Analysis
-
max time kernel
957s -
max time network
962s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
29-11-2022 15:43
General
-
Target
trig_e7c9ec3048d3ea5b16dce3.exe
-
Size
1.1MB
-
MD5
2de26af68d2d6d73dae987eb2cdedd6e
-
SHA1
34d7fdb906b79f2912598378359668c57e65bb5d
-
SHA256
e7c9ec3048d3ea5b16dce31ec01fd0f1a965f5ae1cbc1276d35e224831d307fc
-
SHA512
e85e9c998042e1292312450ef44a9b913b8a67e1ee329fa1dbafc588b6cf1f6aa796fe694b6ae856d5b1c96c65fed71cf8ddee674c6ea49716f9788babc8fc57
-
SSDEEP
24576:kYj5E9T+xHeQhNmYOnW8FQrbID+u9v8zKLU:t5E9LQvRrtSvCUU
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\appdata\local\temp\how_to_decrypt.hta
Ransom Note
--START_OF_DATA-- 40434C41444944413033383044414237393636314537464133464431383136383346303432324234313934324539353745393936443533363630463732433543344230343135460000001641463532443238312D454639312D3346344445464243000006F2000002002D24C698F3AF7328DBA01EED619A97C32C463575EEA85A59BC3D28E95E2405B592A1C15E0F72B1702B290E21757CD3886FC78A9E0ADA091D2D1A81CB0CC30B7D13703FEB9F73DDBEB602888CE4592B3A55C5DCBA2EAA2FD4C5E1CF1574BA1E15F3E69AA59263176DBA2C6EB45877F55B6DEA9EB2E7567A1B03C49A4637EC02D362D0E9769E6B8D1842B9A1FF35FA4AEA629A0287F216A45FEE6E287200102A1DE8B952BB1D0A956BF9776AB93994886C11B0F6CF174CA301B25111E7578A9B3CC04E082CE53A12C26CE7681D2B5A1881F79C85D95FEDD28469089AE0D3B6B579F2FD489C29E0462AFBBB22EEA94638ABBB759BC6C1D01F6A5DFAF8FDE1098D1CFC380F493504A6D1BF2D8E255BF46A21E4F912D94442C8C9141EF7FB2AC8A0B350CD0965105A8FDF7818FF98D8BF5E9D737C090707EB09B21550FD15823501A6A0BF632DE70E04F639F03D0735A372455E6664824CCD3422D14B829CF7D1286AC8D7A826B40D31591131ED3C54AAC781045668A7CA995998DC961FAEDCA2B91B918E036017A554C8211A246D4A9E22C98BFD5B0DFCB3251A3B2C4F73E75A5084D9F399181A25EEA77F17383FD39CC298F54672F53CBDDCFEB6B43181518904FD4BAC67266E646D72AAD9F550BCF25B7C8E01FECF37A3010EC8E7D662512AEEF8E9D6CC1792135BE5CEABBC0EF4E9C7230F732EA6D2B8D0821C58C46ECF9174C5000004EA9468940B033B60FB2C963401028FBBDDA137B15EE21361FCD12E73B9ADC9476AB6B0ACC4AFF544D9C7D60F3950D340B54F4D79A202F374E058FABF452284DE81A700388FCC1BC901DF928746ED226AD8C4684BDCFC6838EA28281A8F7250BA6DD6AA962C6B891D7EF37AEF427895C886F62A1C1D60924D6D1123CCB06C3733DC2909024B5458EB4F84595E37C3CF7590C815E52039CFF17DEC8CEE2E357C02117602FDDE21BAC671FB00F7E2142CC536F0290F1B02B174A151AE9B9235F5C8D0A407DA937143898A865C2A2BD9943C3D2DD835A18672D079E0ACFC607B10B798CACE52DAE6CC1B0B30311812CA2CF7C4D1E31ECF5464DB69D5F46213BB0CC0EB0934B5B5FF91141A21CFE763861A102C16FEF238EE8102409C7A59933E9CF4B060F7913BD6E8350E9F0909CAFFB8F962B04EB135AB72661E13D05549A547C22DCCB2B68B06F4F924DB07A0875F487D2699C3E8DDB4BB3EDE5DD3F923536D40036D6B440F0F8830AE816FE64EA07F5DBA5D7B1E92510DE14B87F095870FA41DDF39A60D7799621660A65463C602B01346D42ED97FC39E297F729777B896E4BE2A28199CF885B2A345B9893001B6226860CB4E347C06C67F1A2AB8C1E8C98ACF036FD12EDF7F01BCE16582CC52F606ABA7681C7C6DECE9F087778F987B18AF53F792F507E43F2F4FEE300805128BEE2A23BE6401ABF1D8839637C4BD454537AA86CDFEBF37725D2E203AB1D702D3A8491F61D2085D9723EEEBA362BD705AB8260AD08A786003BB97182EB7EEC6F693CE9843C7ABE06F1EFB72BFDA1B98CF5202FEB13D90BDB281E1A19469D8A48D49640E0E182733EDC5861237DE2E236ADBC69D5171EC5DCF2F2A2B7A31D49ABE574B2BC75DCB70F017EB0716ACC8D31CBA113651548735304050910BFEAE750879A6B4F04D0698ECE5307C1215FB2C153F292B3779C6AD0B30E5B9D9122467E4CFA1788AB43D367ACFDFD755B92FC757F39D6226F91ACE1978FB7B872DBAD57FFE10D5B6B49A6BD72CE3067B2E4CE85AD75D7C0AF84FD9B40644EC614DF974302789705CFEB9AF9D4C695606E50273F27EDEA530CA4F83649276A15DE537AD7D6AC8B62728809CB663C216C8487D91234952C03EDB09897266EC602372C5918D01ADEB7078E9AC47DD826FD34638739627575FCC2848A59A2CB71C16E517319ABDD68250BC98CD18EE42CC2776369D930A8D0005DFDC86B91D4A4FB25E5F72B11C1ED5D0769A15D3F354099EA5E63CF3AA3DAEC86E501030057BA0FE7AEE20E159A98E6A3F80759089FB910167C81A8D36AC191B56DF2BB8246542205D9D4E492554FB21208C15568BCEE30784B8CECE02B96243E1BFA08F8BE31B8E211F3FEDD3E54F70241897747E8B39612C39EAFE4291E4951D6D397AF79A74934F0D7D627D7568A9996821357051FCFDC1B691529BEBCE245781C78201989290F83F0FD6FD8197C77DE00D3F0F4ADD1789C20E07D66C42595FCBFB422D504CCD2E09449766D89BEF0FF346B1B9EFF48D7297A666EC7BEB6AEB0920C3B5759620DFC02A1DBCB1B9600D3D3EC37D429CB03E0D54DE0F40194B734EC8CB146881CF62B4F1E46A63B5831CD1CF455F202FEB901C5E4CC4A456AC81A9E4093ADF03B32ED8EE73340B821AB26472CD1286D13BB3BFD96AB2C8D18745955990897091059A8E9D76E7D6389353EFD36029671452CCB56F7AAF9C1BE74C3BD654FF301585726FE49D3184E6E4EB2C496E479FDFC2A0B863E4BF46BB6A7BAD073336B188ED1C06783C440B130B9E29330AACBF1D4DB2EDF81DC6EE4A4AA1BFF227481B68E2853BCD71BF86F31F545BDB644142959CD47CD9FB58F35CB215AAC6D24EBC5D8307AA2ACF3070DCA6E803184163B9209867D09C96294B700AC366424270E4F21A013B943112D92FA811FCCD269090A08B65120CE5915C98341D14532EF81520F47B0190888A3F9E0000008633373030374446353636444339414545423633364136353435443133393430319BBA997F047C0AA4E81CB873DCC8012FFCC108F49AB9FB6C17836D77ABE069C84645353842333546423836334145323036424433464238304333393546313637 --END_OF_DATA--
the entire network is encrypted
your business is losing money
▲
All documents, databases, backups and other critical data were encrypted and leaked
▲
The program uses a secure AES algorithm, which makes decryption impossible without contacting us
▲
If you refuse to negotiate, the data will be auctioned off
To recover your data, please follow the instructions
1
Download Tor Browser Download
2
Open decryption page Copy
3
Auth using this key Copy
The price depends on how soon you will contact us Need help?
●
Don't doubt
You can decrypt 3 files for free as a guarantee
●
Don't waste time
Decryption price increases every hour
●
Don't contact resellers
They resell our services at a premium
●
Don't recover files
Additional recovery software will damage your data
var authkey = '';
var email = 'phandaledr@onionmail.org';
var url = 'http://3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion/';
var vid = 'UNITED_ELECTRIC_SUPPLY';
var cid = 'AF52D281-EF91-3F4DEFBC';
var uniqueid;
function Start() {
window.resizeTo(658,500);
if (vid == '') {
uniqueid = cid;
} else {
uniqueid = vid;
}
}
function copytext(s) {
window.clipboardData.setData("Text", s);
alert('Auth Key copied to clipboard');
};
function openpage(url) {
window.clipboardData.setData("Text", url);
alert('URL copied to buffer. Open it in TOR Browser');
}
function help() {
window.clipboardData.setData("Text", uniqueid);
alert('If you have trouble with the main contacts, write to '+email+'. Your ID copied to buffer');
}
function document.onkeydown() {
var alt = window.event.altKey;
if (event.keyCode == 116 || event.keyCode == 27 || alt && event.keyCode == 115) {
event.keyCode = 0;
event.cancelBubble = true;
return false;
}
}
Start();
var authkey = '';
var email = 'phandaledr@onionmail.org';
var url = 'http://3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion/';
var vid = 'UNITED_ELECTRIC_SUPPLY';
var cid = 'AF52D281-EF91-3F4DEFBC';
var uniqueid;
function Start() {
window.resizeTo(658,500);
if (vid == '') {
uniqueid = cid;
} else {
uniqueid = vid;
}
}
function copytext(s) {
window.clipboardData.setData("Text", s);
alert('Auth Key copied to clipboard');
};
function openpage(url) {
window.clipboardData.setData("Text", url);
alert('URL copied to buffer. Open it in TOR Browser');
}
function help() {
window.clipboardData.setData("Text", uniqueid);
alert('If you have trouble with the main contacts, write to '+email+'. Your ID copied to buffer');
}
function document.onkeydown() {
var alt = window.event.altKey;
if (event.keyCode == 116 || event.keyCode == 27 || alt && event.keyCode == 115) {
event.keyCode = 0;
event.cancelBubble = true;
return false;
}
}
Start();
Emails
phandaledr@onionmail.org
URLs
http://3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion/
Signatures
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\trig_e7c9ec3048d3ea5b16dce3.exe"C:\Users\Admin\AppData\Local\Temp\trig_e7c9ec3048d3ea5b16dce3.exe"1⤵
- Modifies extensions of user files
- Checks computer location settings
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\appdata\local\temp\how_to_decrypt.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\appdata\local\temp\how_to_decrypt.htaFilesize
12KB
MD529133ad0bfbad7f15ccd5575914a24be
SHA16900fe95449cf08feeb4ffa96c1754bdaa2213cb
SHA2564cd1acbac658d8e7a09603f86eb9c65df619c7b79d4c3472ee717b8ac0e2b1d3
SHA512d14a09bf880c9435994e1ec64857bf827672a0ad8f5e96a03358207f3f2e6f611d2fff47cfb571d00cb2d50b837d842ca471200f1300f344f0fa52dc5f979428
-
memory/10784-132-0x0000000000000000-mapping.dmp