Analysis
-
max time kernel
151s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
15-06-2022 15:08
General
-
Target
293317443192a9f2ce574febe990fad9ed399c760a350433020b06440dc92cfd.exe
-
Size
372KB
-
MD5
69a333f36443f4e490e81a021aa7148b
-
SHA1
6261856cfc12e38b9b042bf18bba88066e036112
-
SHA256
293317443192a9f2ce574febe990fad9ed399c760a350433020b06440dc92cfd
-
SHA512
62e010ae830faa99b263aa2cd9932d3f1ef309d9bdef77248a8d0d6574b814f67f489af9f83db33263dafb4054d5ea08bbe49b482b0522200baba28f1a2704b7
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\Recovery+lmltp.txt
http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/66E5E6E43B3C3CD0
http://b4youfred5485jgsa3453f.italazudda.com/66E5E6E43B3C3CD0
http://5rport45vcdef345adfkksawe.bematvocal.at/66E5E6E43B3C3CD0
http://fwgrhsao3aoml7ej.onion/66E5E6E43B3C3CD0
http://fwgrhsao3aoml7ej.ONION/66E5E6E43B3C3CD0
Signatures
-
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\293317443192a9f2ce574febe990fad9ed399c760a350433020b06440dc92cfd.exe"C:\Users\Admin\AppData\Local\Temp\293317443192a9f2ce574febe990fad9ed399c760a350433020b06440dc92cfd.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\293317443192a9f2ce574febe990fad9ed399c760a350433020b06440dc92cfd.exe"C:\Users\Admin\AppData\Local\Temp\293317443192a9f2ce574febe990fad9ed399c760a350433020b06440dc92cfd.exe"2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\qspaxnogcbpg.exeC:\Windows\qspaxnogcbpg.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\qspaxnogcbpg.exeC:\Windows\qspaxnogcbpg.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\293317~1.EXE3⤵
- Deletes itself
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
372KB
MD569a333f36443f4e490e81a021aa7148b
SHA16261856cfc12e38b9b042bf18bba88066e036112
SHA256293317443192a9f2ce574febe990fad9ed399c760a350433020b06440dc92cfd
SHA51262e010ae830faa99b263aa2cd9932d3f1ef309d9bdef77248a8d0d6574b814f67f489af9f83db33263dafb4054d5ea08bbe49b482b0522200baba28f1a2704b7
-
Filesize
372KB
MD569a333f36443f4e490e81a021aa7148b
SHA16261856cfc12e38b9b042bf18bba88066e036112
SHA256293317443192a9f2ce574febe990fad9ed399c760a350433020b06440dc92cfd
SHA51262e010ae830faa99b263aa2cd9932d3f1ef309d9bdef77248a8d0d6574b814f67f489af9f83db33263dafb4054d5ea08bbe49b482b0522200baba28f1a2704b7
-
Filesize
372KB
MD569a333f36443f4e490e81a021aa7148b
SHA16261856cfc12e38b9b042bf18bba88066e036112
SHA256293317443192a9f2ce574febe990fad9ed399c760a350433020b06440dc92cfd
SHA51262e010ae830faa99b263aa2cd9932d3f1ef309d9bdef77248a8d0d6574b814f67f489af9f83db33263dafb4054d5ea08bbe49b482b0522200baba28f1a2704b7
-
-
Filesize
12KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
12KB
-
Filesize
8KB
-
Filesize
12KB
-
-