dasjahn

Member
Content Count: 2
Community Reputation: 0 Neutral

About dasjahn
Rank: New Member
  1. The Xorist decryption tool is working. Many thanks!
  2. Files have been encrypted; their extension is .DECRYPT-ID-63100927, e.g. desktop.ini.DECRYPT-ID-63100927. The note is attached, but on the other hand I found two files named Help_Help_Help.._.hta, which seem to belong to a known ransomware. The intrusion point was an unsecured RDP. Any ideas? Thanks in advance, Phil

     Attachments: HOW TO DECRYPT FILES.txt, _HELP_HELP_HELP_PD8ZDVC0_.hta
     VirusTotal for the attached file: https://www.virustotal.com/de/file/6e1cc8910ac86be473d2d5059ebc0209c9c76e02a8612745a1fe3fbfd5b8f861/analysis/1488238883/

     Edit: I should add that I might have found the software itself (see pictures). The file backup.exe was detected by VirusTotal: https://www.virustotal.com/de/file/26e590d4faf33f939743974950d92bcdaf986af19823127328a4df016a5c8a85/analysis/1488236849/ Inside the \x64 folder I found (see pictures). VirusTotal for minidrv.sys says: https://www.virustotal.com/de/file/8d4d0e8a874b6b5f5adfa2153a8470b841fee2f27a23c422f9f504c33b262de0/analysis/1488242021/

     Edit 2: backup.exe is packed with UPX and written in C++. VirusTotal for the unpacked backup.exe: https://www.virustotal.com/en/file/f6d811a5e1bf79a192e1c3a6362fb3df6ea7e98c0296b00699bcac2816a9af75/analysis/1488243201/

     Edit 3: Analysis of the unpacked backup.exe:
     https://www.hybrid-analysis.com/sample/f6d811a5e1bf79a192e1c3a6362fb3df6ea7e98c0296b00699bcac2816a9af75?environmentId=100
     https://sandbox.deepviz.com/report/hash/727d3e8d6958ebcf2aeb6d8057e69bce/
     https://www.vicheck.ca/md5query.php?hash=727d3e8d6958ebcf2aeb6d8057e69bce
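The indicators in the post above (the .DECRYPT-ID-<digits> suffix on victim files, the _HELP_HELP_HELP_*_.hta note, and a backup.exe that is UPX-packed) can be swept for offline on a copied disk image with a small triage script. The following is an added example and not the poster's or the forum's code. The note-filename pattern is generalised from the single name quoted in the post and is an assumption; the SHA-256 set is copied from the VirusTotal links in the post; the PE check only reads the section table, so a sample repacked with renamed sections will not be flagged; and the sample directory it builds for a dry run is constructed here, not taken from the victim machine.

```python
"""Offline triage for the indicators reported in the post: files renamed with
a .DECRYPT-ID-<digits> suffix, _HELP_HELP_HELP_*_.hta notes, PE files whose
section names betray UPX packing, and hashes quoted in the thread.
Added example, not the poster's code."""
import hashlib
import os
import re
import struct
import tempfile

# Extension seen on the victim's files, e.g. desktop.ini.DECRYPT-ID-63100927
RANSOM_EXT_RE = re.compile(r"\.DECRYPT-ID-(\d+)$")
# ASSUMPTION: generalised from the one note name in the post,
# _HELP_HELP_HELP_PD8ZDVC0_.hta
NOTE_RE = re.compile(r"^_HELP_HELP_HELP_[A-Z0-9]+_\.hta$", re.IGNORECASE)

# SHA-256 values taken from the VirusTotal links in the post (.hta note,
# packed backup.exe, minidrv.sys, unpacked backup.exe).
KNOWN_SHA256 = {
    "6e1cc8910ac86be473d2d5059ebc0209c9c76e02a8612745a1fe3fbfd5b8f861",
    "26e590d4faf33f939743974950d92bcdaf986af19823127328a4df016a5c8a85",
    "8d4d0e8a874b6b5f5adfa2153a8470b841fee2f27a23c422f9f504c33b262de0",
    "f6d811a5e1bf79a192e1c3a6362fb3df6ea7e98c0296b00699bcac2816a9af75",
}


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if `data` is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes, name first 8
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """UPX leaves its section names (UPX0, UPX1, ...) in place by default."""
    return any(n.upper().startswith("UPX") for n in pe_section_names(data))


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(root: str) -> dict:
    """Walk `root` and collect the indicators described in the post."""
    report = {"encrypted": [], "victim_ids": set(), "notes": [],
              "upx_packed": [], "known_hashes": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            m = RANSOM_EXT_RE.search(name)
            if m:
                report["encrypted"].append(path)
                report["victim_ids"].add(m.group(1))
                continue
            if NOTE_RE.match(name):
                report["notes"].append(path)
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            if sha256_of(data) in KNOWN_SHA256:
                report["known_hashes"].append(path)
            if looks_upx_packed(data):
                report["upx_packed"].append(path)
    return report


def build_fake_pe(section_names) -> bytes:
    """Constructed minimal PE (no optional header) for an offline dry run."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names),
                                   0, 0, 0, 0, 0)
    secs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32
                    for n in section_names)
    return dos + coff + secs


def build_sample_tree() -> str:
    """Constructed sample directory mirroring the post's file names."""
    root = tempfile.mkdtemp()
    samples = {
        "desktop.ini.DECRYPT-ID-63100927": b"ciphertext",
        "_HELP_HELP_HELP_PD8ZDVC0_.hta": b"<html>note</html>",
        "backup.exe": build_fake_pe(["UPX0", "UPX1", ".rsrc"]),
        "clean.exe": build_fake_pe([".text", ".data"]),
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for key, value in triage(target).items():
        print(f"{key}: {sorted(value)}")
```

Run it against a mounted, read-only copy of the affected volume rather than the live host; the victim ID it extracts from the suffix is what a decryption-tool author will ask for, and a hit in `known_hashes` on a file outside `\x64` tells you where else the intruder staged the toolkit.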