Resubmissions

21-01-2024 14:52

240121-r8syqaeac7 10

21-01-2024 14:51

240121-r8k8waeac5 10

01-01-2024 13:55

240101-q776kscacp 10

General

  • Target

    Cat Research 2023-07-15.zip

  • Size

    4.5MB

  • Sample

    240121-r8k8waeac5

  • MD5

    e56e18b0de08e733d57e92e6d033bf17

  • SHA1

    0e8d037a03a1855b3614174ba7e1a98424314449

  • SHA256

    ee65e9d7a7bc9d17e894e0b775fc0bbfb35e72c65c3d768e34bfe059d521cc16

  • SHA512

    ea9ed41545b843b89d5638c59448d53cf0e20298f2fa09989898ba1771626ce71d1661782980c6a826c2eabe0bb55145df09f5ae87a412474992d7013257c15d

  • SSDEEP

    98304:vampW+t8jmbIlfnE3+2mNntZaXItRbFLbf7jLxPbM0biQaMYQ/j/:vampW+6jmOlbNm4tRFLjLxjpso7

Malware Config

Extracted

Path

F:\How_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">QBScQmwPoOK/FKgrNAUoWgQlGJTfw9fduWHloO/h82FjBRY3pAq297UcasRU7p5CIJSJlya5OBVPZhfXwb7bFJHrUIb+4MeEvGsobJ5YyLJrv1BRcx0xiTZENdxCxgezsoMMno2KAfpauDKhOFQd1PGY7e5Bs1lqHUD36gN73OuFV9tmNZhjfVztSE1okdx9j9THHvBepPzQNbN83S6E6kxgYoqOs7aRQg2ggnyXBUMx0eAL67llYxwJNx0YWkgpm8RnSlXWm2bROWt/+/SYRq++farlx33/Y6K5bMhU6qzMQz5Yc26XgxlSmvIh386GsiO0WMTJP/BQ+9+IyNkLeS9F60SFct7HWG23y5BOP7ZjXO6ALLQgPRecNKg0rIqve4pc7O7hlHSJkGhCPHWVjxGDxy8K0WsQQnbnTngQdZ8WRTsearcbRPm+FO43PFCiuxv9HilJEjX+jEq4t+/F+EzfNYK1r1zFm0wCS61Xg8SKppiTCpw4VoMFwdgo5V92XCIDXjxsINZl9XJZ7ClpAr3g8/4gnGSWyxHpk6qHIqKTdSoHvQkVOFy43AEoAeeFLY5hKjepUU6eYePUflib50ynxwQbO5xVX5U+6lp9K3jv0KVW6+2vz9B2eGztkFu+lJUjehlA77zKCWeO8fuiCPeJZbZ4w3yslftPGCXTEGUOjkMeJCYxMhOHxLt9n62fEPM4qtxPdn4P9c9ma9XFnbSwXzUfoOdJMKrToW0b7Lhvt0WwHh+xckdNeknpDftTYhu9PuTrr0wsUPMj+sJ5Y5BTQ4Hj6bBir9r3LLO3/VMbRNWswkHRJl9BIfPHOi7n1Os1pu2lgIoyqjw18xmIDxSodjRo2s0klxNVByfkDclJGJsSND34s2T5oDBwBTw82fgJY4W8JcyMYTcDprkCR/Vmijf/YzISRhdr+wKngLCGdCCf6+uqkAmHxrmvFvw8hXACUuNlrBbYfXFUTzOFWYVmlwWWZTGHtx1uFfPU6OuKgcQ4QJaSfgmHSkk50W2oxTlXvQXchkXW/IgJNt4HgHS4Z+cgjU9ac7U6wGk7FUWi2Bg2U2ljX1M2omHo57VE2nKfKhMJtyrqXTqAKaDGDlE4jvNc4EPFgZ3Tm7sH1/QPN8uQ/Tb8PaPFHLx4n7EX5t/YNmBaePyBvqpq25WI3yqnPGRizJCpRG4WJK9q8hc3UU+fhzXZAJvcEKsW+SE5qi2IiS6B0rskwtNxUoe6h3B0AelTZzMJ2+6dbhkXST/YduHyrgIpErA5o83fwtvQk53idxQ/a+zZsd0rZ4yiWQki1gT/RJ2qsByvCEg952lIMqbYvyzBjArLIc2EGOZ4UJmH5xav1pbFZPh/Bb7zLbmaznS9vfiC2HSvldjHhB8CSq/aRPikjexC9cBBMSbCHkNPzo2bEk5kdxNndcWeua8Y1SQwmdm5hN0AeM0w50DDYmJmbaWtxzQdNJLziL3rrWWFmsXJHpTqrBesa0p8kxIJ9jRQasXi8VuuuYqMUUEjy4D2up1PEO4pk57WzyzXqGYMaT0ngZ1oxIB4D+RAiezaFhnozD9w9GTRMaMs3t1v7xEPLy7pabpx9ZLm8b1hgO8xnFiz7cOhoRnAgexFFP+Qp/fFvOFrIJd4/AZLcj4/fSjHbk/CBeiovQkGPTi93YVOFMNoTBS7VM3BbXOP/C0hhf81WpW6i6P91G8eQLY=</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div> <!--tab--> <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Extracted

Path

C:\odt\How_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">dC2mgcXgpEPIw5IKcY7vnxx+e5za/Ka1O3uE5isFVzLQWBniInp+rv+Y4DoevTzKAvlQ3uNBj2/DJ1iL+hZxtamL6ArgPGoKpRq8heztciPoL3uQNW4gOAxKQCsZjW0kvm/rfK+scEMeKwmvh/8PVBw3e3G9idht43n344BBFKJLvpGm0dSxgg4zfydB+TNgahR579xg29ivfOFmwi2ntnoP2Ugb4QViutEDPanfM1STmsAxP+Z7NrqEalekxNxnobf3fIgxrKcMngVv7nP3WlWCGu1sMv+f8OqUIEMVoomdQPYjul1sDurdOjODrErDYsdQ004rBhRmfl0fc5omkK5HF2DKyoWDGcbOrNBU/VDkhsTwRtutnv0GE6fxY6WGqhJhZ6vXiqTZ/mRCDtTBAVEWjghzjwyFz158b/XroOs1l4m0twjGqYVFpw1S0slLh3MAVjSMYKN82NXyeAFXb330Sq1GgUQzoy+cD6hCSYnPOxdmiNEFpAK/6qSAeO+xkc8lXCwUVE1y+e27ugL4+YaI7TilnNmZgRmUhAN6vASVO8DdwyyK6mzOEqM9IsAupOi7QgMjhGXhCXJ5HqpFdQYJhcDcjx5wab+nkfl223tE13j4d1xTdcYw1fJP0N+Ig8vGIT/iba6DtI5soGaE/0A/tdvrnTsU/huZGCeAMIRk3n2RDO3Y0tC9d1N/5xLELBCTMPkYTtZ7fBCx1dTJPrHnw0bo2KkiqqiamCttTlRq7uXuWc7r19sp75cP7ki8csD3fqb0uB9orzdSu2aP1A4IvzOmtVTQnD90EELHTPrvXLkI71FoXT8s547fgMGGVnU5taRgV3EQqpf3cXHKw2tKC5aUDzIeVvBxVXSy4ZXIEx6TioCtS8mDjcouAlnnMxbFys/ESneQcMSqAgQPm6pRpO+PNBp7Wg0kfSVA6PO2liSEzLOlIvuRO/irVoRS+yLmEpcxHhSVjDFVUYRG+ZbqEQaw6z/fWPNFtLz0eZ/c9hrONaPEvRPzW0+j/Ic/lKcHWEg7YDG0hniF4UIzlfLQVUXMOBzTpGI3/h5xebB1F3xFfmO/BpVo+O1WNfYV+DcmZefrtFmIQSUUqSgJn5zI0r4krXtJVp+yKnserb4QIy0IDaiDAceJkCNE0BbFZwd4iFgJ/vOjUjxVEIHcy/jo1Blsr8iuqqZuYJtAYespDwLmkmwW267QAmvAM5C7Hn9Rfvc4vjwPraU9R7lEIiPQbgqY17JSBftVJxeZ2Agxxqc5ZgqjlVkoESbEPHVMpkvZ5+fRYz16oroKTSJ6PgRfre5xNB8ZtRQQiCn0LhoimoFP33rT6ByuT/0Z2+av5yreyDzzMC+U1IXV7osG3Mfj/x6UMo5gFduhB2+9icDtUVEJAzTi3LIC3kpZPPrYpx0XE2G1Ex6S2PygcGJdEP4C95hY2Z+1i8PF4BOngacQ0UaEcVIf02oN3lFXmN3bov5yiier5MllSmyubTe9gScg9PQJI60UdmGKGpSw6AaUeGiqEq+cYI5AzPFyEDK82D1wn3w4XGwvWOK24dUIBlJj3A9Sgy5j01897myc1Ycdkpv3aYoyWv/cS9zF0MDf5Z1oYzjeq+0ZV97cKEJfq0+gZvXQdqc8ZCIMjYjX7nsbsdFyQB0IdY1DMbOPIdhGym160c1wiTG9SDcFr1HaAj0FGKm0LzlEM+yl2u1LQvQ=</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div> <!--tab--> <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3470981204-343661084-3367201002-1000\readme.txt

Ransom Note
Dear user! Your computer is encrypted! We demand a ransom! Decryption service is paid !!!! PAYMENT FOR BITCOIN !!! To decrypt your computer, you need to download the TOR browser at https://www.torproject.org/download/ Install it and visit our website for further action http://paymen45oxzpnouz.onion/5e1a7c2620 Also from your servers files, documents, databases SQL, PDF were uploaded to our cloud storage After we agree, you will receive a decryption program, valuable advice in order not to fall into this situation in the future, as well as all your files on our server will be deleted. Otherwise, they will fall into the open access of the Internet! Use any third party software for restoring your data or antivirus solutions will result in a loose of data. Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.
URLs

http://paymen45oxzpnouz.onion/5e1a7c2620

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-768304381-2824894965-3840216961-1000\readme.txt

Ransom Note
Dear user! Your computer is encrypted! We demand a ransom! Decryption service is paid !!!! PAYMENT FOR BITCOIN !!! To decrypt your computer, you need to download the TOR browser at https://www.torproject.org/download/ Install it and visit our website for further action http://paymen45oxzpnouz.onion/e862abe0e5 Also from your servers files, documents, databases SQL, PDF were uploaded to our cloud storage After we agree, you will receive a decryption program, valuable advice in order not to fall into this situation in the future, as well as all your files on our server will be deleted. Otherwise, they will fall into the open access of the Internet! Use any third party software for restoring your data or antivirus solutions will result in a loose of data. Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.
URLs

http://paymen45oxzpnouz.onion/e862abe0e5

Extracted

Path

C:\Users\Admin\Favorites\Links\How To Recover Encrypted Files.hta

Ransom Note
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta charset="windows-1251"> <title>HOW TO DECRYPT YOUR FILES</title> <HTA:APPLICATION ICON="mstsc.exe" SINGLEINSTANCE="yes"> <script language="JScript"> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type="text/css"> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background-color: #C1AB8F; } .bold { font-weight: bold; } .xx { border: 1px dashed #000; background: #E3D5F1; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head> <body> <div class="header">Your files are encrypted!</div> <div class="note private"> <div class="title">Your personal ID</div> <pre>0464082779798136411479309542052524174893666661907358417471918683091328270612838147526563650972351865 5805223247251380797941405274100563297737972541913576462136985378979428502964515593623296402131813928 8224763847760413987109110345387071561530524315489866935377406835102644254115613598432178869194766373 3007719736148127729642589559628730370409696189071389660945231364484481069885086942285017209976572250 0313458152022812206193641620466296106040970047886316806229760103319566806388028405259531751280647985 2510667838843252692887510420716149039429130255565783860790313399087445519923830747458571147028009432 747614966929296479</pre><!-- !!! ������ �� ������ !!! --> </div> <div class="bold"> <div align="left">All your important data has been encrypted.</div> </div> <div class="bold">To recover data you need decryptor.</div> <div> <h2 align="center">To get the decryptor you should:</h2> <h1 align="left">pay for decrypt:</h1> <div class="note xx"> <div align="left"> <h1>to send 1 bitcoin today (tomorrow 2 bitcoins) to bitcoin the address 1EQiMGLApzDdPYLWoDMyUo27q5ashMXdQ<br> </h1> </div> <div align="left"> <strong>Here are our recommendations:</strong> </div> <div align="left"> <ol> <li><strong>If you have no Bitcoin address register https://blockchain.info/wallet</strong></li> <li><strong>fill up your wallet some of the ways:</strong></li> <li><strong>Btcdirect.eu - Good service for Europe</strong></li> <li><strong>Bittylicious.com - Bitcoins through Visa / MC or through SEPA (��) transfer</strong></li> <li><strong>Localbitcoins.com - Here you can find people who want to sell Bitcoins directly (WU, in cash, SEPA, Paypal u.s.).</strong></li> <li><strong>Cex.io - buy bitcoins with Visa / Mastercard or Wire Transfer.</strong></li> <li><strong>Coincafe.com - Designed for quick and easy service. Payment methods: Western Union, Bank of America, cash by FedEx, Moneygram, as money transfer</strong></li> <li><strong>Bitstamp.net - well known and established Bitcoins seller</strong></li> <li><strong>Coinmama.com - Visa / Mastercard</strong></li> <li><strong>Btc-e.com - Bitcoins vendor (Visa / Mastercard, etc.)</strong></li> <li><strong>If you have not found any bitcoins in your region, try to find them here:</strong></li> <li><strong>Buybitcoinworldwide.com - International Bicoins Exchange Directory</strong></li> <li><strong>Bitcoin-net.com - Another directory of Bitcoins sellers</strong></li> <li><strong>Howtobuybitcoins.info - International Bicoins Exchange Directory</strong></li> <li><strong>Bittybot.co/eu - Directory for countries of the European Union</strong></li> <li><strong>write to Google how to buy Bitcoin in your country?</strong></li> </ol> </div> <div align="left"> <h1>mail support [email protected]<br> </h1> </div> <h1>After the payment: </h1> </div> <div><p>Send screenshot of payment to mail support <span class="mark">[email protected]</span>. In the letter include your personal ID (look at the beginning of this document).</p> </div> <div> <h1 align="center">After you will receive a decryptor and instructions</h1> </div> <div class="note alert"> <div class="title">Attention!</div> <ul><li>No Payment = No decryption</li> <li>You really get the decryptor after payment</li> <li>Do not attempt to remove the program or run the anti-virus tools</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul> </div> </body> </html>
Emails

[email protected]<br>

class="mark">[email protected]</span>

Extracted

Path

C:\Users\Admin\Downloads\How To Recover Encrypted Files.hta

Ransom Note
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta charset="windows-1251"> <title>HOW TO DECRYPT YOUR FILES</title> <HTA:APPLICATION ICON="mstsc.exe" SINGLEINSTANCE="yes"> <script language="JScript"> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type="text/css"> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background-color: #C1AB8F; } .bold { font-weight: bold; } .xx { border: 1px dashed #000; background: #E3D5F1; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head> <body> <div class="header">Your files are encrypted!</div> <div class="note private"> <div class="title">Your personal ID</div> <pre>1844076870514668776017842474950903777489498959942675600105599036382933668932192452096024613009095464 2466261120189731141233611625088917518398365784292949078367758260874399019813965767660487497973562431 1994501546703461863903048620536106534330332281879100670985593577628161794849531336369770327089959624 8654651948069375249231167314192739643087394790642885291487518273250424637997277623008948902355332068 4936485638282548442459029556139653365486911459516546842820716085986466138609741427507826543462290869 3817754704488471451031186755988555995876373501960328654106866073389567211860966730072818710940281073 587981364267220425</pre><!-- !!! ������ �� ������ !!! --> </div> <div class="bold"> <div align="left">All your important data has been encrypted.</div> </div> <div class="bold">To recover data you need decryptor.</div> <div> <h2 align="center">To get the decryptor you should:</h2> <h1 align="left">pay for decrypt:</h1> <div class="note xx"> <div align="left"> <h1>to send 1 bitcoin today (tomorrow 2 bitcoins) to bitcoin the address 1EQiMGLApzDdPYLWoDMyUo27q5ashMXdQ<br> </h1> </div> <div align="left"> <strong>Here are our recommendations:</strong> </div> <div align="left"> <ol> <li><strong>If you have no Bitcoin address register https://blockchain.info/wallet</strong></li> <li><strong>fill up your wallet some of the ways:</strong></li> <li><strong>Btcdirect.eu - Good service for Europe</strong></li> <li><strong>Bittylicious.com - Bitcoins through Visa / MC or through SEPA (��) transfer</strong></li> <li><strong>Localbitcoins.com - Here you can find people who want to sell Bitcoins directly (WU, in cash, SEPA, Paypal u.s.).</strong></li> <li><strong>Cex.io - buy bitcoins with Visa / Mastercard or Wire Transfer.</strong></li> <li><strong>Coincafe.com - Designed for quick and easy service. Payment methods: Western Union, Bank of America, cash by FedEx, Moneygram, as money transfer</strong></li> <li><strong>Bitstamp.net - well known and established Bitcoins seller</strong></li> <li><strong>Coinmama.com - Visa / Mastercard</strong></li> <li><strong>Btc-e.com - Bitcoins vendor (Visa / Mastercard, etc.)</strong></li> <li><strong>If you have not found any bitcoins in your region, try to find them here:</strong></li> <li><strong>Buybitcoinworldwide.com - International Bicoins Exchange Directory</strong></li> <li><strong>Bitcoin-net.com - Another directory of Bitcoins sellers</strong></li> <li><strong>Howtobuybitcoins.info - International Bicoins Exchange Directory</strong></li> <li><strong>Bittybot.co/eu - Directory for countries of the European Union</strong></li> <li><strong>write to Google how to buy Bitcoin in your country?</strong></li> </ol> </div> <div align="left"> <h1>mail support [email protected]<br> </h1> </div> <h1>After the payment: </h1> </div> <div><p>Send screenshot of payment to mail support <span class="mark">[email protected]</span>. In the letter include your personal ID (look at the beginning of this document).</p> </div> <div> <h1 align="center">After you will receive a decryptor and instructions</h1> </div> <div class="note alert"> <div class="title">Attention!</div> <ul><li>No Payment = No decryption</li> <li>You really get the decryptor after payment</li> <li>Do not attempt to remove the program or run the anti-virus tools</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul> </div> </body> </html>
Emails

[email protected]<br>

class="mark">[email protected]</span>

Extracted

Path

F:\$RECYCLE.BIN\readme.txt

Ransom Note
Dear user! Your computer is encrypted! We demand a ransom! Decryption service is paid !!!! PAYMENT FOR BITCOIN !!! To decrypt your computer, you need to download the TOR browser at https://www.torproject.org/download/ Install it and visit our website for further action http://paymen45oxzpnouz.onion/d128dec973 Also from your servers files, documents, databases SQL, PDF were uploaded to our cloud storage After we agree, you will receive a decryption program, valuable advice in order not to fall into this situation in the future, as well as all your files on our server will be deleted. Otherwise, they will fall into the open access of the Internet! Use any third party software for restoring your data or antivirus solutions will result in a loose of data. Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.
URLs

http://paymen45oxzpnouz.onion/d128dec973

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1168293393-3419776239-306423207-1000\readme.txt

Ransom Note
Dear user! Your computer is encrypted! We demand a ransom! Decryption service is paid !!!! PAYMENT FOR BITCOIN !!! To decrypt your computer, you need to download the TOR browser at https://www.torproject.org/download/ Install it and visit our website for further action http://paymen45oxzpnouz.onion/2fe680d14f Also from your servers files, documents, databases SQL, PDF were uploaded to our cloud storage After we agree, you will receive a decryption program, valuable advice in order not to fall into this situation in the future, as well as all your files on our server will be deleted. Otherwise, they will fall into the open access of the Internet! Use any third party software for restoring your data or antivirus solutions will result in a loose of data. Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.
URLs

http://paymen45oxzpnouz.onion/2fe680d14f

Targets

    • Target

      323389cde5a3059c6c6e5c6c711d11e434a577b11dc07a9aeb7f8e1fb661ecf3

    • Size

      1.4MB

    • MD5

      b0b732188bc83ee4ad3b5e5b7dd34a26

    • SHA1

      4c1e68eebda46ead2563192b137f42b7a976ed2b

    • SHA256

      323389cde5a3059c6c6e5c6c711d11e434a577b11dc07a9aeb7f8e1fb661ecf3

    • SHA512

      51f2328cdd77ff287814618c9cb617da0f2c2fa189f466a633adb80b10c1fe0b2eaddcb3dfb58df9344181294294485f4a7527c3e5dac5964f2054bf779746a4

    • SSDEEP

      24576:l8ku9/++Rod4z2JOtqKf6bvkbRbEAsk7fQl7z:mkGi4DdRbdEAwl7z

    Score
    1/10
    • Target

      365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7

    • Size

      450KB

    • MD5

      e70b33103c17c000ac11025d2d8e70a1

    • SHA1

      df898d9d0e8e6f2d4eb5d4742d4c206092cdcb34

    • SHA256

      365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7

    • SHA512

      632461a9c6bff4e013cf3e77a7262d1daaa8775156c61c70dab685ae59114b22d00a47a0214204f6c514c6be77ad5b0c371a889076072fdb1eaf574cb6d4c42c

    • SSDEEP

      12288:krYn2GbqdcOuAKi1kcwyEOywAx1gT+yFCv6oE4E:kcNbqdFtVkcwyEOix1GtFCv6F4E

    Score
    10/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (8391) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Target

      5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506

    • Size

      263KB

    • MD5

      111e7dd338f7a7db306c95e05797747f

    • SHA1

      aff72034cbbc21693425306ad42b1bb182582743

    • SHA256

      5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506

    • SHA512

      215ee93c5faf2af3a55cceed281b56aecb5990baf4ae508f02eb481c7c22081f05b73a2657279205ff5d4edfc63722ea1405a9e8cdf65939021c9f052ffb6fec

    • SSDEEP

      6144:jeHgRe/IfHES0cVZrDjuNywKGOCWVoYkNMbU:jeHgM4HxZG1KGjWVoVO

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d

    • Size

      477KB

    • MD5

      ebbb782bafaa3ab64a3e4b006a698fe0

    • SHA1

      2800cd4dd62ba63f38d0452bf80cb35b4359a3dd

    • SHA256

      59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d

    • SHA512

      cd6681d7987901eb27064c4a833052abccef60383f9b0e53360ae9e3e66a19d0d0405bdeb5a609c7d668aa8720eb49f5fc3f060920ec042ec6584eebfd9f09ae

    • SSDEEP

      6144:ko4FuDncVzUJOH5bpX3Q92J6fHgaEFx9BQOJvZTsMJfOg2lOMxPEiarVb0J0:kzuwVzUW5bN3Y6LmO13Gg2IMyxrt0u

    Score
    10/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (8414) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Drops desktop.ini file(s)

    • Target

      63fb410fc5267c61c5099927af714a8f5f4ba6dcdeeb1f297b022879767c7222

    • Size

      924KB

    • MD5

      ec9c3efe831aaa203058927df7de6138

    • SHA1

      b77581e047551a70aaba0db7a57349136bd9e411

    • SHA256

      63fb410fc5267c61c5099927af714a8f5f4ba6dcdeeb1f297b022879767c7222

    • SHA512

      0d5aedcebaa660f345c549b9ae07b4d18fc01b563907b378c1cd905029bb0c6f6849e0f03c7c4a724c3448eb9c693138265a0b0129a298af3aada9bb0f447d6a

    • SSDEEP

      12288:tZqu3sRwqpxGCMF3dera2ybCPWy5SqZWj+6GJZy82VS1ToBgdoByOHGae0r2ivr:B3yEoro2PEpUA

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Target

      9443472de461e9e7a9d7b7d89fa13815521db1ecebea5054643664953ee366e5

    • Size

      102KB

    • MD5

      9cea7a7505d2eff4b1109d0e70a52baf

    • SHA1

      455fab0bf9e5f3e27c232aea89904c929db0a92b

    • SHA256

      9443472de461e9e7a9d7b7d89fa13815521db1ecebea5054643664953ee366e5

    • SHA512

      681fd65cb210f215db206f165e3a86ecc83285e928eab6e1660e33ea182f8b3059e1e68f9377faf47d2ccddad4c1b0019a4252febfb91b90b6f070d2ca0c7764

    • SSDEEP

      1536:SeN+oVQkMaz9GRQl4g9FlpIm1QUnv2+qQl4g9FlpIm1i:hbVQkIg9FlCv3g9FlCJ

    Score
    1/10
    • Target

      97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d

    • Size

      333KB

    • MD5

      db88a1bd11ca3aab7a0890a10a10f45d

    • SHA1

      0e01e118613962e364b76869bcfb9d26cf0a6505

    • SHA256

      97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d

    • SHA512

      b6e374ea42e023d973baa2c8c3ce8c34a7c8ffa1aefd52f787eb51f980e1e1f8c2c6081d90cd0cf1b15166b86ed57dc2d7b9adde5021dd00cc629f8aae8df023

    • SSDEEP

      6144:YemY9cZrt2pF+M9htFl/1M0lpj9G/OaZE8ABInatk1:/9cm+M9vFl/1HrNInatk1

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (7544) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies Installed Components in the registry

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      a0f5def5aaaefa3ae538da9c643a5e381ea89cdee3e451ab1d0c52181d758593

    • Size

      41KB

    • MD5

      a06225459ff7b32f1408726f5d8007cf

    • SHA1

      db14f8b54194f41383a0a0b1f181020d93774268

    • SHA256

      a0f5def5aaaefa3ae538da9c643a5e381ea89cdee3e451ab1d0c52181d758593

    • SHA512

      0401e6423b359020161c26c9583d55007b00de451831e9523d752941d9815f63cd74f7cd649da4232070a2dbef2c9e584bf62a3d656532cdc2d32a06d8d305e5

    • SSDEEP

      768:lL+ntTLPgn6CI1uGukUcjI2Hp9xG6e7j6oERZVvrd7SRBl+Lkl+XkvDuQndwjv:lwtTLEtI1RUcdJ861s0cJdw

    Score
    1/10
    • Target

      abfe4422828c6515e7b53c50a8f07dda0169f4ee34173357b6fa35b06fe144b1

    • Size

      352KB

    • MD5

      04f36999713a138ebde1adbdd7aa01f6

    • SHA1

      a3c66353d9ea491f96dc63f0e9d8cb0878e1123d

    • SHA256

      abfe4422828c6515e7b53c50a8f07dda0169f4ee34173357b6fa35b06fe144b1

    • SHA512

      484ea18d1ed358156058d185b46a9e0caf4a44a710e638a75109996e1a974b935b3f3a0fdf5c04d2c64ec1d7e2f8fac28e2a0cf09461bc881e21f9b19c329fa6

    • SSDEEP

      768:GoXcYoibzZl5KMIjz9ofRouZ1OTgggggggggggggggggggggggggggggggggggg3:G4Tb55oua8byL76qXXZ5oulx3yzFH+

    Score
    1/10
    • Target

      b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273

    • Size

      352KB

    • MD5

      4f88b5e510ecbd0adefdfc87c552289c

    • SHA1

      047ec67b8e3c001086284d7176b2d239db565fb5

    • SHA256

      b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273

    • SHA512

      75b86d6de4bec5285559f7e9a0dbf46df48dbdf78386023e5f8668a7814bc1db5322d8bf9d306cfd65175112b94366641d671175d59d3edacc3d2b2ba802f348

    • SSDEEP

      6144:X9PrHO8306KFnBCzDIZXY3HJmui45mkA2/1:drHBpgkDuoEuXbJ

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (123) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      svchost.exe

    • Size

      1.4MB

    • MD5

      1e56e3201f99af1f63c3b95b6d05d64f

    • SHA1

      f5d32ac198ed52ded940ff5fffb1f513bb2b607f

    • SHA256

      b8e40563f749016a1557ea461198661f501eadddba50d6528ffe4e9c52664666

    • SHA512

      36b77e56cf6d5c07a6a62cb5ff21e3316db2a70d4c285649cdc48d6403b8eb27c8c01b483f9bff135e92ea66e203871e783231f4938af1202e51389006c13f83

    • SSDEEP

      24576:Wmchf1ZHB7TZqSsulRicD2fdxs1isw/c169CDX/S6o1JLax:WVfvDqSsu2cAdxvvE0ADS

    • Clears Windows event logs

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Creates new service(s)

    • Stops running service(s)

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8

    • Size

      245KB

    • MD5

      78db42a978dbaeec6b87e718b0e00160

    • SHA1

      226616df9b26e9ca327805755b75813ad67c1f3f

    • SHA256

      b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8

    • SHA512

      8a8a29eb8679512ab214d16b3e207a4545dbd63a8410ce41eef8d2c249131a5947a157344932b6041feb3084ad14d437627d754a34b977a6c2f71159a54b2b5c

    • SSDEEP

      6144:ZU1aQUdyXTFDhznLOoAM4zkw7nMnp5PdleQRWsvBoCRt7Y0x:ZUQd4TFJLOolqk/72QksvBBt7Y0

    Score
    9/10
    • Renames multiple (180) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      bbb46278959b4628106319457405a8cc04681c82c2c8afa30475d50ed63417f2

    • Size

      131KB

    • MD5

      6dd2b52d5af3fb6591d52a695a09d025

    • SHA1

      9ec21f57bf3f524dccca9e78f95974c7e4951785

    • SHA256

      bbb46278959b4628106319457405a8cc04681c82c2c8afa30475d50ed63417f2

    • SHA512

      5a0c63c6163df1315a24bca6307aedec584a563fac17f7f3ab7e8f7fd57f189fd9db8dcb1d53b9f756ec7f7c721041958925202ab43868bfc57ddb2d3b3cd59a

    • SSDEEP

      3072:oZIzt7KLtx3kaKP/V0ZLKaQvPS5rrT0tYHJdP73wJOvpPX7:oezNqTADa5rrTLJFcJ8P

    Score
    1/10
    • Target

      bdf06acf03785275d01d4135b432b56b31c7f352f9be3cf8eca00286251aa163

    • Size

      41KB

    • MD5

      ef51aa91d5cbed5f57b85571b528bf7e

    • SHA1

      fbaaac20cff25f931c3480165ebf3b7ee9f7e4b3

    • SHA256

      bdf06acf03785275d01d4135b432b56b31c7f352f9be3cf8eca00286251aa163

    • SHA512

      c84fb47cc627c5148841b7a2a72abe17aabd18d449a2f46a6a538ef27a2de7a753c8431c5a0930502ea26ed60fea77310436e812e0c494e9523370aabf64fea5

    • SSDEEP

      768:BL+ntTLPgnHCI1uGukUcjI2Hp9xG6e7j6oERZVvrd7SRBl+Lkl+XkvDgYGZwRSAb:BwtTLEiI1RUcdJ861s0cgBZwMH

    Score
    1/10
    • Target

      db3529a2d96f82af48dd8b93615cf89ee5e0c9fe84d70222b30adcb947602881

    • Size

      213KB

    • MD5

      4b1d5fe23b954f6c80dd3f6ea0b0a0fb

    • SHA1

      0aa970ec5a3b3c9f4731230b8186c4ed0b996136

    • SHA256

      db3529a2d96f82af48dd8b93615cf89ee5e0c9fe84d70222b30adcb947602881

    • SHA512

      02837a35d55d70d1b3ee62faa002b5731799055370576516dc86125081369114325722c23e55a5b6cb047e1e9c15d91eb52495155895d818a38f108b4aeca041

    • SSDEEP

      3072:LL+mK4nBPd9/9h9OL7LUaaQS4zQtb5N5aw3IH3I/3Id:LC74BFHh9OL7NaQSoubc0IXIPI

    Score
    1/10
    • Target

      e24b84c0201106d00cb293da0216414c8bc60de61d8de5f7ffdcd660e67317db

    • Size

      11KB

    • MD5

      f4d8bb082b0d03efd6990cc2f4336165

    • SHA1

      48abb4773cdc2c70ea90aa4f38a8942f8bca60f3

    • SHA256

      e24b84c0201106d00cb293da0216414c8bc60de61d8de5f7ffdcd660e67317db

    • SHA512

      2fca524f0aa0f3bf9605f8a7007dfe14f1383f976ce519299fc0991a073d78961ecf1c1d84671016f8814dd55dcf78a7c8d1ebe86cd7f59c53f1874e8a0d65da

    • SSDEEP

      192:5QEguYoCj6K4KRUZJqBEjTedm53AebdKS5p:5GOKRUZ9aC7

    • Renames multiple (1631) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v15

Tasks

static1

upxmedusalockermakoptrigona
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

ransomware
Score
10/10

behavioral4

ransomware
Score
10/10

behavioral5

persistenceransomwareupx
Score
10/10

behavioral6

ransomwareupx
Score
10/10

behavioral7

ransomware
Score
10/10

behavioral8

ransomware
Score
10/10

behavioral9

persistencespywarestealer
Score
7/10

behavioral10

persistencespywarestealer
Score
7/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

evasionransomware
Score
10/10

behavioral14

evasionpersistenceransomware
Score
10/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

persistenceransomware
Score
9/10

behavioral20

persistenceransomware
Score
9/10

behavioral21

discoveryevasionpersistenceransomwarespywarestealer
Score
9/10

behavioral22

discoveryevasionpersistenceransomware
Score
9/10

behavioral23

ransomware
Score
9/10

behavioral24

ransomware
Score
9/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

ransomwarespywarestealer
Score
9/10

behavioral32

ransomwarespywarestealer
Score
9/10