Resubmissions

21-01-2024 14:52

240121-r8syqaeac7 10

21-01-2024 14:51

240121-r8k8waeac5 10

01-01-2024 13:55

240101-q776kscacp 10

General

  • Target

    Cat Research 2023-07-15.zip

  • Size

    4.5MB

  • Sample

    240121-r8syqaeac7

  • MD5

    e56e18b0de08e733d57e92e6d033bf17

  • SHA1

    0e8d037a03a1855b3614174ba7e1a98424314449

  • SHA256

    ee65e9d7a7bc9d17e894e0b775fc0bbfb35e72c65c3d768e34bfe059d521cc16

  • SHA512

    ea9ed41545b843b89d5638c59448d53cf0e20298f2fa09989898ba1771626ce71d1661782980c6a826c2eabe0bb55145df09f5ae87a412474992d7013257c15d

  • SSDEEP

    98304:vampW+t8jmbIlfnE3+2mNntZaXItRbFLbf7jLxPbM0biQaMYQ/j/:vampW+6jmOlbNm4tRFLjLxjpso7

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\How_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">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</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. 
This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="ithelp07@securitymy.name ">ithelp07@securitymy.name </a> <br> <a href="ithelp07@yousheltered.com ">ithelp07@yousheltered.com </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div> <!--tab--> <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>
Emails

ithelp07@securitymy.name

ithelp07@yousheltered.com

Extracted

Path

C:\Program Files\How_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">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</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. 
This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="ithelp07@securitymy.name ">ithelp07@securitymy.name </a> <br> <a href="ithelp07@yousheltered.com ">ithelp07@yousheltered.com </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div> <!--tab--> <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>
Emails

ithelp07@securitymy.name

ithelp07@yousheltered.com

Extracted

Path

C:\$Recycle.Bin\readme.txt

Ransom Note
Dear user! Your computer is encrypted! We demand a ransom! Decryption service is paid !!!! PAYMENT FOR BITCOIN !!! To decrypt your computer, you need to download the TOR browser at https://www.torproject.org/download/ Install it and visit our website for further action http://paymen45oxzpnouz.onion/a08e87d5a7 Also from your servers files, documents, databases SQL, PDF were uploaded to our cloud storage After we agree, you will receive a decryption program, valuable advice in order not to fall into this situation in the future, as well as all your files on our server will be deleted. Otherwise, they will fall into the open access of the Internet! Use any third party software for restoring your data or antivirus solutions will result in a loose of data. Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.
URLs

http://paymen45oxzpnouz.onion/a08e87d5a7

Extracted

Path

C:\PerfLogs\readme.txt

Ransom Note
Dear user! Your computer is encrypted! We demand a ransom! Decryption service is paid !!!! PAYMENT FOR BITCOIN !!! To decrypt your computer, you need to download the TOR browser at https://www.torproject.org/download/ Install it and visit our website for further action http://paymen45oxzpnouz.onion/f1d3a75b0b Also from your servers files, documents, databases SQL, PDF were uploaded to our cloud storage After we agree, you will receive a decryption program, valuable advice in order not to fall into this situation in the future, as well as all your files on our server will be deleted. Otherwise, they will fall into the open access of the Internet! Use any third party software for restoring your data or antivirus solutions will result in a loose of data. Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.
URLs

http://paymen45oxzpnouz.onion/f1d3a75b0b

Extracted

Path

C:\Users\Admin\Favorites\Links\How To Recover Encrypted Files.hta

Ransom Note
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta charset="windows-1251"> <title>HOW TO DECRYPT YOUR FILES</title> <HTA:APPLICATION ICON="mstsc.exe" SINGLEINSTANCE="yes"> <script language="JScript"> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type="text/css"> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background-color: #C1AB8F; } .bold { font-weight: bold; } .xx { border: 1px dashed #000; background: #E3D5F1; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head> <body> <div class="header">Your files are encrypted!</div> <div class="note private"> <div class="title">Your personal ID</div> <pre>1694849638447832794713449828002177543338498978972462641284454793015754351826697174149522388922523967 2145875963802969811625899845445275608574655597438154555657338823886664184398634008087827860347782648 9179948285656065959157722973794448952100005915556778946288243898374542747759025818833191552570687680 6379158601167392631881252589376838571414132013967868666170024144080527567023002345385064015658103067 9248638176981128590158244960883133791686413778406450950653017391643490122584304911264299901325071385 5488161218340132451181896115479886163633768214553758370991723880034751149959471232222797579641146812 052322097865106774</pre><!-- 
!!! ������ �� ������ !!! --> </div> <div class="bold"> <div align="left">All your important data has been encrypted.</div> </div> <div class="bold">To recover data you need decryptor.</div> <div> <h2 align="center">To get the decryptor you should:</h2> <h1 align="left">pay for decrypt:</h1> <div class="note xx"> <div align="left"> <h1>to send 1 bitcoin today (tomorrow 2 bitcoins) to bitcoin the address 1EQiMGLApzDdPYLWoDMyUo27q5ashMXdQ<br> </h1> </div> <div align="left"> <strong>Here are our recommendations:</strong> </div> <div align="left"> <ol> <li><strong>If you have no Bitcoin address register https://blockchain.info/wallet</strong></li> <li><strong>fill up your wallet some of the ways:</strong></li> <li><strong>Btcdirect.eu - Good service for Europe</strong></li> <li><strong>Bittylicious.com - Bitcoins through Visa / MC or through SEPA (��) transfer</strong></li> <li><strong>Localbitcoins.com - Here you can find people who want to sell Bitcoins directly (WU, in cash, SEPA, Paypal u.s.).</strong></li> <li><strong>Cex.io - buy bitcoins with Visa / Mastercard or Wire Transfer.</strong></li> <li><strong>Coincafe.com - Designed for quick and easy service. 
Payment methods: Western Union, Bank of America, cash by FedEx, Moneygram, as money transfer</strong></li> <li><strong>Bitstamp.net - well known and established Bitcoins seller</strong></li> <li><strong>Coinmama.com - Visa / Mastercard</strong></li> <li><strong>Btc-e.com - Bitcoins vendor (Visa / Mastercard, etc.)</strong></li> <li><strong>If you have not found any bitcoins in your region, try to find them here:</strong></li> <li><strong>Buybitcoinworldwide.com - International Bicoins Exchange Directory</strong></li> <li><strong>Bitcoin-net.com - Another directory of Bitcoins sellers</strong></li> <li><strong>Howtobuybitcoins.info - International Bicoins Exchange Directory</strong></li> <li><strong>Bittybot.co/eu - Directory for countries of the European Union</strong></li> <li><strong>write to Google how to buy Bitcoin in your country?</strong></li> </ol> </div> <div align="left"> <h1>mail support hnumkhotep@india.com<br> </h1> </div> <h1>After the payment: </h1> </div> <div><p>Send screenshot of payment to mail support <span class="mark">hnumkhotep@india.com</span>. In the letter include your personal ID (look at the beginning of this document).</p> </div> <div> <h1 align="center">After you will receive a decryptor and instructions</h1> </div> <div class="note alert"> <div class="title">Attention!</div> <ul><li>No Payment = No decryption</li> <li>You really get the decryptor after payment</li> <li>Do not attempt to remove the program or run the anti-virus tools</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul> </div> </body> </html>
Emails

hnumkhotep@india.com

Extracted

Path

C:\Users\Admin\Downloads\How To Recover Encrypted Files.hta

Ransom Note
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta charset="windows-1251"> <title>HOW TO DECRYPT YOUR FILES</title> <HTA:APPLICATION ICON="mstsc.exe" SINGLEINSTANCE="yes"> <script language="JScript"> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type="text/css"> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background-color: #C1AB8F; } .bold { font-weight: bold; } .xx { border: 1px dashed #000; background: #E3D5F1; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head> <body> <div class="header">Your files are encrypted!</div> <div class="note private"> <div class="title">Your personal ID</div> <pre>2121799001076345843398507332297735432140395940899429037042670857175831500401266119286287252971283123 4495241325948945463131010101442835947155524655048827951478038478281115743408090469407154796500430651 1656415659115466750320384538396022671477191235175253064099845600822834070612521996255603114465590012 0368740700193747251300626987759436380742088937764114804984156784162938553827257042828448709915952061 9591386834580868785306595995567439326697111279941721974452866024950064318087298077539872215648240245 8561245373608898492764439102035002410606758391921866346896049768038179824074748755229201944362876391 540585417571153367</pre><!-- 
!!! ������ �� ������ !!! --> </div> <div class="bold"> <div align="left">All your important data has been encrypted.</div> </div> <div class="bold">To recover data you need decryptor.</div> <div> <h2 align="center">To get the decryptor you should:</h2> <h1 align="left">pay for decrypt:</h1> <div class="note xx"> <div align="left"> <h1>to send 1 bitcoin today (tomorrow 2 bitcoins) to bitcoin the address 1EQiMGLApzDdPYLWoDMyUo27q5ashMXdQ<br> </h1> </div> <div align="left"> <strong>Here are our recommendations:</strong> </div> <div align="left"> <ol> <li><strong>If you have no Bitcoin address register https://blockchain.info/wallet</strong></li> <li><strong>fill up your wallet some of the ways:</strong></li> <li><strong>Btcdirect.eu - Good service for Europe</strong></li> <li><strong>Bittylicious.com - Bitcoins through Visa / MC or through SEPA (��) transfer</strong></li> <li><strong>Localbitcoins.com - Here you can find people who want to sell Bitcoins directly (WU, in cash, SEPA, Paypal u.s.).</strong></li> <li><strong>Cex.io - buy bitcoins with Visa / Mastercard or Wire Transfer.</strong></li> <li><strong>Coincafe.com - Designed for quick and easy service. 
Payment methods: Western Union, Bank of America, cash by FedEx, Moneygram, as money transfer</strong></li> <li><strong>Bitstamp.net - well known and established Bitcoins seller</strong></li> <li><strong>Coinmama.com - Visa / Mastercard</strong></li> <li><strong>Btc-e.com - Bitcoins vendor (Visa / Mastercard, etc.)</strong></li> <li><strong>If you have not found any bitcoins in your region, try to find them here:</strong></li> <li><strong>Buybitcoinworldwide.com - International Bicoins Exchange Directory</strong></li> <li><strong>Bitcoin-net.com - Another directory of Bitcoins sellers</strong></li> <li><strong>Howtobuybitcoins.info - International Bicoins Exchange Directory</strong></li> <li><strong>Bittybot.co/eu - Directory for countries of the European Union</strong></li> <li><strong>write to Google how to buy Bitcoin in your country?</strong></li> </ol> </div> <div align="left"> <h1>mail support hnumkhotep@india.com<br> </h1> </div> <h1>After the payment: </h1> </div> <div><p>Send screenshot of payment to mail support <span class="mark">hnumkhotep@india.com</span>. In the letter include your personal ID (look at the beginning of this document).</p> </div> <div> <h1 align="center">After you will receive a decryptor and instructions</h1> </div> <div class="note alert"> <div class="title">Attention!</div> <ul><li>No Payment = No decryption</li> <li>You really get the decryptor after payment</li> <li>Do not attempt to remove the program or run the anti-virus tools</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul> </div> </body> </html>
Emails

hnumkhotep@india.com

Extracted

Path

F:\$RECYCLE.BIN\readme.txt

Ransom Note
Dear user! Your computer is encrypted! We demand a ransom! Decryption service is paid !!!! PAYMENT FOR BITCOIN !!! To decrypt your computer, you need to download the TOR browser at https://www.torproject.org/download/ Install it and visit our website for further action http://paymen45oxzpnouz.onion/68454b34bb Also from your servers files, documents, databases SQL, PDF were uploaded to our cloud storage After we agree, you will receive a decryption program, valuable advice in order not to fall into this situation in the future, as well as all your files on our server will be deleted. Otherwise, they will fall into the open access of the Internet! Use any third party software for restoring your data or antivirus solutions will result in a loose of data. Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.
URLs

http://paymen45oxzpnouz.onion/68454b34bb

Targets

    • Target

      323389cde5a3059c6c6e5c6c711d11e434a577b11dc07a9aeb7f8e1fb661ecf3

    • Size

      1.4MB

    • MD5

      b0b732188bc83ee4ad3b5e5b7dd34a26

    • SHA1

      4c1e68eebda46ead2563192b137f42b7a976ed2b

    • SHA256

      323389cde5a3059c6c6e5c6c711d11e434a577b11dc07a9aeb7f8e1fb661ecf3

    • SHA512

      51f2328cdd77ff287814618c9cb617da0f2c2fa189f466a633adb80b10c1fe0b2eaddcb3dfb58df9344181294294485f4a7527c3e5dac5964f2054bf779746a4

    • SSDEEP

      24576:l8ku9/++Rod4z2JOtqKf6bvkbRbEAsk7fQl7z:mkGi4DdRbdEAwl7z

    Score
    1/10
    • Target

      365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7

    • Size

      450KB

    • MD5

      e70b33103c17c000ac11025d2d8e70a1

    • SHA1

      df898d9d0e8e6f2d4eb5d4742d4c206092cdcb34

    • SHA256

      365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7

    • SHA512

      632461a9c6bff4e013cf3e77a7262d1daaa8775156c61c70dab685ae59114b22d00a47a0214204f6c514c6be77ad5b0c371a889076072fdb1eaf574cb6d4c42c

    • SSDEEP

      12288:krYn2GbqdcOuAKi1kcwyEOywAx1gT+yFCv6oE4E:kcNbqdFtVkcwyEOix1GtFCv6F4E

    Score
    10/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (8412) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Target

      5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506

    • Size

      263KB

    • MD5

      111e7dd338f7a7db306c95e05797747f

    • SHA1

      aff72034cbbc21693425306ad42b1bb182582743

    • SHA256

      5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506

    • SHA512

      215ee93c5faf2af3a55cceed281b56aecb5990baf4ae508f02eb481c7c22081f05b73a2657279205ff5d4edfc63722ea1405a9e8cdf65939021c9f052ffb6fec

    • SSDEEP

      6144:jeHgRe/IfHES0cVZrDjuNywKGOCWVoYkNMbU:jeHgM4HxZG1KGjWVoVO

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Target

      out.upx

    • Size

      436KB

    • MD5

      aec0dac2b75880cd43dcf189fde97e42

    • SHA1

      3159ec24c4e766ee8af2dfeda0e9d87e64e08139

    • SHA256

      975bb21e0b4941b1569e968ff02b8969d53ec3e090cb3a3ae28ad629cfe2453a

    • SHA512

      4bf22c844e7df5f06adc2273872216ce57881df0affe4ebacd82c8e59b911575cfe00138615ef25e83062aa5da050c5a306c9c1fafc752444396d712c9831920

    • SSDEEP

      6144:i4nt4N8qyv/j2+9cN9VNzmjhlPhdUiWing72gF/qXIWHsTfoaaYt+2ZOtFEmv0L:dt4K/i+89E9Wing72gFtWW+gOEmM

    Score
    3/10
    • Target

      59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d

    • Size

      477KB

    • MD5

      ebbb782bafaa3ab64a3e4b006a698fe0

    • SHA1

      2800cd4dd62ba63f38d0452bf80cb35b4359a3dd

    • SHA256

      59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d

    • SHA512

      cd6681d7987901eb27064c4a833052abccef60383f9b0e53360ae9e3e66a19d0d0405bdeb5a609c7d668aa8720eb49f5fc3f060920ec042ec6584eebfd9f09ae

    • SSDEEP

      6144:ko4FuDncVzUJOH5bpX3Q92J6fHgaEFx9BQOJvZTsMJfOg2lOMxPEiarVb0J0:kzuwVzUW5bN3Y6LmO13Gg2IMyxrt0u

    Score
    10/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (8388) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Drops desktop.ini file(s)

    • Target

      63fb410fc5267c61c5099927af714a8f5f4ba6dcdeeb1f297b022879767c7222

    • Size

      924KB

    • MD5

      ec9c3efe831aaa203058927df7de6138

    • SHA1

      b77581e047551a70aaba0db7a57349136bd9e411

    • SHA256

      63fb410fc5267c61c5099927af714a8f5f4ba6dcdeeb1f297b022879767c7222

    • SHA512

      0d5aedcebaa660f345c549b9ae07b4d18fc01b563907b378c1cd905029bb0c6f6849e0f03c7c4a724c3448eb9c693138265a0b0129a298af3aada9bb0f447d6a

    • SSDEEP

      12288:tZqu3sRwqpxGCMF3dera2ybCPWy5SqZWj+6GJZy82VS1ToBgdoByOHGae0r2ivr:B3yEoro2PEpUA

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Target

      9443472de461e9e7a9d7b7d89fa13815521db1ecebea5054643664953ee366e5

    • Size

      102KB

    • MD5

      9cea7a7505d2eff4b1109d0e70a52baf

    • SHA1

      455fab0bf9e5f3e27c232aea89904c929db0a92b

    • SHA256

      9443472de461e9e7a9d7b7d89fa13815521db1ecebea5054643664953ee366e5

    • SHA512

      681fd65cb210f215db206f165e3a86ecc83285e928eab6e1660e33ea182f8b3059e1e68f9377faf47d2ccddad4c1b0019a4252febfb91b90b6f070d2ca0c7764

    • SSDEEP

      1536:SeN+oVQkMaz9GRQl4g9FlpIm1QUnv2+qQl4g9FlpIm1i:hbVQkIg9FlCv3g9FlCJ

    Score
    1/10
    • Target

      97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d

    • Size

      333KB

    • MD5

      db88a1bd11ca3aab7a0890a10a10f45d

    • SHA1

      0e01e118613962e364b76869bcfb9d26cf0a6505

    • SHA256

      97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d

    • SHA512

      b6e374ea42e023d973baa2c8c3ce8c34a7c8ffa1aefd52f787eb51f980e1e1f8c2c6081d90cd0cf1b15166b86ed57dc2d7b9adde5021dd00cc629f8aae8df023

    • SSDEEP

      6144:YemY9cZrt2pF+M9htFl/1M0lpj9G/OaZE8ABInatk1:/9cm+M9vFl/1HrNInatk1

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (7577) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies Installed Components in the registry

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      a0f5def5aaaefa3ae538da9c643a5e381ea89cdee3e451ab1d0c52181d758593

    • Size

      41KB

    • MD5

      a06225459ff7b32f1408726f5d8007cf

    • SHA1

      db14f8b54194f41383a0a0b1f181020d93774268

    • SHA256

      a0f5def5aaaefa3ae538da9c643a5e381ea89cdee3e451ab1d0c52181d758593

    • SHA512

      0401e6423b359020161c26c9583d55007b00de451831e9523d752941d9815f63cd74f7cd649da4232070a2dbef2c9e584bf62a3d656532cdc2d32a06d8d305e5

    • SSDEEP

      768:lL+ntTLPgn6CI1uGukUcjI2Hp9xG6e7j6oERZVvrd7SRBl+Lkl+XkvDuQndwjv:lwtTLEtI1RUcdJ861s0cJdw

    Score
    1/10
    • Target

      abfe4422828c6515e7b53c50a8f07dda0169f4ee34173357b6fa35b06fe144b1

    • Size

      352KB

    • MD5

      04f36999713a138ebde1adbdd7aa01f6

    • SHA1

      a3c66353d9ea491f96dc63f0e9d8cb0878e1123d

    • SHA256

      abfe4422828c6515e7b53c50a8f07dda0169f4ee34173357b6fa35b06fe144b1

    • SHA512

      484ea18d1ed358156058d185b46a9e0caf4a44a710e638a75109996e1a974b935b3f3a0fdf5c04d2c64ec1d7e2f8fac28e2a0cf09461bc881e21f9b19c329fa6

    • SSDEEP

      768:GoXcYoibzZl5KMIjz9ofRouZ1OTgggggggggggggggggggggggggggggggggggg3:G4Tb55oua8byL76qXXZ5oulx3yzFH+

    Score
    1/10
    • Target

      b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273

    • Size

      352KB

    • MD5

      4f88b5e510ecbd0adefdfc87c552289c

    • SHA1

      047ec67b8e3c001086284d7176b2d239db565fb5

    • SHA256

      b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273

    • SHA512

      75b86d6de4bec5285559f7e9a0dbf46df48dbdf78386023e5f8668a7814bc1db5322d8bf9d306cfd65175112b94366641d671175d59d3edacc3d2b2ba802f348

    • SSDEEP

      6144:X9PrHO8306KFnBCzDIZXY3HJmui45mkA2/1:drHBpgkDuoEuXbJ

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (101) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      b4b97aa67e2fbfa344053be1c101cbd6560b0a5cfe2de8e2e637ba90c4df2ca9

    • Size

      667KB

    • MD5

      c6dbf15baa48e2ffac11c419513ce890

    • SHA1

      3ea88a0037805607f0d08f5be4a813378708c00a

    • SHA256

      b4b97aa67e2fbfa344053be1c101cbd6560b0a5cfe2de8e2e637ba90c4df2ca9

    • SHA512

      83e927ebb7605ad96e906f14581118ffdfdd4d9322dba93f6ac453daea28cdfbc1ec37296144f661404d98cdd125eb3fa1c53fdea6b4a3eb56eea592e334697c

    • SSDEEP

      12288:GmudacqGbVLzCG1L6MfYBwe56n4NDkfvowfuUWCdiQM0gDbBho0dcv124VVkmTBO:08GbJzj1GCe56n4Fkfvow2U/FMN7hdcU

    Score
    1/10
    • Target

      svchost.exe

    • Size

      1.4MB

    • MD5

      1e56e3201f99af1f63c3b95b6d05d64f

    • SHA1

      f5d32ac198ed52ded940ff5fffb1f513bb2b607f

    • SHA256

      b8e40563f749016a1557ea461198661f501eadddba50d6528ffe4e9c52664666

    • SHA512

      36b77e56cf6d5c07a6a62cb5ff21e3316db2a70d4c285649cdc48d6403b8eb27c8c01b483f9bff135e92ea66e203871e783231f4938af1202e51389006c13f83

    • SSDEEP

      24576:Wmchf1ZHB7TZqSsulRicD2fdxs1isw/c169CDX/S6o1JLax:WVfvDqSsu2cAdxvvE0ADS

    • Clears Windows event logs

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Creates new service(s)

    • Stops running service(s)

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8

    • Size

      245KB

    • MD5

      78db42a978dbaeec6b87e718b0e00160

    • SHA1

      226616df9b26e9ca327805755b75813ad67c1f3f

    • SHA256

      b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8

    • SHA512

      8a8a29eb8679512ab214d16b3e207a4545dbd63a8410ce41eef8d2c249131a5947a157344932b6041feb3084ad14d437627d754a34b977a6c2f71159a54b2b5c

    • SSDEEP

      6144:ZU1aQUdyXTFDhznLOoAM4zkw7nMnp5PdleQRWsvBoCRt7Y0x:ZUQd4TFJLOolqk/72QksvBBt7Y0

    Score
    9/10
    • Renames multiple (184) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      bbb46278959b4628106319457405a8cc04681c82c2c8afa30475d50ed63417f2

    • Size

      131KB

    • MD5

      6dd2b52d5af3fb6591d52a695a09d025

    • SHA1

      9ec21f57bf3f524dccca9e78f95974c7e4951785

    • SHA256

      bbb46278959b4628106319457405a8cc04681c82c2c8afa30475d50ed63417f2

    • SHA512

      5a0c63c6163df1315a24bca6307aedec584a563fac17f7f3ab7e8f7fd57f189fd9db8dcb1d53b9f756ec7f7c721041958925202ab43868bfc57ddb2d3b3cd59a

    • SSDEEP

      3072:oZIzt7KLtx3kaKP/V0ZLKaQvPS5rrT0tYHJdP73wJOvpPX7:oezNqTADa5rrTLJFcJ8P

    Score
    1/10
    • Target

      bdf06acf03785275d01d4135b432b56b31c7f352f9be3cf8eca00286251aa163

    • Size

      41KB

    • MD5

      ef51aa91d5cbed5f57b85571b528bf7e

    • SHA1

      fbaaac20cff25f931c3480165ebf3b7ee9f7e4b3

    • SHA256

      bdf06acf03785275d01d4135b432b56b31c7f352f9be3cf8eca00286251aa163

    • SHA512

      c84fb47cc627c5148841b7a2a72abe17aabd18d449a2f46a6a538ef27a2de7a753c8431c5a0930502ea26ed60fea77310436e812e0c494e9523370aabf64fea5

    • SSDEEP

      768:BL+ntTLPgnHCI1uGukUcjI2Hp9xG6e7j6oERZVvrd7SRBl+Lkl+XkvDgYGZwRSAb:BwtTLEiI1RUcdJ861s0cgBZwMH

    Score
    1/10

MITRE ATT&CK Matrix (ATT&CK v13), listed per tactic as technique ID, technique name and count

Execution

  • T1059 Command and Scripting Interpreter: 1

Persistence

  • T1547 Boot or Logon Autostart Execution: 4
    • T1547.001 Registry Run Keys / Startup Folder: 4
  • T1543 Create or Modify System Process: 2
    • T1543.003 Windows Service: 2

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution: 4
    • T1547.001 Registry Run Keys / Startup Folder: 4
  • T1543 Create or Modify System Process: 2
    • T1543.003 Windows Service: 2

Defense Evasion

  • T1070 Indicator Removal: 12
    • T1070.004 File Deletion: 11
  • T1112 Modify Registry: 6
  • T1562 Impair Defenses: 1

Credential Access

  • T1552 Unsecured Credentials: 2
    • T1552.001 Credentials In Files: 2

Discovery

  • T1012 Query Registry: 9
  • T1082 System Information Discovery: 15
  • T1120 Peripheral Device Discovery: 3
  • T1046 Network Service Discovery: 1

Collection

  • T1005 Data from Local System: 2

Impact

  • T1490 Inhibit System Recovery: 12
  • T1489 Service Stop: 1

Tasks

  • static1: score 10/10; tags: upx, medusalocker, makop, trigona
  • behavioral1: score 1/10
  • behavioral2: score 1/10
  • behavioral3: score 10/10; tags: ransomware
  • behavioral4: score 10/10; tags: ransomware
  • behavioral5: score 10/10; tags: persistence, ransomware, upx
  • behavioral6: score 10/10; tags: ransomware, upx
  • behavioral7: score 3/10
  • behavioral8: score 3/10
  • behavioral9: score 10/10; tags: ransomware
  • behavioral10: score 1/10
  • behavioral11: score 7/10; tags: persistence, spyware, stealer
  • behavioral12: score 7/10; tags: persistence, spyware, stealer
  • behavioral13: score 1/10
  • behavioral14: score 1/10
  • behavioral15: score 10/10; tags: evasion, ransomware
  • behavioral16: score 10/10; tags: evasion, persistence, ransomware
  • behavioral17: score 1/10
  • behavioral18: score 1/10
  • behavioral19: score 1/10
  • behavioral20: score 1/10
  • behavioral21: score 9/10; tags: persistence, ransomware
  • behavioral22: score 9/10; tags: persistence, ransomware
  • behavioral23: score 1/10
  • behavioral24: score 1/10
  • behavioral25: score 9/10; tags: discovery, evasion, persistence, ransomware, spyware, stealer
  • behavioral26: score 9/10; tags: discovery, evasion, persistence, ransomware
  • behavioral27: score 9/10; tags: ransomware
  • behavioral28: score 9/10; tags: ransomware
  • behavioral29: score 1/10
  • behavioral30: score 1/10
  • behavioral31: score 1/10
  • behavioral32: score 1/10