{
	"id": "6d53cd56-de05-424c-bd42-0eea99f52d4d",
	"created_at": "2026-04-06T00:06:15.789406Z",
	"updated_at": "2026-04-10T03:23:51.978013Z",
	"deleted_at": null,
	"sha1_hash": "6b85fdedeb527d1440e6fda3438a6c9ae60304ec",
	"title": "I literally can't think of a fitting pun - mrdec ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1174094,
	"plain_text": "I literally can't think of a fitting pun - mrdec ransomware\r\nBy f0wL\r\nPublished: 2019-12-23 · Archived: 2026-04-05 13:58:04 UTC\r\nMon 23 December 2019 in Ransomware\r\n\r\nI took notice of this ransomware family after a series of posts in the Bleeping Computer forum. It employs techniques that are not seen very often in other ransomware samples, so the analysis is actually quite difficult, but I'm hoping reading this is at least a bit interesting.\r\n\r\nWork in Progress\r\nBecause Christmas and 36c3 are coming up in the next few days, I might have to push this analysis back a bit.\r\n\r\nA general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws, as owning malware binaries/sources might be illegal depending on where you live.\r\n\r\nMrDec @ AnyRun | VirusTotal | HybridAnalysis --\u003e sha256 a700f9ced75c4143da6c4d1e09d6778e84ff570ea7d297fc130a0844e56c96ad\r\n\r\nLet's see what we're dealing with here and fire up Detect It Easy:\r\nhttps://dissectingmalwa.re/i-literally-cant-think-of-a-fitting-pun-mrdec-ransomware.html\r\nPage 1 of 13\r\n\r\nThe ransom note is delivered via a .hta file. Like most other strains active in the last few months, the criminals use two e-mail addresses: a \"primary\" and a \"backup\". In this case they are using Protonmail and AOL, which has been kind of a pattern for them (Tutanota is their third preferred service; a list of previously used mailboxes is available down below in the IOCs section).\r\n\r\nOpening the note in another browser (Chrome in this case) won't show the instructions but a countdown timer. The victim won't be able to see the timer in most cases, because the .hta is rendered by Internet Explorer and scrolling is disabled there :D\r\nRansom note in Chrome\r\n\r\nIn the following screenshot you can see the \"Process Killing\" routine of MrDec.\r\n\r\nLast but not least we have a weird discovery.\r\n\r\nMITRE ATT\u0026CK\r\nT1215 --\u003e Kernel Modules and Extensions --\u003e Persistence\r\nT1179 --\u003e Hooking --\u003e Persistence\r\nT1060 --\u003e Registry Run Keys / Startup Folder --\u003e Persistence\r\nT1055 --\u003e Process Injection --\u003e Privilege Escalation\r\nT1179 --\u003e Hooking --\u003e Privilege Escalation\r\nT1055 --\u003e Process Injection --\u003e Defense Evasion\r\nT1045 --\u003e Software Packing --\u003e Defense Evasion\r\nT1112 --\u003e Modify Registry --\u003e Defense Evasion\r\nT1107 --\u003e File Deletion --\u003e Defense Evasion\r\nT1179 --\u003e Hooking --\u003e Credential Access\r\nT1012 --\u003e Query Registry --\u003e Discovery\r\nT1057 --\u003e Process Discovery --\u003e Discovery\r\nT1076 --\u003e Remote Desktop Protocol --\u003e Lateral Movement\r\nThese are the technique IDs of the late-2019 ATT\u0026CK matrix, before sub-techniques were introduced: in the current matrix T1060 is T1547.001, T1215 is T1547.006, T1045 is T1027.002, T1107 is T1070.004, T1076 is T1021.001, and T1179 survives only as T1056.004 (Credential API Hooking); T1055, T1112, T1012 and T1057 are unchanged.\r\n\r\nIOCs\r\n\r\nMrDec\r\nsearchfiles.exe --\u003e SHA256: a700f9ced75c4143da6c4d1e09d6778e84ff570ea7d297fc130a0844e56c96ad\r\nSSDEEP: 192:QEsTzSIs3HIuvipDu3uTtKTzTwmH+STs8fpgiRHIYGL4vKrGoO:QE0JoapKeTtKTz8s+S\r\n\r\nRegistry Keys\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nunlock --\u003e \"c:\\Decoding help.hta\"\r\nsearchfiles --\u003e C:\\windows\\searchfiles.exe\r\n(The first entry re-opens the ransom note at every logon, the second relaunches the ransomware binary from C:\\windows.)\r\n\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DateTime\r\norsa --\u003e 06 02 00 00 00 A4 00 00 52 53 41 31 00 08 00 00 01 00 01 00 07 AF 04 2E A4 1A 3C 08 5E 32 C\r\nrsa --\u003e 3C 53 81 1E 96 58 52 7C 67 7D 5F 60 14 15 29 1B 72 AC F5 F6 B7 B8 54 32 B7 63 1A 24 4F B2\r\n(Both values are cut off in this copy. The orsa blob starts with a CryptoAPI PUBLICKEYBLOB header: bType 0x06, bVersion 2, aiKeyAlg 0x0000A400 = CALG_RSA_KEYX, magic \"RSA1\", 2048-bit key, public exponent 0x10001; the bytes after the header are the modulus.)\r\n\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\r\nPromptOnSecureDesktop --\u003e 0\r\nEnableLUA --\u003e 0\r\nConsentPromptBehaviorAdmin --\u003e 0\r\n(The defaults are 1, 1 and 5. Together these values switch UAC off entirely (EnableLUA takes effect after the next reboot), let administrators elevate without any prompt and disable the secure desktop for elevation prompts.)\r\n\r\nHKEY_CLASSES_ROOT\\[ID]PFOzv5ecUnxnfV9F[ID]_auto_file\r\nHKEY_CLASSES_ROOT\\.[ID]PFOBHpZYUnxnfV9F[ID] --\u003e HKEY_CLASSES_ROOT\\[ID]PFOBHpZYUnxnfV9F[ID]_auto_file\r\nHKEY_CLASSES_ROOT\\[ID]PFOBHpZYUnxnfV9F[ID]_auto_file\\shell\\open\\command --\u003e %SystemRoot%\\System32\\run\r\nHKEY_CLASSES_ROOT\\[ID]PFOBHpZYUnxnfV9F[ID]_auto_file\\shell\\open\\DropTarget --\u003e {FFE2A43C-56B9-4bf5-9A\r\nHKEY_CLASSES_ROOT\\[ID]PFOBHpZYUnxnfV9F[ID]_auto_file\\shell\\open --\u003e @photoviewer.dll,-3043\r\nHKEY_CLASSES_ROOT\\[ID]PFOBHpZYUnxnfV9F[ID]_auto_file\\shell\\print\\command --\u003e %SystemRoot%\\System32\\ru\r\nHKEY_CLASSES_ROOT\\[ID]PFOBHpZYUnxnfV9F[ID]_auto_file\\shell\\print\\DropTarget --\u003e {60fd46de-f830-4894-a\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.[ID]PFOBHpZYUnxnfV9F[I\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.[ID]PFOBHpZYUnxnfV9F[I\r\n(Encrypted files carry the victim ID as their extension. The *_auto_file ProgID with its Windows Photo Viewer verbs and the FileExts entries are what Explorer writes when a file with an unknown extension is opened via \"Open with\", so they document an encrypted file being opened on the analysis machine rather than an action of the malware itself. Several of these values are truncated in this copy.)\r\n\r\nE-Mail Addresses\r\nFirst campaign (May 2018):\r\nshine1@tutanota[.]com\r\nshine2@protonmail[.]com\r\nSecond campaign (September/October 2019):\r\nJonStokton@Protonmail[.]com\r\nJonStokton@tutanota[.]com\r\nfilessnoop@aol[.]com\r\nfilessnoop@tutanota[.]com\r\nThird campaign:\r\nlocalgroup@protonmail[.]com\r\nlocalgroup@tutanota[.]com\r\nZiCoyote@protonmail[.]com\r\nZiCoyote@aol[.]com\r\nFourth campaign:\r\nmr.dec@protonmail[.]com\r\nmr.dec@tutanota[.]com\r\nFrederik888@protonmail[.]com\r\nFrederik888@aol[.]com\r\n\r\nRansom note V1\r\nYou are unlucky! The terrible virus has captured your files! For decoding please contact by email Fre\r\nYour\r\n[ID]PFOBHpZYUnxnfV9F[ID]\r\n1. In the subject line, write your ID.\r\n2. Attach 1-2 infected files that do not contain important information (less than 2 mb)\r\nare required to generate the decoder and restore the test file.\r\nHurry up! Time is limited!\r\nAttention!!!\r\nAt the end of this time, the private key for generating the decoder will be destroyed. Files will not\r\n\r\nSource: https://dissectingmalwa.re/i-literally-cant-think-of-a-fitting-pun-mrdec-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://dissectingmalwa.re/i-literally-cant-think-of-a-fitting-pun-mrdec-ransomware.html"
	],
	"report_names": [
		"i-literally-cant-think-of-a-fitting-pun-mrdec-ransomware.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433975,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6b85fdedeb527d1440e6fda3438a6c9ae60304ec.pdf",
		"text": "https://archive.orkl.eu/6b85fdedeb527d1440e6fda3438a6c9ae60304ec.txt",
		"img": "https://archive.orkl.eu/6b85fdedeb527d1440e6fda3438a6c9ae60304ec.jpg"
	}
}