# I literally can't think of a fitting pun - MrDec Ransomware **[dissectingmalwa.re/i-literally-cant-think-of-a-fitting-pun-mrdec-ransomware.html](https://dissectingmalwa.re/i-literally-cant-think-of-a-fitting-pun-mrdec-ransomware.html)** #### Mon 23 December 2019 in Ransomware I took notice of the Ransomware Family after a series of posts in the Bleeping Computer Forum. It employs techniques that are not seen very often in other ransomware samples, so the Analysis is actually quite difficult, but I'm hoping reading this is also a bit interesting atleast. ## Work in Progress #### Because Christmas and 36c3 is coming up in the next few I days I might have to push this analysis back a bit. A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live. MrDec @ AnyRun | VirusTotal | HybridAnalysis --> sha256 ``` a700f9ced75c4143da6c4d1e09d6778e84ff570ea7d297fc130a0844e56c96ad Let's see what we're dealing with here and fire up Detect it easy: ``` ----- #### The Ransomnote is delivered via a .hta file. Like most other strains active in the last few month the criminals use two E-Mail addresses: a "primary" and a "backup". In this case they are using Protonmail and AOL which has been kind of a pattern for them (Tutanota is their third preferred service, a list of previously used mailboxes is available down below in the IOCs Section). ----- #### Opening the note in another browser (Chrome in this case) won't show the instructions but a countdown timer. The victim won't be able to see the timer in most cases because when using Internet Explorer because scrolling is disabled :D Ransomnote in Chrome ----- ----- ----- ----- ----- ----- #### In the following screenshot you can see the "Process Killing" routine of MrDec. ----- #### Last but not least we have a weird discovery. ----- ## MITRE ATT&CK #### T1215 --> Kernel Modules and Extensions --> Persistence T1179 --> Hooking --> Persistence T1060 --> Registry Run Keys / Start Folder --> Persistence T1055 --> Process Injection --> Privilege Escalation T1179 --> Hooking --> Privilege Escalation T1055 --> Process Injection --> Defense Evasion T1045 --> Software Packing --> Defense Evasion T1112 --> Modify Registry --> Defense Evasion T1107 --> File Deletion --> Defense Evasion T1179 --> Hooking --> Credential Access T1012 --> Query Registry --> Discovery T1057 --> Process Discovery --> Discovery T1076 --> Remote Desktop Protocol --> Lateral Movement ## IOCs ### MrDec ----- ``` searchfiles.exe > SHA256: a700f9ced75c4143da6c4d1e09d6778e84ff570ea7d297fc130a0844e56c96ad SSDEEP: 192:QEsTzSIs3HIuvipDu3uTtKTzTwmH+STs8fpgiRHIYGL4vKrGoO:QE0JoapKeTtKTz8s+S48h5dIYxK ### Registry Keys ``` ----- ``` HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run unlock --> "c:\Decoding help.hta" searchfiles --> C:\windows\searchfiles.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime orsa--> 06 02 00 00 00 A4 00 00 52 53 41 31 00 08 00 00 01 00 01 00 07 AF 04 2E A4 1A 3C 08 5E 32 C7 4F 6A DB C8 7C 91 6B C1 FE 73 38 2F 4F 7C EA B8 B6 BC BD CB 22 5C 6B E6 1C E0 35 24 58 ED C8 BC EF A9 A6 EC AE 4F 84 AF BC E8 D7 50 4B C5 2A 6F 85 5E E9 A1 46 5F 2A 65 E7 0E 97 74 4B 16 D5 C4 4C 28 6B 17 47 EC F0 B9 A5 72 C4 DB EE 67 1D C6 0D DD 58 93 FF CE 38 64 5D 92 0E 93 AC A6 BC 31 B5 6D ED A6 74 8F 59 F3 40 EF FD A9 7D 18 12 4F 0A 51 AF D6 1F EE 1E 17 4B A2 D7 CD 20 B4 4F FD DF 5C BB CD B6 A4 BC D2 8D 85 17 F9 95 BF FD 67 16 36 15 69 7A BC A2 FD 0F EC F6 D4 A4 92 94 3A AC FC 78 77 81 4B F4 E8 2E AD 55 52 27 67 EF E9 48 1F 1D 8B F5 35 8F 71 AA DA 84 75 79 A2 1C BD 32 90 8B EB 54 88 3F CC 51 C9 48 2A 47 76 79 CE EB B4 A7 ED D5 DF C3 EB 50 09 25 CC FE F3 DB 49 29 A6 6B 4F 69 AF 10 3A 1F 2F 86 1A 0C B4 90 EB 21 DF 4E 43 B3 rsa --> 3C 53 81 1E 96 58 52 7C 67 7D 5F 60 14 15 29 1B 72 AC F5 F6 B7 B8 54 32 B7 63 1A 24 4F B2 9E B5 C7 8B 29 68 40 6B 44 80 FA E4 5E 53 7B 4A 1D DE AD 28 4A E0 EF 65 1E 09 00 75 34 15 79 59 86 C9 61 ED DD E2 AE 4F 3C DA 45 7A 20 3F 85 85 FB 05 22 1E 9D 12 D2 C7 96 AB 8A 99 46 60 F0 CB 10 6C 2E A0 39 FF 07 80 A1 A4 3B 62 E6 71 93 C6 5D 42 00 1B 00 37 76 56 14 2F 72 78 F9 A2 A6 98 49 A7 38 E0 B0 A6 81 B8 F5 7F 79 7C 29 88 79 C3 98 65 C0 69 47 93 59 28 A8 BF 36 6F 88 C0 08 98 0F 6E C8 27 28 9A C8 12 F2 B2 09 7B F0 A3 1E 9A 3A 48 CE 04 C3 61 82 6B AF 2E 0D 46 14 3A F9 47 3E 26 B0 B3 67 49 81 56 DF E8 DF A4 FC 86 88 A0 80 7C 68 6D 46 84 3E 6F 30 FA 20 AC 54 3F AC 8B C3 E9 24 C3 27 31 4C A1 07 98 C2 BD D8 84 02 17 D7 3D 63 83 8F 7C 35 D3 6C C8 29 69 E6 F5 DD D8 DB AA A5 0D 9A 12 43 5D CE CA 47 6E E5 CA A5 DB D8 A6 9F FE FD DE C2 94 24 92 43 C9 08 88 FB B2 33 2B C8 59 1D B6 F2 55 71 E2 83 C7 F5 67 89 03 06 F1 E4 FC F1 13 2D 38 7B 15 DE 05 BE 27 0A AE CD A9 84 2C 3B 66 4B 18 F7 8D 76 31 BD 37 07 ED 1C D9 68 82 94 EF 08 5C B6 29 C4 69 A9 AB 07 6B B7 46 9C 0F DD A9 76 32 B2 D7 F7 FA 3A 25 15 9B A6 F7 55 93 77 DF 67 24 E0 48 B9 CC B0 39 22 B0 51 36 5B F8 DC 2A 0D 19 CC 7E EC D3 9E 9C 68 38 E4 11 DE BD 2B AE 2E A2 FA AC 86 35 D6 DC C8 4E 9D E5 8A BE B3 EC 6C 5B BB BD CB 61 F1 81 99 1F 5E 1A 80 AF 72 75 CA 55 7E 7B 93 ED F3 EB 7A 2F 5E D9 61 32 99 0C 95 3B 4C 9C CD F7 4C A5 4C 5D DB CA 72 2E BB 7B 4D 76 C5 5D CA 27 76 29 C1 4A 36 3E 66 7F 5F 29 A1 A8 AD FC BB FF 2A 11 16 29 63 8C A8 92 75 FC 0E 56 72 DC 01 9B B9 81 1C E0 14 84 8F F2 1B 15 F8 AC 0A BA 07 22 6D E0 DA A0 8B CF C1 26 0C 69 78 48 BE 24 53 E6 5E A7 A7 10 24 58 EA 26 30 6A 37 0E 30 9A FF 6E 18 90 2F 93 33 61 11 C1 7B 62 85 A8 A0 E8 3F EA 65 FC 58 3E FD BC 20 55 03 C3 95 63 2E AD 9D 0A 8E 45 87 F6 19 34 D3 48 7E 2E F2 06 BE D0 EE B9 6D 82 62 3E 51 C9 27 96 64 07 84 70 50 C0 A1 2B 13 D3 25 EA C8 62 F1 1F C5 59 B0 6B 3B 52 54 3B 1B 21 42 7B 80 CB E7 58 3D F2 A3 7F F8 48 C0 9E 1E 78 E4 0F F0 7F 50 4D D8 06 C2 53 47 3A 93 B0 AD D7 BF 5A 3F 5A F8 5B BF 60 66 0B EC B6 AF 50 5B 52 9C 82 E3 F8 EC 40 FF ED AB 4C 5C 29 E7 C4 41 87 48 B4 C1 92 74 54 A1 47 70 8A 03 94 AE AE 57 86 FF E2 BE 14 E6 F8 0C D1 73 D9 1A 2E 2E 1E B1 9E 31 3A 3D 0A F1 19 6C 4C 48 F9 C0 7A 58 9E 8F 46 F7 9C 14 26 64 2A 57 A1 88 2A A7 D5 02 6B 76 AE AB 69 C8 64 16 7A 7F E0 43 A7 14 DE 29 19 A7 3B 78 D7 02 8C 9F F5 BF 09 1E 6B BB 47 88 3E 30 76 3B DF AF 87 CB 47 2A 84 D8 B9 88 96 09 A1 EF B0 1E 99 B1 0E 07 8D 37 FF 94 BF C6 94 17 AD 95 15 30 78 FE FC 9A AB 6E B8 8B C2 9E F0 B9 8B 83 30 45 DF F3 22 28 AD 4A 8D 69 E4 7E B6 83 1E 80 C9 8B 9C 97 BE ED FD 72 D8 A8 68 21 79 CC 53 87 54 FE CB D7 38 A0 44 ED E3 15 48 D6 CD E1 14 32 0A 49 72 FC 08 7F 36 17 60 5B CA B1 BE 89 21 08 09 02 25 94 AC E2 A0 B8 F5 B6 DF 49 17 86 C6 A3 4A 7D 48 0F 27 EF 1E 48 91 71 A1 A3 2A D3 2F CF 4F B8 39 B7 04 76 CA 26 EA CF C8 A7 0F 42 BD 7B A7 50 FC 01 D3 94 1B 8B 2C F3 1C 87 CA E0 9F E3 CA B9 FF 31 69 ED DB 5F E2 2E 04 64 52 08 C8 B3 F5 9F 04 CB 31 7C D3 AD 78 76 83 5F 53 8F 5C 3C D8 CD 4D 2D 49 8A 2C CA 4D C9 43 AC B0 88 45 E5 41 7F FA 1D BF 92 9D BF C0 06 5C 24 CE 44 A1 F6 D0 ED 0C 46 BF 88 F2 DA B1 71 D6 E6 EE 87 85 29 36 AD 84 ED 7D F8 4C 8F BB 5A 44 DA 4C A4 4B B7 60 17 B8 BE 49 12 DB 15 DC 84 D4 89 08 B5 27 84 71 92 5E 3D 5A A3 ``` ----- ``` 0A AA 0D FD 5E 32 56 DC A3 4B 89 F9 9D 28 A6 AC C3 31 68 F3 98 31 D3 0A 38 B6 E4 DD 87 8E 2E 95 A8 D4 BE 23 FB 48 42 BD 07 80 AC 8E D8 97 0F 46 C6 55 D8 F0 98 3F 33 26 47 A8 05 82 B3 D7 5D 08 A1 4A 30 F9 80 5D 7F 8A 80 98 A0 F5 C8 8A 56 FF EC 44 C3 20 40 AB 06 1C 8C 3B D1 E5 79 5B 02 F2 25 F8 06 31 54 B5 60 38 68 C7 EC 42 E9 36 BD 47 B6 BE 06 A8 1B 5B 92 0D 29 CD B3 E9 F5 7A EB E5 27 83 BC 0E 48 F6 93 21 62 81 0B CE E4 92 67 35 4E AB 23 B7 AA 86 25 78 91 22 38 CC C1 95 A5 D4 4D 20 FE E3 AE F8 8F 24 E9 38 75 B2 31 82 49 00 D4 8F 9A 93 E0 A0 DD D3 B1 F8 B9 B9 3D 2D 02 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System PromptOnSecureDesktop --> 0 EnableLUA --> 0 ConsentPromptBehaviorAdmin --> 0 HKEY_CLASSES_ROOT\[ID]PFOzv5ecUnxnfV9F[ID]_auto_file HKEY_CLASSES_ROOT\.[ID]PFOBHpZYUnxnfV9F[ID] --> HKEY_CLASSES_ROOT\ [ID]PFOBHpZYUnxnfV9F[ID]_auto_file HKEY_CLASSES_ROOT\[ID]PFOBHpZYUnxnfV9F[ID]_auto_file\shell\open\command --> %SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1 HKEY_CLASSES_ROOT\[ID]PFOBHpZYUnxnfV9F[ID]_auto_file\shell\open\DropTarget --> {FFE2A43C-56B9-4bf5-9A79-CC6D4285608A} HKEY_CLASSES_ROOT\[ID]PFOBHpZYUnxnfV9F[ID]_auto_file\shell\open --> @photoviewer.dll,-3043 HKEY_CLASSES_ROOT\[ID]PFOBHpZYUnxnfV9F[ID]_auto_file\shell\print\command --> %SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1 HKEY_CLASSES_ROOT\[ID]PFOBHpZYUnxnfV9F[ID]_auto_file\shell\print\DropTarget --> {60fd46de-f830-4894-a628-6fa81bc0190d} HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. [ID]PFOBHpZYUnxnfV9F[ID]\OpenWithList --> PhotoViewer.dll HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. [ID]PFOBHpZYUnxnfV9F[ID]\OpenWithProgids --> ID]PFOBHpZYUnxnfV9F[ID]_auto_file ### E-Mail Addresses ``` ----- ``` First campaign (May 2018): shine1@tutanota[.]com shine2@protonmail.com Second campaign (September/October 2019): JonStokton@Protonmail[.]com JonStokton@tutanota[.]com filessnoop@aol[.]com filessnoop@tutanota[.]com Third campaign: localgroup@protonmail[.]com localgroup@tutanota[.]com ZiCoyote@protonmail[.]com ZiCoyote@aol[.]com Forth campaign: mr.dec@protonmail[.]com mr.dec@tutanota[.]com Frederik888@protonmail[.]com Frederik888@aol[.]com ### Ransomnote V1 You are unlucky! The terrible virus has captured your files! For decoding please contact by email Frederik888@aol.com or Frederik888@protonmail.com Your [ID]PFOBHpZYUnxnfV9F[ID] 1. In the subject line, write your ID. 2. Attach 1-2 infected files that do not contain important information (less than 2 mb) are required to generate the decoder and restore the test file. Hurry up! Time is limited! Attention!!! At the end of this time, the private key for generating the decoder will be destroyed. Files will not be restored! ``` -----