Analysis

max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 25-06-2022 17:45

Static task: static1

Behavioral task: behavioral1
Sample: 3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe
Resource: win10v2004-20220414-en
General

Target: 3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe
Size: 410KB
MD5: 80dc3c416941c3d8955fd132d29d2500
SHA1: 5800d69fbb28e74b7683bdfcc2d230095e44e996
SHA256: 3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a
SHA512: ac0434782766d7ff161818133c6a5d5f4819f03abd93fdd38b40aa3dcb2332a63ba88f09ff6245ceb28cc9517713df7072048e384bc7236b3fa8047a19252247
Malware Config

Extracted
Path: C:\$Recycle.Bin\S-1-5-21-3751123196-3323558407-1869646069-1000\RECOVERnlxbd.txt
URLs:
http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/39F1AA9E73F6D5A
http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/39F1AA9E73F6D5A
http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/39F1AA9E73F6D5A
http://k7tlx3ghr3m4n2tu.onion/39F1AA9E73F6D5A
Signatures

suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (2 IoCs)
PID 2164  ayepmv.exe
PID 4392  ayepmv.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country configured for the user in the registry (Control Panel\International\Geo\Nation), a likely geofence check to avoid infecting hosts in certain regions.
Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe
Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  ayepmv.exe

Suspicious use of SetThreadContext (2 IoCs)
PID 4748 set thread context of 1476  3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe (target process #82)
PID 2164 set thread context of 4392  ayepmv.exe (target process #90)
Drops file in Program Files directory (64 IoCs)
Process: ayepmv.exe. File opened for modification:
C:\Program Files\7-Zip\Lang\cs.txt
C:\Program Files\7-Zip\Lang\lv.txt
C:\Program Files\Common Files\microsoft shared\ink\pt-PT\RECOVERnlxbd.png
C:\Program Files\Common Files\microsoft shared\ink\sl-SI\RECOVERnlxbd.txt
C:\Program Files\7-Zip\Lang\fa.txt
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\RECOVERnlxbd.txt
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\RECOVERnlxbd.html
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\RECOVERnlxbd.txt
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\RECOVERnlxbd.txt
C:\Program Files\Common Files\microsoft shared\ink\pt-BR\RECOVERnlxbd.html
C:\Program Files\7-Zip\Lang\it.txt
C:\Program Files\7-Zip\Lang\mn.txt
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\RECOVERnlxbd.png
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\RECOVERnlxbd.png
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\RECOVERnlxbd.html
C:\Program Files\Common Files\microsoft shared\ink\et-EE\RECOVERnlxbd.html
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\RECOVERnlxbd.txt
C:\Program Files\7-Zip\Lang\sq.txt
C:\Program Files\7-Zip\Lang\th.txt
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\RECOVERnlxbd.png
C:\Program Files\Common Files\microsoft shared\ink\nl-NL\RECOVERnlxbd.txt
C:\Program Files\7-Zip\Lang\an.txt
C:\Program Files\7-Zip\Lang\ko.txt
C:\Program Files\7-Zip\Lang\mng2.txt
C:\Program Files\7-Zip\RECOVERnlxbd.txt
C:\Program Files\Common Files\microsoft shared\ink\en-GB\RECOVERnlxbd.png
C:\Program Files\Common Files\microsoft shared\ink\it-IT\RECOVERnlxbd.txt
C:\Program Files\7-Zip\Lang\kk.txt
C:\Program Files\Common Files\DESIGNER\RECOVERnlxbd.png
C:\Program Files\Common Files\microsoft shared\ink\hr-HR\RECOVERnlxbd.png
C:\Program Files\7-Zip\Lang\ast.txt
C:\Program Files\7-Zip\Lang\fr.txt
C:\Program Files\7-Zip\Lang\vi.txt
C:\Program Files\Common Files\microsoft shared\ink\he-IL\RECOVERnlxbd.txt
C:\Program Files\Common Files\microsoft shared\ink\el-GR\RECOVERnlxbd.txt
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\RECOVERnlxbd.html
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\RECOVERnlxbd.html
C:\Program Files\Common Files\microsoft shared\ink\ko-KR\RECOVERnlxbd.html
C:\Program Files\7-Zip\Lang\bn.txt
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\RECOVERnlxbd.txt
C:\Program Files\Common Files\microsoft shared\ink\pt-PT\RECOVERnlxbd.html
C:\Program Files\7-Zip\Lang\ca.txt
C:\Program Files\7-Zip\Lang\va.txt
C:\Program Files\Common Files\microsoft shared\ink\hu-HU\RECOVERnlxbd.txt
C:\Program Files\7-Zip\Lang\fi.txt
C:\Program Files\7-Zip\Lang\si.txt
C:\Program Files\Common Files\microsoft shared\ink\es-ES\RECOVERnlxbd.png
C:\Program Files\Common Files\microsoft shared\ink\es-ES\RECOVERnlxbd.txt
C:\Program Files\Common Files\microsoft shared\ink\pl-PL\RECOVERnlxbd.txt
C:\Program Files\7-Zip\Lang\tr.txt
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\RECOVERnlxbd.txt
C:\Program Files\Common Files\microsoft shared\ink\ko-KR\RECOVERnlxbd.png
C:\Program Files\Common Files\microsoft shared\ink\ru-RU\RECOVERnlxbd.png
C:\Program Files\7-Zip\Lang\mk.txt
C:\Program Files\7-Zip\Lang\pt.txt
C:\Program Files\Common Files\microsoft shared\ink\de-DE\RECOVERnlxbd.txt
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\RECOVERnlxbd.png
C:\Program Files\Common Files\microsoft shared\ink\ja-JP\RECOVERnlxbd.txt
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\RECOVERnlxbd.png
C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\RECOVERnlxbd.png
C:\Program Files\Common Files\microsoft shared\ink\lv-LV\RECOVERnlxbd.png
C:\Program Files\7-Zip\Lang\ext.txt
C:\Program Files\7-Zip\Lang\hr.txt
C:\Program Files\7-Zip\Lang\mr.txt
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
PID 2380  vssadmin.exe

Modifies data under HKEY_USERS (1 IoCs)
Key created  \REGISTRY\USER\.DEFAULT\Software\trueimg  ayepmv.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 4392  ayepmv.exe  (64 occurrences)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Token: SeDebugPrivilege    PID 4392  ayepmv.exe
Token: SeBackupPrivilege   PID 1704  vssvc.exe
Token: SeRestorePrivilege  PID 1704  vssvc.exe
Token: SeAuditPrivilege    PID 1704  vssvc.exe

Suspicious use of WriteProcessMemory (30 IoCs)
PID 4748 wrote to memory of 1476  3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe (target process #82)  x10
PID 1476 wrote to memory of 2164  3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe (target process #83)  x3
PID 1476 wrote to memory of 3896  3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe (target process #84)  x3
PID 2164 wrote to memory of 4392  ayepmv.exe (target process #90)  x10
PID 4392 wrote to memory of 2380  ayepmv.exe (target process #91)  x2
PID 4392 wrote to memory of 4384  ayepmv.exe (target process #93)  x2
Processes

C:\Users\Admin\AppData\Local\Temp\3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe  (PID 4748)
    command line: "C:\Users\Admin\AppData\Local\Temp\3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe  (PID 1476)
        command line: "C:\Users\Admin\AppData\Local\Temp\3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\Documents\ayepmv.exe  (PID 2164)
            command line: C:\Users\Admin\Documents\ayepmv.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\Documents\ayepmv.exe  (PID 4392)
                command line: C:\Users\Admin\Documents\ayepmv.exe
                - Executes dropped EXE
                - Checks computer location settings
                - Drops file in Program Files directory
                - Modifies data under HKEY_USERS
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory

                C:\Windows\System32\vssadmin.exe  (PID 2380)
                    command line: "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
                    - Interacts with shadow copies

                C:\Windows\system32\cmd.exe  (PID 4384)
                    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eeexf.bat

        C:\Windows\SysWOW64\cmd.exe  (PID 3896)
            command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3921CB~1.EXE >> NUL

C:\Windows\system32\vssvc.exe  (PID 1704)
    command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
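The process tree above is the part of this report a detection engineer can act on: the sample re-launches its own image and calls SetThreadContext on the child (twice, once for the original and once for the dropped ayepmv.exe), the dropped copy runs from the user's Documents folder, the chain ends in `vssadmin.exe Delete Shadows /All /Quiet`, and a cmd.exe deletes the original binary. What follows is an added example of detection logic that correlates those signals, not code from the sandbox or the report. The events are constructed from the tree above (PIDs, images and command lines as reported); the record layout and the `set_thread_context_on` field are assumptions standing in for Sysmon EID 1 or EDR process telemetry, and the root process's parent PID is not in the report, so 0 is used as a placeholder.

```python
"""Correlate the TeslaCrypt-style process chain from the report above.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's process tree; the field layout is an assumed stand-in for Sysmon
EID 1 / EDR process-creation telemetry.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    # PID this process called SetThreadContext against, if the sensor reports it
    set_thread_context_on: Optional[int] = None


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe")
DROPPED = r"C:\Users\Admin\Documents\ayepmv.exe"

# Constructed from the process tree in the report (root's parent PID unknown -> 0).
EVENTS = [
    ProcEvent(4748, 0, SAMPLE, f'"{SAMPLE}"', set_thread_context_on=1476),
    ProcEvent(1476, 4748, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2164, 1476, DROPPED, DROPPED, set_thread_context_on=4392),
    ProcEvent(3896, 1476, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3921CB~1.EXE >> NUL'),
    ProcEvent(4392, 2164, DROPPED, DROPPED),
    ProcEvent(2380, 4392, r"C:\Windows\System32\vssadmin.exe",
              r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'),
    ProcEvent(4384, 4392, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eeexf.bat'),
]

VSSADMIN_DELETE = re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows', re.IGNORECASE)
# cmd /c DEL <something under \Temp\>: the self-delete seen at PID 3896
SELF_DELETE = re.compile(r'\bcmd(\.exe)?"?\s+/c\s+del\b.*\\temp\\', re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(documents|appdata|downloads|desktop)\\",
                           re.IGNORECASE)


def by_pid(events):
    return {e.pid: e for e in events}


def lineage(events, pid):
    """Ancestor chain root..pid, following ppid links present in the event set."""
    idx = by_pid(events)
    chain, seen = [], set()
    while pid in idx and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = idx[pid].ppid
    return list(reversed(chain))


def shadow_copy_deletion(events):
    return [e.pid for e in events if VSSADMIN_DELETE.search(e.cmdline)]


def self_hollowing(events):
    """Parent spawns a child with the same image and SetThreadContext's it:
    the pattern behind the two SetThreadContext IoCs in the report."""
    idx = by_pid(events)
    return [(idx[e.ppid].pid, e.pid) for e in events
            if e.ppid in idx
            and idx[e.ppid].image.lower() == e.image.lower()
            and idx[e.ppid].set_thread_context_on == e.pid]


def dropped_exe_execution(events):
    """Binary in a user-writable folder launched by a different user-writable binary."""
    idx = by_pid(events)
    return [e.pid for e in events
            if e.ppid in idx and USER_WRITABLE.match(e.image)
            and USER_WRITABLE.match(idx[e.ppid].image)
            and idx[e.ppid].image.lower() != e.image.lower()]


def self_delete(events):
    return [e.pid for e in events if SELF_DELETE.search(e.cmdline)]


def assess(events):
    """Shadow deletion alone is medium (backup agents and admins run it too);
    it becomes high when an ancestor in the same chain hollowed or was dropped."""
    findings = {
        "shadow_delete": shadow_copy_deletion(events),
        "hollowing": self_hollowing(events),
        "dropped_exe": dropped_exe_execution(events),
        "self_delete": self_delete(events),
    }
    suspicious = {child for _, child in findings["hollowing"]} | set(findings["dropped_exe"])
    severity, chains = "none", []
    for pid in findings["shadow_delete"]:
        chain = lineage(events, pid)
        if suspicious & set(chain):
            severity = "high"
            chains.append(chain)
        elif severity == "none":
            severity = "medium"
    return {"severity": severity, "chains": chains, **findings}


if __name__ == "__main__":
    import json
    print(json.dumps(assess(EVENTS), indent=2))
```

Run against the constructed events, `assess` returns severity "high" with the chain 4748 -> 1476 -> 2164 -> 4392 -> 2380, because the vssadmin call descends from both a hollowed process and a dropped executable; a lone `vssadmin Delete Shadows` with no such ancestry scores only "medium", which is the right default since backup software issues the same command legitimately.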
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 410KB
MD5: 80dc3c416941c3d8955fd132d29d2500
SHA1: 5800d69fbb28e74b7683bdfcc2d230095e44e996
SHA256: 3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a
SHA512: ac0434782766d7ff161818133c6a5d5f4819f03abd93fdd38b40aa3dcb2332a63ba88f09ff6245ceb28cc9517713df7072048e384bc7236b3fa8047a19252247