Overview
overview
7Static
static
3Turtlee.ga...es.exe
windows7_x64
1Turtlee.ga...es.exe
windows10_x64
7Turtlee.ga...st.xml
windows7_x64
1Turtlee.ga...st.xml
windows10_x64
1Turtlee.ga...40.dll
windows7_x64
1Turtlee.ga...40.dll
windows10_x64
3Turtlee.ga...yd.dll
windows7_x64
1Turtlee.ga...yd.dll
windows10_x64
3Turtlee.ga...yd.dll
windows7_x64
1Turtlee.ga...yd.dll
windows10_x64
3Turtlee.ga...yd.dll
windows7_x64
1Turtlee.ga...yd.dll
windows10_x64
3Turtlee.ga...yd.dll
windows7_x64
1Turtlee.ga...yd.dll
windows10_x64
3Turtlee.ga...yd.dll
windows7_x64
1Turtlee.ga...yd.dll
windows10_x64
3Turtlee.ga...yd.dll
windows7_x64
1Turtlee.ga...yd.dll
windows10_x64
3Turtlee.ga...yd.dll
windows7_x64
1Turtlee.ga...yd.dll
windows10_x64
3Turtlee.ga...yd.dll
windows7_x64
1Turtlee.ga...yd.dll
windows10_x64
3Turtlee.ga...yd.dll
windows7_x64
1Turtlee.ga...yd.dll
windows10_x64
3Turtlee.ga...yd.dll
windows7_x64
1Turtlee.ga...yd.dll
windows10_x64
1encodings/cp1255.pyc
windows7_x64
3encodings/cp1255.pyc
windows10_x64
3encodings/cp1256.pyc
windows7_x64
3encodings/cp1256.pyc
windows10_x64
3encodings/cp1257.pyc
windows7_x64
3encodings/cp1257.pyc
windows10_x64
3Analysis
-
max time kernel
151s -
max time network
92s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
27-06-2021 01:22
Static task
static1
Behavioral task
behavioral1
Sample
Turtlee.games/Turtlee.games.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
Turtlee.games/Turtlee.games.exe
Resource
win10v20210410
Behavioral task
behavioral3
Sample
Turtlee.games/Turtlee.games.exe.manifest.xml
Resource
win7v20210408
Behavioral task
behavioral4
Sample
Turtlee.games/Turtlee.games.exe.manifest.xml
Resource
win10v20210410
Behavioral task
behavioral5
Sample
Turtlee.games/VCRUNTIME140.dll
Resource
win7v20210410
Behavioral task
behavioral6
Sample
Turtlee.games/VCRUNTIME140.dll
Resource
win10v20210408
Behavioral task
behavioral7
Sample
Turtlee.games/_asyncio.pyd.dll
Resource
win7v20210410
Behavioral task
behavioral8
Sample
Turtlee.games/_asyncio.pyd.dll
Resource
win10v20210408
Behavioral task
behavioral9
Sample
Turtlee.games/_bz2.pyd.dll
Resource
win7v20210410
Behavioral task
behavioral10
Sample
Turtlee.games/_bz2.pyd.dll
Resource
win10v20210408
Behavioral task
behavioral11
Sample
Turtlee.games/_ctypes.pyd.dll
Resource
win7v20210410
Behavioral task
behavioral12
Sample
Turtlee.games/_ctypes.pyd.dll
Resource
win10v20210410
Behavioral task
behavioral13
Sample
Turtlee.games/_decimal.pyd.dll
Resource
win7v20210408
Behavioral task
behavioral14
Sample
Turtlee.games/_decimal.pyd.dll
Resource
win10v20210410
Behavioral task
behavioral15
Sample
Turtlee.games/_hashlib.pyd.dll
Resource
win7v20210408
Behavioral task
behavioral16
Sample
Turtlee.games/_hashlib.pyd.dll
Resource
win10v20210410
Behavioral task
behavioral17
Sample
Turtlee.games/_lzma.pyd.dll
Resource
win7v20210408
Behavioral task
behavioral18
Sample
Turtlee.games/_lzma.pyd.dll
Resource
win10v20210410
Behavioral task
behavioral19
Sample
Turtlee.games/_multiprocessing.pyd.dll
Resource
win7v20210410
Behavioral task
behavioral20
Sample
Turtlee.games/_multiprocessing.pyd.dll
Resource
win10v20210408
Behavioral task
behavioral21
Sample
Turtlee.games/_overlapped.pyd.dll
Resource
win7v20210410
Behavioral task
behavioral22
Sample
Turtlee.games/_overlapped.pyd.dll
Resource
win10v20210408
Behavioral task
behavioral23
Sample
Turtlee.games/_queue.pyd.dll
Resource
win7v20210410
Behavioral task
behavioral24
Sample
Turtlee.games/_queue.pyd.dll
Resource
win10v20210408
Behavioral task
behavioral25
Sample
Turtlee.games/_ssl.pyd.dll
Resource
win7v20210410
Behavioral task
behavioral26
Sample
Turtlee.games/_ssl.pyd.dll
Resource
win10v20210410
Behavioral task
behavioral27
Sample
encodings/cp1255.pyc
Resource
win7v20210408
Behavioral task
behavioral28
Sample
encodings/cp1255.pyc
Resource
win10v20210410
Behavioral task
behavioral29
Sample
encodings/cp1256.pyc
Resource
win7v20210408
Behavioral task
behavioral30
Sample
encodings/cp1256.pyc
Resource
win10v20210410
Behavioral task
behavioral31
Sample
encodings/cp1257.pyc
Resource
win7v20210408
Behavioral task
behavioral32
Sample
encodings/cp1257.pyc
Resource
win10v20210410
General
-
Target
encodings/cp1256.pyc
-
Size
2KB
-
MD5
7abf6cc5920b3f43a4cdbffe17fd4cd8
-
SHA1
f338f85d50a5fb7126fc15c5552fe1966e48c24a
-
SHA256
e541416b8d0bd827bac6fe214d75af1ff0f2e10bd2b01837f723fe36ed3652d6
-
SHA512
e5f9ea0ad456e7798e3270ad546ce01cf034495dbdaf8828b359973cbc12962d1e543472f7541d571294f7489b4acccaaecb5383163a1898d58a3ab9df2b4e57
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 10 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\.pyc\ = "pyc_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\pyc_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\pyc_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\pyc_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\pyc_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\.pyc rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\pyc_auto_file\shell\Read\command rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 1744 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
AcroRd32.exepid process 1744 AcroRd32.exe 1744 AcroRd32.exe 1744 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 1348 wrote to memory of 1360 1348 cmd.exe rundll32.exe PID 1348 wrote to memory of 1360 1348 cmd.exe rundll32.exe PID 1348 wrote to memory of 1360 1348 cmd.exe rundll32.exe PID 1360 wrote to memory of 1744 1360 rundll32.exe AcroRd32.exe PID 1360 wrote to memory of 1744 1360 rundll32.exe AcroRd32.exe PID 1360 wrote to memory of 1744 1360 rundll32.exe AcroRd32.exe PID 1360 wrote to memory of 1744 1360 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\encodings\cp1256.pyc1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\encodings\cp1256.pyc2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\encodings\cp1256.pyc"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx