85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37

General

Target

85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe
Size

637KB
MD5

7da542b3bb5315c122e615782f69ecbf
SHA1

6ed5e8827874dc1ffb452511f7a0c7a8556fd954
SHA256

85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37
SHA512

80f3b521a64bddddcf9c6747c76e92423ad036bdc79aa88d8fb61ea5a00baf0d8c6da3f5dfd963a5fe47c4ac763da5972ff8b6f12db8c1bfcbf80fad3920a1f4
SSDEEP

12288:7Wbr5dYHRCfp7cJY2nj9pH9G3qMc7qJUHrlm63yCkhep9Mkkf:6bddfhIJN7dG3O7XH53ybheLDkf

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files qtogicl.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://kph3onblkthy4z37.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. RYG4TR-AEEFLE-KUA5WV-V6VE3Z-6XVHRX-O2SHDC-VDK7OC-B4B5FR EUHY4K-CNE4X7-FOU4WA-O6LXEG-AJWX33-3VF3NV-L3SVHI-XT2UOQ HPRN3A-OBDZP2-VFC2UK-BHNK4N-TFM2X3-4MC4GH-XOFED7-HMVNRC Follow the instructions on the server.

URLs

http://kph3onblkthy4z37.onion.cab

http://kph3onblkthy4z37.tor2web.org

http://kph3onblkthy4z37.onion/

Signatures

Executes dropped EXE 1 IoCs

Processes:

gejzibk.exe

pid process

1960 gejzibk.exe

pid	process
1960	gejzibk.exe

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files qtogicl.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files qtogicl.bmp	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exegejzibk.exe

pid process

900 85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe
1960 gejzibk.exe
1960 gejzibk.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

gejzibk.exe

description pid process

Token: SeDebugPrivilege 1960 gejzibk.exe

pid	process
900	85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe
1960	gejzibk.exe
1960	gejzibk.exe

description	pid	process
Token: SeDebugPrivilege	1960	gejzibk.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

taskeng.exegejzibk.exe

description	pid	process	target process
PID 1924 wrote to memory of 1960	1924	taskeng.exe	gejzibk.exe
PID 1924 wrote to memory of 1960	1924	taskeng.exe	gejzibk.exe
PID 1924 wrote to memory of 1960	1924	taskeng.exe	gejzibk.exe
PID 1924 wrote to memory of 1960	1924	taskeng.exe	gejzibk.exe
PID 1960 wrote to memory of 596	1960	gejzibk.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe
"C:\Users\Admin\AppData\Local\Temp\85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Drops file in Program Files directory
PID:596

C:\Windows\system32\taskeng.exe
taskeng.exe {034E196F-D4AE-4B17-B266-3A49E64EBF08} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\qrsyusl
Filesize
654B

MD5
7e61b09bec6ad6bd66348da07a79c555

SHA1
ea658f2b3f7380d41f7da0102d16f4ce22c29cda

SHA256
f4b809a5334d8d083baeaeb177e92d383245bec71fc8e34105567743ba4e758e

SHA512
af9f903d7f6593fd3b2079422bab551607e6151fc5a6d03ed12ad921ca07bf5368d9cf465b56edccc30ddcb80aa9501119774c52cbf22abe6c4de8bf153621a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
Filesize
637KB

MD5
7da542b3bb5315c122e615782f69ecbf

SHA1
6ed5e8827874dc1ffb452511f7a0c7a8556fd954

SHA256
85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37

SHA512
80f3b521a64bddddcf9c6747c76e92423ad036bdc79aa88d8fb61ea5a00baf0d8c6da3f5dfd963a5fe47c4ac763da5972ff8b6f12db8c1bfcbf80fad3920a1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
Filesize
637KB

MD5
7da542b3bb5315c122e615782f69ecbf

SHA1
6ed5e8827874dc1ffb452511f7a0c7a8556fd954

SHA256
85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37

SHA512
80f3b521a64bddddcf9c6747c76e92423ad036bdc79aa88d8fb61ea5a00baf0d8c6da3f5dfd963a5fe47c4ac763da5972ff8b6f12db8c1bfcbf80fad3920a1f4

Download Submit
memory/596-63-0x0000000000670000-0x00000000006D9000-memory.dmp

Filesize
420KB

Download
memory/596-65-0x0000000000670000-0x00000000006D9000-memory.dmp

Filesize
420KB

Download
memory/900-54-0x0000000000720000-0x0000000000910000-memory.dmp

Filesize
1.9MB

Download
memory/900-55-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/900-56-0x0000000000910000-0x0000000000B31000-memory.dmp

Filesize
2.1MB

Download
memory/1960-58-0x0000000000000000-mapping.dmp

Download
memory/1960-62-0x0000000000860000-0x0000000000A81000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing