CA.CER</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\</td></tr><tr><td>SignedManagedObjects.CER</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\</td></tr><tr><td>Thawte Root Certificate.CER</td><td>C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\</td></tr><tr><td>SignedComponents.CER</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\</td></tr><tr><td>VS_ComponentSigningIntermediate.CER</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\</td></tr><tr><td>VeriSign_Class_3_Code_Signing_2001-4_CA.CER</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\</td></tr><tr><td>Management.CER</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\</td></tr><tr><td>RELAY.CER</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\</td></tr><tr><td>Adobe Root Certificate.CER</td><td>C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\</td></tr><tr><td>AdobeAUM_rootCert.CER</td><td>C:\Program Files (x86)\Common Files\Adobe\Updater6\</td></tr><tr><td>AdobeUpdate.CER</td><td>C:\Program Files (x86)\Common Files\Adobe\Updater6\</td></tr><tr><td>AdobeUpdater.CER</td><td>C:\Program Files (x86)\Common Files\Adobe\Updater6\</td></tr><tr><td>PROTTPLN.DOC</td><td>C:\Program Files (x86)\Microsoft Office\Office14\1033\</td></tr><tr><td>PROTTPLV.DOC</td><td>C:\Program Files (x86)\Microsoft Office\Office14\1033\</td></tr><tr><td>AccessBridgeCalls.C</td><td>C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\</td></tr><tr><td>viewDblClick.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>autoconfig.JS</td><td>C:\Program Files\Mozilla Firefox\defaults\pref\</td></tr><tr><td>viewSelectionChanged.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>channel-prefs.JS</td><td>C:\Program Files\Mozilla Firefox\defaults\pref\</td></tr><tr><td>MENUS.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>ui.JS</td><td>C:\Program Files\VideoLAN\VLC\lua\http\js\</td></tr><tr><td>PublicFunctions.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\</td></tr><tr><td>utilityfunctions.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>common.JS</td><td>C:\Program Files\VideoLAN\VLC\lua\http\js\</td></tr><tr><td>FormsHomePageScript.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>Hierarchy.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\</td></tr><tr><td>VIEW.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\</td></tr><tr><td>FormsHomePageScript.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\</td></tr><tr><td>FormsHomePageScript.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\</td></tr><tr><td>VIEW.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\</td></tr><tr><td>PublicFunctions.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\</td></tr><tr><td>form_edit.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\</td></tr><tr><td>form_edit.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\</td></tr><tr><td>form_edit.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\</td></tr><tr><td>PublicFunctions.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\</td></tr><tr><td>validation.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>VIEW.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>controllers.JS</td><td>C:\Program Files\VideoLAN\VLC\lua\http\js\</td></tr><tr><td>validation.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\</td></tr><tr><td>validation.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\</td></tr><tr><td>utilityfunctions.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\</td></tr><tr><td>validation.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\</td></tr><tr><td>SUBMIT.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\</td></tr><tr><td>utilityfunctions.JS</td><td>C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\</td></tr><tr><td>utilityfunctions.JS</td><td>C:\Program Files (x86)\Microsoft

URLs

http-equiv='Content-Type

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

vhbumzm.exe

pid process

580 vhbumzm.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

svchost.exe

description ioc process

File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\HideAdd.CRW.gbtcmzk svchost.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

pid	process
580	vhbumzm.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\HideAdd.CRW.gbtcmzk	svchost.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files gbtcmzk.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files gbtcmzk.bmp	svchost.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1496 vssadmin.exe

pid	process
1496	vssadmin.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00620039003800620062006100340034002d0036003200310039002d0031003100650064002d0039003800300035002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b98bba44-6219-11ed-9805-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b98bba44-6219-11ed-9805-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b98bba44-6219-11ed-9805-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

de51ca8c619a690007fef423d20379d4e949997da159ec037d65bcc444bdf09b.exevhbumzm.exe

pid process

1788 de51ca8c619a690007fef423d20379d4e949997da159ec037d65bcc444bdf09b.exe
580 vhbumzm.exe
580 vhbumzm.exe
580 vhbumzm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vhbumzm.exe

description pid process

Token: SeDebugPrivilege 580 vhbumzm.exe
Token: SeDebugPrivilege 580 vhbumzm.exe

pid	process
1788	de51ca8c619a690007fef423d20379d4e949997da159ec037d65bcc444bdf09b.exe
580	vhbumzm.exe
580	vhbumzm.exe
580	vhbumzm.exe

description	pid	process
Token: SeDebugPrivilege	580	vhbumzm.exe
Token: SeDebugPrivilege	580	vhbumzm.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

taskeng.exevhbumzm.exesvchost.exe

description	pid	process	target process
PID 680 wrote to memory of 580	680	taskeng.exe	vhbumzm.exe
PID 680 wrote to memory of 580	680	taskeng.exe	vhbumzm.exe
PID 680 wrote to memory of 580	680	taskeng.exe	vhbumzm.exe
PID 680 wrote to memory of 580	680	taskeng.exe	vhbumzm.exe
PID 580 wrote to memory of 588	580	vhbumzm.exe	svchost.exe
PID 588 wrote to memory of 1320	588	svchost.exe	DllHost.exe
PID 588 wrote to memory of 1320	588	svchost.exe	DllHost.exe
PID 588 wrote to memory of 1320	588	svchost.exe	DllHost.exe
PID 580 wrote to memory of 1376	580	vhbumzm.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1376
- C:\Users\Admin\AppData\Local\Temp\de51ca8c619a690007fef423d20379d4e949997da159ec037d65bcc444bdf09b.exe
  "C:\Users\Admin\AppData\Local\Temp\de51ca8c619a690007fef423d20379d4e949997da159ec037d65bcc444bdf09b.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:588
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:1320

C:\Windows\system32\taskeng.exe
taskeng.exe {C202A14E-CC78-4BE5-886C-7D1E31F632F1} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:680
- C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe
  C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows all
    3⤵
    - Interacts with shadow copies
    PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla\jbnjrvg

Filesize
654B

MD5
b7c2c48971bef20992080b909f37a273

SHA1
833962a2de1672125809c2ad195105bb8e3a532b

SHA256
29fa7d5c67dd7ba5e43b20a52e42c0e3078f574dafb83b4c79da7ff7d7e3b60f

SHA512
b52dc19f2ba762a0e8f1fcb120ff7acf1f43acf3206c7f247baec31fc62113c021ee7608295d97612ad9779ebd061308ba21c3801ca54352534592be5e2cab72

Download Submit
C:\ProgramData\Mozilla\jbnjrvg

Filesize
654B

MD5
4dc77917c050814f004ed48a4a1bdf7b

SHA1
381219dab10e77d92f13144bc22dc4a991eda320

SHA256
b52f150a1d4ee29ce4f38d1c4fb774265b6ea501a16e5ca54c52ed3ab7ec6d0e

SHA512
ec016e21656de6d6ca4294c35771b6b2465c0159fcb2e9b047bb23151e2b9b391a7ea3e11b65c2c430ae4e9dc6872ebb108d572b43005277a8bfdc00683ab148

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe

Filesize
637KB

MD5
17740a31da003de7d03e1a89ffa01b40

SHA1
1c7089eb6f37035a18cee7a7bda7fa83c85d18c1

SHA256
de51ca8c619a690007fef423d20379d4e949997da159ec037d65bcc444bdf09b

SHA512
41683bc9c98a5f2fdb75d815cb866a03166cf56d745d1876ebb1d4bfbabaa5df32ca3fdb6d291f793acc4266231688e5a9b9d4b18113a47f21ebb7f1b39c5d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe

Filesize
637KB

MD5
17740a31da003de7d03e1a89ffa01b40

SHA1
1c7089eb6f37035a18cee7a7bda7fa83c85d18c1

SHA256
de51ca8c619a690007fef423d20379d4e949997da159ec037d65bcc444bdf09b

SHA512
41683bc9c98a5f2fdb75d815cb866a03166cf56d745d1876ebb1d4bfbabaa5df32ca3fdb6d291f793acc4266231688e5a9b9d4b18113a47f21ebb7f1b39c5d61

Download Submit
memory/580-58-0x0000000000000000-mapping.dmp

Download
memory/580-62-0x00000000005F0000-0x0000000000811000-memory.dmp

Filesize
2.1MB

Download
memory/588-65-0x0000000000600000-0x0000000000669000-memory.dmp

Filesize
420KB

Download
memory/588-63-0x0000000000600000-0x0000000000669000-memory.dmp

Filesize
420KB

Download
memory/588-68-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/1320-67-0x0000000000000000-mapping.dmp

Download
memory/1788-54-0x0000000000510000-0x0000000000700000-memory.dmp

Filesize
1.9MB

Download
memory/1788-56-0x0000000000950000-0x0000000000B71000-memory.dmp

Filesize
2.1MB

Download
memory/1788-55-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads