1c711ca465dace4d2a8d0542e75410c417375c4ee484294fcd959e99651fccb8

General

Target

1c711ca465.dll
Size

1.9MB
MD5

77e3dec014ebb323d0ea3a3a55845c03
SHA1

65c0b00878211d9651624dba2a26289cb7af0888
SHA256

1c711ca465dace4d2a8d0542e75410c417375c4ee484294fcd959e99651fccb8
SHA512

c88b58c8c51a3b18f6db00d941f0de8563c41c3a4223355070544b44f5d2b2bf25537fc8c89abd9873b8980a2be833462cf963e03938eb83aed42ea1e858c109
SSDEEP

49152:GDnp+vZaxa1ara1agzT78n+QuUPXA8ZGy3MuxqDQwQ0UbgOW4fjd0J4HInL4UKNb:GDnC0XA161Ke

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\instructions_read_me.txt

Ransom Note

ATTENTION! Your network has been breached and all data was encrypted. Please contact us at: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: b3755e21-718d-4a53-a71f-ce2cf26b0e02 *!* To access .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) *!* To restore all your PCs and get your network working again, follow these instructions: - Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency. Please follow these simple rules to avoid data corruption: - Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. Waiting you in a chat.

URLs

https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/

Signatures

Drops file in Program Files directory 55 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\bod_r.TTF	rundll32.exe
File opened for modification	C:\Program Files\ConfirmSwitch.png	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	rundll32.exe
File opened for modification	C:\Program Files\JoinCheckpoint.raw	rundll32.exe
File created	C:\Program Files\DVD Maker\instructions_read_me.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	rundll32.exe
File opened for modification	C:\Program Files\ApproveNew.au	rundll32.exe
File opened for modification	C:\Program Files\ClearCompare.vdx	rundll32.exe
File opened for modification	C:\Program Files\PublishCompare.vstx	rundll32.exe
File opened for modification	C:\Program Files\SwitchSuspend.ttf	rundll32.exe
File opened for modification	C:\Program Files\RegisterAdd.contact	rundll32.exe
File opened for modification	C:\Program Files\SelectApprove.vsx	rundll32.exe
File opened for modification	C:\Program Files\SelectRevoke.jpeg	rundll32.exe
File opened for modification	C:\Program Files\SetSuspend.crw	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	rundll32.exe
File opened for modification	C:\Program Files\GroupInitialize.vsx	rundll32.exe
File opened for modification	C:\Program Files\RestoreUninstall.js	rundll32.exe
File opened for modification	C:\Program Files\SkipInstall.mp2	rundll32.exe
File opened for modification	C:\Program Files\UndoUnpublish.mpg	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	rundll32.exe
File created	C:\Program Files\instructions_read_me.txt	rundll32.exe
File opened for modification	C:\Program Files\ApproveConnect.gif	rundll32.exe
File opened for modification	C:\Program Files\RestoreEdit.M2V	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	rundll32.exe
File opened for modification	C:\Program Files\ConfirmOut.xltm	rundll32.exe
File opened for modification	C:\Program Files\StepExit.vbe	rundll32.exe
File opened for modification	C:\Program Files\DisableRepair.xps	rundll32.exe
File opened for modification	C:\Program Files\RedoPing.zip	rundll32.exe
File opened for modification	C:\Program Files\MoveRepair.jpe	rundll32.exe
File created	C:\Program Files (x86)\instructions_read_me.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	rundll32.exe
File opened for modification	C:\Program Files\InvokeBackup.ttf	rundll32.exe
File opened for modification	C:\Program Files\SuspendEnter.dwfx	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	rundll32.exe
File opened for modification	C:\Program Files\DVD Maker\directshowtap.ax	rundll32.exe
File created	C:\Program Files\Google\instructions_read_me.txt	rundll32.exe
File opened for modification	C:\Program Files\SplitRename.tif	rundll32.exe
File opened for modification	C:\Program Files\CopyTest.ini	rundll32.exe
File opened for modification	C:\Program Files\RenameMerge.xlsx	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	rundll32.exe
File opened for modification	C:\Program Files\DVD Maker\audiodepthconverter.ax	rundll32.exe
File opened for modification	C:\Program Files\CompressClear.rar	rundll32.exe
File opened for modification	C:\Program Files\TestDeny.mhtml	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	rundll32.exe
File created	C:\Program Files\7-Zip\instructions_read_me.txt	rundll32.exe
File opened for modification	C:\Program Files\GrantHide.clr	rundll32.exe
File created	C:\Program Files\Common Files\instructions_read_me.txt	rundll32.exe
File opened for modification	C:\Program Files\UnprotectPush.emf	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	rundll32.exe
File created	C:\Program Files\Internet Explorer\instructions_read_me.txt	rundll32.exe
File opened for modification	C:\Program Files\PublishBlock.xltm	rundll32.exe

Modifies registry class 3 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7raiawg89\DefaultIcon	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7raiawg89	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.7raiawg89\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico"	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c711ca465.dll,#1
1⤵
- Drops file in Program Files directory
- Modifies registry class
PID:112

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\instructions_read_me.txt
Filesize
1KB

MD5
0d52501b4dca47e2f0d4507a8814694c

SHA1
41fde8d323ead7f5507f4c15dfb11133387196ef

SHA256
729562c350ab7780794b13fc00506bea1928f294eadf78145264d1c5b3180368

SHA512
c694c1a35a1d001cd01eab0b0df10dd21e1bb4b96a9a42c87f157623bb296b5eaecafdbb5f6d90e6bde594d076793276f53ad9eb27606af68e2df5e4d71c427e

Download Submit
memory/112-54-0x0000000180000000-0x0000000180108000-memory.dmp

Filesize
1.0MB

Download
memory/112-56-0x0000000180000000-0x0000000180108000-memory.dmp

Filesize
1.0MB

Download
memory/112-64-0x0000000180000000-0x0000000180108000-memory.dmp

Filesize
1.0MB

Download
memory/112-114-0x0000000002D80000-0x0000000002E88000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing