Resubmissions

  • 18-08-2024 08:26
    240818-kbzlnsxfnm (score 10/10)
  • 18-08-2024 08:17
    240818-j6x6navale (score 10/10)

Analysis

  • max time kernel
    97s
  • max time network
    142s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    18-08-2024 08:17

General

  • Target

    Downloads/C963AEC1-6D52-EB4D-61BC-64DB2602EE5F/gui35.exe

  • Size

    276KB

  • MD5

    03a63c096b9757439264b57e4fdf49d1

  • SHA1

    a5007873ce19a398274aec9f61e1f90e9b45cc81

  • SHA256

    22ea129b0f57184f30b1771c62a3233ba92e581c1f111b4e8abfa318dc92cc46

  • SHA512

    0d656d807572f6be4574024e2bbcf0cbd291fe13a1adeb86a333177ee38db16b06da9a18509e599db0d2cf8206b84f6856a9674dba29a2cbeb844a216cb45ddd

  • SSDEEP

    6144:9TSe4rz5Fp8kXadSZApaMi7KsXzyJYHLomyN8AfEN0VremOEuaJuoFan:hQv5PXJmpeX1omyNbESVremOEuaJuoFE

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Downloads\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\global_options.ini

Config contents (ransom note template in key 63)
26=Jami_decryptionguy
27=sql;sqlite;sqlite3;sqlitedb;mdf;mdb;adb;db;db3;dbf;dbs;udb;dbv;dbx;edb;exb;1cd;fdb;idb;mpd;myd;odb;xls;xlsx;doc;docx;bac;bak;back;zip;rar;dt;4dd;4dl;abcddb;abs;abx;accdb;accdc;accde;accdr;accdt;accdw;accft;ade;adf;adn;adp;alf;arc;ask;bacpac;bdf;btr;cat;cdb;chck;ckp;cma;cpd;dacpac;dad;dadiagrams;daschema;db-shm;db-wal;db2;dbc;dbt;dcb;dct;dcx;ddl;dlis;dp1;dqy;dsk;dsn;dtsx;dxl;eco;ecx;epim;fcd;fic;fm5;fmp;fmp12;fmpsl;fol;fp3;fp4;fp5;fp7;fpt;frm;gdb;grdb;gwi;hdb;his;hjt;ib;icg;icr;ihx;itdb;itw;jet;jtx;kdb;kexi;kexic;kexis;lgc;lut;lwx;maf;maq;mar;mas;mav;maw;mdn;mdt;mrg;mud;mwb;ndf;nnt;nrmlib;ns2;ns3;ns4;nsf;nv;nv2;nwdb;nyf;oqy;ora;orx;owc;p96;p97;pan;pdb;pdm;pnz;qry;qvd;rbf;rctd;rod;rodx;rpd;rsd;s2db;sas7bdat;sbf;scx;sdb;sdc;sdf;sis;sl3;spq;sqlite2;te;temx;tmd;tps;trc;trm;udl;usr;v12;vis;vpd;vvv;wdb;wmdb;wrk;xdb;xld;xmlff;
28=386;cmd;deskthemepack;diagcab;diagcfg;diagpkg;dll;info;mui;sys;theme;tmp;
29=steamapps;Cache;Boot;Chrome;Firefox;Mozilla;Mozilla Firefox;MicrosoftEdge;Internet Explorer;Tor Browser;Opera;Opera Software;Common Files;Config.Msi;Intel;Microsoft;Microsoft Shared;Microsoft.NET;MSBuild;MSOCache;Packages;PerfLogs;ProgramData;System Volume Information;tmp;Temp;USOShared;Windows;Windows Defender;Windows Journal;Windows NT;Windows Photo Viewer;Windows Security;Windows.old;WindowsApps;WindowsPowerShell;WINNT;$RECYCLE.BIN;$WINDOWS.~BT;$Windows.~WS;:\Users\Public\;:\Users\Default\;
30=desktop.ini;iconcache.db;thumbs.db;
31=AcronisAgent;ARSM;backup;BackupExecAgentAccelerator;BackupExecAgentBrowser;BackupExecDiveciMediaService;BackupExecJobEngine;BackupExecManagementService;BackupExecRPCService;BackupExecVSSProvider;CAARCUpdateSvc;CASAD2DWebSvc;ccEvtMgr;ccSetMgr;Culserver;dbeng8;dbsrv12;DefWatch;FishbowlMySQL;GxBlr;GxCIMgr;GxCVD;GxFWD;GxVss;memtas;mepocs;msexchange;MSExchange$;msftesql-Exchange;msmdsrv;MSSQL;MSSQL$;MSSQL$KAV_CS_ADMIN_KIT;MSSQL$MICROSOFT##SSEE;MSSQL$MICROSOFT##WID;MSSQL$SBSMONITORING;MSSQL$SHAREPOINT;MSSQL$VEEAMSQL2012;MSSQLFDLauncher$SBSMONITORING;MSSQLFDLauncher$SHAREPOINT;MSSQLServerADHelper100;MVArmor;MVarmor64;svc$;sophos;RTVscan;MySQL57;PDVFSService;QBCFMonitorService;QBFCService;QBIDPService;QBVSS;SavRoam;SQL;SQLADHLP;sqlagent;SQLAgent$KAV_CS_ADMIN_KIT;SQLAgent$SBSMONITORING;SQLAgent$SHAREPOINT;SQLAgent$VEEAMSQL2012;sqlbrowser;Sqlservr;SQLWriter;stc_raw_agent;tomcat6;veeam;VeeamDeploymentService;VeeamNFSSvc;VeeamTransportSvc;vmware-converter;vmware-usbarbitator64;VSNAPVSS;vss;wrapper;WSBExchange;YooBackup;YooIT;
32=agntsvc;AutodeskDesktopApp;axlbridge;bedbh;benetns;bengien;beserver;CoreSync;Creative Cloud;dbeng50;dbsnmp;encsvc;EnterpriseClient;fbguard;fbserver;fdhost;fdlauncher;httpd;isqlplussvc;msaccess;MsDtSrvr;msftesql;mspub;mydesktopqos;mydesktopservice;mysqld;mysqld-nt;mysqld-opt;ocautoupds;ocomm;ocssd;oracle;pvlsvr;node;java;python;wpython;QBDBMgr;QBDBMgrN;QBIDPService;qbupdate;QBW32;QBW64;Raccine;Raccine_x86;RaccineElevatedCfg;RaccineSettings;VeeamDeploymentSvc;RAgui;raw_agent_svc;SimplyConnectionManager;sqbcoreservice;sql;sqlagent;sqlbrowser;sqlmangr;sqlservr;sqlwriter;Ssms;Sysmon;Sysmon64;tbirdconfig;tomcat6;vsnapvss;vxmon;wdswfsafe;wsa_service;wxServer;wxServerView;xfssvccon;1cv8s;1cv8;1cv8c;
33=reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AllowMultipleTSSessions" /t REG_DWORD /d 0x1 /f;reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fSingleSessionPerUser" /t REG_DWORD /d 0x0 /f;
34=1
35=2
36=0
37=0
38=0
39=1
40=0
41=1
42=1
43=1
44=1
45=1
46=1
47=0
48=0
49=0
50=0
51=0
53=1
54=0
55=1
56=1
57=1
58=1
59=1
60=1
61=1
62=1
63=NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So , there are two ways you can choose: wait for a _miracle_ and get _your_ PRICE DOUBLED! Or start obtaining *BITCOIN NOW! , and restore _YOUR_ _DATA_ easy way
If You have really valuable _DATA_, you better _NOT_ _WASTE_ _YOUR_ _TIME_, because there is _NO_ other way to get your files, except make a _PAYMENT_


Your personal ID: ID_PLACEHOLDER


If you want to recover your files, write us
1)Jami messenger (Fastest and anonymous)
https://jami.net/
Also you can find it on your phone at google play/app store
Install it on your server,phone or tablet
Press sign up and do your own nickname
And add me/write message - Decryptionguy (use search)
2) TOX messenger (fast and anonymous)
https://tox.chat/download.html
Install qtox
Press sign up
Create your own name
Press plus
Put there our tox ID:
E9164A982410EFAEBC451C1D5629A2CBB75DBB6BCDBD6D2BA94F4D0A7B0B616F911496E469FB
And add me/write message
3)Mail - [email protected] (USE ONLY IF WE NOT REPLY MORE THEN 24H)
Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly.

Attention!

Do not rename encrypted files.
Do not try to decrypt your data using third party software - it may cause permanent data loss.
We are always ready to cooperate and find the best way to solve your problem.
The faster you write - the more favorable conditions will be for you.
Our company values its reputation. We give all guarantees of your files decryption.

--------------------------------------------------------------------------------------------------------------------------------------------
66=1
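The extracted configuration is a flat key=value file whose list-valued keys (target and skipped extensions, skipped directories, services to stop, processes to kill, commands to run) are ';'-separated, and whose ransom note template stores line breaks as the two characters backslash-n. The Python below is an added example, not code from the sample or from the sandbox: it parses such a file, splits the lists, pulls the Tox ID out of the note and checks its checksum (a Tox ID is a 32-byte public key, a 4-byte nospam value and a 2-byte XOR checksum, so a mangled ID fails the check), flags the two registry writes that allow multiple RDP sessions, and reports which of a defender's own agents appear on the kill lists. The key meanings in the comments are inferred from the values rather than documented by the sample, the embedded config is a shortened, constructed excerpt of the one shown above, and the mail contact is redacted on the page, so no address is extracted.

```python
"""Parse the ransomware config shown above and pull out the defender-relevant parts."""
import re
from typing import Dict, List

# Constructed, shortened excerpt of the extracted global_options.ini above.
# Key meanings are inferred from the values, not documented by the sample:
# 26 Jami nickname, 27 extensions to encrypt, 28 extensions to skip,
# 29 directories to skip, 30 file names to skip, 31 services to stop,
# 32 processes to kill, 33 commands to run, 63 ransom note template.
SAMPLE_CONFIG = r"""26=Jami_decryptionguy
27=sql;sqlite;sqlite3;mdf;mdb;db;xls;xlsx;doc;docx;bak;zip;rar;
28=386;cmd;deskthemepack;diagcab;diagcfg;diagpkg;dll;info;mui;sys;theme;tmp;
29=steamapps;Cache;Boot;Windows;Windows Defender;$RECYCLE.BIN;:\Users\Public\;:\Users\Default\;
30=desktop.ini;iconcache.db;thumbs.db;
31=AcronisAgent;BackupExecVSSProvider;MSSQL$;sqlagent;veeam;VeeamNFSSvc;vss;
32=mysqld;oracle;Raccine;sqlservr;Sysmon;Sysmon64;1cv8;
33=reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AllowMultipleTSSessions" /t REG_DWORD /d 0x1 /f;reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fSingleSessionPerUser" /t REG_DWORD /d 0x0 /f;
34=1
63=Put there our tox ID:\nE9164A982410EFAEBC451C1D5629A2CBB75DBB6BCDBD6D2BA94F4D0A7B0B616F911496E469FB\nAnd add me/write message\nDo not rename encrypted files.
66=1
"""

LIST_KEYS = {
    "27": "target_extensions", "28": "skip_extensions", "29": "skip_dirs",
    "30": "skip_files", "31": "stop_services", "32": "kill_processes",
    "33": "commands",
}

# 76 hex digits not adjacent to other hex digits. The note stores newlines as the
# two characters '\' 'n', so a plain \b would fail between 'n' and a leading digit.
TOX_ID_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{76}(?![0-9A-Fa-f])")


def parse_config(text: str) -> Dict[str, str]:
    """Read 'N=value' lines. Values may contain '=' (the reg add arguments),
    so split on the first '=' only and keep numeric keys."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().isdigit():
            cfg[key.strip()] = value
    return cfg


def split_list(value: str) -> List[str]:
    """List values are ';'-separated with a trailing ';' (drop the empty tail)."""
    return [item for item in value.split(";") if item]


def config_lists(cfg: Dict[str, str]) -> Dict[str, List[str]]:
    return {name: split_list(cfg.get(key, "")) for key, name in LIST_KEYS.items()}


def ransom_note(cfg: Dict[str, str]) -> str:
    """Key 63 stores the note with literal backslash-n escapes; render them."""
    return cfg.get("63", "").replace("\\n", "\n")


def extract_tox_ids(text: str) -> List[str]:
    return TOX_ID_RE.findall(text)


def tox_id_checksum_ok(tox_id: str) -> bool:
    """A Tox ID is 32-byte public key + 4-byte nospam + 2-byte checksum, with
    checksum[i % 2] ^= byte[i] over the first 36 bytes. A failing checksum means
    the ID was transcribed or extracted wrongly and will not resolve in Tox."""
    raw = bytes.fromhex(tox_id)
    if len(raw) != 38:
        return False
    checksum = bytearray(2)
    for i, b in enumerate(raw[:36]):
        checksum[i % 2] ^= b
    return bytes(checksum) == raw[36:]


def rdp_multisession_commands(cfg: Dict[str, str]) -> List[str]:
    """Commands in key 33 that relax Terminal Server session limits; alerting on
    these two registry writes is a cheap detection for this setup step."""
    wanted = ("AllowMultipleTSSessions", "fSingleSessionPerUser")
    return [c for c in split_list(cfg.get("33", "")) if any(w in c for w in wanted)]


def targeted_defences(lists: Dict[str, List[str]], my_agents: List[str]) -> List[str]:
    """Which of our own service/process names sit on the stop/kill lists.
    Exact, case-insensitive match; entries ending in '$' (MSSQL$) look like
    instance-name prefixes in the sample, so this check is conservative."""
    killed = {n.lower() for n in lists["stop_services"] + lists["kill_processes"]}
    return sorted(a for a in my_agents if a.lower() in killed)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    lists = config_lists(cfg)
    for name, items in lists.items():
        print(f"{name}: {len(items)} entries")
    for tox in extract_tox_ids(ransom_note(cfg)):
        print("Tox ID", tox, "checksum ok" if tox_id_checksum_ok(tox) else "checksum BAD")
    print("RDP commands:", rdp_multisession_commands(cfg))
    print("Targeted agents:", targeted_defences(lists, ["Sysmon64", "MsMpEng", "veeam"]))
```

Run against the full file from the sandbox (read it in place of SAMPLE_CONFIG) the kill lists are the part worth diffing against your own estate: Sysmon, Raccine, Veeam and the SQL services are named explicitly, so a host where those stop without an admin change is already past the point where this setup step ran.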

Signatures

Processes

  • C:\Users\Admin\AppData\Local\Temp\Downloads\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\gui35.exe
    "C:\Users\Admin\AppData\Local\Temp\Downloads\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\gui35.exe"
    PID: 3320

Network

MITRE ATT&CK Matrix


Downloads

    • C:\Users\Admin\AppData\Local\Temp\Downloads\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\global_options.ini

      Filesize

      11KB

      MD5

      0c3e7b05417301bcac2636e8a21a1fb7

      SHA1

      4186602be145bb699a121997983e8fb380eada09

      SHA256

      470066d3bb8afba7ea400c3f07e2b0d7828e521c6cb8dacb5cacc1786bf38cf4

      SHA512

      92a8cae88d37f2369d1b442b314d58e0270d85ec27f39e2fe02622793d0f62a8011d4b40b6bd2799ba845df09c2f8ac93f0aaeb363684e5fa04c00a5624c9330

    • memory/3320-4-0x000000001B780000-0x000000001B7D4000-memory.dmp

      Filesize

      336KB

    • memory/3320-7-0x000000001B760000-0x000000001B766000-memory.dmp

      Filesize

      24KB

    • memory/3320-3-0x0000000001120000-0x0000000001126000-memory.dmp

      Filesize

      24KB

    • memory/3320-0-0x00007FF953CA5000-0x00007FF953CA6000-memory.dmp

      Filesize

      4KB

    • memory/3320-9-0x00007FF9539F0000-0x00007FF954391000-memory.dmp

      Filesize

      9.6MB

    • memory/3320-6-0x000000001C7D0000-0x000000001C86C000-memory.dmp

      Filesize

      624KB

    • memory/3320-2-0x00007FF9539F0000-0x00007FF954391000-memory.dmp

      Filesize

      9.6MB

    • memory/3320-8-0x000000001B770000-0x000000001B778000-memory.dmp

      Filesize

      32KB

    • memory/3320-5-0x000000001C300000-0x000000001C7CE000-memory.dmp

      Filesize

      4.8MB

    • memory/3320-10-0x00007FF9539F0000-0x00007FF954391000-memory.dmp

      Filesize

      9.6MB

    • memory/3320-11-0x00007FF9539F0000-0x00007FF954391000-memory.dmp

      Filesize

      9.6MB

    • memory/3320-1-0x00007FF9539F0000-0x00007FF954391000-memory.dmp

      Filesize

      9.6MB

    • memory/3320-19-0x00007FF953CA5000-0x00007FF953CA6000-memory.dmp

      Filesize

      4KB

    • memory/3320-20-0x00007FF9539F0000-0x00007FF954391000-memory.dmp

      Filesize

      9.6MB

    • memory/3320-21-0x00007FF9539F0000-0x00007FF954391000-memory.dmp

      Filesize

      9.6MB

    • memory/3320-22-0x00007FF9539F0000-0x00007FF954391000-memory.dmp

      Filesize

      9.6MB