85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37

General

Target

85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe
Size

637KB
MD5

7da542b3bb5315c122e615782f69ecbf
SHA1

6ed5e8827874dc1ffb452511f7a0c7a8556fd954
SHA256

85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37
SHA512

80f3b521a64bddddcf9c6747c76e92423ad036bdc79aa88d8fb61ea5a00baf0d8c6da3f5dfd963a5fe47c4ac763da5972ff8b6f12db8c1bfcbf80fad3920a1f4
SSDEEP

12288:7Wbr5dYHRCfp7cJY2nj9pH9G3qMc7qJUHrlm63yCkhep9Mkkf:6bddfhIJN7dG3O7XH53ybheLDkf

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\ProgramData\yrnkowk.html

Ransom Note

<html><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8'> </head><body bgcolor=#424242 onLoad="window.location='#list';"> Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' target=_blank href='http://kph3onblkthy4z37.onion.cab'>http://kph3onblkthy4z37.onion.cab</a> or <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' target=_blank href='http://kph3onblkthy4z37.tor2web.org'>http://kph3onblkthy4z37.tor2web.org</a> in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' target=_blank href='http://www.torproject.org/download/download-easy.html.en'>http://torproject.org</a>. 2. In the Tor Browser open the <a style='font-family:Tahoma;font-size:14px;color:#20FFFF' target=_blank href='http://kph3onblkthy4z37.onion'>http://kph3onblkthy4z37.onion</a>     Note that this server is available via Tor Browser only.     Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints.<pre style='font-family:Courier New;font-size:16px;color:#FFFFFF'>QXVRCJ-RIKPWO-NU3XTR-RR7XM6-4DECXT-3DZ77G-4EIAPT-FYHPUH D35OTV-J6ZE5W-XWNE6M-CRKNXQ-ZOLCQZ-IXRBIS-F53DDK-3UOTKU CKLHBC-Y66EEN-NMYX5T-U2PQQP-PBIZIO-EYHMVV-RK6YE6-KAYYCV</pre> Follow the instructions on the server. <a name='list'>The list of your encrypted files:</a> <table style='font-family:Tahoma;font-size:12px;color:#FFFFFF;border-color:#A0A0A0' cellspacing=0 cellpadding=5 border=1> <tr><th>File</th><th>Path</th></tr> <tr><td>ClientARMRefer2019_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ClientSub2019_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>WacLangPack2019Eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>VERSION.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\</td></tr><tr><td>ClientOSub2019_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>VERSION.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\Java\jre1.8.0_66\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\jre\</td></tr><tr><td>ClientARMRefer_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\</td></tr><tr><td>WacLangPackEula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ClientVolumeLicense_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>notice.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\</td></tr><tr><td>ClientLangPack2019_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ClientLangPack_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ExcelMessageDismissal.TXT</td><td>C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\</td></tr><tr><td>ClientVolumeLicense2019_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ClientOSub_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>card_expiration_terms_dict.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\Configuration\</td></tr><tr><td>Xusage.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\</td></tr><tr><td>Xusage.TXT</td><td>C:\Program Files\Java\jre1.8.0_66\bin\server\</td></tr><tr><td>readme.TXT</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>card_security_terms_dict.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\Configuration\</td></tr><tr><td>AccessMessageDismissal.TXT</td><td>C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>License.TXT</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>jvm.hprof.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\jre\lib\</td></tr><tr><td>jvm.hprof.TXT</td><td>C:\Program Files\Java\jre1.8.0_66\lib\</td></tr><tr><td>io.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>af.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>card_terms_dict.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\Configuration\</td></tr><tr><td>ms.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>cy.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>eo.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ast.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>README.TXT</td><td>C:\Program Files\VideoLAN\VLC\lua\http\requests\</td></tr><tr><td>br.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lv.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>LyncVDI_Eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>THANKS.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>ku.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ssn_high_group_info.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\Configuration\</td></tr><tr><td>nn.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sq.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>nb.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ThirdPartyNotices.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\MSIPC\</td></tr><tr><td>fy.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>va.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>LyncBasic_Eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>TPN.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\</td></tr><tr><td>sr-spl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>et.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sv.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>uz.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>AccessRuntime_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ro.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fur.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ext.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lij.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>an.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>zh-tw.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kaa.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>zh-cn.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hu.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>da.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ga.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>id.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>vi.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kab.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>AccessRuntime2019_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>hr.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ps.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mn.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fi.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>is.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>eu.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mk.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>nl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>SkypeForBusinessVDI2019_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>SkypeForBusinessBasic2019_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>cs.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>gl.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sk.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ca.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pt.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pt-br.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>lt.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>az.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>de.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>he.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>it.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ClientPreview_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>es.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>tr.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ko.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fr.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>co.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>kk.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>fa.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mr.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>yo.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ba.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>asl-v20.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\</td></tr><tr><td>asl-v20.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\</td></tr><tr><td>asl-v20.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\</td></tr><tr><td>ug.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ja.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>sr-spc.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ClientSub_M365_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>be.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ClientSub_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ku-ckb.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ar.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ky.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ta.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>bg.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ne.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hy.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>tt.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ru.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>pa-in.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>bn.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>uk.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>th.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>si.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>el.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>ka.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>gu.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>hi.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>COPYING.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>sa.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>third-party-notices.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\AugLoop\</td></tr><tr><td>AUTHORS.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>mng.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>mng2.TXT</td><td>C:\Program Files\7-Zip\Lang\</td></tr><tr><td>THIRDPARTYLICENSEREADME.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\</td></tr><tr><td>client_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>Client2019_eula.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>History.TXT</td><td>C:\Program Files\7-Zip\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.TXT</td><td>C:\Program Files\Java\jre1.8.0_66\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\</td></tr><tr><td>THIRDPARTYLICENSEREADME-JAVAFX.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\jre\</td></tr><tr><td>THIRDPARTYLICENSEREADME.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\</td></tr><tr><td>THIRDPARTYLICENSEREADME.TXT</td><td>C:\Program Files\Java\jdk1.8.0_66\jre\</td></tr><tr><td>THIRDPARTYLICENSEREADME.TXT</td><td>C:\Program Files\Java\jre1.8.0_66\</td></tr><tr><td>NEWS.TXT</td><td>C:\Program Files\VideoLAN\VLC\</td></tr><tr><td>PowerPointNaiveBayesCommandRanker.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>ExcelNaiveBayesCommandRanker.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>WordNaiveBayesCommandRanker.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>lpklegal.TXT</td><td>C:\Program Files\Microsoft Office\root\Office16\</td></tr><tr><td>METCONV.TXT</td><td>C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\</td></tr><tr><td>cacerts.PEM</td><td>C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\</td></tr><tr><td>PROTTPLN.DOC</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>PROTTPLV.DOC</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>AccessBridgeCalls.C</td><td>C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\</td></tr><tr><td>autoconfig.JS</td><td>C:\Program Files\Mozilla Firefox\defaults\pref\</td></tr><tr><td>channel-prefs.JS</td><td>C:\Program Files\Mozilla Firefox\defaults\pref\</td></tr><tr><td>personaspybridge.JS</td><td>C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\</td></tr><tr><td>ui.JS</td><td>C:\Program Files\VideoLAN\VLC\lua\http\js\</td></tr><tr><td>common.JS</td><td>C:\Program Files\VideoLAN\VLC\lua\http\js\</td></tr><tr><td>controllers.JS</td><td>C:\Program Files\VideoLAN\VLC\lua\http\js\</td></tr><tr><td>PersonaSpy.JS</td><td>C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\</td></tr><tr><td>office.core.operational.JS</td><td>C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\</td></tr><tr><td>bundle.JS</td><td>C:\Program Files\Microsoft Office\root\Office16\AugLoop\</td></tr><tr><td>jquery.jstree.JS</td><td>C:\Program Files\VideoLAN\VLC\lua\http\js\</td></tr><tr><td>Office.Runtime.JS</td><td>C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\</td></tr><tr><td>PROTTPLN.XLS</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>PROTTPLV.XLS</td><td>C:\Program Files\Microsoft Office\root\Office16\1033\</td></tr><tr><td>SOLVSAMP.XLS</td><td>C:\Program Files\Microsoft Office\root\Office16\SAMPLES\</td></tr><tr><td>Microsoft.Mashup.Container.exe.CONFIG</td><td>C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\</td></tr><tr><td>Microsoft.Mashup.Container.NetFX40.exe.CONFIG</td><td>C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\</td></tr><tr><td>Microsoft.Mashup.Container.NetFX45.exe.CONFIG</td><td>C:\Progra

URLs

http-equiv='Content-Type

Extracted

Path

C:\Users\Admin\Documents\Decrypt All Files plqrcsi.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://kph3onblkthy4z37.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. QXVRCJ-RIKPWO-NU3XTR-RR7XM6-4DECXT-3DZ77G-4EIAPT-FYHPUH D35OTV-J6ZE5W-XWNE6M-CRKNXQ-ZOLCQZ-IXRBIS-F53DDK-3UOTKU CKLHBC-Y66EEN-NMYX5T-U2PQQP-PBIZIO-EYHMVV-RK6YE6-KAYYCV Follow the instructions on the server.

URLs

http://kph3onblkthy4z37.onion.cab

http://kph3onblkthy4z37.tor2web.org

http://kph3onblkthy4z37.onion/

Extracted

Path

C:\ProgramData\yrnkowk.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://kph3onblkthy4z37.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: File Path

URLs

http://kph3onblkthy4z37.onion.cab

http://kph3onblkthy4z37.tor2web.org

http://kph3onblkthy4z37.onion

Signatures

Executes dropped EXE 2 IoCs

Processes:

dajjvan.exedajjvan.exe

pid process

1340 dajjvan.exe
5088 dajjvan.exe

pid	process
1340	dajjvan.exe
5088	dajjvan.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\HideConnect.CRW.plqrcsi	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\PublishEnable.RAW.plqrcsi	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

dajjvan.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation dajjvan.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dajjvan.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 5 IoCs

Processes:

dajjvan.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	dajjvan.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	dajjvan.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	dajjvan.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\desktop.ini	dajjvan.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	dajjvan.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\Decrypt All Files plqrcsi.bmp"	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

dajjvan.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\GPU	dajjvan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	dajjvan.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	dajjvan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	dajjvan.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2339e045-0000-0000-0000-d01200000000}\MaxCapacity = "15140"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2339e045-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2339e045-0000-0000-0000-d01200000000}	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00320033003300390065003000340035002d0030003000300030002d0030003000300030002d0030003000300030002d006400300031003200300030003000300030003000300030007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exedajjvan.exe

pid	process
4412	85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe
4412	85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe
1340	dajjvan.exe
1340	dajjvan.exe
1340	dajjvan.exe
1340	dajjvan.exe
1340	dajjvan.exe
1340	dajjvan.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

760 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dajjvan.exe

description pid process

Token: SeDebugPrivilege 1340 dajjvan.exe
Token: SeDebugPrivilege 1340 dajjvan.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

dajjvan.exe

pid process

5088 dajjvan.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

dajjvan.exe

pid process

5088 dajjvan.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

dajjvan.exe

pid process

5088 dajjvan.exe
5088 dajjvan.exe

pid	process
760	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1340	dajjvan.exe
Token: SeDebugPrivilege	1340	dajjvan.exe

pid	process
5088	dajjvan.exe

pid	process
5088	dajjvan.exe

pid	process
5088	dajjvan.exe
5088	dajjvan.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

dajjvan.exesvchost.exe

description	pid	process	target process
PID 1340 wrote to memory of 812	1340	dajjvan.exe	svchost.exe
PID 812 wrote to memory of 1668	812	svchost.exe	wmiprvse.exe
PID 812 wrote to memory of 1668	812	svchost.exe	wmiprvse.exe
PID 812 wrote to memory of 3972	812	svchost.exe	DllHost.exe
PID 812 wrote to memory of 3972	812	svchost.exe	DllHost.exe
PID 1340 wrote to memory of 760	1340	dajjvan.exe	Explorer.EXE
PID 1340 wrote to memory of 5088	1340	dajjvan.exe	dajjvan.exe
PID 1340 wrote to memory of 5088	1340	dajjvan.exe	dajjvan.exe
PID 1340 wrote to memory of 5088	1340	dajjvan.exe	dajjvan.exe
PID 812 wrote to memory of 5020	812	svchost.exe	mousocoreworker.exe
PID 812 wrote to memory of 5020	812	svchost.exe	mousocoreworker.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
2⤵
PID:1668

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:3972

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
2⤵
PID:5020

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
PID:760

C:\Users\Admin\AppData\Local\Temp\85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe
"C:\Users\Admin\AppData\Local\Temp\85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4412

C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340

C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
"C:\Users\Admin\AppData\Local\Temp\dajjvan.exe" -u
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ssh\akatxdg
Filesize
654B

MD5
89fc50408112153bca3dc685c6738d63

SHA1
2772e1ab663f1be96013e6aba275a715674b0242

SHA256
11c35006d5ac339264c16886029cdafa8eb39b98cc40b9fcbb9396d30fdb8931

SHA512
7b70860abf83fb98b5541cb1f50f0fd1191b07fe8629ccee9837d057f6f2036ea8cf93aef2e9ef650f6906309a5b1a5d631c7f4dc9e03022de9851f9f8a145a1

Download Submit
C:\ProgramData\ssh\akatxdg
Filesize
654B

MD5
cca6ce898e8fdb41e24fce416535d317

SHA1
3c859d3df0069e8cfbcfdf0d7b54a2524cab9dbf

SHA256
d4239a3f9c9b9360ce72fc5bef604ca6c5bdea8082b61a34a8eb4c944ea6bee3

SHA512
f1ef05d1baecbfd1b2c181bdb9f48cf92718eec8f6e977a374a31c70b3d3cc9dd1239bd40453f46893453418872cd3b66d3146c3609ade977c12fd728cb7f74a

Download Submit
C:\ProgramData\ssh\akatxdg
Filesize
654B

MD5
cca6ce898e8fdb41e24fce416535d317

SHA1
3c859d3df0069e8cfbcfdf0d7b54a2524cab9dbf

SHA256
d4239a3f9c9b9360ce72fc5bef604ca6c5bdea8082b61a34a8eb4c944ea6bee3

SHA512
f1ef05d1baecbfd1b2c181bdb9f48cf92718eec8f6e977a374a31c70b3d3cc9dd1239bd40453f46893453418872cd3b66d3146c3609ade977c12fd728cb7f74a

Download Submit
C:\ProgramData\yrnkowk.html
Filesize
223KB

MD5
084d681027c85fc83e9a0136a755b225

SHA1
d23c1c39873ab5fc77e064ef0d5f5ff872b98c26

SHA256
044cf2b191eedf2d4890cd524a1346a64d67dae6f564cad45d914f29cda17ae4

SHA512
cc9c0c990ea18719131966d8c22fe020a7bb860c934fadc628c7fbfc5f5178cf266b7fa477a1f6cb3e4ae1d10bc31336dfb0ca2cd7fc644d11cfc09d0ea96bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
Filesize
637KB

MD5
7da542b3bb5315c122e615782f69ecbf

SHA1
6ed5e8827874dc1ffb452511f7a0c7a8556fd954

SHA256
85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37

SHA512
80f3b521a64bddddcf9c6747c76e92423ad036bdc79aa88d8fb61ea5a00baf0d8c6da3f5dfd963a5fe47c4ac763da5972ff8b6f12db8c1bfcbf80fad3920a1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
Filesize
637KB

MD5
7da542b3bb5315c122e615782f69ecbf

SHA1
6ed5e8827874dc1ffb452511f7a0c7a8556fd954

SHA256
85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37

SHA512
80f3b521a64bddddcf9c6747c76e92423ad036bdc79aa88d8fb61ea5a00baf0d8c6da3f5dfd963a5fe47c4ac763da5972ff8b6f12db8c1bfcbf80fad3920a1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
Filesize
637KB

MD5
7da542b3bb5315c122e615782f69ecbf

SHA1
6ed5e8827874dc1ffb452511f7a0c7a8556fd954

SHA256
85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37

SHA512
80f3b521a64bddddcf9c6747c76e92423ad036bdc79aa88d8fb61ea5a00baf0d8c6da3f5dfd963a5fe47c4ac763da5972ff8b6f12db8c1bfcbf80fad3920a1f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.JPG.plqrcsi
Filesize
36KB

MD5
f341d7a6d12b594ec30d7c4f68711058

SHA1
5f22f1105513f1628995ae3cd07ad262d6d721a8

SHA256
79582b5b76e5b557f6870411289bbf0ae724829aa8e5244a4fc14f71e9e506b4

SHA512
8e18c4a4bf8279c2c12406ed2b71bdadd6dc4d2e071405ca69c50830d3c0d499c0400f3f970c7e1caa5ff579baf50e03d10855bb3b7c63fb3b27d62700b7aab3

Download Submit
memory/812-138-0x0000000034C00000-0x0000000034C69000-memory.dmp

Filesize
420KB

Download
memory/1340-137-0x0000000000B70000-0x0000000000D91000-memory.dmp

Filesize
2.1MB

Download
memory/1668-140-0x0000000000000000-mapping.dmp

Download
memory/3972-141-0x0000000000000000-mapping.dmp

Download
memory/4412-132-0x0000000000F20000-0x0000000001110000-memory.dmp

Filesize
1.9MB

Download
memory/4412-133-0x0000000001110000-0x0000000001331000-memory.dmp

Filesize
2.1MB

Download
memory/5020-151-0x0000000000000000-mapping.dmp

Download
memory/5088-147-0x0000000001200000-0x0000000001421000-memory.dmp

Filesize
2.1MB

Download
memory/5088-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads