Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
16-05-2024 23:05
General
-
Target
60121ea2ab380455f7e143cd9438443e.exe
-
Size
98KB
-
MD5
60121ea2ab380455f7e143cd9438443e
-
SHA1
091fd74c5caebd9f53c34781ad6b0241883fe698
-
SHA256
b8f7c90cd170ba8c79c472997c17509e2d241a54a9cef7efea4dac23b043afe8
-
SHA512
3f42a0756999d6441721f8d4663c8af677c895c4e11ddff25d7a1216b3b4a015b7d3763c0e06f616f73eb5e9df3b42e07baf8d5ec910632f3e275c8d2fd388e6
-
SSDEEP
1536:AnTUL9I230W6mN+ZGCHMNzKR1iFAGGR10p67LsJmFMbchiRO1mbF8VrdCKcl:skC2++p6/PMbcskdhY
Score
10/10
Malware Config
Extracted
Path
C:\PerfLogs\# How to Decrypt Files-V5G6N.html
Ransom Note
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Decryption Instructions</title>
<style>
a {
color: #04a;
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
body {
background-color: #e7e7e7;
color: #222;
font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif;
font-size: 12pt;
line-height: 16pt;
}
body,
h1 {
margin: 0;
padding: 0;
}
h1 {
color: #555;
text-align: center;
padding-bottom: 1.5em;
line-height: 1.2;
}
h2 {
color: #555;
text-align: center;
line-height: 1.2;
}
ol li {
padding-bottom: 13pt;
}
.container {
background-color: white;
border: 2pt solid #C7C7C7;
margin: 3%;
min-width: 600px;
padding: 5% 10%;
color: #444;
}
.header {
border-bottom: 2pt solid #c7c7c7;
padding-bottom: 5%;
}
.hr {
display: block;
height: 2pt;
margin-top: 1.5%;
margin-bottom: 1.5%;
overflow: hidden;
width: 100%;
}
.info {
border: 1px solid #888;
background-color: #E4E4E4;
padding: 0.5em 3em;
margin: 1em 0;
}
.text {
text-align: justify;
}
.lsb{
display: none;
margin: 3%;
text-align: center;
}
.ls {
cursor: pointer;
border: 1px solid #888;
border-radius: 3px;
padding: 0 0.5em;
margin: 0.2em 0.1em;
line-height: 2em;
display: inline-block;
}
.ls:hover {
background-color: #D0D0D0;
}
.l {
display: none;
}
.lu {
display: none;
}
#change_language {
float: right;
display: none;
}
</style>
</head>
<body onload='javascript:onPageLoaded()'>
<div class='lsb'>
</div>
<div class='container'>
<div class="text l l-en" style='display:block'>
<br>
<div>
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAL8AAAEICAMAAAA5jNVNAAAAeFBMVEX///8AAAD8/PxQUFCJiYk0NDSenp5TU1M9PT329vb6+vrv7+/z8/Pl5eXKyspfX18oKCjCwsKPj4/o6Oivr699fX1xcXGioqLa2tq7u7uTk5PS0tI6OjogICCCgoJoaGh1dXUXFxeqqqpHR0cODg4cHBxaWlotLS1/4KDGAAAHlUlEQVR4nO2daVciPRCFaRpkRzYXXNCGUf7/P3zldUZn6O6bSmrDc3I/a/IASaVSqVQ6HQWt55v97rpcLIo/el4cXnr77eNYoztBjZZ3L78KpPJqO/WmbNZks8PoX6p226437ZnuV0ca+9fvsB95M39ptqri4D91vfUGP6m7GabAf+rBey5MVunw/+t17Ug/e2XSu36CyY0A/Uk7j6ncvRKiP2lvjj9fhKkiVN6b0k9vRelPujLEX1bi+EUxMJvHPQX6k+Ym9OtSCd9mDD2+qeEXxa26X7dVpP9QqexQ3OniF8Vhpon/oI1fFH3FD2CAr/kBTPD1PoCkwwM1nGjgb6zwP6yQghmd2+EXxYs4/qyy5C9Wwvjjgyl+UQjv7eX95ZBENwSGc/ePDoKxxvv47qvypne1Xc5n6/lye9W7KavYFnZi+N1Ij7nsbdfTMxPYna43u7hI0VKKP2rhetlMWq33eH03oLe0EFrGIkZPuQn6v7OHitraqwz/O7k/ms3obqixC5ENJXXH8hrhdm1om7gnARs0pX1Zgzh73aXFTR/4/LSO4pfLGckYsV3pGaWX9yRLsSO0fMvlp8RoU3/lJaHtRx4+xXamrzOE1q95/AS/jeNoEUYny4YS2ufNsEmw/QGn+fDo5xqI8DfE+AEmwQNd/gr5GOqCMQOCtl8i4BrcWyRPsGnoTPpdAL/TCR0CJq8BQc9HKMwR8lBS/eiQ48lcW74UmsOJwYhQszdC+MHA5DHtfDU0ewU32IERlLTCj59wo5IRmkBwL8mEBgzzQRC/07nGnaUcTQbWXqnJ+6nAXEtYZ0bY+DP9wpqwo3iIt9SB4SP79Qdd6Xg3Cw+fUhg/NAOit0gjbH3EYmNfwiYoegDh3/NZHD+0BsQOILwkahz04yhlbI/Y99E4YMNbsUh7J9oYUXgGx31leDZtVPjxRibOXcEpPjr5dlPYZ5y3C8P0OsMnMICiYrl4+GtlC+LklhgfDg9/rUQ17MTFTDq4dekr4Xe6cAmLmQAvqKGeFj/2uYb0CYDPLPTS3rEFpa8Aa6F2YoX7pcf6YOBnoZcjOH5GHdPDKHD6so9EgOAujJ5UA5vRTDKFPuiCuuyP+qgZzSxffKJEnXh49dW8bIBdIOo3B/deleYdOjyBqSMXmmGZmHmb4MJJXYGh86y3+ga7HhAtNzxQ0M1xhy5oRZt6OF1J99IcjprRktNHcBKp5ocHDBAt6OdnPj++O9g3beMEtxFvuleQuzArheYBwUUwIRIcJWhAaSmJ0AZoem8nQQNKCxxA71PX/Afiln3S4IV5RQIZXVB4C0YyHnAIat+0xJEPygKAly/5wP+/wgsAZfHBB1/S50Zx/JTecQvaV41HMDOUEsPy5R/DX/+O0IKn+9AJHJxQrB90HxbqFUyg805ZfaAF66tfEIWrD4Ufuj9aof9vsWNPe19+GAKqb76758L8vfo/yAp3/177835NcPf19lT/B1nB7ou3s7/uwL++fGV+X2V+X2V+X2V+X2V+X2V+X2V+X2V+XzXyHwflBWrQlNXQxP80Ut7jpqlxZ9/Erx9jSBOVn3XjU1GZ31eZ31eZ31eZ31eZ31eZ31eZ31eZ31eZ31fW/N35ditZBdOW//F3Gt2NWMKxJf/krys0K6GcFUP++T+Fm4YyFybt+GtJnCLTwIy/oSOJS0tW/I0ZMAK/gBF/y+VDvhmy4W+7AXJkv0xgwr9uLRl3zTWjFvyoTje3JrgFP7xBzcz9NuDHFeN+8W4+6/Pj+9PckxF9/kAVLmbhEXX+cD1Y1ghS5w8UjDuJc/1Hm5/0wgRjFdPmJz2GR7mB4MM/puBzyvYp81OqORec6hfK/MRXAtJNqDI/8S3IdC9ImZ/4wkr6BVBlflj04lvp9QuU+Qmr10npN4Au4/tPN6DK/EHn7VPpPqgyP/El3XQPSJmf+LRfev0LZX7SSxOcQJC2/1aR+NMvUGrzU97jKF6T8dX5Se8MMe5vq++/CB4E5/7qBex/WRt4/fhD8Adg1Y7T5w++ZcE6BjCIvwWei7n0+FVnhB8sufT4YSCGcvnxW7gL5pausTl/aa3+wi4cZ3T+1VK6mP8WnBF/c+X6J/7D3Fbnp9OGGlwC+Ibn77UaJkOJZ9EN8x/O1rGDSNUXQ/6zBAiZt2QN+c9jiSI5QHb8NRPEiPp/y46/dg4p8h63Y/4P8+TXmr9+Cv+T8n+aKrBJPAZtxt8QyYooHu/P39SRgAU142+KRAuU/TXz3xralLjUasXfnETzc/zn5hwmfuFKI/5x8+MT/NcWjfhbwrg/Zv/YVsGWbUFt+FvLt7ItqA1/a/lNtgW14W8vIMy1oDb87WkcXAtqwj+uWvm5PqgJPzgE41pQ7/gt14Ka8KMsCOYu3oIfvj/A3MVb8OMTMF4YzoIfJ/HxdvEW/DiJj3eDwYAfv/9TlKwrJAb8uPY404Uw4A9lELAevzHg3x+HSH3W6xP5/rKvMr+vMr+vMr+vMr+vMr+vMr+vMr+vMr+vMr+vMr+vMr+vMr+vfjp/0wXRJv7jqneJWjVdLGji/0nK/L7K/L7K/L7K/L7K/L7K/L7K/L7K/L7K/L76DxuakMqfwNR4AAAAAElFTkSuQmCC" alt="LockLogo" />
</div>
<br>
<p><samp># All your files has been encrypted by "KRAKEN CRYPTOR".</samp></p>
<p><samp># Read the following instructions carefully to decrypt your files.</samp></p>
<br>
<div class="info">
-----BEGIN KRAKEN ENCRYPTED UNIQUE KEY-----
<br>
I6V/a54tjfbZc9feJDxCGVvleArdYkT1tlhAY6GoAgt2+hTD/R1DB693lEewuxUI<br>seo0Op/w1oO1qNfD6vSpUSrN/gXRDc/OXUPLITOc65T5ZrDU4WBdVsIQP6ARAZX5<br>u2H0THi5EfoG3r1vQzdddS5l+iABuq2zidyS/ifTFv8BbbZyqtnyjrkzBA5UozN0<br>IJbYvmD9QWEE4uDyNmzVC/vJTSoUGTd8tRo+dIRl5gMFZ0ZSj5ug7/YtRuEq4JPV<br>wp5I9d2gM9RR+LM0ffLvvdW3+G5sPKueB728mI+mc0up+UpvvNKgj3yYHslZchPA<br>YYG7d1a+lP22VOjcuMM6XWaC4KLdtWnODS8E5dazB3QN7DwK0zBjvomqN/zODlv8<br>ACDGxlfVKOjkvG3Bg+fdpwkpj50Vw64jOAuSfvrH/MSzmIEakx+oGO9uMRh5BWBf<br>9JPa+xIJK9+y1MtiB5F2jGcNeZQQFxCWLxygbExyW/pF4qHPEK+iisqBw6HsOKxn<br>DU80+AvfTtX/LLfXCtcop6drmBWN5FomiZNdfGo/cQsQZ1DTL8Q+/Sk1A4CCU+D5<br>9t2pmHssMn8NGUi1CZHqHAff9XkXqeBI03Rl558gDHf4FpKH3hwnSmBW3Dp33bQb<br>BFe3lCIqx07n46IfyoGRdLwGuH48Ow2cL56cSds1lJSL44so0jB3yXEvf/uEE0VQ<br>0DA3MIdhpkr187pcILAcGqTfTbo=
<br>
-----END KRAKEN ENCRYPTED UNIQUE KEY-----
</div>
<br>
Extension
<div class="info">
.V5G6N
</div>
<br>
<p style="color: #D91E18;">What happened to my computer?</p>
<hr>
<p>All of your files such as documents, images, videos and other files with the different names and extensions are encrypted by "KRAKEN CRYPTOR"!</p>
<p>Don't delete .V5G6N files! there are not virus and are your files, but encrypted!</p>
<p>The speed, power and complexity of this encryption have been high and if you are now viewing this guide.</p>
<p>It means that "KRAKEN CRYPTOR" immediately removed form your system!</p>
<p>No way to recovery your files without "KRAKEN DECRYPTOR" software and your computer "UNIQUE KEY"!</p>
<p>You need to buy it from us because only we can help you!</p>
<br>
<p style="color: #D91E18;">How can recovery my files?</p>
<hr>
<p>We guarantee that you can recover all your files soon safely.</p>
<p>You can decrypt one of your encrypted smaller file for free in the first contact with us.</p>
<p>For the decryption service, we also need your "KRAKEN ENCRYPTED UNIQUE KEY" you can see this in the top!</p>
<p>Are you want to decrypt all of your encrypted files? If yes! You need to pay for decryption service to us!</p>
<p>After your payment made, all of your encrypted files has been decrypted.</p>
<br>
<p style="color: #D91E18;">How much is need to pay?</p>
<hr>
<p>You need to pay (0.125 BTC), payment only can made as Bitcoins.</p>
<p>This links help you to understand whats is a Bitcoins and how it work.</p>
<p><a href="https://wikipedia.org/wiki/Bitcoin">https://en.wikipedia.org/wiki/Bitcoin</a></p>
<p><font size="3" color="red"> This price is for the contact with us in first week otherwise it will increase.</font></p>
<br>
<p style="color: #D91E18;">Where can buy Bitcoins?</p>
<hr>
<p>The easiest way to buy Bitcoins is LocalBitcoins website.</p>
<p>You must register on this site and click "BUY Bitcoins" then choose your country to find sellers and their prices.</p>
<p><a href="https://localBitcoins.com">https://localBitcoins.com</a></p>
<br>
<p>Other places to buy Bitcoins in exchange for other currencies worldwide:</p>
<p><a href="https://www.bestbitcoinexchange.io/">https://www.bestbitcoinexchange.io</a></p>
<br>
<p style="color: #D91E18;">How to contact you?</p>
<hr>
<p>We use best and easy way to communications. It's email support, you can see our emails below.</p>
<p>Please send your message with same subject to both address.</p>
<br>
E-Mail
<div class="info">
[email protected]
</div>
<br>
Alternative
<div class="info">
[email protected]
</div>
<br>
<p style="color: #D91E18;">Attention</p>
<hr>
<ul type="disc">
<li>DON'T MODIFY OR RENAME ENCRYPTED FILES.</li>
<li>DON'T MODIFY "KRAKEN ENCRYPT UNIQUE KEY".</li>
<li>DON'T USE THIRD PARTY, PUBLIC TOOLS/SOFTWARE TO DECRYPT YOUR FILES, THIS CAUSE DAMAGE YOUR FILES PERMANENTLY.</li>
<li>DON'T ASK PEOPLE OR DATA RECOVERY CENTERS, THEY ARE MAY ADD EXTRA CHARGE.</li>
</ul>
<br>
<p><b>Additional</b></p>
<hr>
<ul type="square">
<li>Project "KRAKEN CRYPTOR" doesn't damage any of your files, this action is reversible if you follow the instructions above.</li>
<li>Also, our policy is obvious: "NO PAYMENT, NO DECRYPT".</li>
</ul>
</div>
</div>
</body>
</html>
Signatures
-
Clears Windows event logs 1 TTPs 3 IoCs
-
Deletes itself 1 IoCs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Modifies Control Panel 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\60121ea2ab380455f7e143cd9438443e.exe"C:\Users\Admin\AppData\Local\Temp\60121ea2ab380455f7e143cd9438443e.exe"1⤵
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C wevtutil.exe clear-log Application2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe clear-log Application3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C wevtutil.exe clear-log Security2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe clear-log Security3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C wevtutil.exe clear-log System2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe clear-log System3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C sc config eventlog start=disabled2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc config eventlog start=disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" sc stop eventlog2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C REG add "HKLM\SYSTEM\CurrentControlSet\services\eventlog" / v Start / t REG_DWORD / d 4 / f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG add "HKLM\SYSTEM\CurrentControlSet\services\eventlog" / v Start / t REG_DWORD / d 4 / f3⤵
-
-
-
C:\Windows\SysWOW64\tasklist.exe"tasklist" /V /FO CSV2⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 -n 3 > NUL&&del /Q /F /S "C:\Users\Admin\AppData\Local\Temp\60121ea2ab380455f7e143cd9438443e.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 33⤵
- Runs ping.exe
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD59cd7bafc81fd809e6db5810f160d74f8
SHA19c1fd42e3aac53609bd802cd470c48162de13e7d
SHA2563516c1f5d2e16993819c26ae1fefefb569ed213ecaedb41a2d32604feb754f14
SHA512a34ce3f073526297686c12e52ab79086e47048ca8594d4c32a239ba87b56e88ebc639c0ada7a6ab25a42b666b4ff4d3a64bea31ebef2c8c5a471a19d4665f067
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB