Analysis

  • max time kernel
    150s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-11-2022 04:27

General

  • Target

    250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe

  • Size

    1009KB

  • MD5

    63280dedabfe7caec283920f1b5ee3dd

  • SHA1

    5efc119e54f35770a9dae6997b550982c82cc86b

  • SHA256

    250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743

  • SHA512

    45e0108743f5922352980565df9f24ac1bddf8b15aca4e00a58affd8bc9136eee5144fa53fa91c2a76cd0bdbbc366b41f9b9d978da88328ef7c91ff55c6a9983

  • SSDEEP

    12288:RKfc7b5LkodZkB0YH6lmtSOE2UfQS/x1W5bUPodfCEVYHBF60GRGq4B:RKE7ttoBEmN3a/x1wBYh0I

Score
10/10

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files yqyhzxi.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://65y3g34c4zk3xkh2.onion.cab or http://65y3g34c4zk3xkh2.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://65y3g34c4zk3xkh2.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. IIWDFT-JZHCB6-SGAUJH-PENPL5-2VDDDP-CEAEE6-QJ6D37-WHTV7E JW5MRG-6W54PT-CGVNL6-YZLGCV-UIP6V3-STKOYS-KQRVR2-VZWNML HWW2CP-3KHEVJ-ZCGPW4-BJY5MH-G5BUY6-KVY36F-KY5FST-TGVPWX Follow the instructions on the server.
URLs

http://65y3g34c4zk3xkh2.onion.cab

http://65y3g34c4zk3xkh2.tor2web.org

http://65y3g34c4zk3xkh2.onion/

Extracted

Path

C:\ProgramData\zlwdkgg.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://65y3g34c4zk3xkh2.onion.cab or http://65y3g34c4zk3xkh2.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org (the link's actual target is http://www.torproject.org/download/download-easy.html.en). 2. In the Tor Browser open the http://65y3g34c4zk3xkh2.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. IIWDFT-JZHCB6-SGAUJH-PENPL5-2VDDDP-CEAEE6-QJ6D37-WHTV7E JW5MRG-6W54PT-CGVNL6-YZLGCV-UIP6V3-STKOYS-KQRVR2-VZWNML HWW2CP-3KHEVJ-ZCGPW4-BJY5MH-G5BUY6-KVY36F-KY5FST-TGVPWX Follow the instructions on the server. The list of your encrypted files: File Path (HTML table of encrypted file names and directories; truncated in the report)
Extracted

Path

C:\ProgramData\zlwdkgg.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://65y3g34c4zk3xkh2.onion.cab or http://65y3g34c4zk3xkh2.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://65y3g34c4zk3xkh2.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: File Path
URLs

http://65y3g34c4zk3xkh2.onion.cab

http://65y3g34c4zk3xkh2.tor2web.org

http://65y3g34c4zk3xkh2.onion

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:1220
    • C:\Users\Admin\AppData\Local\Temp\250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe
      "C:\Users\Admin\AppData\Local\Temp\250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:960
      • C:\Users\Admin\AppData\Local\Temp\250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe
        "C:\Users\Admin\AppData\Local\Temp\250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1376
        • C:\Users\Admin\AppData\Local\Temp\250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe
          "C:\Users\Admin\AppData\Local\Temp\250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1904
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:600
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
        PID:828
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
        2⤵
          PID:752
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {6507ABD5-57C0-41DE-A45E-BC736315DD6A} S-1-5-18:NT AUTHORITY\System:Service:
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1692
        • C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
          C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1404
          • C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
            C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:700
            • C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
              C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1724
              • C:\Windows\SysWOW64\vssadmin.exe
                vssadmin delete shadows all
                5⤵
                • Interacts with shadow copies
                PID:1208
              • C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
                "C:\Users\Admin\AppData\Local\Temp\pdfisga.exe" -u
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:628
                • C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
                  "C:\Users\Admin\AppData\Local\Temp\pdfisga.exe" -u
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:1584
                  • C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
                    "C:\Users\Admin\AppData\Local\Temp\pdfisga.exe" -u
                    7⤵
                    • Executes dropped EXE
                    • Checks computer location settings
                    • Drops file in System32 directory
                    • Modifies Internet Explorer settings
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of SetWindowsHookEx
                    PID:560

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Defense Evasion
        • File Deletion (2) T1107
        • Modify Registry (2) T1112

      Discovery
        • Query Registry (1) T1012
        • System Information Discovery (2) T1082

      Impact
        • Inhibit System Recovery (2) T1490
        • Defacement (1) T1491

      Downloads

      • C:\ProgramData\Microsoft Help\xptppml
        Filesize

        654B

        MD5

        44350d7c4133a3bd6184b8dc15294d9f

        SHA1

        0953aa71844ac3d37c619c1e8fb7ad0ca91a36ce

        SHA256

        4f4d0402be8ba7a3f72cb93dc54a4e283ead390929f6d9ce342724cb20cb13d5

        SHA512

        62aca8bd3ce24a53cf8d7fe406072b6c7ba55c6e713b1e307c6fe51ca8f98763594610c4fc154bdb60f3fe534815399ebb30d5cc2aaf7bccc9d5124bcdd6ec8b

      • C:\ProgramData\Microsoft Help\xptppml
        Filesize

        654B

        MD5

        6102ee41cf560b0df699e3e36e74fd6b

        SHA1

        5ed750abbda811bae02c10d0a64f5520ae431868

        SHA256

        9b692a6a0372f497c71c70e6743153ec5fca8fbfbdebb96cdc9e009ee060ea03

        SHA512

        e67bddf30fdbf160bc9dee76ebb1438e6b0dc1a25ceae4a63a6cd2b27624f3b57557a3715fb9571dd314e6a0a8d024f50af783b0d7e0441c17481a083dcb943e

      • C:\ProgramData\Microsoft Help\xptppml
        Filesize

        654B

        MD5

        ef283492055b476911ace10e952615e3

        SHA1

        6c4cbd7ae5f73a8e131ecd47756909b4c53ee723

        SHA256

        bb7d9b7c446a2e98ec90d749a54dc271a5e3ab0dc38815cd878e30a489517a21

        SHA512

        2d23ef818ef590a8d8f1786a19923fc2a530348b2529b250a37f9cfa0b51b96a9237a3e39fe0e870333dbca824d57fe142c0e308972b92e92e75a0c9510addd0

      • C:\ProgramData\zlwdkgg.html
        Filesize

        60KB

        MD5

        ca2fb3385bebe297ad319354ae1f5e13

        SHA1

        3a3d132e6d3065ec9c2fb4e3e433838ca51d7ff3

        SHA256

        f30dbb237d1ace818a2cb92ac55b3159d4bef2273e4dc49dfed8c855c38b8045

        SHA512

        554cc27e79db17485782e9269a47e091e9f33536f019026b7459ad4cc08619e4f8d11e9656035405a2a4a4cd53cb006c1b2abec96186f170b985239bd09f6e8a

      • C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
        Filesize

        1009KB

        MD5

        63280dedabfe7caec283920f1b5ee3dd

        SHA1

        5efc119e54f35770a9dae6997b550982c82cc86b

        SHA256

        250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743

        SHA512

        45e0108743f5922352980565df9f24ac1bddf8b15aca4e00a58affd8bc9136eee5144fa53fa91c2a76cd0bdbbc366b41f9b9d978da88328ef7c91ff55c6a9983

      • memory/560-151-0x00000000004054BA-mapping.dmp
      • memory/600-120-0x000007FEFC011000-0x000007FEFC013000-memory.dmp
        Filesize

        8KB

      • memory/600-117-0x0000000000460000-0x00000000004C9000-memory.dmp
        Filesize

        420KB

      • memory/600-115-0x0000000000460000-0x00000000004C9000-memory.dmp
        Filesize

        420KB

      • memory/628-127-0x0000000000000000-mapping.dmp
      • memory/700-99-0x0000000000402A02-mapping.dmp
      • memory/700-114-0x0000000000400000-0x0000000001215000-memory.dmp
        Filesize

        14.1MB

      • memory/752-159-0x0000000000000000-mapping.dmp
      • memory/828-119-0x0000000000000000-mapping.dmp
      • memory/960-54-0x00000000757A1000-0x00000000757A3000-memory.dmp
        Filesize

        8KB

      • memory/1208-126-0x0000000000000000-mapping.dmp
      • memory/1376-64-0x0000000000400000-0x0000000001215000-memory.dmp
        Filesize

        14.1MB

      • memory/1376-56-0x0000000000400000-0x0000000001215000-memory.dmp
        Filesize

        14.1MB

      • memory/1376-58-0x0000000000400000-0x0000000001215000-memory.dmp
        Filesize

        14.1MB

      • memory/1376-60-0x0000000000400000-0x0000000001215000-memory.dmp
        Filesize

        14.1MB

      • memory/1376-79-0x0000000000400000-0x0000000001215000-memory.dmp
        Filesize

        14.1MB

      • memory/1376-62-0x0000000000400000-0x0000000001215000-memory.dmp
        Filesize

        14.1MB

      • memory/1376-66-0x0000000000400000-0x0000000001215000-memory.dmp
        Filesize

        14.1MB

      • memory/1376-81-0x00000000003B0000-0x00000000003E4000-memory.dmp
        Filesize

        208KB

      • memory/1376-55-0x0000000000400000-0x0000000001215000-memory.dmp
        Filesize

        14.1MB

      • memory/1376-70-0x0000000000400000-0x0000000001215000-memory.dmp
        Filesize

        14.1MB

      • memory/1376-67-0x0000000000402A02-mapping.dmp
      • memory/1404-84-0x0000000000000000-mapping.dmp
      • memory/1584-142-0x0000000000402A02-mapping.dmp
      • memory/1584-157-0x0000000000400000-0x0000000001215000-memory.dmp
        Filesize

        14.1MB

      • memory/1724-113-0x00000000005E0000-0x00000000006E9000-memory.dmp
        Filesize

        1.0MB

      • memory/1724-108-0x00000000004054BA-mapping.dmp
      • memory/1904-71-0x0000000000400000-0x0000000000423000-memory.dmp
        Filesize

        140KB

      • memory/1904-72-0x0000000000400000-0x0000000000423000-memory.dmp
        Filesize

        140KB

      • memory/1904-75-0x00000000004054BA-mapping.dmp
      • memory/1904-74-0x0000000000400000-0x0000000000423000-memory.dmp
        Filesize

        140KB

      • memory/1904-77-0x0000000000220000-0x00000000002F8000-memory.dmp
        Filesize

        864KB

      • memory/1904-80-0x0000000000400000-0x0000000000422E00-memory.dmp
        Filesize

        139KB

      • memory/1904-82-0x0000000000430000-0x0000000000539000-memory.dmp
        Filesize

        1.0MB