01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7

General

Target

01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe
Size

384KB
MD5

380623574a4955f0cc60f397669f9461
SHA1

39c1bfffe33b24053c54f66620a68b494d8a9d0e
SHA256

01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7
SHA512

d74ba7671937c9703b077765c3cfdda1b294227a227f4d6df5dc69dd60966c67c7a766b018ab58203003cb462c522475693d061f7ec0d1b5db3a2fc29418d2f4

Score

10^/10

persistence ransomware suricata

Malware Config

Signatures

suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

tasbjkloxbjw.exetasbjkloxbjw.exe

pid process

3876 tasbjkloxbjw.exe
4364 tasbjkloxbjw.exe

pid	process
3876	tasbjkloxbjw.exe
4364	tasbjkloxbjw.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tasbjkloxbjw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	tasbjkloxbjw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\njkvvxvvtaoo = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\tasbjkloxbjw.exe\""	tasbjkloxbjw.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exetasbjkloxbjw.exe

description	pid	process	target process
PID 1708 set thread context of 4136	1708	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe
PID 3876 set thread context of 4364	3876	tasbjkloxbjw.exe	tasbjkloxbjw.exe

Drops file in Windows directory 2 IoCs

Processes:

01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe

description	ioc	process
File created	C:\Windows\tasbjkloxbjw.exe	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe
File opened for modification	C:\Windows\tasbjkloxbjw.exe	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

tasbjkloxbjw.exe

pid process

4364 tasbjkloxbjw.exe
4364 tasbjkloxbjw.exe
4364 tasbjkloxbjw.exe
4364 tasbjkloxbjw.exe

pid	process
4364	tasbjkloxbjw.exe
4364	tasbjkloxbjw.exe
4364	tasbjkloxbjw.exe
4364	tasbjkloxbjw.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exetasbjkloxbjw.exe

description	pid	process
Token: SeDebugPrivilege	4136	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe
Token: SeDebugPrivilege	4364	tasbjkloxbjw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exetasbjkloxbjw.exe

pid process

1708 01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe
3876 tasbjkloxbjw.exe

pid	process
1708	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe
3876	tasbjkloxbjw.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exetasbjkloxbjw.exe

description	pid	process	target process
PID 1708 wrote to memory of 4136	1708	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe
PID 1708 wrote to memory of 4136	1708	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe
PID 1708 wrote to memory of 4136	1708	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe
PID 1708 wrote to memory of 4136	1708	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe
PID 1708 wrote to memory of 4136	1708	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe
PID 1708 wrote to memory of 4136	1708	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe
PID 1708 wrote to memory of 4136	1708	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe
PID 1708 wrote to memory of 4136	1708	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe
PID 1708 wrote to memory of 4136	1708	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe
PID 1708 wrote to memory of 4136	1708	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe
PID 4136 wrote to memory of 3876	4136	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe	tasbjkloxbjw.exe
PID 4136 wrote to memory of 3876	4136	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe	tasbjkloxbjw.exe
PID 4136 wrote to memory of 3876	4136	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe	tasbjkloxbjw.exe
PID 4136 wrote to memory of 4320	4136	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe	cmd.exe
PID 4136 wrote to memory of 4320	4136	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe	cmd.exe
PID 4136 wrote to memory of 4320	4136	01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe	cmd.exe
PID 3876 wrote to memory of 4364	3876	tasbjkloxbjw.exe	tasbjkloxbjw.exe
PID 3876 wrote to memory of 4364	3876	tasbjkloxbjw.exe	tasbjkloxbjw.exe
PID 3876 wrote to memory of 4364	3876	tasbjkloxbjw.exe	tasbjkloxbjw.exe
PID 3876 wrote to memory of 4364	3876	tasbjkloxbjw.exe	tasbjkloxbjw.exe
PID 3876 wrote to memory of 4364	3876	tasbjkloxbjw.exe	tasbjkloxbjw.exe
PID 3876 wrote to memory of 4364	3876	tasbjkloxbjw.exe	tasbjkloxbjw.exe
PID 3876 wrote to memory of 4364	3876	tasbjkloxbjw.exe	tasbjkloxbjw.exe
PID 3876 wrote to memory of 4364	3876	tasbjkloxbjw.exe	tasbjkloxbjw.exe
PID 3876 wrote to memory of 4364	3876	tasbjkloxbjw.exe	tasbjkloxbjw.exe
PID 3876 wrote to memory of 4364	3876	tasbjkloxbjw.exe	tasbjkloxbjw.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

tasbjkloxbjw.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	tasbjkloxbjw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	tasbjkloxbjw.exe

C:\Users\Admin\AppData\Local\Temp\01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe
"C:\Users\Admin\AppData\Local\Temp\01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe
"C:\Users\Admin\AppData\Local\Temp\01ceb3445a65c9eff5fcc0e559ee8616a59c9c0f8fa4576cf51103ce28cbd7a7.exe"
2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4136

C:\Windows\tasbjkloxbjw.exe
C:\Windows\tasbjkloxbjw.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\tasbjkloxbjw.exe
C:\Windows\tasbjkloxbjw.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4364

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
5⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\01CEB3~1.EXE
3⤵
PID:4320

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

1

T1107

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasbjkloxbjw.exe
Filesize
242KB

MD5
64835a3265f9fa9b5e05e3a82affda2e

SHA1
2a2d8415d53492a7ed3b5a68bdbbe87e2cbd8c92

SHA256
942bc329b40ae00a8e3f93868454cc51625bbdaab0fc60b8c3251aa27f67ca6b

SHA512
9eb80b4228453dc3b2e2bd73abe68884a01f5fdddb9a3ea30a9cbe18fc00cdefaed250e18999a55e752aabbf9acc52163a708009bee71240e742c2e7872a3903

Download Submit
C:\Windows\tasbjkloxbjw.exe
Filesize
175KB

MD5
08cdbc2309d647ed2f9342610e2ffbe1

SHA1
f5452434f7f54fdcaefed64c07bf00b860a9986a

SHA256
87ca3e761a99cb161b8fed118f295cc242f890d53c90a27d5f457861b9de3538

SHA512
ba7b39248d5197a8b8cc2ad71ff77a5a60cc79a8c42d444b1fc1dd719bd2ac87b943b93192130d19ae31b921159e92b8054f040129062b25769bb7875299426b

Download Submit
C:\Windows\tasbjkloxbjw.exe
Filesize
169KB

MD5
4a16a89ccd45867dae7834c0fea35add

SHA1
703e69acd91e2a7a023f2e5759df17a974d46dc3

SHA256
5f3957fd03a562dd2b41002752c8c7eae6a8cbce186843bdf3f7759403b3d37e

SHA512
14020b7709af86cd8ffe0cad50cb651c160acad0141c69b7506d7763f45840be5eb8068ca8ef966b7f38a391fe420f919ece1322e2693c768b05eba80174fccc

Download Submit
memory/1452-146-0x0000000000000000-mapping.dmp

Download
memory/1708-130-0x0000000002880000-0x0000000002883000-memory.dmp

Filesize
12KB

Download
memory/3876-135-0x0000000000000000-mapping.dmp

Download
memory/4136-139-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4136-132-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4136-133-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4136-134-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4136-131-0x0000000000000000-mapping.dmp

Download
memory/4320-138-0x0000000000000000-mapping.dmp

Download
memory/4364-140-0x0000000000000000-mapping.dmp

Download
memory/4364-144-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4364-143-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4364-145-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads