99f3f126c0da424357b510e2b1bb7b80b0a83e77802e9eeaec5119cb26b13231

General

Target

ransomware.exe
Size

259KB
MD5

61e7fef300b01614836c82051d840615
SHA1

df05c78a8b88ecd1b8e2db6dcc42f027065db6ac
SHA256

99f3f126c0da424357b510e2b1bb7b80b0a83e77802e9eeaec5119cb26b13231
SHA512

29e890068caca97e3f09eed17f9c02e367bf1c4e1d5fdc77b373e6d91223fd61355057e2ab36e6615de0c3cd62ef523a7accd214a44a1e7b5083fdefcde02185

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Program Files\Java\jre7\bin\!!_FILES_ENCRYPTED_.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups, replications were either encrypted or wiped. Shadow copies also removed. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE *.ESCAL-p9yqoly files. This may lead to the impossibility of recovery of the certain files. To get info how to decrypt your files, contact us at: imperial755@protonmail.com imperial@mailfence.com To confirm our honest intentions we will decrypt few files for free. Send 2 different files with extension *.ESCAL-p9yqoly. Files should not contain essential information. Files should be inside ZIP archive and mailed to us (SUBJ : your domain or network name). It can be from different computers on your network to be sure we decrypts everything. The procedure to decrypt the rest is simple: After payment we will send you decryption software. Don't waste time, send email with files attached as soon as possible. if you contact the police, they completely BLOCK any activity (mainly financial) of the company until the end of the proceedings on their part. It's just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. It's not in our interests. If you will not cooperate with our service - for us, it's doesn't matter. But you will lose your time and data, cause just we have the private key. �

Emails

imperial755@protonmail.com

imperial@mailfence.com

Signatures

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

NOTEPAD.EXE

pid process

620 NOTEPAD.EXE

pid	process
620	NOTEPAD.EXE

Drops file in Program Files directory 7440 IoCs

Processes:

ransomware.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_ja_4.4.0.v20140623020002.jar.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STC.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\!!_FILES_ENCRYPTED_.txt	ransomware.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Oslo.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chuuk.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Cordoba.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\CALENDAR.GIF.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH02282_.WMF.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00175_.GIF.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.IN.XML.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\WidescreenPresentation.potx.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\LETTHEAD.DPV.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\Xlate_Complete.xsn.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\HEADER.GIF.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14656_.GIF.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099201.GIF.ESCAL-p9yqoly	ransomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mr\!!_FILES_ENCRYPTED_.txt	ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\La_Rioja.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0152704.WMF.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD21323_.GIF.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR50F.GIF.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHighMask.bmp.ESCAL-p9yqoly	ransomware.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\!!_FILES_ENCRYPTED_.txt	ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_ja.jar.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Aqtobe.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01140_.WMF.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0105328.WMF.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD21313_.GIF.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE00720_.WMF.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.Xml.xml.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\background.gif.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\MSPUB_K_COL.HXK.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA00452_.WMF.ESCAL-p9yqoly	ransomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\!!_FILES_ENCRYPTED_.txt	ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\WINWORD_F_COL.HXK.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01748_.GIF.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\!!_FILES_ENCRYPTED_.txt	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0148757.JPG.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\CATWIZ.POC.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\PICSTYLES.DPV.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14532_.GIF.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\DGWEBREF.XML.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\DGBORDER.DPV.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21421_.GIF.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14867_.GIF.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\IN00919_.WMF.ESCAL-p9yqoly	ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pago_Pago.ESCAL-p9yqoly	ransomware.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\!!_FILES_ENCRYPTED_.txt	ransomware.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar.ESCAL-p9yqoly	ransomware.exe

C:\Users\Admin\AppData\Local\Temp\ransomware.exe
"C:\Users\Admin\AppData\Local\Temp\ransomware.exe"
1⤵
- Drops file in Program Files directory
PID:288

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1764

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\!!_FILES_ENCRYPTED_.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:620

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads