maktub | 0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94

Resubmissions

18-04-2024 11:18

240418-ned1xsbd66 10

18-04-2024 11:18

18-04-2024 11:18

18-04-2024 11:18

18-04-2024 11:18

18-04-2024 09:59

Analysis

max time kernel
1795s
max time network
1802s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe
Size

371KB
MD5

eafe645b56c3f5cb746fb5f8504f6035
SHA1

f539987de9fe59bff20483ac7a124afafc27036b
SHA256

0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94
SHA512

61af2cfa960a72b66d54d0ee121acb5c54d455b05eb85fb2d7df2958d3134d348c87a5aef2aa46319532407f7ebf01eaedfb8dd889bb0f67ce5edc067445e806
SSDEEP

6144:hnzQnu/cmM1oSigOQT2F8U92Iu7DMVQZhWLv3RXdYX9ji+uhi2PsrhY:dzQnkM1oSiBGI8bxn5W6i+uo20tY

Score

10^/10

maktub ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ceb59717-d40a-45f9-a495-84bc8499f736}\_DECRYPT_INFO_izuvc.html

Ransom Note

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>  <html xmlns='http://www.w3.org/1999/xhtml'> <head> <meta http-equiv='Content-Type' content='text/html; charset=UTF-8' /> <title>izuvc decrypt</title> <style type='text/css'>  </style> <script type='text/javascript'> function init() { var xtime; document.getElementById('fe_text').innerHTML = '00:00:00'; var language = window.navigator.userLanguage || window.navigator.language; if (language.indexOf('-') !== -1) language = language.split('-')[0]; if (language.indexOf('_') !== -1) language = language.split('_')[0]; change_lang(language); var ua = window.navigator.userAgent; var msie = ua.indexOf('MSIE '); xtime = Math.floor( (1713440908+(12*60*60)) - (Date.now()/1000)); if (msie == 0) window.setTimeout('update_timestamp('+xtime+')',1000); else update_timestamp(xtime); } function component(x, y, z) { var res if (z == 1) res = Math.floor(x / y); else res = Math.floor(x / y) % z; if (res < 10) res = '0'+res; return res; } function update_timestamp(tstamp) { if (tstamp < 1) { document.getElementById('fe_text').innerHTML = '00:00:00'; } else { var hours = component(tstamp, 60*60, 1), minutes = component(tstamp, 60, 60), seconds = component(tstamp, 1, 60); document.getElementById('fe_text').innerHTML = hours+':'+minutes+':'+seconds; tstamp-=1; window.setTimeout('update_timestamp('+tstamp+')',1000); } } function change_lang(lang) { if (lang == "de") show_de(); else if (lang == "es") show_es(); else if (lang == "fr") show_fr(); else if (lang == "it") show_it(); else if (lang == "nl") show_nl(); else show_en(); } function show_en() { document.getElementById('text_01').innerHTML = 'WARNING!'; document.getElementById('text_02').innerHTML = 'Your personal files are encrypted.'; document.getElementById('text_03').innerHTML = 'Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.'; document.getElementById('text_09').innerHTML = 'Download TOR Browser from'; document.getElementById('text_10').innerHTML = 'In the Tor Browser open the'; document.getElementById('text_11').innerHTML = '(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).'; document.getElementById('text_12').innerHTML = 'Write in the following public key in the input from on server:'; } function show_de() { document.getElementById('text_01').innerHTML = 'WARNUNG!'; document.getElementById('text_02').innerHTML = 'Ihre persönlichen Dateien sind verschlüsselt!'; document.getElementById('text_03').innerHTML = 'Ihre Dokumente, Fotos, Datenbanken und andere wichtige Dateien wurden mit der stärkste Verschlüsselung und einem einzigartigen Schlüssel verschlüsselt, der für diesen Computer generiert wurde. Der Dechiffrierschlüssel ist auf einem geheimen Internet-Server gespeichert und niemand kann Ihre Dateien entschlüsseln, bis Sie bezahlen und den privaten Schlüssel erhalten. Der Server wird den Schlüssel nach einer bestimmten Zeit löschen, die in diesem Fenster angezeigt wird.'; document.getElementById('text_09').innerHTML = 'Laden Sie TOR-Browser von'; document.getElementById('text_10').innerHTML = 'Im Tor-Browser öffnen Sie'; document.getElementById('text_11').innerHTML = '(Beachten Sie, dass dieser Server nur über den Tor-Browser verfügbar ist. Wiederholen Sie den Vorgang nach 1 Stunde, wenn die Website nicht erreichbar ist).'; document.getElementById('text_12').innerHTML = 'Schreiben Sie den folgenden öffentlichen Schlüssel in die Eingabemaske auf dem Server:'; } function show_es() { document.getElementById('text_01').innerHTML = '¡PELIGRO!'; document.getElementById('text_02').innerHTML = '¡Tus archivos personales han sido encriptados!'; document.getElementById('text_03').innerHTML = 'Tus documentos, fotos, bases de datos y otros archivos importantes han sido encriptados con una encriptación extremadamente fuerte y una clave única, generada para este computador. La clave de desencriptación privada está almacenada en un servidor de internet secreto. El servidor eliminará la clave luego del tiempo especificado en esta ventana.'; document.getElementById('text_09').innerHTML = 'Descarga el navegador TOR desde'; document.getElementById('text_10').innerHTML = 'En el navegador TOR abre'; document.getElementById('text_11').innerHTML = '(Nota que este servidor solo es accesible desde el navegador TOR. Intenta nuevamente en 1 hora si no puedes acceder).'; document.getElementById('text_12').innerHTML = 'Escribe la siguiente clave publica en la forma de ingreso del servidor:'; } function show_fr() { document.getElementById('text_01').innerHTML = 'ATTENTION!'; document.getElementById('text_02').innerHTML = 'Vos fichiers personnels ont été cryptés !'; document.getElementById('text_03').innerHTML = 'Vos documents, photos, bases de données, et autres fichiers importants ont été cryptées avec le meilleur processus de cryptage et une clé unique générée pour cet ordinateur. La clé privée de cryptage est accessible sur un serveur Internet secret et personne ne peut décrypter vos fichiers à moins que vous ne payiez et obtenez cette clé. Le serveur éliminera la clé après le compte à rebours affiché sur cette fenêtre.'; document.getElementById('text_09').innerHTML = 'Télécharger le navigateur TOR de'; document.getElementById('text_10').innerHTML = 'Dans le navigateur, ouvrez '; document.getElementById('text_11').innerHTML = '(Veuillez noter que ce serveur est disponible via le navigateur Tor uniquement. Réessayez dans 1 heure si le site n’est pas accessible).'; document.getElementById('text_12').innerHTML = 'Ecrivez les clés publiques suivantes sur le portail d’entrée du serveur :'; } function show_it() { document.getElementById('text_01').innerHTML = 'ATTENZIONE!'; document.getElementById('text_02').innerHTML = 'I tuoi file personali sono criptati!'; document.getElementById('text_03').innerHTML = 'I tuoi documenti, le tue foto, database e altri file importanti sono stati criptati con forte codificazione ed una chiave unica, generata appositamente per questo computer. La chiave segreta di decriptazione è conservata su un server Internet segreto e nessuno può decriptare i tuoi file finché non paghi per ottenere la chiave. Il server eliminerà la chiave dopo il tempo indicato in questa finestra.'; document.getElementById('text_09').innerHTML = 'Scarica il Browser TOR da'; document.getElementById('text_10').innerHTML = 'Nel Browser TOR apri il link'; document.getElementById('text_11').innerHTML = '(Nota che questo server è disponibile solo tramite il Browser TOR. Riprova tra un’ora se il sito non è raggiungibile).'; document.getElementById('text_12').innerHTML = 'Scrivi la seguente chiave pubblica nel modulo di input sul server:'; } function show_nl() { document.getElementById('text_01').innerHTML = 'WAARSCHUWING!'; document.getElementById('text_02').innerHTML = 'Uw persoonlijke bestanden zijn gecodeerd!'; document.getElementById('text_03').innerHTML = 'Uw documenten, foto’s, databases en andere belangrijke bestanden zijn gecodeerd met de sterkste encryptie en een unieke sleutel, gegenereerd voor deze computer. De persoonlijke decoderingssleutel is te vinden op een geheime Internet server en niemand kan uw bestanden decoderen totdat u betaalt en de persoonlijke sleutel heeft. De server zal de sleutel elimineren na de tijdsperiode genoemd in dit venster.'; document.getElementById('text_09').innerHTML = 'Download de TOR Browser van'; document.getElementById('text_10').innerHTML = 'In de Tor Browser, open'; document.getElementById('text_11').innerHTML = '(Let op dat deze server alleen via de Tor Browser te bereiken is. Probeer het na een uur weer als de site niet werkt).'; document.getElementById('text_12').innerHTML = 'Schrijf in de volgende openbare sleutel in het invoerformulier op de server:'; } //var language = window.navigator.userLanguage || window.navigator.language; //alert(language); </script> </head> <body onload='init();'> <div align='center'> <table width='700' height='100%' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'> <tr> <td width='225' align='left'><img src='file:///C:/Users/Admin/AppData/Local/Temp/izuvc.gif' width='225' height='221' /></td> <td width='415' valign='top'><div align='center' class='style1' id='text_01'>WARNING!</div><br /> <div align='center' id='text_02'>Your personal files are encrypted.<br /> <br /> <br /> </div> <div align='center' class='style3' id='fe_text'></div></p> <div class="styled-select" align='center'> <select id ="ddl" name="ddl" onmousedown="this.value='';" onchange="change_lang(this.value);"> <option selected disabled value="" style="display:none;">Select language</option> <option value='en'>   ENGLISH</option> <option value='de'>   GERMAN</option> <option value='es'>   SPANISH</option> <option value='fr'>   FRENCH</option> <option value='it'>   ITALIAN</option> <option value='nl'>   DUTCH</option> </select> </div> </td> </tr> <tr> <td colspan='2' align='center'><table width='97%' border='0' cellpadding='0' cellspacing='0'> <tr> <td colspan='2' align='left'> <br /> <div id='text_03'>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.</div><br /> <br /> </td> </tr> <tr> <td colspan='2' align='left'> 1) <span id='text_09'>Download TOR Browser from</span> <a href='http://torproject.org' class='style4'>http://torproject.org</a><br /> 2) <span id='text_10'>In the Tor Browser open the</span> <span class='style6'>http://maktubmpcxqmo6gi.onion</span><br /><br /> <span id='text_11'>(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).</span><br /> <br /> <span class='style5' id='text_12'>Write in the following public key in the input from on server:</span><br /><br /> <div align='center'><textarea class='style7'> 75MTJ-T87EA-13XS7-M7FEW-YJ1AS-2ZGN5-DC3VV-18E6A-7W5QK-YXWQP-S1EEQ-BC25S-XQKWV-2VXDT GMWV0-SGUZX-0ZRT7-UJEQY-VZG0E-8W3P4-H5BTJ-G2YAG-N7ENU-2KDRF-7FJ3K-X6XPU-2R0WF-V7GTW URZRD-CKY0E-TYBJJ-Y5JDY-W6RM1-RVC5B-88TN1-WPPCZ-QFJBJ-2Q24Z-H3387-YFJAC-T6N41-AHNWU 8J0CW-3ASEQ-CEN36-KEX13-JWPAT-0KK88-WV4T1-RJEFJ-WCCUU-5FFMS-PCGXK-4SUMG-YRU58-BYABN CEF8T-S7BPN-Z5PG2-FJ862-NQCVY-J4XEB-A1HNZ-WZJAQ-5ER6M-BC463-JM4EY-PWRAJ-W0PPA-0DVPM 5Y6AZ-YJ4WT-XU5WN-MKUET-F1A5R-GDKPJ-UPG47-84HDR-BBTFX-HUX6Q-53TYR-1Z1XB </textarea> <br /> </div> <br /> <br /> <br /> </div> </td> </tr> </table></td> </tr> </table> </div> </body> </html>

URLs

http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>

http-equiv='Content-Type

Extracted

Path

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\_DECRYPT_INFO_izuvc.html

Ransom Note

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>  <html xmlns='http://www.w3.org/1999/xhtml'> <head> <meta http-equiv='Content-Type' content='text/html; charset=UTF-8' /> <title>izuvc decrypt</title> <style type='text/css'>  </style> <script type='text/javascript'> function init() { var xtime; document.getElementById('fe_text').innerHTML = '00:00:00'; var language = window.navigator.userLanguage || window.navigator.language; if (language.indexOf('-') !== -1) language = language.split('-')[0]; if (language.indexOf('_') !== -1) language = language.split('_')[0]; change_lang(language); var ua = window.navigator.userAgent; var msie = ua.indexOf('MSIE '); xtime = Math.floor( (1713440910+(12*60*60)) - (Date.now()/1000)); if (msie == 0) window.setTimeout('update_timestamp('+xtime+')',1000); else update_timestamp(xtime); } function component(x, y, z) { var res if (z == 1) res = Math.floor(x / y); else res = Math.floor(x / y) % z; if (res < 10) res = '0'+res; return res; } function update_timestamp(tstamp) { if (tstamp < 1) { document.getElementById('fe_text').innerHTML = '00:00:00'; } else { var hours = component(tstamp, 60*60, 1), minutes = component(tstamp, 60, 60), seconds = component(tstamp, 1, 60); document.getElementById('fe_text').innerHTML = hours+':'+minutes+':'+seconds; tstamp-=1; window.setTimeout('update_timestamp('+tstamp+')',1000); } } function change_lang(lang) { if (lang == "de") show_de(); else if (lang == "es") show_es(); else if (lang == "fr") show_fr(); else if (lang == "it") show_it(); else if (lang == "nl") show_nl(); else show_en(); } function show_en() { document.getElementById('text_01').innerHTML = 'WARNING!'; document.getElementById('text_02').innerHTML = 'Your personal files are encrypted.'; document.getElementById('text_03').innerHTML = 'Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.'; document.getElementById('text_09').innerHTML = 'Download TOR Browser from'; document.getElementById('text_10').innerHTML = 'In the Tor Browser open the'; document.getElementById('text_11').innerHTML = '(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).'; document.getElementById('text_12').innerHTML = 'Write in the following public key in the input from on server:'; } function show_de() { document.getElementById('text_01').innerHTML = 'WARNUNG!'; document.getElementById('text_02').innerHTML = 'Ihre persönlichen Dateien sind verschlüsselt!'; document.getElementById('text_03').innerHTML = 'Ihre Dokumente, Fotos, Datenbanken und andere wichtige Dateien wurden mit der stärkste Verschlüsselung und einem einzigartigen Schlüssel verschlüsselt, der für diesen Computer generiert wurde. Der Dechiffrierschlüssel ist auf einem geheimen Internet-Server gespeichert und niemand kann Ihre Dateien entschlüsseln, bis Sie bezahlen und den privaten Schlüssel erhalten. Der Server wird den Schlüssel nach einer bestimmten Zeit löschen, die in diesem Fenster angezeigt wird.'; document.getElementById('text_09').innerHTML = 'Laden Sie TOR-Browser von'; document.getElementById('text_10').innerHTML = 'Im Tor-Browser öffnen Sie'; document.getElementById('text_11').innerHTML = '(Beachten Sie, dass dieser Server nur über den Tor-Browser verfügbar ist. Wiederholen Sie den Vorgang nach 1 Stunde, wenn die Website nicht erreichbar ist).'; document.getElementById('text_12').innerHTML = 'Schreiben Sie den folgenden öffentlichen Schlüssel in die Eingabemaske auf dem Server:'; } function show_es() { document.getElementById('text_01').innerHTML = '¡PELIGRO!'; document.getElementById('text_02').innerHTML = '¡Tus archivos personales han sido encriptados!'; document.getElementById('text_03').innerHTML = 'Tus documentos, fotos, bases de datos y otros archivos importantes han sido encriptados con una encriptación extremadamente fuerte y una clave única, generada para este computador. La clave de desencriptación privada está almacenada en un servidor de internet secreto. El servidor eliminará la clave luego del tiempo especificado en esta ventana.'; document.getElementById('text_09').innerHTML = 'Descarga el navegador TOR desde'; document.getElementById('text_10').innerHTML = 'En el navegador TOR abre'; document.getElementById('text_11').innerHTML = '(Nota que este servidor solo es accesible desde el navegador TOR. Intenta nuevamente en 1 hora si no puedes acceder).'; document.getElementById('text_12').innerHTML = 'Escribe la siguiente clave publica en la forma de ingreso del servidor:'; } function show_fr() { document.getElementById('text_01').innerHTML = 'ATTENTION!'; document.getElementById('text_02').innerHTML = 'Vos fichiers personnels ont été cryptés !'; document.getElementById('text_03').innerHTML = 'Vos documents, photos, bases de données, et autres fichiers importants ont été cryptées avec le meilleur processus de cryptage et une clé unique générée pour cet ordinateur. La clé privée de cryptage est accessible sur un serveur Internet secret et personne ne peut décrypter vos fichiers à moins que vous ne payiez et obtenez cette clé. Le serveur éliminera la clé après le compte à rebours affiché sur cette fenêtre.'; document.getElementById('text_09').innerHTML = 'Télécharger le navigateur TOR de'; document.getElementById('text_10').innerHTML = 'Dans le navigateur, ouvrez '; document.getElementById('text_11').innerHTML = '(Veuillez noter que ce serveur est disponible via le navigateur Tor uniquement. Réessayez dans 1 heure si le site n’est pas accessible).'; document.getElementById('text_12').innerHTML = 'Ecrivez les clés publiques suivantes sur le portail d’entrée du serveur :'; } function show_it() { document.getElementById('text_01').innerHTML = 'ATTENZIONE!'; document.getElementById('text_02').innerHTML = 'I tuoi file personali sono criptati!'; document.getElementById('text_03').innerHTML = 'I tuoi documenti, le tue foto, database e altri file importanti sono stati criptati con forte codificazione ed una chiave unica, generata appositamente per questo computer. La chiave segreta di decriptazione è conservata su un server Internet segreto e nessuno può decriptare i tuoi file finché non paghi per ottenere la chiave. Il server eliminerà la chiave dopo il tempo indicato in questa finestra.'; document.getElementById('text_09').innerHTML = 'Scarica il Browser TOR da'; document.getElementById('text_10').innerHTML = 'Nel Browser TOR apri il link'; document.getElementById('text_11').innerHTML = '(Nota che questo server è disponibile solo tramite il Browser TOR. Riprova tra un’ora se il sito non è raggiungibile).'; document.getElementById('text_12').innerHTML = 'Scrivi la seguente chiave pubblica nel modulo di input sul server:'; } function show_nl() { document.getElementById('text_01').innerHTML = 'WAARSCHUWING!'; document.getElementById('text_02').innerHTML = 'Uw persoonlijke bestanden zijn gecodeerd!'; document.getElementById('text_03').innerHTML = 'Uw documenten, foto’s, databases en andere belangrijke bestanden zijn gecodeerd met de sterkste encryptie en een unieke sleutel, gegenereerd voor deze computer. De persoonlijke decoderingssleutel is te vinden op een geheime Internet server en niemand kan uw bestanden decoderen totdat u betaalt en de persoonlijke sleutel heeft. De server zal de sleutel elimineren na de tijdsperiode genoemd in dit venster.'; document.getElementById('text_09').innerHTML = 'Download de TOR Browser van'; document.getElementById('text_10').innerHTML = 'In de Tor Browser, open'; document.getElementById('text_11').innerHTML = '(Let op dat deze server alleen via de Tor Browser te bereiken is. Probeer het na een uur weer als de site niet werkt).'; document.getElementById('text_12').innerHTML = 'Schrijf in de volgende openbare sleutel in het invoerformulier op de server:'; } //var language = window.navigator.userLanguage || window.navigator.language; //alert(language); </script> </head> <body onload='init();'> <div align='center'> <table width='700' height='100%' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'> <tr> <td width='225' align='left'><img src='file:///C:/Users/Admin/AppData/Local/Temp/izuvc.gif' width='225' height='221' /></td> <td width='415' valign='top'><div align='center' class='style1' id='text_01'>WARNING!</div><br /> <div align='center' id='text_02'>Your personal files are encrypted.<br /> <br /> <br /> </div> <div align='center' class='style3' id='fe_text'></div></p> <div class="styled-select" align='center'> <select id ="ddl" name="ddl" onmousedown="this.value='';" onchange="change_lang(this.value);"> <option selected disabled value="" style="display:none;">Select language</option> <option value='en'>   ENGLISH</option> <option value='de'>   GERMAN</option> <option value='es'>   SPANISH</option> <option value='fr'>   FRENCH</option> <option value='it'>   ITALIAN</option> <option value='nl'>   DUTCH</option> </select> </div> </td> </tr> <tr> <td colspan='2' align='center'><table width='97%' border='0' cellpadding='0' cellspacing='0'> <tr> <td colspan='2' align='left'> <br /> <div id='text_03'>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.</div><br /> <br /> </td> </tr> <tr> <td colspan='2' align='left'> 1) <span id='text_09'>Download TOR Browser from</span> <a href='http://torproject.org' class='style4'>http://torproject.org</a><br /> 2) <span id='text_10'>In the Tor Browser open the</span> <span class='style6'>http://maktubmpcxqmo6gi.onion</span><br /><br /> <span id='text_11'>(Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable).</span><br /> <br /> <span class='style5' id='text_12'>Write in the following public key in the input from on server:</span><br /><br /> <div align='center'><textarea class='style7'> 75MTJ-T87EA-13XS7-M7FEW-YJ1AS-2ZGN5-DC3VV-18E6A-7W5QK-YXWQP-S1EEQ-BC25S-XQKWV-2VXDT GMWV0-SGUZX-0ZRT7-UJEQY-VZG0E-8W3P4-H5BTJ-G2YAG-N7ENU-2KDRF-7FJ3K-X6XPU-2R0WF-V7GTW URZRD-CKY0E-TYBJJ-Y5JDY-W6RM1-RVC5B-88TN1-WPPCZ-QFJBJ-2Q24Z-H3387-YFJAC-T6N41-AHNWU 8J0CW-3ASEQ-CEN36-KEX13-JWPAT-0KK88-WV4T1-RJEFJ-WCCUU-5FFMS-PCGXK-4SUMG-YRU58-BYABN CEF8T-S7BPN-Z5PG2-FJ862-NQCVY-J4XEB-A1HNZ-WZJAQ-5ER6M-BC463-JM4EY-PWRAJ-W0PPA-0DVPM 5Y6AZ-YJ4WT-XU5WN-MKUET-F1A5R-GDKPJ-UPG47-84HDR-BBTFX-HUX6Q-53TYR-1Z1XB </textarea> <br /> </div> <br /> <br /> <br /> </div> </td> </tr> </table></td> </tr> </table> </div> </body> </html>

URLs

http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>

http-equiv='Content-Type

Signatures

Maktub Locker
Advanced ransomware family capable of offline decryption, generally distributed via .scr email attachments.
ransomware maktub
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (245) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral4/memory/4212-53-0x0000000003BA0000-0x0000000003BA8000-memory.dmp	acprotect
behavioral4/memory/4212-57-0x0000000003BA0000-0x0000000003BA8000-memory.dmp	acprotect
behavioral4/memory/4212-56-0x0000000003BA0000-0x0000000003BA8000-memory.dmp	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1988	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000_Classes\Local Settings	0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3104	WINWORD.EXE
3104	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4212	0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe
4212	0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	4320	vssvc.exe
Token: SeRestorePrivilege	4320	vssvc.exe
Token: SeAuditPrivilege	4320	vssvc.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3104	WINWORD.EXE
3104	WINWORD.EXE
3104	WINWORD.EXE
3104	WINWORD.EXE
3104	WINWORD.EXE
3104	WINWORD.EXE
3104	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 3104	4212	0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe	96
PID 4212 wrote to memory of 3104	4212	0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe	96
PID 4212 wrote to memory of 1988	4212	0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe	106
PID 4212 wrote to memory of 1988	4212	0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe	106

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe
"C:\Users\Admin\AppData\Local\Temp\0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.rtf" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3104
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4284,i,8757378233529949334,7852422992079505686,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:8
1⤵
PID:3904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3852,i,8757378233529949334,7852422992079505686,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8
1⤵
PID:1680

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\_DECRYPT_INFO_izuvc.html

Filesize
12KB

MD5
6ed0a40777714310e8078666810f7d57

SHA1
d271e2015799d08a9b7fbe97af173cc2169f6337

SHA256
22f81b773e6bcafb280816a17a7462bac1eb9ca64bb7f40b4664dff53b1f4e76

SHA512
e96b357c07c18238f47c43693f2d82ca2d26db0410073ae9e196f20ee3cb767fec3257a40b77b81e392a4ada2b991e2ad7967a57bf1886a9ddd72b1afaa2631c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ca80285c-0f51-4d2f-b891-6e8b2ac7fbbb}\0.1.filtertrie.intermediate.txt.izuvc

Filesize
48B

MD5
1e63e8a9a1b46d875f3a83a536c01d88

SHA1
aff7a6387c27db726d5033c217d795a3e53f8313

SHA256
eea66386596e6e5c82cd59cb187f2f2bb34d28244cd40eed3c0d0b04ffb486f9

SHA512
172e398d68a6d54d9fbaf7e5257d75151831c1fb72f232d019847072d31590cf676977ce008199a373d100dbab01e8b7dd04df66b4606bb7d73c43e795767c20

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ceb59717-d40a-45f9-a495-84bc8499f736}\_DECRYPT_INFO_izuvc.html

Filesize
12KB

MD5
9003d7c396cefbba05902b2ed110702e

SHA1
8c99e5be7823c18b85e3ace5c365035bb7148f47

SHA256
5a14550d6e77aa4d6c0e291154ac91e2f49ba828273317ce609466b8446c97de

SHA512
7e8637181309b651cb9abaa8187f190d5e14ba46ad2faa3f98fcf6819bbd61a6c55042348205cc779612f97953c13787cb17ad65920b5abb41517697d3503b36

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{067ed5b5-96b6-4dde-b15a-f824587767fc}\0.2.filtertrie.intermediate.txt.izuvc

Filesize
48B

MD5
7ac295007c380dbbd2946b2c1daf3e60

SHA1
0f1a92568e8ebedc300bfdd79d6798aca6d4c17e

SHA256
20ab3819a552352aa814b8f5e0b5c74b62072f19f424857cd8577da497c8ed78

SHA512
8a3cc8929c9f3d28bd4ca795e284523ab66f15f2c89e18cf3e42029316e29430bbd946cb15c68260ecccc419c5dc57effd648dd798155d6e329ae1bf68d721b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0145f04a8356780d52774ce5f7dd0a02f6d5b321694ed805ce3e27bdf04d3c94.rtf

Filesize
4KB

MD5
2d5020c82de674b48cfd17cc20fcbba2

SHA1
4e317eaeebd839ee5f6eb3925a9fbee819c5349c

SHA256
120becd55248f4a2ccbbc99ba9d3c2932223264a95cd72e9ae7568be61277e9a

SHA512
ffbbdda009237d6825f6cd6f751a41f4f9d716186901ffdbeed56c2d1410245771decd07f591cf56cafdd4bbebd4e4c74f009ff15736d5321635e34ff17d0d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDC262.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
memory/3104-15-0x00007FFDF0870000-0x00007FFDF0A65000-memory.dmp

Filesize
2.0MB

Download
memory/3104-25-0x00007FFDF0870000-0x00007FFDF0A65000-memory.dmp

Filesize
2.0MB

Download
memory/3104-58-0x00007FFDF0870000-0x00007FFDF0A65000-memory.dmp

Filesize
2.0MB

Download
memory/3104-16-0x00007FFDB08F0000-0x00007FFDB0900000-memory.dmp

Filesize
64KB

Download
memory/3104-14-0x00007FFDB08F0000-0x00007FFDB0900000-memory.dmp

Filesize
64KB

Download
memory/3104-17-0x00007FFDF0870000-0x00007FFDF0A65000-memory.dmp

Filesize
2.0MB

Download
memory/3104-18-0x00007FFDB08F0000-0x00007FFDB0900000-memory.dmp

Filesize
64KB

Download
memory/3104-19-0x00007FFDF0870000-0x00007FFDF0A65000-memory.dmp

Filesize
2.0MB

Download
memory/3104-20-0x00007FFDF0870000-0x00007FFDF0A65000-memory.dmp

Filesize
2.0MB

Download
memory/3104-21-0x00007FFDF0870000-0x00007FFDF0A65000-memory.dmp

Filesize
2.0MB

Download
memory/3104-22-0x00007FFDF0870000-0x00007FFDF0A65000-memory.dmp

Filesize
2.0MB

Download
memory/3104-23-0x00007FFDF0870000-0x00007FFDF0A65000-memory.dmp

Filesize
2.0MB

Download
memory/3104-24-0x00007FFDF0870000-0x00007FFDF0A65000-memory.dmp

Filesize
2.0MB

Download
memory/3104-12-0x00007FFDB08F0000-0x00007FFDB0900000-memory.dmp

Filesize
64KB

Download
memory/3104-579-0x00007FFDF0870000-0x00007FFDF0A65000-memory.dmp

Filesize
2.0MB

Download
memory/3104-27-0x00007FFDF0870000-0x00007FFDF0A65000-memory.dmp

Filesize
2.0MB

Download
memory/3104-28-0x00007FFDAE6E0000-0x00007FFDAE6F0000-memory.dmp

Filesize
64KB

Download
memory/3104-29-0x00007FFDAE6E0000-0x00007FFDAE6F0000-memory.dmp

Filesize
64KB

Download
memory/3104-13-0x00007FFDF0870000-0x00007FFDF0A65000-memory.dmp

Filesize
2.0MB

Download
memory/3104-577-0x00007FFDB08F0000-0x00007FFDB0900000-memory.dmp

Filesize
64KB

Download
memory/3104-578-0x00007FFDF0870000-0x00007FFDF0A65000-memory.dmp

Filesize
2.0MB

Download
memory/3104-576-0x00007FFDB08F0000-0x00007FFDB0900000-memory.dmp

Filesize
64KB

Download
memory/3104-575-0x00007FFDB08F0000-0x00007FFDB0900000-memory.dmp

Filesize
64KB

Download
memory/3104-574-0x00007FFDB08F0000-0x00007FFDB0900000-memory.dmp

Filesize
64KB

Download
memory/3104-52-0x00007FFDF0870000-0x00007FFDF0A65000-memory.dmp

Filesize
2.0MB

Download
memory/3104-11-0x00007FFDB08F0000-0x00007FFDB0900000-memory.dmp

Filesize
64KB

Download
memory/3104-65-0x00007FFDF0870000-0x00007FFDF0A65000-memory.dmp

Filesize
2.0MB

Download
memory/4212-44-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/4212-56-0x0000000003BA0000-0x0000000003BA8000-memory.dmp

Filesize
32KB

Download
memory/4212-59-0x0000000003BB0000-0x0000000003BD8000-memory.dmp

Filesize
160KB

Download
memory/4212-62-0x0000000003BB0000-0x0000000003BD8000-memory.dmp

Filesize
160KB

Download
memory/4212-64-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/4212-63-0x0000000003BB0000-0x0000000003BD8000-memory.dmp

Filesize
160KB

Download
memory/4212-57-0x0000000003BA0000-0x0000000003BA8000-memory.dmp

Filesize
32KB

Download
memory/4212-66-0x0000000003BB0000-0x0000000003BD8000-memory.dmp

Filesize
160KB

Download
memory/4212-67-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4212-53-0x0000000003BA0000-0x0000000003BA8000-memory.dmp

Filesize
32KB

Download
memory/4212-49-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/4212-47-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/4212-48-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/4212-0-0x0000000002E50000-0x0000000002EA8000-memory.dmp

Filesize
352KB

Download
memory/4212-39-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4212-26-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/4212-5-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4212-3-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4212-2-0x0000000002E50000-0x0000000002EA8000-memory.dmp

Filesize
352KB

Download
memory/4212-1-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download