Resubmissions

14-12-2024 08:02

241214-jxh1dawla1 1

07-11-2024 16:14

241107-tp2gvsvmat 10

General

  • Target

    RNSM00367.7z

  • Size

    22.7MB

  • Sample

    241107-tp2gvsvmat

  • MD5

    8ee12d4c434d7584881c61eca64b6b58

  • SHA1

    04a7f16dd939f2c275059cd0678de82bb5c5d3a9

  • SHA256

    191e22ebc970d41dd9dfae0d33555bbd6328b03ec5e7dcf047b3020ca31b9ade

  • SHA512

    b076c35d5a418fe4f2f57c012d3ff5a459fc17e142e62901b2206e3a051b857ea40112b745f5e7f5a486a26cd5b2f8abb8a3642523d4819e7b6b242de6151d69

  • SSDEEP

    393216:Srag8u6vHum94V9qliWOtHl1hwToU526fO7nZfiOFH1PvvpPo3ocS+lQieqqMDQO:jgx6P/TiW0F1dm26fIRRH1HhwYR+telO

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

81.109.227.123:80

82.15.36.209:443

142.4.198.249:7080

162.144.119.216:8080

142.93.88.16:443

31.12.67.62:7080

91.83.93.103:7080

178.152.78.149:20

104.131.208.175:8080

136.243.177.26:8080

206.189.98.125:8080

178.79.161.166:443

195.242.117.231:8080

187.163.222.244:465

186.144.64.31:53

104.236.99.225:8080

71.244.60.230:8080

91.205.215.66:8080

212.71.234.16:8080

190.25.255.98:443

rsa_pubkey.plain

Extracted

Family

sodinokibi

Botnet

20

Campaign

46

Decoy

aberdeenartwalk.org

happycatering.de

amyandzac.com

livedeveloper.com

alexwenzel.de

trainiumacademy.com

nuohous.com

epsondriversforwindows.com

slideevents.be

skooppi.fi

golfclublandgoednieuwkerk.nl

santastoy.store

mieleshopping.it

innovationgames-brabant.nl

ideamode.com

internalresults.com

mondolandscapes.com

axisoflove.org:443

adaduga.info

jlwilsonbooks.com

Attributes

  • net

    true

  • pid

    20

  • prc

    sqlservr.exe

    mysql.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    46

Extracted

Family

warzonerat

C2

maine007.hopto.org:5200

Extracted

Path

C:\$Recycle.Bin\WAVZI-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .WAVZI The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/9bb33c11cab9f1c5 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- 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 ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZQTo5RtnYe7mtWqrfZTHKHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB6eL2/zQ2EuslGohYbVqCBnTt/BGEEdAb9ycT4oq4Pqb3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoARPLnK8+Au5ZALyfhGEwg6hrKQ3vxBFKwg70Zi7pDxFE3vfLNuau1w8ZNHQURlWKYDmn1lvgAn90mSDf7SyGQSZnn7Ivlsuw7HIKVYbpfzf2fBccdMBnP2lNhH9TQ3fC2KZCEuHtLEigBZ9MNJGhHpcOdL/YRZoP4YksV8zuv7OczMv9MHYTh4gzvuwKRb5tB/+FbmHWs+IUXo5eM9Q99BNhaVKZ2udgzWmELVozygtVfjv5QmE= ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/9bb33c11cab9f1c5

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

vachiderk.com

siberponis.com

Attributes

  • exe_type

    worker

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Extracted

Path

C:\Users\VEONJCZU-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .VEONJCZU The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/9bb33c11cab9f1c5 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- 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 ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 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 ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/9bb33c11cab9f1c5

Extracted

Path

C:\Users\3159sb8nje-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 3159sb8nje. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E34383FCCAB9F1C5 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/E34383FCCAB9F1C5 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: XepGYxRH0A4ACi5yei61OfAJZ7r4e/ZpIOwpFfwFmhW9NqQ6PneI3CaGwDj8wp47 ASdc11igwXBhYtQn0TBYq7IEDsHVD3JQe33LR9gL5eRofnuptNzGqnVGivOct9TT P0Tjkmpip92G5dOyQSkU1gnuoQsRP6eajFd3OMUSpv014Qr1tU6xNEpb9d40iBEU TuNP4AbUVBvET3GRg3rpw07zFYJ1E1tTarbokuQs/LiWrUSh3tuwswh5HnW1jLaS nyjq2L7CsjCiBWO1ZIMZJzNZMkVfZLWW9wzbplFgc7q+MaafI5IsIlOykKLeuWjt U5uXgX0z0F2ygpAPsMyChvM3mGQecY1eWC3YPU1718XptSHWtVqnoEcXw7FBpgpx ivFkPwnpCQMabCT8E11moEIZYeD0sMLQOk4zful1Sks5UZ6mTecZHo7CtpEq0I5o PmQrgskx29n0z0xHOGcifwrF56LnOh3wdwQ0YI+aRcPfMlmdzOaeq7q9hS9GkE8b NlmhLKYWJWmR+vuMJnOlPGNTHsSbEoXvznzj8sksupldjzc/xvk2GAccsBunnRMn Rr2RaSvQnYbTqLq4TJKnOwMzHcytU9ZDVTlJDkljM0Kt4D5rpQEE12N5VyLT6qCK ueLUfR1of+e7asVcwBWpPvhhQCK7PHIXg0/59yYJGBrpzxDFI6IFW5WPkSEVfqV1 Ppnd5TTrHcUyihNazaxeqsA/3QUhrXsyTg2f15VvBTXCy6SLIvkwJi0CdnhaTP+m bWNYLYnfMHVVb8LLI/IYzBURKbE9Q9C4/Ns2KEkA43KeVQzV8Vd4UX4DYEheiFNA ja5h/95GXo1nOIVLEhqECqCqX4+Odo4Xp9GylN3s8MMUedN7MUseMTfBHHNiK9ZH VZEMf8qpRdvi7b4p4MTgC/YXuY9JyivN+mtTYNWKlH5IVk3ApysZev6d2Wu3Qu99 fGfH1BRGzEXBj3ma9G3yL7E6+spaA2CFLTUzBRK1iXdHhtQmVLR+wUPH/Q6iZP3G WhB68BoK4z9ctc5r+4PxPGEyXupDZmV/gF+R5xSFHOkSJWP2BqofDhiCjXEgTEtV 3il1dwfegKwt+tx4zA/DvQV9Ryunuk5jSpQJwlS27ZaAzNHV1XHQ347U1+vskGmZ 9NOPE45Lb1fQKrIH2MKiJe3GphNrzvN9Hu6BfpJYeqQ= Extension name: 3159sb8nje ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E34383FCCAB9F1C5

http://decryptor.top/E34383FCCAB9F1C5

Extracted

Path

C:\Users\Default\Downloads\!HELP_SOS.hta

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Decryption Instructions</title> <HTA:APPLICATION ID='App' APPLICATIONNAME="Decryption Instructions" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 12pt; line-height: 16pt; } body, h1 { margin: 0; padding: 0; } h1 { color: #555; text-align: center; padding-bottom: 1.5em; line-height: 1.2; } h2 { color: #555; text-align: center; line-height: 1.2; } ol li { padding-bottom: 13pt; } .container { background-color: #EEE; border: 2pt solid #C7C7C7; margin: 3%; min-width: 600px; padding: 5% 10%; color: #444; } .filecontainer{ padding: 5% 10%; display: none; } .header { border-bottom: 2pt solid #c7c7c7; padding-bottom: 5%; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .key{ background-color: #A1D490; border: 1px solid #506A48; display: block; text-align: center; margin: 0.5em 0; padding: 1em 1.5em; word-wrap: break-word; } .keys{ margin: 3em 0; } .filename{ border: 3px solid #AAA; display: block; text-align: center; margin: 0.5em 0em; padding: 1em 1.5em; background-color: #DCC; } .us{ text-decoration: strong; color: #333; } .info{ background-color: #E4E4E4; padding: 0.5em 3em; margin: 1em 0; } .text{ text-align: justify; } #file{ background-color: #FCC; } .lsb{ display: none; margin: 3%; text-align: center; } .ls{ border: 1px solid #888; border-radius: 3px; padding: 0 0.5em; margin: 0.2em 0.1em; line-height: 2em; display: inline-block; } .ls:hover{ background-color: #D0D0D0; } .l{ display:none; } .lu{ display:none; } </style> <script language="vbscript"> Function GetCmd GetCmd = App.commandLine End Function </script> <script language="javascript"> function openlink(url){ new 
ActiveXObject("WScript.Shell").Run(url); return false; } function aIndexOf(arr, v){ for(var i = 0; i < arr.length; i++) if(arr[i] == v) return i; return -1; } function tweakClass(cl, f){ var els; if(document.getElementByClassName != null){ els = document.getElementsByClassName(cl); } else{ els = []; var tmp = document.getElementsByTagName('*'); for (var i = 0; i < tmp.length; i++){ var c = tmp[i].className; if( (c == cl) || ((c.indexOf(cl) != 1) && ((' '+c+' ').indexOf(' '+cl+' ') != -1)) ) els.push(tmp[i]); } } for(var i = 0; i < els.length; i++) f(els[i]); } function show(el){ el.style.display = 'block'; } function hide(el){ el.style.display = 'none'; } var langs = ["en","de","it","fr","es","no","pt","nl","kr","ms","zh","tr","vi","hi","jv","fa","ar"]; function setLang(lang){ if(aIndexOf(langs, lang) == -1) lang = langs[0]; for(var i = 0; i < langs.length; i++){ var clang = langs[i]; tweakClass('l-'+clang, function(el){ el.style.display = (clang == lang) ? 'block' : 'none'; }); tweakClass('ls-'+clang, function(el){ el.style.backgroundColor = (clang == lang) ? '#BBB' : ''; }); } } function newXHR() { if (window.XMLHttpRequest) return new window.XMLHttpRequest; try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } function getPage(url, cb) { try{ var xhr = newXHR(); if(!xhr) return cb('no xhr'); xhr.onreadystatechange = function() { if(xhr.readyState != 4) return; if(xhr.status != 200 || !xhr.responseText) return cb(xhr.status) cb(null, xhr.responseText); }; xhr.open("GET", url+((url.indexOf('?') == -1) ? "?" 
: "&") + "_=" + new Date().getTime(), true); xhr.send(); } catch(e){ cb(e); } } function decodeTxString(hex){ var m = '0123456789abcdef'; var s = ''; var c = 0xAA; hex = hex.toLowerCase(); for(var i = 0; i < hex.length; i+=2){ var a = m.indexOf(hex.charAt(i)); var b = m.indexOf(hex.charAt(i+1)); if(a == -1 || b == -1) throw hex[i]+hex[i+1]+' '+a+' '+b; s+= String.fromCharCode(c = (c ^ ((a << 4) | b))); } return s; } var OR = 'OP_RE'+'TURN '; var sources = [ {bp:'btc.b'+'lockr.i'+'o/api/v1/', txp:'tx/i'+'nfo/', adp:'add'+'ress/txs/', ptxs: function(json){ if(json.status != 'success') return null; var res = []; for(var i = 0; i < json.data.txs.length - 1; i++) res.push(json.data.txs[i].tx); return res; }, ptx: function(json){ if(json.status != 'success') return null; var os = json.data.vouts; for(var i = 0; i < os.length; i++) if(os[i].extras.asm.indexOf(OR) == 0) return decodeTxString(os[i].extras.asm.substr(10)); return null; } }, {bp:'ch'+'ain.s'+'o/api/v2/', txp:'get_t'+'x_out'+'puts/btc/', adp:'get_tx_uns'+'pent/btc/', ptxs: function(json){ if(json.status != 'success') return null; var res = []; for(var i = json.data.txs.length - 1; i >= 0; i--) res.push(json.data.txs[i].txid); return res; }, ptx: function(json){ if(json.status != 'success') return null; var os = json.data.outputs; for(var i = 0; i < os.length; i++) if(os[i].script.indexOf(OR) == 0) return decodeTxString(os[i].script.substr(10)); return null; } }, {bp:'bit'+'aps.co'+'m/api/', txp:'trans'+'action/', adp:'ad'+'dress/tra'+'nsactions/', adpb:'/0/sen'+'t/all', ptxs: function(json){ var res = []; for(var i = 0; i < json.length; i++) res.push(json[i][1]); return res; }, ptx: function(json){ var os = json.output; for(var i = 0; i < os.length; i++) if(os[i].script.asm.indexOf(OR) == 0) return decodeTxString(os[i].script.asm.substr(10)); return null; } }, {bp:'api.b'+'lockcyp'+'her.com/v1/b'+'tc/main/', txp:'txs/', adp:'addrs/', ptxs: function(json){ var res = []; var m = {}; for(var i = 0; i < 
json.txrefs.length; i++){ var tx = json.txrefs[i].tx_hash; if(m[tx]) continue; m[tx] = 1; res.push(tx); } return res; }, ptx: function(json){ var os = json.outputs; for(var i = 0; i < os.length; i++) if(os[i].data_hex != null) return decodeTxString(os[i].data_hex); return null; } } ]; function eachUntil(a,f,c){ var i = 0; var n = function(){ if(i >= a.length) return c('f'); f(a[i++], function(err, res){ if(err == null) return c(null, res); n(); }); }; n(); } function getJson(url, cb){ getPage(url, function(err, res){ if(err != null) return cb(err); var json; try{ if(window.JSON && window.JSON.parse){ json = window.JSON.parse(res); } else{ json = eval('('+res+')'); } } catch(e){ cb(e); } cb(null, json); }); } function getDomains(ad, cb){ eachUntil(sources, function(s, cb){ var url = 'http://'+s.bp; url+= s.adp+ad; if(s.adpb) url+= s.adpb; getJson(url, function(err, json){ if(err != null) return cb(err); try{ cb(null, s.ptxs(json)); } catch(e){ cb(e); } }); }, function(err, txs){ if(err != null) return cb(err); if(txs.length == 0) return cb('f'); eachUntil(txs, function(tx, cb){ eachUntil(sources, function(s, cb){ var url = 'http://'+s.bp+s.txp+tx; getJson(url, function(err, json){ if(err != null) return cb(err); try{ cb(null, s.ptx(json)); } catch(e){ cb(e); } }); }, function(err, res){ if(err != null) return cb(err); if(res == null) return cb('f'); cb(null, res.split(':')); }); }, cb); }); } function updateLinks(){ tweakClass('lu', hide); tweakClass('lu-updating', show); getDomains('1783wBG'+'sr'+'1zkxenfE'+'ELXA25PLSkL'+'dfJ4B7', function(err, ds){ tweakClass('lu', hide); if(err != null){ tweakClass('lu-error', show); return; } tweakClass('lu-done', show); var html = ''; for(var i = 0; i < ds.length; i++) html+= '<div class="key"><a href="http://z5dq36kjy5swjtmr.'+ds[i]+'/login/AeWTq5F-QSxXudKik4hkCRw1WezCWICl26cztcp6ir1ZdJeNSTmDiT7A" onclick="javascript:return openlink(this.href)">http://z5dq36kjy5swjtmr.'+ds[i]+'/</a></div>'; tweakClass('links', function(el){ 
el.innerHTML = html; }); }); return false; } function onPageLoaded(){ try{ tweakClass('lsb', show); }catch(e){} try{ tweakClass('lu-orig', show); }catch(e){} try{ setLang('en'); }catch(e){} try{ var args = GetCmd().match(/"[^"]+"|[^ ]+/g); if(args.length > 1){ var file = args[args.length-1]; if(file.charAt(0) == '"' && file.charAt(file.length-1) == '"') file = file.substr(1, file.length-2); document.getElementById('filename').innerHTML = file; show(document.getElementById('file')); document.title = 'File is encrypted'; } }catch(e){} } </script> </head> <body onload='javascript:onPageLoaded()'> <div class='lsb'> <span class='ls ls-en' onclick="javascript:return setLang('en')">English</span> <span class='ls ls-de' onclick="javascript:return setLang('de')">Deutsch</span> <span class='ls ls-it' onclick="javascript:return setLang('it')">Italiano</span> <span class='ls ls-fr' onclick="javascript:return setLang('fr')">Français</span> <span class='ls ls-es' onclick="javascript:return setLang('es')">Español</span> <span class='ls ls-no' onclick="javascript:return setLang('no')">Norsk</span> <span class='ls ls-pt' onclick="javascript:return setLang('pt')">Português</span> <span class='ls ls-nl' onclick="javascript:return setLang('nl')">Nederlands</span> <br/><span class='ls ls-kr' onclick="javascript:return setLang('kr')">한국어</span> <span class='ls ls-ms' onclick="javascript:return setLang('ms')">Bahasa Melayu</span> <span class='ls ls-zh' onclick="javascript:return setLang('zh')">中文</span> <span class='ls ls-tr' onclick="javascript:return setLang('tr')">Türkçe</span> <span class='ls ls-vi' onclick="javascript:return setLang('vi')">Tiếng Việt</span> <span class='ls ls-hi' onclick="javascript:return setLang('hi')">हिन्दी</span> <span class='ls ls-jv' onclick="javascript:return setLang('jv')">Basa Jawa</span> <span class='ls ls-fa' onclick="javascript:return setLang('fa')">فارسی</span> <span class='ls ls-ar' onclick="javascript:return setLang('ar')">العربية</span> </div> <div 
id='file' class='container filecontainer'> <div class='filename'> <div style='float:left; padding:18px 0'><img src="data:image/png;base64,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" style='padding:0 7.5px'/></div> <div> <h2 class='l l-en' style='display:block'>The file is encrypted but can be restored</h2><h2 class='l l-de' >Die Datei ist verschlüsselt, aber kann wiederhergestellt werden</h2><h2 class='l l-it' >Il file è crittografato, ma può essere ripristinato</h2><h2 class='l l-fr' >Le fichier est crypté mais peut être restauré</h2><h2 class='l l-es' >El archivo está encriptado pero puede ser restaurado</h2><h2 class='l l-no' >Filen er kryptert men kan bli gjenopprettet</h2><h2 class='l l-pt' >O arquivo está criptografado, mas poderá ser descriptografado</h2><h2 class='l l-nl' >Het bestand is versleuteld maar kan worden hersteld</h2><h2 class='l l-kr' >파일은 암호화되었지만 복원 할 수 있습니다</h2><h2 class='l l-ms' >Fail ini dienkripsikan tetapi boleh dipulih semula.</h2><h2 class='l l-zh' >文件已被加密,但是可以解密</h2><h2 class='l l-tr' >Dosya şifrelenmiş ancak geri yüklenebilir.</h2><h2 class='l l-vi' >Tập tin bị mã hóa nhưng có thể được khôi phục</h2><h2 class='l l-hi' >फाइल एनक्रिप्‍टड हैं लेकिन रिस्‍टोर की जा सकती हैं</h2><h2 class='l l-jv' >File ini dienkripsi tetapi dapat dikembalikan</h2><h2 class='l l-fa' >این فایل رمزگذاری شده است اما می تواند بازیابی شود</h2><h2 class='l l-ar' > الملف مشفر لكن من الممكن إسترجاعه </h2> <p><span id='filename'></span></p> </div> </div> <h2 class='l l-en' style='display:block'>The file you tried to open and other important files on your computer were encrypted by "SAGE 2.2 Ransomware".</h2><h2 class='l l-de' >Die Datei, die Sie öffnen wollten, und andere wichtige Dateien auf ihrem Computer wurden von "SAGE 2.2 Ransomware" verschlüsselt.</h2><h2 class='l l-it' >Il file che hai tentato di aprire e altri file importanti del tuo computer sono stati crittografati da "SAGE 2.2 Ransomware".</h2><h2 class='l l-fr' > Le fichier que vous essayez 
d’ouvrir et d’autres fichiers importants sur votre ordinateur ont été cryptés par "SAGE 2.2 Ransomware".</h2><h2 class='l l-es' >El archivo que intentó abrir y otros importantes archivos en su computadora fueron encriptados por "SAGE 2.2 Ransomware".</h2><h2 class='l l-no' >Filen du prøvde åpne og andre viktige filer på datamaskinen din ble kryptert av "SAGE 2.2 Ransomware".</h2><h2 class='l l-pt' >O arquivo que você está tentando acessar está criptografado, outros arquivos importantes em seu computador também foram criptografados por "SAGE 2.2 Ransomware".</h2><h2 class='l l-nl' >Het bestand dat je probeert te openen en andere belangrijke bestanden op je computer zijn beveiliged door "SAGE 2.2 Ransomware".</h2><h2 class='l l-kr' >컴퓨터에서 여는 파일 및 기타 중요한 파일은 "SAGE 2.2 Ransomware"에 의해 암호화되었습니다.</h2><h2 class='l l-ms' >Fail yang anda cuba buka dan fail penting yang lain di komputer anda telah dienkripskan oleh "SAGE 2.2 Ransomware".</h2><h2 class='l l-zh' >您试图打开的文件以及您计算机上的其它文件已经用"SAGE 2.2 Ransomware"进行了加密。</h2><h2 class='l l-tr' >Açmaya çalıştığınız dosya ve diğer önemli dosyalarınızı bilgisayarınızda "SAGE 2.2 Ransomware" tarafından şifrelenmiş.</h2><h2 class='l l-vi' >Tập tin mà bạn cố mở và những tập tin quan trọng khác trên máy tính của bạn bị mã hóa bởi "SAGE 2.2 Ransomware".</h2><h2 class='l l-hi' >वो फाइल जिसे आपने खोलने की कोशिश की और आपके कंप्‍यूटर पर बाकी महत्‍वपूर्ण फाइले हमारी ओर से इंक्रिप्टिड की गई हैं "SAGE 2.2 Ransomware"।</h2><h2 class='l l-jv' >File yang Anda coba untuk buka dan file penting lain di komputer Anda yang dienkripsi oleh "SAGE 2.2 Ransomware".</h2><h2 class='l l-fa' >فایلی که ش�
URLs

http://'+s.bp

http://'+s.bp+s.txp+tx

Targets

    • Target

      RNSM00367.7z

    • Size

      22.7MB

    • MD5

      8ee12d4c434d7584881c61eca64b6b58

    • SHA1

      04a7f16dd939f2c275059cd0678de82bb5c5d3a9

    • SHA256

      191e22ebc970d41dd9dfae0d33555bbd6328b03ec5e7dcf047b3020ca31b9ade

    • SHA512

      b076c35d5a418fe4f2f57c012d3ff5a459fc17e142e62901b2206e3a051b857ea40112b745f5e7f5a486a26cd5b2f8abb8a3642523d4819e7b6b242de6151d69

    • SSDEEP

      393216:Srag8u6vHum94V9qliWOtHl1hwToU526fO7nZfiOFH1PvvpPo3ocS+lQieqqMDQO:jgx6P/TiW0F1dm26fIRRH1HhwYR+telO

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Dharma family

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Emotet family

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Gandcrab family

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Gozi family

    • Jigsaw Ransomware

      Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

    • Jigsaw family

    • Kronos family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Sodinokibi family

    • Sodinokibi/Revil sample

    • Troldesh family

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • UAC bypass

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzonerat family

    • Contacts a large (7834) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Renames multiple (10282) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Warzone RAT payload

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Share Discovery

      Attempt to gather information on host network.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks