General

  • Target

    85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37

  • Size

    637KB

  • Sample

    221126-sr7afsdd82

  • MD5

    7da542b3bb5315c122e615782f69ecbf

  • SHA1

    6ed5e8827874dc1ffb452511f7a0c7a8556fd954

  • SHA256

    85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37

  • SHA512

    80f3b521a64bddddcf9c6747c76e92423ad036bdc79aa88d8fb61ea5a00baf0d8c6da3f5dfd963a5fe47c4ac763da5972ff8b6f12db8c1bfcbf80fad3920a1f4

  • SSDEEP

    12288:7Wbr5dYHRCfp7cJY2nj9pH9G3qMc7qJUHrlm63yCkhep9Mkkf:6bddfhIJN7dG3O7XH53ybheLDkf

Score
10/10

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files qtogicl.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://kph3onblkthy4z37.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. RYG4TR-AEEFLE-KUA5WV-V6VE3Z-6XVHRX-O2SHDC-VDK7OC-B4B5FR EUHY4K-CNE4X7-FOU4WA-O6LXEG-AJWX33-3VF3NV-L3SVHI-XT2UOQ HPRN3A-OBDZP2-VFC2UK-BHNK4N-TFM2X3-4MC4GH-XOFED7-HMVNRC Follow the instructions on the server.
URLs

http://kph3onblkthy4z37.onion.cab

http://kph3onblkthy4z37.tor2web.org

http://kph3onblkthy4z37.onion/

Extracted

Path

C:\ProgramData\yrnkowk.html

Ransom Note
<html><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8'> </head><body bgcolor=#424242 onLoad="window.location='#list';"> <p style='font-family:Tahoma;font-size:14px;color:#FFFFFF'> Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer.<br> Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.<br> If you see the main locker window, follow the instructions on the locker.<br> Overwise, it's seems that you or your antivirus deleted the locker program.<br> Now you have the last chance to decrypt your files.<br><br> Open <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' target=_blank href='http://kph3onblkthy4z37.onion.cab'>http://kph3onblkthy4z37.onion.cab</a> or <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' target=_blank href='http://kph3onblkthy4z37.tor2web.org'>http://kph3onblkthy4z37.tor2web.org</a> in your browser. They are public gates to the secret server. <br><br> If you have problems with gates, use direct connection:<br><br> 1. Download Tor Browser from <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' target=_blank href='http://www.torproject.org/download/download-easy.html.en'>http://torproject.org</a>.<br> 2. In the Tor Browser open the <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' target=_blank href='http://kph3onblkthy4z37.onion'>http://kph3onblkthy4z37.onion</a><br> &nbsp;&nbsp;&nbsp;&nbsp;Note that this server is available via Tor Browser only.<br> &nbsp;&nbsp;&nbsp;&nbsp;Retry in 1 hour if site is not reachable.<br> Copy and paste the following public key in the input form on server. 
Avoid missprints.</p><pre style='font-family:Courier New;font-size:16px;color:#FFFFFF'>QXVRCJ-RIKPWO-NU3XTR-RR7XM6-4DECXT-3DZ77G-4EIAPT-FYHPUH D35OTV-J6ZE5W-XWNE6M-CRKNXQ-ZOLCQZ-IXRBIS-F53DDK-3UOTKU CKLHBC-Y66EEN-NMYX5T-U2PQQP-PBIZIO-EYHMVV-RK6YE6-KAYYCV</pre> <p style='font-family:Tahoma;font-size:14px;color:#FFFFFF'> Follow the instructions on the server.<br><br> <a name='list'>The list of your encrypted files:</a></p> <table style='font-family:Tahoma;font-size:12px;color:#FFFFFF;border-color:#A0A0A0' cellspacing=0 cellpadding=5 border=1> <tr><th><b>File</b></th><th><b>Path</b></th></tr> <tr><td>ClientARMRefer2019_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ClientSub2019_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>WacLangPack2019Eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>VERSION.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\</td></tr><tr><td>ClientOSub2019_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>VERSION.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\Java\jre1.8.0_66\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\jre\</td></tr><tr><td>ClientARMRefer_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\</td></tr><tr><td>WacLangPackEula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ClientVolumeLicense_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>notice.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\</td></tr><tr><td>ClientLangPack2019_eula.TXT</td><td>C:\Program Files\Microsoft 
Office\root\Office16\1033\</td></tr><tr><td>ClientLangPack_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ExcelMessageDismissal.TXT</td><td>C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\</td></tr><tr><td>ClientVolumeLicense2019_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ClientOSub_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>card_expiration_terms_dict.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\Configuration\</td></tr><tr><td>Xusage.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\</td></tr><tr><td>Xusage.TXT</td><td>C:\Program Files\Java\jre1.8.0_66\bin\server\</td></tr><tr><td>readme.TXT</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>card_security_terms_dict.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\Configuration\</td></tr><tr><td>AccessMessageDismissal.TXT</td><td>C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>License.TXT</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>jvm.hprof.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\jre\lib\</td></tr><tr><td>jvm.hprof.TXT</td><td>C:\Program Files\Java\jre1.8.0_66\lib\</td></tr><tr><td>io.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>af.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>card_terms_dict.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\Configuration\</td></tr><tr><td>ms.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>cy.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>eo.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ast.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\VideoLAN\VLC\lua\http\requests\</td></tr><tr><td>br.TXT</td><td>C:\Program 
Files\7-Zip\Lang\</td></tr><tr><td>lv.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>LyncVDI_Eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>THANKS.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>ku.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ssn_high_group_info.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\Configuration\</td></tr><tr><td>nn.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sq.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>nb.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ThirdPartyNotices.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\MSIPC\</td></tr><tr><td>fy.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>va.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>LyncBasic_Eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>TPN.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\</td></tr><tr><td>sr-spl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>et.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sv.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>uz.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>AccessRuntime_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ro.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fur.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ext.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lij.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>an.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>zh-tw.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kaa.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>zh-cn.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hu.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>da.TXT</td><td>C:\Program 
Files\7-Zip\Lang\</td></tr><tr><td>ga.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>id.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>vi.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kab.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>AccessRuntime2019_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>hr.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ps.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mn.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fi.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>is.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>eu.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mk.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>nl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>SkypeForBusinessVDI2019_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>SkypeForBusinessBasic2019_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>cs.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>gl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sk.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ca.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pt.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pt-br.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lt.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>az.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>de.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>he.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>it.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ClientPreview_eula.TXT</td><td>C:\Program Files\Microsoft 
Office\root\Office16\1033\</td></tr><tr><td>es.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>tr.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ko.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fr.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>co.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kk.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fa.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mr.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>yo.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ba.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>asl-v20.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\</td></tr><tr><td>asl-v20.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\</td></tr><tr><td>asl-v20.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\</td></tr><tr><td>ug.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ja.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sr-spc.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ClientSub_M365_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>be.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ClientSub_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ku-ckb.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ar.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ky.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ta.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>bg.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ne.TXT</td><td>C:\Program 
Files\7-Zip\Lang\</td></tr><tr><td>hy.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>tt.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ru.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pa-in.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>bn.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>uk.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>th.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>si.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>el.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ka.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>gu.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hi.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>COPYING.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>sa.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>third-party-notices.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\AugLoop\</td></tr><tr><td>AUTHORS.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>mng.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mng2.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>THIRDPARTYLICENSEREADME.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\</td></tr><tr><td>client_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>Client2019_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>History.TXT</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.TXT</td><td>C:\Program Files\Java\jre1.8.0_66\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\jre\</td></tr><tr><td>THIRDPARTYLICENSEREADME.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\</td></tr><tr><td>THIRDPARTYLICENSEREADME.TXT</td><td>C:\Program 
Files\Java\jdk1.8.0_66\jre\</td></tr><tr><td>THIRDPARTYLICENSEREADME.TXT</td><td>C:\Program Files\Java\jre1.8.0_66\</td></tr><tr><td>NEWS.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>PowerPointNaiveBayesCommandRanker.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ExcelNaiveBayesCommandRanker.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>WordNaiveBayesCommandRanker.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>lpklegal.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\</td></tr><tr><td>METCONV.TXT</td><td>C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\</td></tr><tr><td>cacerts.PEM</td><td>C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\</td></tr><tr><td>PROTTPLN.DOC</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>PROTTPLV.DOC</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>AccessBridgeCalls.C</td><td>C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\</td></tr><tr><td>autoconfig.JS</td><td>C:\Program Files\Mozilla Firefox\defaults\pref\</td></tr><tr><td>channel-prefs.JS</td><td>C:\Program Files\Mozilla Firefox\defaults\pref\</td></tr><tr><td>personaspybridge.JS</td><td>C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\</td></tr><tr><td>ui.JS</td><td>C:\Program Files\VideoLAN\VLC\lua\http\js\</td></tr><tr><td>common.JS</td><td>C:\Program Files\VideoLAN\VLC\lua\http\js\</td></tr><tr><td>controllers.JS</td><td>C:\Program Files\VideoLAN\VLC\lua\http\js\</td></tr><tr><td>PersonaSpy.JS</td><td>C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\</td></tr><tr><td>office.core.operational.JS</td><td>C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\</td></tr><tr><td>bundle.JS</td><td>C:\Program Files\Microsoft 
Office\root\Office16\AugLoop\</td></tr><tr><td>jquery.jstree.JS</td><td>C:\Program Files\VideoLAN\VLC\lua\http\js\</td></tr><tr><td>Office.Runtime.JS</td><td>C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\</td></tr><tr><td>PROTTPLN.XLS</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>PROTTPLV.XLS</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>SOLVSAMP.XLS</td><td>C:\Program Files\Microsoft Office\root\Office16\SAMPLES\</td></tr><tr><td>Microsoft.Mashup.Container.exe.CONFIG</td><td>C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\</td></tr><tr><td>Microsoft.Mashup.Container.NetFX40.exe.CONFIG</td><td>C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\</td></tr><tr><td>Microsoft.Mashup.Container.NetFX45.exe.CONFIG</td><td>C:\Progra
URLs

http-equiv='Content-Type (not a URL: the extractor picked up attribute text from the note's <meta> tag, so there is no network indicator in this entry beyond the gates listed for the other notes)

Extracted

Path

C:\Users\Admin\Documents\Decrypt All Files plqrcsi.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://kph3onblkthy4z37.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. QXVRCJ-RIKPWO-NU3XTR-RR7XM6-4DECXT-3DZ77G-4EIAPT-FYHPUH D35OTV-J6ZE5W-XWNE6M-CRKNXQ-ZOLCQZ-IXRBIS-F53DDK-3UOTKU CKLHBC-Y66EEN-NMYX5T-U2PQQP-PBIZIO-EYHMVV-RK6YE6-KAYYCV Follow the instructions on the server.
URLs

http://kph3onblkthy4z37.onion.cab

http://kph3onblkthy4z37.tor2web.org

http://kph3onblkthy4z37.onion/

Extracted

Path

C:\ProgramData\yrnkowk.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://kph3onblkthy4z37.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: File Path
URLs

http://kph3onblkthy4z37.onion.cab

http://kph3onblkthy4z37.tor2web.org

http://kph3onblkthy4z37.onion
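The four extracted notes above all point at one Tor hidden service, reached either directly (the 16-character .onion label) or through two clearnet Tor2web-style gates (.onion.cab and .tor2web.org), and each carries a per-victim token that the note calls a "public key", written as three rows of eight 6-character groups from the base32 alphabet. The script below is an added example, not part of the sandbox output: it parses both the plain-text and the HTML note variants quoted in this report, normalises the gate hosts back to the hidden-service label (which is what to block or hunt on, since gateway domains come and go), and validates the token as base32 without claiming anything about what it decodes to. NOTE_TXT is copied verbatim from the first extracted note; NOTE_HTML is the ProgramData HTML note shortened to its links and token block, with the encrypted-file table left out.

```python
"""Extract pivotable IoCs from the ransom notes quoted in this report.

Added example, not part of the sandbox output. Both note variants point at
one Tor hidden service through two clearnet Tor2web-style gates and carry a
per-victim token (the note's "public key") written in the RFC 4648 base32
alphabet as three rows of eight 6-character groups.
"""
import base64
import re
from html import unescape

# Plain-text note, copied verbatim from the first "Extracted" entry above.
NOTE_TXT = (
    "Your documents, photos, databases and other important files have been "
    "encrypted with strongest encryption and unique key, generated for this "
    "computer. Private decryption key is stored on a secret Internet server and "
    "nobody can decrypt your files until you pay and obtain the private key. "
    "If you see the main locker window, follow the instructions on the locker. "
    "Overwise, it's seems that you or your antivirus deleted the locker program. "
    "Now you have the last chance to decrypt your files. "
    "Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org "
    "in your browser. They are public gates to the secret server. If you have "
    "problems with gates, use direct connection: 1. Download Tor Browser from "
    "http://torproject.org 2. In the Tor Browser open the "
    "http://kph3onblkthy4z37.onion/ Note that this server is available via Tor "
    "Browser only. Retry in 1 hour if site is not reachable. Copy and paste the "
    "following public key in the input form on server. Avoid missprints. "
    "RYG4TR-AEEFLE-KUA5WV-V6VE3Z-6XVHRX-O2SHDC-VDK7OC-B4B5FR "
    "EUHY4K-CNE4X7-FOU4WA-O6LXEG-AJWX33-3VF3NV-L3SVHI-XT2UOQ "
    "HPRN3A-OBDZP2-VFC2UK-BHNK4N-TFM2X3-4MC4GH-XOFED7-HMVNRC "
    "Follow the instructions on the server."
)

# HTML note (yrnkowk.html) shortened to its links and token block; the long
# encrypted-file table from the report is omitted here.
NOTE_HTML = (
    "<html><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8'> "
    "</head><body bgcolor=#424242 onLoad=\"window.location='#list';\"> "
    "<p style='font-family:Tahoma;font-size:14px;color:#FFFFFF'>Open "
    "<a target=_blank href='http://kph3onblkthy4z37.onion.cab'>http://kph3onblkthy4z37.onion.cab</a> or "
    "<a target=_blank href='http://kph3onblkthy4z37.tor2web.org'>http://kph3onblkthy4z37.tor2web.org</a> "
    "in your browser.<br> 2. In the Tor Browser open the "
    "<a target=_blank href='http://kph3onblkthy4z37.onion'>http://kph3onblkthy4z37.onion</a><br> "
    "&nbsp;&nbsp;Copy and paste the following public key in the input form on server. "
    "Avoid missprints.</p><pre style='font-family:Courier New;font-size:16px;color:#FFFFFF'>"
    "QXVRCJ-RIKPWO-NU3XTR-RR7XM6-4DECXT-3DZ77G-4EIAPT-FYHPUH "
    "D35OTV-J6ZE5W-XWNE6M-CRKNXQ-ZOLCQZ-IXRBIS-F53DDK-3UOTKU "
    "CKLHBC-Y66EEN-NMYX5T-U2PQQP-PBIZIO-EYHMVV-RK6YE6-KAYYCV</pre> "
    "<p><a name='list'>The list of your encrypted files:</a></p></body></html>"
)

TAG = re.compile(r"<[^>]+>")
WS = re.compile(r"\s+")
# Direct v2 hidden-service URL: 16 base32 chars + ".onion" not followed by another label.
ONION_V2 = re.compile(r"\b([a-z2-7]{16})\.onion\b(?!\.)")
# Clearnet gates: the same label in front of a Tor2web-style gateway domain.
GATE = re.compile(r"\b([a-z2-7]{16})\.(onion\.cab|tor2web\.org)\b")
# One token row: eight 6-char groups from the base32 alphabet (A-Z, 2-7), joined by '-'.
TOKEN_ROW = re.compile(r"\b(?:[A-Z2-7]{6}-){7}[A-Z2-7]{6}\b")


def note_to_text(note: str) -> str:
    """Visible text of a note, whether it arrived as plain text or as HTML."""
    if "<html" in note[:64].lower():
        note = unescape(TAG.sub(" ", note))
    return WS.sub(" ", note).strip()


def extract_iocs(note: str) -> dict:
    """Gates, the hidden-service label behind them, and the victim token."""
    text = note_to_text(note)
    gate_hits = GATE.findall(text)
    labels = {label for label, _ in gate_hits} | set(ONION_V2.findall(text))
    rows = TOKEN_ROW.findall(text)
    token = "".join(rows).replace("-", "")
    # 48 base32 chars per row decode to exactly 30 bytes, so no '=' padding is needed.
    raw = base64.b32decode(token) if token and len(token) % 8 == 0 else b""
    return {
        "gates": sorted({f"{label}.{domain}" for label, domain in gate_hits}),
        "hidden_services": sorted(labels),  # block/hunt on this, not on a gateway host
        "token_rows": rows,
        "token": token,
        "token_bytes": raw,
    }


if __name__ == "__main__":
    for kind, note in (("txt", NOTE_TXT), ("html", NOTE_HTML)):
        iocs = extract_iocs(note)
        print(kind, iocs["hidden_services"], iocs["gates"], len(iocs["token_bytes"]), "bytes")
```

Running it on the two notes yields the same hidden-service label and gate pair for both, and two different 90-byte tokens: the note dropped under PUB60COR carries the RYG4TR... token while the Documents and ProgramData notes carry the QXVRCJ... token, so a single infected host can show more than one token and the label, not the token, is the indicator to share.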

Targets

    • Target

      85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37

    • Size

      637KB

    • MD5

      7da542b3bb5315c122e615782f69ecbf

    • SHA1

      6ed5e8827874dc1ffb452511f7a0c7a8556fd954

    • SHA256

      85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37

    • SHA512

      80f3b521a64bddddcf9c6747c76e92423ad036bdc79aa88d8fb61ea5a00baf0d8c6da3f5dfd963a5fe47c4ac763da5972ff8b6f12db8c1bfcbf80fad3920a1f4

    • SSDEEP

      12288:7Wbr5dYHRCfp7cJY2nj9pH9G3qMc7qJUHrlm63yCkhep9Mkkf:6bddfhIJN7dG3O7XH53ybheLDkf

    Score
    10/10
    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry
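The behaviours above are what the sandbox saw; on a suspected host the quickest confirmation is the dropped notes themselves. The report shows two drop patterns: "Decrypt All Files <name>.txt" beside user documents (and even inside Program Files) and "<name>.html" under ProgramData, where <name> was seven lowercase letters in all three observed cases (qtogicl, plqrcsi, yrnkowk). The script below is an added example, not part of the sandbox output: it walks a file tree, flags files whose names fit those patterns, and confirms each candidate by the note's own wording (including its two misspellings), so a renamed note is still caught and a coincidentally named file is reported only as suspicious. Treating the seven-letter length as fixed is an assumption generalised from three samples; the sample tree it runs on is constructed for the demonstration.

```python
"""Hunt a file tree for the ransom-note artefacts recorded in this report.

Added example, not part of the sandbox output. Drop patterns come from the
report: "Decrypt All Files <name>.txt" beside user documents and
"<name>.html" under ProgramData, <name> being seven lowercase letters in the
three cases seen (an assumption when generalised). A file-name match alone is
weak evidence, so each candidate is confirmed by the note's own wording.
"""
import os
import re
import tempfile

NOTE_TXT_NAME = re.compile(r"^Decrypt All Files [a-z]{7}\.txt$", re.IGNORECASE)
DROP_HTML_NAME = re.compile(r"^[a-z]{7}\.html$")
# Phrases taken verbatim from the note above, including its two misspellings,
# which a legitimate document is unlikely to reproduce.
MARKERS = (
    "encrypted with strongest encryption and unique key",
    "Overwise, it's seems that you or your antivirus deleted the locker program",
    "Avoid missprints",
)
# Note body used to populate the constructed sample tree below.
NOTE_BODY = (
    "Your documents, photos, databases and other important files have been "
    "encrypted with strongest encryption and unique key, generated for this "
    "computer. Overwise, it's seems that you or your antivirus deleted the "
    "locker program. Copy and paste the following public key in the input form "
    "on server. Avoid missprints."
)


def looks_like_note(path: str, limit: int = 64 * 1024) -> bool:
    """True when at least two marker phrases occur in the first `limit` bytes."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(limit).decode("utf-8", errors="replace")
    except OSError:
        return False
    return sum(marker in head for marker in MARKERS) >= 2


def hunt(root: str) -> list:
    """Walk `root`; return hits as dicts sorted by path.

    verdict is "ransom_note" when the content matches (whatever the name) and
    "suspicious_name" when only the file name fits a drop pattern.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        in_programdata = os.path.basename(dirpath).lower() == "programdata"
        for name in files:
            path = os.path.join(dirpath, name)
            by_name = bool(NOTE_TXT_NAME.match(name)) or (
                in_programdata and bool(DROP_HTML_NAME.match(name))
            )
            textual = name.lower().endswith((".txt", ".html", ".htm"))
            by_content = (by_name or textual) and looks_like_note(path)
            if by_content:
                hits.append({"path": path, "verdict": "ransom_note", "name_match": by_name})
            elif by_name:
                hits.append({"path": path, "verdict": "suspicious_name", "name_match": True})
    return sorted(hits, key=lambda hit: hit["path"])


def build_sample_tree(root: str) -> None:
    """Constructed layout mirroring the drop paths in this report (not a disk image)."""
    layout = {
        "Users/Admin/Documents/Decrypt All Files plqrcsi.txt": NOTE_BODY,
        "ProgramData/yrnkowk.html": "<html><body><p>" + NOTE_BODY + "</p></body></html>",
        "Users/Admin/Desktop/Decrypt All Files abcdefg.txt": "",  # name fits, no content
        "ProgramData/readme.html": "<html><body>vendor readme</body></html>",  # benign
        "Users/Admin/Documents/notes.txt": "meeting notes",  # benign
    }
    for rel, body in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo() -> list:
    """Run the hunt over the constructed tree; returns (relative path, verdict) pairs."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [
            (os.path.relpath(hit["path"], root).replace(os.sep, "/"), hit["verdict"])
            for hit in hunt(root)
        ]


if __name__ == "__main__":
    for rel, verdict in demo():
        print(f"{verdict:16} {rel}")
```

On the constructed tree the two real notes come back as ransom_note, the empty file with a matching name as suspicious_name only, and the benign readme and notes files are not reported. Point hunt() at a mounted volume or a collected triage image root to use it for real; the content check reads at most 64 KB per candidate.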

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                       Count  ID
  Defense Evasion   Modify Registry                 2      T1112
  Discovery         Query Registry                  1      T1012
  Discovery         System Information Discovery    2      T1082
  Impact            Defacement                      1      T1491

Tasks