Summary | ZeroBOX

502.exe

UPX Malicious Library OS Processor Check PE32 PE File
Category: FILE
Machine: s1_win7_x6401
Started: Dec. 9, 2022, 3:08 p.m.
Completed: Dec. 9, 2022, 3:12 p.m.
Size 106.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 842d42bb052a77759c8f55d46021b2e0
SHA256 89844786bb2290797309c881c49a38f8502c39342bf2d9fecdc4ac5b4735f1d4
CRC32 2766AB0F
ssdeep 3072:zSXsRZb0m4BbJpVIYbQf91G3im/2Ef07JysgIXHjg+grwBR1imy3Lh+puYRJy1Cf:GHpVCzGFmRuYRKj7b8
Yara
  • IsPE32 - (no description)
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file

DNS (Name / Response / Post-Analysis Lookup): No hosts contacted.
Hosts (IP Address / Status / Action): No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

file C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.msi
file M:\Boot\BOOTSTAT.DAT
API calls (Time & API / Arguments / Status / Return / Repeated)

NtWriteFile

buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://34vm2smykaqtzzzm4bgycfzg5fwyhhksrkpahdbiswmmuwuu7hmvuvqd.onion/?502XJUGSDPA 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5
offset: 0
file_handle: 0x00000120
filepath: C:\GPKI\ReadMe.txt
status: 1 return: 0 repeated: 0

NtWriteFile

buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://34vm2smykaqtzzzm4bgycfzg5fwyhhksrkpahdbiswmmuwuu7hmvuvqd.onion/?502XJUGSDPA 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5
offset: 0
file_handle: 0x0000016c
filepath: \Device\HarddiskVolume1\Boot\cs-CZ\ReadMe.txt
status: 1 return: 0 repeated: 0

NtWriteFile

buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://34vm2smykaqtzzzm4bgycfzg5fwyhhksrkpahdbiswmmuwuu7hmvuvqd.onion/?502XJUGSDPA 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5
offset: 0
file_handle: 0x00000148
filepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\ReadMe.txt
status: 1 return: 0 repeated: 0
Lionic Trojan.Win32.Gen.4!c
MicroWorld-eScan Gen:Heur.Mint.SP.Ransomware.1
FireEye Generic.mg.842d42bb052a7775
CAT-QuickHeal Trojan.GenericRI.S16459571
ALYac Gen:Heur.Mint.SP.Ransomware.1
Cylance Unsafe
Zillya Trojan.Filecoder.Win32.22595
Sangfor Trojan.Win32.Save.a
K7AntiVirus Ransomware ( 005957b11 )
K7GW Ransomware ( 005957b11 )
Cybereason malicious.b052a7
Arcabit Trojan.Mint.SP.Ransomware.1
Cyren W32/Injector.BBB.gen!Eldorado
Symantec Ransom.Cryptolocker
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Filecoder.OCP
Cynet Malicious (score: 100)
APEX Malicious
ClamAV Win.Ransomware.DeathRansom-9866362-1
Kaspersky HEUR:Trojan-Ransom.Win32.Generic
BitDefender Gen:Heur.Mint.SP.Ransomware.1
NANO-Antivirus Trojan.Win32.Filecoder.hngtyg
Avast Win32:Malware-gen
Tencent Malware.Win32.Gencirc.115daddd
Ad-Aware Gen:Heur.Mint.SP.Ransomware.1
Emsisoft Trojan.FileCoder (A)
F-Secure Heuristic.HEUR/AGEN.1213034
DrWeb Trojan.Encoder.32178
VIPRE Gen:Heur.Mint.SP.Ransomware.1
TrendMicro Ransom.Win32.CRYPTOLOCK.SM
McAfee-GW-Edition BehavesLike.Win32.NetLoader.ch
Sophos Mal/Generic-S
Ikarus Trojan-Ransom.FileCrypter
Jiangmin Trojan.Gen.bea
Avira HEUR/AGEN.1213034
MAX malware (ai score=88)
Antiy-AVL Trojan/Win32.Wacatac
Gridinsoft Ransom.Win32.DeathRansom.oa!s1
Microsoft Trojan:Win32/Synder0s18.s18!ic
ZoneAlarm HEUR:Trojan-Ransom.Win32.Gen.gen
GData Gen:Heur.Mint.SP.Ransomware.1
Google Detected
AhnLab-V3 Trojan/Win32.RansomCrypt.R343432
McAfee GenericRXLK-YJ!842D42BB052A
TACHYON Ransom/W32.BitRansomware.108544
VBA32 BScope.TrojanRansom.Gen
Malwarebytes Ransom.FileCryptor
TrendMicro-HouseCall Ransom.Win32.CRYPTOLOCK.SM
Rising Trojan.Filecoder!8.68 (TFE:5:vS4hrXmF9DB)
Yandex Trojan.Filecoder!K3ePO8ZFcEM