maktub | d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a

Resubmissions

18-04-2024 05:22

240418-f2z8nscc74 10

18-04-2024 05:22

18-04-2024 05:21

18-04-2024 05:21

18-04-2024 05:21

Analysis

max time kernel
591s
max time network
503s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
14-04-2024 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe
Size

371KB
MD5

bb8cd5df2be7e8bcc5be439675b3d0a2
SHA1

627ac60f64974d5caaf81c2de8ca0977c91f4219
SHA256

d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a
SHA512

57031eb7d7b2c27d7ecacdc085d07065ced46a742128f9818f62c9fe6633c31aa8eb20ffc52c8415613787946060f5a6b5adf8b977d5ca4fed9656233ebd9cfa
SSDEEP

6144:tnzQnu/cmM1oSigOQT2F8U92Iu7DMVQZhWLvLRXdYX9ji+uhi2PsrhY:hzQnkM1oSiBGI8bxn5m6i+uo20tY

Score

10^/10

maktub ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{453ef255-e920-4f38-be1d-8e1a4370a94e}\_DECRYPT_INFO_tvrqve.html

Ransom Note

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>  <html xmlns='http://www.w3.org/1999/xhtml'> <head> <meta http-equiv='Content-Type' content='text/html; charset=UTF-8' /> <title>tvrqve decrypt</title> <style type='text/css'>  </style> <script type='text/javascript'> function init() { var xtime; document.getElementById('fe_text').innerHTML = '00:00:00'; var language = window.navigator.userLanguage || window.navigator.language; if (language.indexOf('-') !== -1) language = language.split('-')[0]; if (language.indexOf('_') !== -1) language = language.split('_')[0]; change_lang(language); var ua = window.navigator.userAgent; var msie = ua.indexOf('MSIE '); xtime = Math.floor( (1713104897+(12*60*60)) - (Date.now()/1000)); if (msie == 0) window.setTimeout('update_timestamp('+xtime+')',1000); else update_timestamp(xtime); } function component(x, y, z) { var res if (z == 1) res = Math.floor(x / y); else res = Math.floor(x / y) % z; if (res < 10) res = '0'+res; return res; } function update_timestamp(tstamp) { if (tstamp < 1) { document.getElementById('fe_text').innerHTML = '00:00:00'; } else { var hours = component(tstamp, 60*60, 1), minutes = component(tstamp, 60, 60), seconds = component(tstamp, 1, 60); document.getElementById('fe_text').innerHTML = hours+':'+minutes+':'+seconds; tstamp-=1; window.setTimeout('update_timestamp('+tstamp+')',1000); } } function change_lang(lang) { if (lang == "de") show_de(); else if (lang == "es") show_es(); else if (lang == "fr") show_fr(); else if (lang == "it") show_it(); else if (lang == "nl") show_nl(); else show_en(); } function show_en() { document.getElementById('text_01').innerHTML = 'WARNING!'; document.getElementById('text_02').innerHTML = 'Your personal files are encrypted.'; document.getElementById('text_03').innerHTML = 'Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.'; document.getElementById('text_09').innerHTML = 'Download TOR Browser from'; document.getElementById('text_10').innerHTML = 'In the Tor Browser open the'; document.getElementById('text_11').innerHTML = '(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).'; document.getElementById('text_12').innerHTML = 'Write in the following public key in the input from on server:'; } function show_de() { document.getElementById('text_01').innerHTML = 'WARNUNG!'; document.getElementById('text_02').innerHTML = 'Ihre persönlichen Dateien sind verschlüsselt!'; document.getElementById('text_03').innerHTML = 'Ihre Dokumente, Fotos, Datenbanken und andere wichtige Dateien wurden mit der stärkste Verschlüsselung und einem einzigartigen Schlüssel verschlüsselt, der für diesen Computer generiert wurde. Der Dechiffrierschlüssel ist auf einem geheimen Internet-Server gespeichert und niemand kann Ihre Dateien entschlüsseln, bis Sie bezahlen und den privaten Schlüssel erhalten. Der Server wird den Schlüssel nach einer bestimmten Zeit löschen, die in diesem Fenster angezeigt wird.'; document.getElementById('text_09').innerHTML = 'Laden Sie TOR-Browser von'; document.getElementById('text_10').innerHTML = 'Im Tor-Browser öffnen Sie'; document.getElementById('text_11').innerHTML = '(Beachten Sie, dass dieser Server nur über den Tor-Browser verfügbar ist. Wiederholen Sie den Vorgang nach 1 Stunde, wenn die Website nicht erreichbar ist).'; document.getElementById('text_12').innerHTML = 'Schreiben Sie den folgenden öffentlichen Schlüssel in die Eingabemaske auf dem Server:'; } function show_es() { document.getElementById('text_01').innerHTML = '¡PELIGRO!'; document.getElementById('text_02').innerHTML = '¡Tus archivos personales han sido encriptados!'; document.getElementById('text_03').innerHTML = 'Tus documentos, fotos, bases de datos y otros archivos importantes han sido encriptados con una encriptación extremadamente fuerte y una clave única, generada para este computador. La clave de desencriptación privada está almacenada en un servidor de internet secreto. El servidor eliminará la clave luego del tiempo especificado en esta ventana.'; document.getElementById('text_09').innerHTML = 'Descarga el navegador TOR desde'; document.getElementById('text_10').innerHTML = 'En el navegador TOR abre'; document.getElementById('text_11').innerHTML = '(Nota que este servidor solo es accesible desde el navegador TOR. Intenta nuevamente en 1 hora si no puedes acceder).'; document.getElementById('text_12').innerHTML = 'Escribe la siguiente clave publica en la forma de ingreso del servidor:'; } function show_fr() { document.getElementById('text_01').innerHTML = 'ATTENTION!'; document.getElementById('text_02').innerHTML = 'Vos fichiers personnels ont été cryptés !'; document.getElementById('text_03').innerHTML = 'Vos documents, photos, bases de données, et autres fichiers importants ont été cryptées avec le meilleur processus de cryptage et une clé unique générée pour cet ordinateur. La clé privée de cryptage est accessible sur un serveur Internet secret et personne ne peut décrypter vos fichiers à moins que vous ne payiez et obtenez cette clé. Le serveur éliminera la clé après le compte à rebours affiché sur cette fenêtre.'; document.getElementById('text_09').innerHTML = 'Télécharger le navigateur TOR de'; document.getElementById('text_10').innerHTML = 'Dans le navigateur, ouvrez '; document.getElementById('text_11').innerHTML = '(Veuillez noter que ce serveur est disponible via le navigateur Tor uniquement. Réessayez dans 1 heure si le site n’est pas accessible).'; document.getElementById('text_12').innerHTML = 'Ecrivez les clés publiques suivantes sur le portail d’entrée du serveur :'; } function show_it() { document.getElementById('text_01').innerHTML = 'ATTENZIONE!'; document.getElementById('text_02').innerHTML = 'I tuoi file personali sono criptati!'; document.getElementById('text_03').innerHTML = 'I tuoi documenti, le tue foto, database e altri file importanti sono stati criptati con forte codificazione ed una chiave unica, generata appositamente per questo computer. La chiave segreta di decriptazione è conservata su un server Internet segreto e nessuno può decriptare i tuoi file finché non paghi per ottenere la chiave. Il server eliminerà la chiave dopo il tempo indicato in questa finestra.'; document.getElementById('text_09').innerHTML = 'Scarica il Browser TOR da'; document.getElementById('text_10').innerHTML = 'Nel Browser TOR apri il link'; document.getElementById('text_11').innerHTML = '(Nota che questo server è disponibile solo tramite il Browser TOR. Riprova tra un’ora se il sito non è raggiungibile).'; document.getElementById('text_12').innerHTML = 'Scrivi la seguente chiave pubblica nel modulo di input sul server:'; } function show_nl() { document.getElementById('text_01').innerHTML = 'WAARSCHUWING!'; document.getElementById('text_02').innerHTML = 'Uw persoonlijke bestanden zijn gecodeerd!'; document.getElementById('text_03').innerHTML = 'Uw documenten, foto’s, databases en andere belangrijke bestanden zijn gecodeerd met de sterkste encryptie en een unieke sleutel, gegenereerd voor deze computer. De persoonlijke decoderingssleutel is te vinden op een geheime Internet server en niemand kan uw bestanden decoderen totdat u betaalt en de persoonlijke sleutel heeft. De server zal de sleutel elimineren na de tijdsperiode genoemd in dit venster.'; document.getElementById('text_09').innerHTML = 'Download de TOR Browser van'; document.getElementById('text_10').innerHTML = 'In de Tor Browser, open'; document.getElementById('text_11').innerHTML = '(Let op dat deze server alleen via de Tor Browser te bereiken is. Probeer het na een uur weer als de site niet werkt).'; document.getElementById('text_12').innerHTML = 'Schrijf in de volgende openbare sleutel in het invoerformulier op de server:'; } //var language = window.navigator.userLanguage || window.navigator.language; //alert(language); </script> </head> <body onload='init();'> <div align='center'> <table width='700' height='100%' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'> <tr> <td width='225' align='left'><img src='file:///C:/Users/Admin/AppData/Local/Temp/tvrqve.gif' width='225' height='221' /></td> <td width='415' valign='top'><div align='center' class='style1' id='text_01'>WARNING!</div><br /> <div align='center' id='text_02'>Your personal files are encrypted.<br /> <br /> <br /> </div> <div align='center' class='style3' id='fe_text'></div></p> <div class="styled-select" align='center'> <select id ="ddl" name="ddl" onmousedown="this.value='';" onchange="change_lang(this.value);"> <option selected disabled value="" style="display:none;">Select language</option> <option value='en'>   ENGLISH</option> <option value='de'>   GERMAN</option> <option value='es'>   SPANISH</option> <option value='fr'>   FRENCH</option> <option value='it'>   ITALIAN</option> <option value='nl'>   DUTCH</option> </select> </div> </td> </tr> <tr> <td colspan='2' align='center'><table width='97%' border='0' cellpadding='0' cellspacing='0'> <tr> <td colspan='2' align='left'> <br /> <div id='text_03'>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.</div><br /> <br /> </td> </tr> <tr> <td colspan='2' align='left'> 1) <span id='text_09'>Download TOR Browser from</span> <a href='http://torproject.org' class='style4'>http://torproject.org</a><br /> 2) <span id='text_10'>In the Tor Browser open the</span> <span class='style6'>http://maktubmpcxqmo6gi.onion</span><br /><br /> <span id='text_11'>(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).</span><br /> <br /> <span class='style5' id='text_12'>Write in the following public key in the input from on server:</span><br /><br /> <div align='center'><textarea class='style7'> HXUHG-6KMHW-D842Y-D4Z75-63RW7-T2244-EYP5X-BB8DV-6A5A0-8DNMP-TEQ7D-6AJRT-CBHZ0-CQS1D W3CQ6-8NYW2-76FR4-DKFCV-F3E55-QYZKT-1SGFG-PP00S-FWAGB-UQFVB-ZU8H1-N052W-1MD26-FAPE3 AMS7Q-RPGJX-51TZP-CBCNG-6QCMG-SUQZQ-K7GNW-DAEVY-XXKPJ-VR8B2-8BGDF-8PQ55-NMQ7D-8PZGW VJKPV-HWRF5-XTBHF-3D85W-7WAEB-2VXE8-CJF4Z-UJWZA-47GC6-1K5PY-2GYUA-BT8Y0-VY4X0-7P6N4 6M0VE-NRYEW-05N8N-KZHH1-XVUJM-PYUQF-FJS2G-E2WC2-JJQ6S-71J71-1NDFT-76EAT-ZK8AP-TAVTY UE5S4-FPZA2-BZRRP-A0BYT-K2YCT-PHPRW-S43RF-ZBCG1-7851G-8DG5E-0SSE7-786D1 </textarea> <br /> </div> <br /> <br /> <br /> </div> </td> </tr> </table></td> </tr> </table> </div> </body> </html>

URLs

http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>

http-equiv='Content-Type

Extracted

Path

C:\Users\Admin\Favorites\_DECRYPT_INFO_tvrqve.html

Ransom Note

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>  <html xmlns='http://www.w3.org/1999/xhtml'> <head> <meta http-equiv='Content-Type' content='text/html; charset=UTF-8' /> <title>tvrqve decrypt</title> <style type='text/css'>  </style> <script type='text/javascript'> function init() { var xtime; document.getElementById('fe_text').innerHTML = '00:00:00'; var language = window.navigator.userLanguage || window.navigator.language; if (language.indexOf('-') !== -1) language = language.split('-')[0]; if (language.indexOf('_') !== -1) language = language.split('_')[0]; change_lang(language); var ua = window.navigator.userAgent; var msie = ua.indexOf('MSIE '); xtime = Math.floor( (1713104899+(12*60*60)) - (Date.now()/1000)); if (msie == 0) window.setTimeout('update_timestamp('+xtime+')',1000); else update_timestamp(xtime); } function component(x, y, z) { var res if (z == 1) res = Math.floor(x / y); else res = Math.floor(x / y) % z; if (res < 10) res = '0'+res; return res; } function update_timestamp(tstamp) { if (tstamp < 1) { document.getElementById('fe_text').innerHTML = '00:00:00'; } else { var hours = component(tstamp, 60*60, 1), minutes = component(tstamp, 60, 60), seconds = component(tstamp, 1, 60); document.getElementById('fe_text').innerHTML = hours+':'+minutes+':'+seconds; tstamp-=1; window.setTimeout('update_timestamp('+tstamp+')',1000); } } function change_lang(lang) { if (lang == "de") show_de(); else if (lang == "es") show_es(); else if (lang == "fr") show_fr(); else if (lang == "it") show_it(); else if (lang == "nl") show_nl(); else show_en(); } function show_en() { document.getElementById('text_01').innerHTML = 'WARNING!'; document.getElementById('text_02').innerHTML = 'Your personal files are encrypted.'; document.getElementById('text_03').innerHTML = 'Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.'; document.getElementById('text_09').innerHTML = 'Download TOR Browser from'; document.getElementById('text_10').innerHTML = 'In the Tor Browser open the'; document.getElementById('text_11').innerHTML = '(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).'; document.getElementById('text_12').innerHTML = 'Write in the following public key in the input from on server:'; } function show_de() { document.getElementById('text_01').innerHTML = 'WARNUNG!'; document.getElementById('text_02').innerHTML = 'Ihre persönlichen Dateien sind verschlüsselt!'; document.getElementById('text_03').innerHTML = 'Ihre Dokumente, Fotos, Datenbanken und andere wichtige Dateien wurden mit der stärkste Verschlüsselung und einem einzigartigen Schlüssel verschlüsselt, der für diesen Computer generiert wurde. Der Dechiffrierschlüssel ist auf einem geheimen Internet-Server gespeichert und niemand kann Ihre Dateien entschlüsseln, bis Sie bezahlen und den privaten Schlüssel erhalten. Der Server wird den Schlüssel nach einer bestimmten Zeit löschen, die in diesem Fenster angezeigt wird.'; document.getElementById('text_09').innerHTML = 'Laden Sie TOR-Browser von'; document.getElementById('text_10').innerHTML = 'Im Tor-Browser öffnen Sie'; document.getElementById('text_11').innerHTML = '(Beachten Sie, dass dieser Server nur über den Tor-Browser verfügbar ist. Wiederholen Sie den Vorgang nach 1 Stunde, wenn die Website nicht erreichbar ist).'; document.getElementById('text_12').innerHTML = 'Schreiben Sie den folgenden öffentlichen Schlüssel in die Eingabemaske auf dem Server:'; } function show_es() { document.getElementById('text_01').innerHTML = '¡PELIGRO!'; document.getElementById('text_02').innerHTML = '¡Tus archivos personales han sido encriptados!'; document.getElementById('text_03').innerHTML = 'Tus documentos, fotos, bases de datos y otros archivos importantes han sido encriptados con una encriptación extremadamente fuerte y una clave única, generada para este computador. La clave de desencriptación privada está almacenada en un servidor de internet secreto. El servidor eliminará la clave luego del tiempo especificado en esta ventana.'; document.getElementById('text_09').innerHTML = 'Descarga el navegador TOR desde'; document.getElementById('text_10').innerHTML = 'En el navegador TOR abre'; document.getElementById('text_11').innerHTML = '(Nota que este servidor solo es accesible desde el navegador TOR. Intenta nuevamente en 1 hora si no puedes acceder).'; document.getElementById('text_12').innerHTML = 'Escribe la siguiente clave publica en la forma de ingreso del servidor:'; } function show_fr() { document.getElementById('text_01').innerHTML = 'ATTENTION!'; document.getElementById('text_02').innerHTML = 'Vos fichiers personnels ont été cryptés !'; document.getElementById('text_03').innerHTML = 'Vos documents, photos, bases de données, et autres fichiers importants ont été cryptées avec le meilleur processus de cryptage et une clé unique générée pour cet ordinateur. La clé privée de cryptage est accessible sur un serveur Internet secret et personne ne peut décrypter vos fichiers à moins que vous ne payiez et obtenez cette clé. Le serveur éliminera la clé après le compte à rebours affiché sur cette fenêtre.'; document.getElementById('text_09').innerHTML = 'Télécharger le navigateur TOR de'; document.getElementById('text_10').innerHTML = 'Dans le navigateur, ouvrez '; document.getElementById('text_11').innerHTML = '(Veuillez noter que ce serveur est disponible via le navigateur Tor uniquement. Réessayez dans 1 heure si le site n’est pas accessible).'; document.getElementById('text_12').innerHTML = 'Ecrivez les clés publiques suivantes sur le portail d’entrée du serveur :'; } function show_it() { document.getElementById('text_01').innerHTML = 'ATTENZIONE!'; document.getElementById('text_02').innerHTML = 'I tuoi file personali sono criptati!'; document.getElementById('text_03').innerHTML = 'I tuoi documenti, le tue foto, database e altri file importanti sono stati criptati con forte codificazione ed una chiave unica, generata appositamente per questo computer. La chiave segreta di decriptazione è conservata su un server Internet segreto e nessuno può decriptare i tuoi file finché non paghi per ottenere la chiave. Il server eliminerà la chiave dopo il tempo indicato in questa finestra.'; document.getElementById('text_09').innerHTML = 'Scarica il Browser TOR da'; document.getElementById('text_10').innerHTML = 'Nel Browser TOR apri il link'; document.getElementById('text_11').innerHTML = '(Nota che questo server è disponibile solo tramite il Browser TOR. Riprova tra un’ora se il sito non è raggiungibile).'; document.getElementById('text_12').innerHTML = 'Scrivi la seguente chiave pubblica nel modulo di input sul server:'; } function show_nl() { document.getElementById('text_01').innerHTML = 'WAARSCHUWING!'; document.getElementById('text_02').innerHTML = 'Uw persoonlijke bestanden zijn gecodeerd!'; document.getElementById('text_03').innerHTML = 'Uw documenten, foto’s, databases en andere belangrijke bestanden zijn gecodeerd met de sterkste encryptie en een unieke sleutel, gegenereerd voor deze computer. De persoonlijke decoderingssleutel is te vinden op een geheime Internet server en niemand kan uw bestanden decoderen totdat u betaalt en de persoonlijke sleutel heeft. De server zal de sleutel elimineren na de tijdsperiode genoemd in dit venster.'; document.getElementById('text_09').innerHTML = 'Download de TOR Browser van'; document.getElementById('text_10').innerHTML = 'In de Tor Browser, open'; document.getElementById('text_11').innerHTML = '(Let op dat deze server alleen via de Tor Browser te bereiken is. Probeer het na een uur weer als de site niet werkt).'; document.getElementById('text_12').innerHTML = 'Schrijf in de volgende openbare sleutel in het invoerformulier op de server:'; } //var language = window.navigator.userLanguage || window.navigator.language; //alert(language); </script> </head> <body onload='init();'> <div align='center'> <table width='700' height='100%' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'> <tr> <td width='225' align='left'><img src='file:///C:/Users/Admin/AppData/Local/Temp/tvrqve.gif' width='225' height='221' /></td> <td width='415' valign='top'><div align='center' class='style1' id='text_01'>WARNING!</div><br /> <div align='center' id='text_02'>Your personal files are encrypted.<br /> <br /> <br /> </div> <div align='center' class='style3' id='fe_text'></div></p> <div class="styled-select" align='center'> <select id ="ddl" name="ddl" onmousedown="this.value='';" onchange="change_lang(this.value);"> <option selected disabled value="" style="display:none;">Select language</option> <option value='en'>   ENGLISH</option> <option value='de'>   GERMAN</option> <option value='es'>   SPANISH</option> <option value='fr'>   FRENCH</option> <option value='it'>   ITALIAN</option> <option value='nl'>   DUTCH</option> </select> </div> </td> </tr> <tr> <td colspan='2' align='center'><table width='97%' border='0' cellpadding='0' cellspacing='0'> <tr> <td colspan='2' align='left'> <br /> <div id='text_03'>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.</div><br /> <br /> </td> </tr> <tr> <td colspan='2' align='left'> 1) <span id='text_09'>Download TOR Browser from</span> <a href='http://torproject.org' class='style4'>http://torproject.org</a><br /> 2) <span id='text_10'>In the Tor Browser open the</span> <span class='style6'>http://maktubmpcxqmo6gi.onion</span><br /><br /> <span id='text_11'>(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).</span><br /> <br /> <span class='style5' id='text_12'>Write in the following public key in the input from on server:</span><br /><br /> <div align='center'><textarea class='style7'> HXUHG-6KMHW-D842Y-D4Z75-63RW7-T2244-EYP5X-BB8DV-6A5A0-8DNMP-TEQ7D-6AJRT-CBHZ0-CQS1D W3CQ6-8NYW2-76FR4-DKFCV-F3E55-QYZKT-1SGFG-PP00S-FWAGB-UQFVB-ZU8H1-N052W-1MD26-FAPE3 AMS7Q-RPGJX-51TZP-CBCNG-6QCMG-SUQZQ-K7GNW-DAEVY-XXKPJ-VR8B2-8BGDF-8PQ55-NMQ7D-8PZGW VJKPV-HWRF5-XTBHF-3D85W-7WAEB-2VXE8-CJF4Z-UJWZA-47GC6-1K5PY-2GYUA-BT8Y0-VY4X0-7P6N4 6M0VE-NRYEW-05N8N-KZHH1-XVUJM-PYUQF-FJS2G-E2WC2-JJQ6S-71J71-1NDFT-76EAT-ZK8AP-TAVTY UE5S4-FPZA2-BZRRP-A0BYT-K2YCT-PHPRW-S43RF-ZBCG1-7851G-8DG5E-0SSE7-786D1 </textarea> <br /> </div> <br /> <br /> <br /> </div> </td> </tr> </table></td> </tr> </table> </div> </body> </html>

URLs

http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>

http-equiv='Content-Type

Extracted

Path

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\_DECRYPT_INFO_tvrqve.html

Ransom Note

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>  <html xmlns='http://www.w3.org/1999/xhtml'> <head> <meta http-equiv='Content-Type' content='text/html; charset=UTF-8' /> <title>tvrqve decrypt</title> <style type='text/css'>  </style> <script type='text/javascript'> function init() { var xtime; document.getElementById('fe_text').innerHTML = '00:00:00'; var language = window.navigator.userLanguage || window.navigator.language; if (language.indexOf('-') !== -1) language = language.split('-')[0]; if (language.indexOf('_') !== -1) language = language.split('_')[0]; change_lang(language); var ua = window.navigator.userAgent; var msie = ua.indexOf('MSIE '); xtime = Math.floor( (1713104900+(12*60*60)) - (Date.now()/1000)); if (msie == 0) window.setTimeout('update_timestamp('+xtime+')',1000); else update_timestamp(xtime); } function component(x, y, z) { var res if (z == 1) res = Math.floor(x / y); else res = Math.floor(x / y) % z; if (res < 10) res = '0'+res; return res; } function update_timestamp(tstamp) { if (tstamp < 1) { document.getElementById('fe_text').innerHTML = '00:00:00'; } else { var hours = component(tstamp, 60*60, 1), minutes = component(tstamp, 60, 60), seconds = component(tstamp, 1, 60); document.getElementById('fe_text').innerHTML = hours+':'+minutes+':'+seconds; tstamp-=1; window.setTimeout('update_timestamp('+tstamp+')',1000); } } function change_lang(lang) { if (lang == "de") show_de(); else if (lang == "es") show_es(); else if (lang == "fr") show_fr(); else if (lang == "it") show_it(); else if (lang == "nl") show_nl(); else show_en(); } function show_en() { document.getElementById('text_01').innerHTML = 'WARNING!'; document.getElementById('text_02').innerHTML = 'Your personal files are encrypted.'; document.getElementById('text_03').innerHTML = 'Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.'; document.getElementById('text_09').innerHTML = 'Download TOR Browser from'; document.getElementById('text_10').innerHTML = 'In the Tor Browser open the'; document.getElementById('text_11').innerHTML = '(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).'; document.getElementById('text_12').innerHTML = 'Write in the following public key in the input from on server:'; } function show_de() { document.getElementById('text_01').innerHTML = 'WARNUNG!'; document.getElementById('text_02').innerHTML = 'Ihre persönlichen Dateien sind verschlüsselt!'; document.getElementById('text_03').innerHTML = 'Ihre Dokumente, Fotos, Datenbanken und andere wichtige Dateien wurden mit der stärkste Verschlüsselung und einem einzigartigen Schlüssel verschlüsselt, der für diesen Computer generiert wurde. Der Dechiffrierschlüssel ist auf einem geheimen Internet-Server gespeichert und niemand kann Ihre Dateien entschlüsseln, bis Sie bezahlen und den privaten Schlüssel erhalten. Der Server wird den Schlüssel nach einer bestimmten Zeit löschen, die in diesem Fenster angezeigt wird.'; document.getElementById('text_09').innerHTML = 'Laden Sie TOR-Browser von'; document.getElementById('text_10').innerHTML = 'Im Tor-Browser öffnen Sie'; document.getElementById('text_11').innerHTML = '(Beachten Sie, dass dieser Server nur über den Tor-Browser verfügbar ist. Wiederholen Sie den Vorgang nach 1 Stunde, wenn die Website nicht erreichbar ist).'; document.getElementById('text_12').innerHTML = 'Schreiben Sie den folgenden öffentlichen Schlüssel in die Eingabemaske auf dem Server:'; } function show_es() { document.getElementById('text_01').innerHTML = '¡PELIGRO!'; document.getElementById('text_02').innerHTML = '¡Tus archivos personales han sido encriptados!'; document.getElementById('text_03').innerHTML = 'Tus documentos, fotos, bases de datos y otros archivos importantes han sido encriptados con una encriptación extremadamente fuerte y una clave única, generada para este computador. La clave de desencriptación privada está almacenada en un servidor de internet secreto. El servidor eliminará la clave luego del tiempo especificado en esta ventana.'; document.getElementById('text_09').innerHTML = 'Descarga el navegador TOR desde'; document.getElementById('text_10').innerHTML = 'En el navegador TOR abre'; document.getElementById('text_11').innerHTML = '(Nota que este servidor solo es accesible desde el navegador TOR. Intenta nuevamente en 1 hora si no puedes acceder).'; document.getElementById('text_12').innerHTML = 'Escribe la siguiente clave publica en la forma de ingreso del servidor:'; } function show_fr() { document.getElementById('text_01').innerHTML = 'ATTENTION!'; document.getElementById('text_02').innerHTML = 'Vos fichiers personnels ont été cryptés !'; document.getElementById('text_03').innerHTML = 'Vos documents, photos, bases de données, et autres fichiers importants ont été cryptées avec le meilleur processus de cryptage et une clé unique générée pour cet ordinateur. La clé privée de cryptage est accessible sur un serveur Internet secret et personne ne peut décrypter vos fichiers à moins que vous ne payiez et obtenez cette clé. Le serveur éliminera la clé après le compte à rebours affiché sur cette fenêtre.'; document.getElementById('text_09').innerHTML = 'Télécharger le navigateur TOR de'; document.getElementById('text_10').innerHTML = 'Dans le navigateur, ouvrez '; document.getElementById('text_11').innerHTML = '(Veuillez noter que ce serveur est disponible via le navigateur Tor uniquement. Réessayez dans 1 heure si le site n’est pas accessible).'; document.getElementById('text_12').innerHTML = 'Ecrivez les clés publiques suivantes sur le portail d’entrée du serveur :'; } function show_it() { document.getElementById('text_01').innerHTML = 'ATTENZIONE!'; document.getElementById('text_02').innerHTML = 'I tuoi file personali sono criptati!'; document.getElementById('text_03').innerHTML = 'I tuoi documenti, le tue foto, database e altri file importanti sono stati criptati con forte codificazione ed una chiave unica, generata appositamente per questo computer. La chiave segreta di decriptazione è conservata su un server Internet segreto e nessuno può decriptare i tuoi file finché non paghi per ottenere la chiave. Il server eliminerà la chiave dopo il tempo indicato in questa finestra.'; document.getElementById('text_09').innerHTML = 'Scarica il Browser TOR da'; document.getElementById('text_10').innerHTML = 'Nel Browser TOR apri il link'; document.getElementById('text_11').innerHTML = '(Nota che questo server è disponibile solo tramite il Browser TOR. Riprova tra un’ora se il sito non è raggiungibile).'; document.getElementById('text_12').innerHTML = 'Scrivi la seguente chiave pubblica nel modulo di input sul server:'; } function show_nl() { document.getElementById('text_01').innerHTML = 'WAARSCHUWING!'; document.getElementById('text_02').innerHTML = 'Uw persoonlijke bestanden zijn gecodeerd!'; document.getElementById('text_03').innerHTML = 'Uw documenten, foto’s, databases en andere belangrijke bestanden zijn gecodeerd met de sterkste encryptie en een unieke sleutel, gegenereerd voor deze computer. De persoonlijke decoderingssleutel is te vinden op een geheime Internet server en niemand kan uw bestanden decoderen totdat u betaalt en de persoonlijke sleutel heeft. De server zal de sleutel elimineren na de tijdsperiode genoemd in dit venster.'; document.getElementById('text_09').innerHTML = 'Download de TOR Browser van'; document.getElementById('text_10').innerHTML = 'In de Tor Browser, open'; document.getElementById('text_11').innerHTML = '(Let op dat deze server alleen via de Tor Browser te bereiken is. Probeer het na een uur weer als de site niet werkt).'; document.getElementById('text_12').innerHTML = 'Schrijf in de volgende openbare sleutel in het invoerformulier op de server:'; } //var language = window.navigator.userLanguage || window.navigator.language; //alert(language); </script> </head> <body onload='init();'> <div align='center'> <table width='700' height='100%' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'> <tr> <td width='225' align='left'><img src='file:///C:/Users/Admin/AppData/Local/Temp/tvrqve.gif' width='225' height='221' /></td> <td width='415' valign='top'><div align='center' class='style1' id='text_01'>WARNING!</div><br /> <div align='center' id='text_02'>Your personal files are encrypted.<br /> <br /> <br /> </div> <div align='center' class='style3' id='fe_text'></div></p> <div class="styled-select" align='center'> <select id ="ddl" name="ddl" onmousedown="this.value='';" onchange="change_lang(this.value);"> <option selected disabled value="" style="display:none;">Select language</option> <option value='en'>   ENGLISH</option> <option value='de'>   GERMAN</option> <option value='es'>   SPANISH</option> <option value='fr'>   FRENCH</option> <option value='it'>   ITALIAN</option> <option value='nl'>   DUTCH</option> </select> </div> </td> </tr> <tr> <td colspan='2' align='center'><table width='97%' border='0' cellpadding='0' cellspacing='0'> <tr> <td colspan='2' align='left'> <br /> <div id='text_03'>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.</div><br /> <br /> </td> </tr> <tr> <td colspan='2' align='left'> 1) <span id='text_09'>Download TOR Browser from</span> <a href='http://torproject.org' class='style4'>http://torproject.org</a><br /> 2) <span id='text_10'>In the Tor Browser open the</span> <span class='style6'>http://maktubmpcxqmo6gi.onion</span><br /><br /> <span id='text_11'>(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).</span><br /> <br /> <span class='style5' id='text_12'>Write in the following public key in the input from on server:</span><br /><br /> <div align='center'><textarea class='style7'> HXUHG-6KMHW-D842Y-D4Z75-63RW7-T2244-EYP5X-BB8DV-6A5A0-8DNMP-TEQ7D-6AJRT-CBHZ0-CQS1D W3CQ6-8NYW2-76FR4-DKFCV-F3E55-QYZKT-1SGFG-PP00S-FWAGB-UQFVB-ZU8H1-N052W-1MD26-FAPE3 AMS7Q-RPGJX-51TZP-CBCNG-6QCMG-SUQZQ-K7GNW-DAEVY-XXKPJ-VR8B2-8BGDF-8PQ55-NMQ7D-8PZGW VJKPV-HWRF5-XTBHF-3D85W-7WAEB-2VXE8-CJF4Z-UJWZA-47GC6-1K5PY-2GYUA-BT8Y0-VY4X0-7P6N4 6M0VE-NRYEW-05N8N-KZHH1-XVUJM-PYUQF-FJS2G-E2WC2-JJQ6S-71J71-1NDFT-76EAT-ZK8AP-TAVTY UE5S4-FPZA2-BZRRP-A0BYT-K2YCT-PHPRW-S43RF-ZBCG1-7851G-8DG5E-0SSE7-786D1 </textarea> <br /> </div> <br /> <br /> <br /> </div> </td> </tr> </table></td> </tr> </table> </div> </body> </html>

URLs

http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>

http-equiv='Content-Type

Extracted

Path

C:\Users\Admin\Desktop\backup_tvrqve\_DECRYPT_INFO_tvrqve.html

Ransom Note

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>  <html xmlns='http://www.w3.org/1999/xhtml'> <head> <meta http-equiv='Content-Type' content='text/html; charset=UTF-8' /> <title>tvrqve decrypt</title> <style type='text/css'>  </style> <script type='text/javascript'> function init() { var xtime; document.getElementById('fe_text').innerHTML = '00:00:00'; var language = window.navigator.userLanguage || window.navigator.language; if (language.indexOf('-') !== -1) language = language.split('-')[0]; if (language.indexOf('_') !== -1) language = language.split('_')[0]; change_lang(language); var ua = window.navigator.userAgent; var msie = ua.indexOf('MSIE '); xtime = Math.floor( (1713104896+(12*60*60)) - (Date.now()/1000)); if (msie == 0) window.setTimeout('update_timestamp('+xtime+')',1000); else update_timestamp(xtime); } function component(x, y, z) { var res if (z == 1) res = Math.floor(x / y); else res = Math.floor(x / y) % z; if (res < 10) res = '0'+res; return res; } function update_timestamp(tstamp) { if (tstamp < 1) { document.getElementById('fe_text').innerHTML = '00:00:00'; } else { var hours = component(tstamp, 60*60, 1), minutes = component(tstamp, 60, 60), seconds = component(tstamp, 1, 60); document.getElementById('fe_text').innerHTML = hours+':'+minutes+':'+seconds; tstamp-=1; window.setTimeout('update_timestamp('+tstamp+')',1000); } } function change_lang(lang) { if (lang == "de") show_de(); else if (lang == "es") show_es(); else if (lang == "fr") show_fr(); else if (lang == "it") show_it(); else if (lang == "nl") show_nl(); else show_en(); } function show_en() { document.getElementById('text_01').innerHTML = 'WARNING!'; document.getElementById('text_02').innerHTML = 'Your personal files are encrypted.'; document.getElementById('text_03').innerHTML = 'Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.'; document.getElementById('text_09').innerHTML = 'Download TOR Browser from'; document.getElementById('text_10').innerHTML = 'In the Tor Browser open the'; document.getElementById('text_11').innerHTML = '(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).'; document.getElementById('text_12').innerHTML = 'Write in the following public key in the input from on server:'; } function show_de() { document.getElementById('text_01').innerHTML = 'WARNUNG!'; document.getElementById('text_02').innerHTML = 'Ihre persönlichen Dateien sind verschlüsselt!'; document.getElementById('text_03').innerHTML = 'Ihre Dokumente, Fotos, Datenbanken und andere wichtige Dateien wurden mit der stärkste Verschlüsselung und einem einzigartigen Schlüssel verschlüsselt, der für diesen Computer generiert wurde. Der Dechiffrierschlüssel ist auf einem geheimen Internet-Server gespeichert und niemand kann Ihre Dateien entschlüsseln, bis Sie bezahlen und den privaten Schlüssel erhalten. Der Server wird den Schlüssel nach einer bestimmten Zeit löschen, die in diesem Fenster angezeigt wird.'; document.getElementById('text_09').innerHTML = 'Laden Sie TOR-Browser von'; document.getElementById('text_10').innerHTML = 'Im Tor-Browser öffnen Sie'; document.getElementById('text_11').innerHTML = '(Beachten Sie, dass dieser Server nur über den Tor-Browser verfügbar ist. Wiederholen Sie den Vorgang nach 1 Stunde, wenn die Website nicht erreichbar ist).'; document.getElementById('text_12').innerHTML = 'Schreiben Sie den folgenden öffentlichen Schlüssel in die Eingabemaske auf dem Server:'; } function show_es() { document.getElementById('text_01').innerHTML = '¡PELIGRO!'; document.getElementById('text_02').innerHTML = '¡Tus archivos personales han sido encriptados!'; document.getElementById('text_03').innerHTML = 'Tus documentos, fotos, bases de datos y otros archivos importantes han sido encriptados con una encriptación extremadamente fuerte y una clave única, generada para este computador. La clave de desencriptación privada está almacenada en un servidor de internet secreto. El servidor eliminará la clave luego del tiempo especificado en esta ventana.'; document.getElementById('text_09').innerHTML = 'Descarga el navegador TOR desde'; document.getElementById('text_10').innerHTML = 'En el navegador TOR abre'; document.getElementById('text_11').innerHTML = '(Nota que este servidor solo es accesible desde el navegador TOR. Intenta nuevamente en 1 hora si no puedes acceder).'; document.getElementById('text_12').innerHTML = 'Escribe la siguiente clave publica en la forma de ingreso del servidor:'; } function show_fr() { document.getElementById('text_01').innerHTML = 'ATTENTION!'; document.getElementById('text_02').innerHTML = 'Vos fichiers personnels ont été cryptés !'; document.getElementById('text_03').innerHTML = 'Vos documents, photos, bases de données, et autres fichiers importants ont été cryptées avec le meilleur processus de cryptage et une clé unique générée pour cet ordinateur. La clé privée de cryptage est accessible sur un serveur Internet secret et personne ne peut décrypter vos fichiers à moins que vous ne payiez et obtenez cette clé. Le serveur éliminera la clé après le compte à rebours affiché sur cette fenêtre.'; document.getElementById('text_09').innerHTML = 'Télécharger le navigateur TOR de'; document.getElementById('text_10').innerHTML = 'Dans le navigateur, ouvrez '; document.getElementById('text_11').innerHTML = '(Veuillez noter que ce serveur est disponible via le navigateur Tor uniquement. Réessayez dans 1 heure si le site n’est pas accessible).'; document.getElementById('text_12').innerHTML = 'Ecrivez les clés publiques suivantes sur le portail d’entrée du serveur :'; } function show_it() { document.getElementById('text_01').innerHTML = 'ATTENZIONE!'; document.getElementById('text_02').innerHTML = 'I tuoi file personali sono criptati!'; document.getElementById('text_03').innerHTML = 'I tuoi documenti, le tue foto, database e altri file importanti sono stati criptati con forte codificazione ed una chiave unica, generata appositamente per questo computer. La chiave segreta di decriptazione è conservata su un server Internet segreto e nessuno può decriptare i tuoi file finché non paghi per ottenere la chiave. Il server eliminerà la chiave dopo il tempo indicato in questa finestra.'; document.getElementById('text_09').innerHTML = 'Scarica il Browser TOR da'; document.getElementById('text_10').innerHTML = 'Nel Browser TOR apri il link'; document.getElementById('text_11').innerHTML = '(Nota che questo server è disponibile solo tramite il Browser TOR. Riprova tra un’ora se il sito non è raggiungibile).'; document.getElementById('text_12').innerHTML = 'Scrivi la seguente chiave pubblica nel modulo di input sul server:'; } function show_nl() { document.getElementById('text_01').innerHTML = 'WAARSCHUWING!'; document.getElementById('text_02').innerHTML = 'Uw persoonlijke bestanden zijn gecodeerd!'; document.getElementById('text_03').innerHTML = 'Uw documenten, foto’s, databases en andere belangrijke bestanden zijn gecodeerd met de sterkste encryptie en een unieke sleutel, gegenereerd voor deze computer. De persoonlijke decoderingssleutel is te vinden op een geheime Internet server en niemand kan uw bestanden decoderen totdat u betaalt en de persoonlijke sleutel heeft. De server zal de sleutel elimineren na de tijdsperiode genoemd in dit venster.'; document.getElementById('text_09').innerHTML = 'Download de TOR Browser van'; document.getElementById('text_10').innerHTML = 'In de Tor Browser, open'; document.getElementById('text_11').innerHTML = '(Let op dat deze server alleen via de Tor Browser te bereiken is. Probeer het na een uur weer als de site niet werkt).'; document.getElementById('text_12').innerHTML = 'Schrijf in de volgende openbare sleutel in het invoerformulier op de server:'; } //var language = window.navigator.userLanguage || window.navigator.language; //alert(language); </script> </head> <body onload='init();'> <div align='center'> <table width='700' height='100%' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'> <tr> <td width='225' align='left'><img src='file:///C:/Users/Admin/AppData/Local/Temp/tvrqve.gif' width='225' height='221' /></td> <td width='415' valign='top'><div align='center' class='style1' id='text_01'>WARNING!</div><br /> <div align='center' id='text_02'>Your personal files are encrypted.<br /> <br /> <br /> </div> <div align='center' class='style3' id='fe_text'></div></p> <div class="styled-select" align='center'> <select id ="ddl" name="ddl" onmousedown="this.value='';" onchange="change_lang(this.value);"> <option selected disabled value="" style="display:none;">Select language</option> <option value='en'>   ENGLISH</option> <option value='de'>   GERMAN</option> <option value='es'>   SPANISH</option> <option value='fr'>   FRENCH</option> <option value='it'>   ITALIAN</option> <option value='nl'>   DUTCH</option> </select> </div> </td> </tr> <tr> <td colspan='2' align='center'><table width='97%' border='0' cellpadding='0' cellspacing='0'> <tr> <td colspan='2' align='left'> <br /> <div id='text_03'>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.</div><br /> <br /> </td> </tr> <tr> <td colspan='2' align='left'> 1) <span id='text_09'>Download TOR Browser from</span> <a href='http://torproject.org' class='style4'>http://torproject.org</a><br /> 2) <span id='text_10'>In the Tor Browser open the</span> <span class='style6'>http://maktubmpcxqmo6gi.onion</span><br /><br /> <span id='text_11'>(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).</span><br /> <br /> <span class='style5' id='text_12'>Write in the following public key in the input from on server:</span><br /><br /> <div align='center'><textarea class='style7'> HXUHG-6KMHW-D842Y-D4Z75-63RW7-T2244-EYP5X-BB8DV-6A5A0-8DNMP-TEQ7D-6AJRT-CBHZ0-CQS1D W3CQ6-8NYW2-76FR4-DKFCV-F3E55-QYZKT-1SGFG-PP00S-FWAGB-UQFVB-ZU8H1-N052W-1MD26-FAPE3 AMS7Q-RPGJX-51TZP-CBCNG-6QCMG-SUQZQ-K7GNW-DAEVY-XXKPJ-VR8B2-8BGDF-8PQ55-NMQ7D-8PZGW VJKPV-HWRF5-XTBHF-3D85W-7WAEB-2VXE8-CJF4Z-UJWZA-47GC6-1K5PY-2GYUA-BT8Y0-VY4X0-7P6N4 6M0VE-NRYEW-05N8N-KZHH1-XVUJM-PYUQF-FJS2G-E2WC2-JJQ6S-71J71-1NDFT-76EAT-ZK8AP-TAVTY UE5S4-FPZA2-BZRRP-A0BYT-K2YCT-PHPRW-S43RF-ZBCG1-7851G-8DG5E-0SSE7-786D1 </textarea> <br /> </div> <br /> <br /> <br /> </div> </td> </tr> </table></td> </tr> </table> </div> </body> </html>

URLs

http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>

http-equiv='Content-Type

Signatures

Maktub Locker
Advanced ransomware family capable of offline decryption, generally distributed via .scr email attachments.
ransomware maktub
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (210) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/memory/4472-215-0x0000000003990000-0x0000000003998000-memory.dmp	acprotect
behavioral2/memory/4472-219-0x0000000003990000-0x0000000003998000-memory.dmp	acprotect
behavioral2/memory/4472-220-0x0000000003990000-0x0000000003998000-memory.dmp	acprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2304	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4728	WINWORD.EXE
4728	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4472	d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe
4472	d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	4568	vssvc.exe
Token: SeRestorePrivilege	4568	vssvc.exe
Token: SeAuditPrivilege	4568	vssvc.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4728	WINWORD.EXE
4728	WINWORD.EXE
4728	WINWORD.EXE
4728	WINWORD.EXE
4728	WINWORD.EXE
4728	WINWORD.EXE
4728	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 4728	4472	d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe	72
PID 4472 wrote to memory of 4728	4472	d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe	72
PID 4472 wrote to memory of 2304	4472	d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe	75
PID 4472 wrote to memory of 2304	4472	d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe	75

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe
"C:\Users\Admin\AppData\Local\Temp\d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.rtf" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4728
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2304

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\_DECRYPT_INFO_tvrqve.html

Filesize
12KB

MD5
73e25aa253adca6f7dac8dcc77e7fbf9

SHA1
4d4bc2de96a42c09d9139c5bd58c1b23a0d8ff38

SHA256
8e9c2807a952d91fe030700a7cd92ee25e5d50a5721d1e6c175b5b16db97cd93

SHA512
55510db0d4a8ec84dc26786801ba64ef4e64039562aa1620cd13c168c62fc7b5f37c03e82cbe4129728861cdfab8400862b2e2334a89c3eadaec6d08654854fc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{453ef255-e920-4f38-be1d-8e1a4370a94e}\0.1.filtertrie.intermediate.txt.tvrqve

Filesize
48B

MD5
c6bce2ec0beeb65015171af31252ddfa

SHA1
21fc3c30a4072f3e00e9a1cfbf7a51e6b1cd446e

SHA256
7545778f87797fe1b1e611852719b80869089ab7b3e7fb8f504c18f1773a585a

SHA512
862eb20f925c60867127d5f3a9f0157c994a9e8ef9751e68c7cd0e13051e5ac055d41e6ea3b075b7e818f82dde2d81859cbcc2f37e317b0c7d11160b5b98628d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{453ef255-e920-4f38-be1d-8e1a4370a94e}\0.2.filtertrie.intermediate.txt.tvrqve

Filesize
48B

MD5
241d7f364f5efc781c04772521971bd7

SHA1
278f0e4fdd42cb5aa753f5c4d9df738de5381e5b

SHA256
0481428696490e7af1c8612baa378029d70d5250cb460413dae260b8b636b1b4

SHA512
8328bc727eb46aca62970afd2f51f70fc46082eb4a4b09412bfb71c74d77e0cae97b8c0616653cee7ecddb23dfaf8b576ada51005e11a393bc49d25f57532732

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{453ef255-e920-4f38-be1d-8e1a4370a94e}\_DECRYPT_INFO_tvrqve.html

Filesize
12KB

MD5
f2e4fd7be64b3fc85aea19360021aa98

SHA1
554773e70b518271245c342b5f0b48ec654e5ed7

SHA256
c3744418cd97677f3f090f759091250eb1716d238a1cfc6718433f06b24dbda4

SHA512
cc38ee5235525f6e965ceea1790179e2b34b03cc078febfc1031881a7cdbba0e29300816399ff55c9c304cbe55118dee1dcd53cbbc6e399ac99065d38c4a9c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDE981.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d351ac17dc0d9476ef029484a165f99e258f546bba2d619b1c6485cb8875ac7a.rtf

Filesize
4KB

MD5
2d5020c82de674b48cfd17cc20fcbba2

SHA1
4e317eaeebd839ee5f6eb3925a9fbee819c5349c

SHA256
120becd55248f4a2ccbbc99ba9d3c2932223264a95cd72e9ae7568be61277e9a

SHA512
ffbbdda009237d6825f6cd6f751a41f4f9d716186901ffdbeed56c2d1410245771decd07f591cf56cafdd4bbebd4e4c74f009ff15736d5321635e34ff17d0d8d

Download Submit
C:\Users\Admin\Desktop\backup_tvrqve\_DECRYPT_INFO_tvrqve.html

Filesize
12KB

MD5
560f6c48103e49277f58310f277bcacd

SHA1
6a7fbbfe5d720f55b76a7f763201275872373a72

SHA256
587ed6bd4ec3e662e50bca5705758b21a2d04f01e4b588aacd6a6f1902de9b3b

SHA512
7f8121c76d911c937bc9ba8a7c814bfe2b0820e7a2b5d0dd1f4962d0fc6a7cca3ed6d8abd288b4b12d483fe559408806f8d3c262afbb314497b7efde29cc9bda

Download Submit
C:\Users\Admin\Favorites\_DECRYPT_INFO_tvrqve.html

Filesize
12KB

MD5
c1e008de08dd8844259dd2d61bd8f4e7

SHA1
7c3a3cb79e66d28ed9b12279fc58e94653852965

SHA256
b0fb19f2c0be8c502121612cd31a06e8147425d8e803d2b9eebaa1ef2dcc2c9f

SHA512
f2c54202f359b5603cd64f0f491974431156abf136ebca106c24ff880bbec05234d38a0bbef448fd95e37794a0f9f5d668aec6e889f9af8e17aca5ce2f930c7d

Download Submit
memory/4472-232-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4472-214-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/4472-12-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4472-1-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/4472-2-0x00000000029E0000-0x0000000002A38000-memory.dmp

Filesize
352KB

Download
memory/4472-3-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/4472-4-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/4472-5-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/4472-6-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/4472-7-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/4472-8-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4472-0-0x00000000029E0000-0x0000000002A38000-memory.dmp

Filesize
352KB

Download
memory/4472-228-0x00000000039A0000-0x00000000039C8000-memory.dmp

Filesize
160KB

Download
memory/4472-224-0x00000000039A0000-0x00000000039C8000-memory.dmp

Filesize
160KB

Download
memory/4472-225-0x00000000039A0000-0x00000000039C8000-memory.dmp

Filesize
160KB

Download
memory/4472-11-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4472-221-0x00000000039A0000-0x00000000039C8000-memory.dmp

Filesize
160KB

Download
memory/4472-220-0x0000000003990000-0x0000000003998000-memory.dmp

Filesize
32KB

Download
memory/4472-36-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/4472-219-0x0000000003990000-0x0000000003998000-memory.dmp

Filesize
32KB

Download
memory/4472-216-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/4472-215-0x0000000003990000-0x0000000003998000-memory.dmp

Filesize
32KB

Download
memory/4472-10-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/4472-203-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4472-210-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/4472-213-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/4728-33-0x00007FFC919C0000-0x00007FFC91B9B000-memory.dmp

Filesize
1.9MB

Download
memory/4728-786-0x00007FFC51A50000-0x00007FFC51A60000-memory.dmp

Filesize
64KB

Download
memory/4728-37-0x00007FFC919C0000-0x00007FFC91B9B000-memory.dmp

Filesize
1.9MB

Download
memory/4728-34-0x00007FFC4E400000-0x00007FFC4E410000-memory.dmp

Filesize
64KB

Download
memory/4728-35-0x00007FFC8F2A0000-0x00007FFC8F34E000-memory.dmp

Filesize
696KB

Download
memory/4728-32-0x00007FFC919C0000-0x00007FFC91B9B000-memory.dmp

Filesize
1.9MB

Download
memory/4728-31-0x00007FFC919C0000-0x00007FFC91B9B000-memory.dmp

Filesize
1.9MB

Download
memory/4728-29-0x00007FFC919C0000-0x00007FFC91B9B000-memory.dmp

Filesize
1.9MB

Download
memory/4728-227-0x00007FFC919C0000-0x00007FFC91B9B000-memory.dmp

Filesize
1.9MB

Download
memory/4728-27-0x00007FFC919C0000-0x00007FFC91B9B000-memory.dmp

Filesize
1.9MB

Download
memory/4728-229-0x00007FFC919C0000-0x00007FFC91B9B000-memory.dmp

Filesize
1.9MB

Download
memory/4728-230-0x00007FFC8F2A0000-0x00007FFC8F34E000-memory.dmp

Filesize
696KB

Download
memory/4728-231-0x00007FFC919C0000-0x00007FFC91B9B000-memory.dmp

Filesize
1.9MB

Download
memory/4728-26-0x00007FFC919C0000-0x00007FFC91B9B000-memory.dmp

Filesize
1.9MB

Download
memory/4728-23-0x00007FFC51A50000-0x00007FFC51A60000-memory.dmp

Filesize
64KB

Download
memory/4728-38-0x00007FFC4E400000-0x00007FFC4E410000-memory.dmp

Filesize
64KB

Download
memory/4728-790-0x00007FFC8F2A0000-0x00007FFC8F34E000-memory.dmp

Filesize
696KB

Download
memory/4728-789-0x00007FFC51A50000-0x00007FFC51A60000-memory.dmp

Filesize
64KB

Download
memory/4728-787-0x00007FFC51A50000-0x00007FFC51A60000-memory.dmp

Filesize
64KB

Download
memory/4728-792-0x00007FFC51A50000-0x00007FFC51A60000-memory.dmp

Filesize
64KB

Download
memory/4728-791-0x00007FFC919C0000-0x00007FFC91B9B000-memory.dmp

Filesize
1.9MB

Download
memory/4728-793-0x00007FFC919C0000-0x00007FFC91B9B000-memory.dmp

Filesize
1.9MB

Download
memory/4728-794-0x00007FFC919C0000-0x00007FFC91B9B000-memory.dmp

Filesize
1.9MB

Download
memory/4728-795-0x00007FFC919C0000-0x00007FFC91B9B000-memory.dmp

Filesize
1.9MB

Download
memory/4728-796-0x00007FFC8F2A0000-0x00007FFC8F34E000-memory.dmp

Filesize
696KB

Download
memory/4728-25-0x00007FFC8F2A0000-0x00007FFC8F34E000-memory.dmp

Filesize
696KB

Download
memory/4728-24-0x00007FFC919C0000-0x00007FFC91B9B000-memory.dmp

Filesize
1.9MB

Download
memory/4728-22-0x00007FFC51A50000-0x00007FFC51A60000-memory.dmp

Filesize
64KB

Download
memory/4728-18-0x00007FFC51A50000-0x00007FFC51A60000-memory.dmp

Filesize
64KB

Download
memory/4728-19-0x00007FFC51A50000-0x00007FFC51A60000-memory.dmp

Filesize
64KB

Download
memory/4728-21-0x00007FFC919C0000-0x00007FFC91B9B000-memory.dmp

Filesize
1.9MB

Download
memory/4728-20-0x00007FFC919C0000-0x00007FFC91B9B000-memory.dmp

Filesize
1.9MB

Download