45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5

General

Target

45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe
Size

396KB
MD5

369c33b9e8e9839f9f6299d969d6017f
SHA1

dfe0698639787b5554bc8fe6e3851e1800b1f15a
SHA256

45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5
SHA512

cc4b33a6aa8c83d9b3d696eedd386b39941ed3ccbd5cd73b011d2f21ff6f9f59e586a5956ba60eb728c3a0e4f7e3509d9822b09e01d360f1447c1071764cce25

Score

10^/10

persistence ransomware suricata

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2632097139-1792035885-811742494-1000\RECOVERwfpto.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What's the matter with your files? Your data was secured using a strong encryption with RSA4096. Use the link down below to find additional information on the encryption keys using RSA4096:https://en.wikipedia.org/wiki/RSA_(cryptosystem) What exactly that means? It means that on a structural level your files have been transformed. You won't be able to use, read, see or work with them anymore. In other words they are useless, however, there is a possibility to restore them with our help. What exactly happened to your files? *** Two personal RSA4096 keys were generated for your PC/Laptop; one key is public, another key is private. *** All your data and files were encrypted by the means of the public key, which you received over the web. *** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers. What should you do next? There are several options for you to consider: 1. You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or 2. You can start getting BitCoins right now and get access to your data quite fast. In case you have valuable files, we advise you to act fast as there is no other option rather than paying in order to get back your data. In order to obtain specific instructions, please access your personal homepage by choosing one of the few addresses down below: http://h5nuwefkuh134ljngkasdbasfg.corolbugan.com/3B6B8DAC725D355 http://p54dhkus4tlkfashdb6vjetgsdfg.greetingshere.at/3B6B8DAC725D355 http://f4dsbjhb45wfiuqeib4fkqeg.meccaledgy.at/3B6B8DAC725D355 If you can't access your personal homepage or the addresses are not working, complete the following steps: 1 Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en 2 Install TOR Browser 3 Open TOR Browser 4 Insert the following link in the address bar: k7tlx3ghr3m4n2tu.onion/3B6B8DAC725D355 5 Follow the steps on your screen IMPORTANT INFORMATION Your personal homepages: http://h5nuwefkuh134ljngkasdbasfg.corolbugan.com/3B6B8DAC725D355 http://p54dhkus4tlkfashdb6vjetgsdfg.greetingshere.at/3B6B8DAC725D355 http://f4dsbjhb45wfiuqeib4fkqeg.meccaledgy.at/3B6B8DAC725D355 Your personal page Tor-Browser k7tlx3ghr3m4n2tu.onion/3B6B8DAC725D355 Your personal identification ID: 3B6B8DAC725D355

URLs

http://h5nuwefkuh134ljngkasdbasfg.corolbugan.com/3B6B8DAC725D355

http://p54dhkus4tlkfashdb6vjetgsdfg.greetingshere.at/3B6B8DAC725D355

http://f4dsbjhb45wfiuqeib4fkqeg.meccaledgy.at/3B6B8DAC725D355

http://k7tlx3ghr3m4n2tu.onion/3B6B8DAC725D355

Signatures

suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

tqsbvq.exetqsbvq.exe

pid process

4076 tqsbvq.exe
3504 tqsbvq.exe

pid	process
4076	tqsbvq.exe
3504	tqsbvq.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exetqsbvq.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	tqsbvq.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tqsbvq.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	tqsbvq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\_vbsk = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START C:\\Users\\Admin\\Documents\\tqsbvq.exe"	tqsbvq.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exetqsbvq.exe

description	pid	process	target process
PID 3804 set thread context of 2136	3804	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe
PID 4076 set thread context of 3504	4076	tqsbvq.exe	tqsbvq.exe

Drops file in Program Files directory 64 IoCs

Processes:

tqsbvq.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\RECOVERwfpto.html	tqsbvq.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\RECOVERwfpto.txt	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\RECOVERwfpto.html	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\RECOVERwfpto.txt	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\RECOVERwfpto.html	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\RECOVERwfpto.png	tqsbvq.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\RECOVERwfpto.png	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RECOVERwfpto.txt	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\RECOVERwfpto.txt	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\RECOVERwfpto.png	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\RECOVERwfpto.png	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\RECOVERwfpto.txt	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\RECOVERwfpto.png	tqsbvq.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_100_percent.pak	tqsbvq.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\bg.pak	tqsbvq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\RECOVERwfpto.txt	tqsbvq.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	tqsbvq.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	tqsbvq.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RECOVERwfpto.txt	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\RECOVERwfpto.txt	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\RECOVERwfpto.png	tqsbvq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\RECOVERwfpto.txt	tqsbvq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\RECOVERwfpto.html	tqsbvq.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	tqsbvq.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\RECOVERwfpto.txt	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\RECOVERwfpto.png	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\RECOVERwfpto.txt	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\en-US\RECOVERwfpto.html	tqsbvq.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\RECOVERwfpto.html	tqsbvq.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	tqsbvq.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	tqsbvq.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	tqsbvq.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RECOVERwfpto.png	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\RECOVERwfpto.txt	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\RECOVERwfpto.txt	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\RECOVERwfpto.png	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\RECOVERwfpto.txt	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\RECOVERwfpto.txt	tqsbvq.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\da.pak	tqsbvq.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\pt-BR.pak	tqsbvq.exe
File opened for modification	C:\Program Files\Google\Chrome\RECOVERwfpto.png	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\RECOVERwfpto.html	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\RECOVERwfpto.png	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\RECOVERwfpto.html	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\RECOVERwfpto.png	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\RECOVERwfpto.html	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\RECOVERwfpto.html	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\RECOVERwfpto.txt	tqsbvq.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogoBeta.png	tqsbvq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\RECOVERwfpto.html	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\RECOVERwfpto.html	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\RECOVERwfpto.html	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\RECOVERwfpto.html	tqsbvq.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ko.pak	tqsbvq.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sw.pak	tqsbvq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\RECOVERwfpto.png	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\RECOVERwfpto.txt	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\RECOVERwfpto.txt	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\RECOVERwfpto.txt	tqsbvq.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\RECOVERwfpto.html	tqsbvq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\RECOVERwfpto.html	tqsbvq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2332 vssadmin.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

tqsbvq.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\Software\trueimg tqsbvq.exe

pid	process
2332	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\trueimg	tqsbvq.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tqsbvq.exe

pid	process
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe
3504	tqsbvq.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tqsbvq.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3504	tqsbvq.exe
Token: SeBackupPrivilege	2832	vssvc.exe
Token: SeRestorePrivilege	2832	vssvc.exe
Token: SeAuditPrivilege	2832	vssvc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exetqsbvq.exetqsbvq.exe

description	pid	process	target process
PID 3804 wrote to memory of 2136	3804	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe
PID 3804 wrote to memory of 2136	3804	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe
PID 3804 wrote to memory of 2136	3804	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe
PID 3804 wrote to memory of 2136	3804	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe
PID 3804 wrote to memory of 2136	3804	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe
PID 3804 wrote to memory of 2136	3804	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe
PID 3804 wrote to memory of 2136	3804	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe
PID 3804 wrote to memory of 2136	3804	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe
PID 3804 wrote to memory of 2136	3804	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe
PID 3804 wrote to memory of 2136	3804	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe
PID 2136 wrote to memory of 4076	2136	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe	tqsbvq.exe
PID 2136 wrote to memory of 4076	2136	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe	tqsbvq.exe
PID 2136 wrote to memory of 4076	2136	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe	tqsbvq.exe
PID 2136 wrote to memory of 2176	2136	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe	cmd.exe
PID 2136 wrote to memory of 2176	2136	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe	cmd.exe
PID 2136 wrote to memory of 2176	2136	45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe	cmd.exe
PID 4076 wrote to memory of 3504	4076	tqsbvq.exe	tqsbvq.exe
PID 4076 wrote to memory of 3504	4076	tqsbvq.exe	tqsbvq.exe
PID 4076 wrote to memory of 3504	4076	tqsbvq.exe	tqsbvq.exe
PID 4076 wrote to memory of 3504	4076	tqsbvq.exe	tqsbvq.exe
PID 4076 wrote to memory of 3504	4076	tqsbvq.exe	tqsbvq.exe
PID 4076 wrote to memory of 3504	4076	tqsbvq.exe	tqsbvq.exe
PID 4076 wrote to memory of 3504	4076	tqsbvq.exe	tqsbvq.exe
PID 4076 wrote to memory of 3504	4076	tqsbvq.exe	tqsbvq.exe
PID 4076 wrote to memory of 3504	4076	tqsbvq.exe	tqsbvq.exe
PID 4076 wrote to memory of 3504	4076	tqsbvq.exe	tqsbvq.exe
PID 3504 wrote to memory of 2332	3504	tqsbvq.exe	vssadmin.exe
PID 3504 wrote to memory of 2332	3504	tqsbvq.exe	vssadmin.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

tqsbvq.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	tqsbvq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	tqsbvq.exe

C:\Users\Admin\AppData\Local\Temp\45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe
"C:\Users\Admin\AppData\Local\Temp\45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3804

C:\Users\Admin\AppData\Local\Temp\45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe
"C:\Users\Admin\AppData\Local\Temp\45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2136

C:\Users\Admin\Documents\tqsbvq.exe
C:\Users\Admin\Documents\tqsbvq.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4076

C:\Users\Admin\Documents\tqsbvq.exe
C:\Users\Admin\Documents\tqsbvq.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3504

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
5⤵
- Interacts with shadow copies
PID:2332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\45C912~1.EXE >> NUL
3⤵
PID:2176

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\tqsbvq.exe
Filesize
396KB

MD5
369c33b9e8e9839f9f6299d969d6017f

SHA1
dfe0698639787b5554bc8fe6e3851e1800b1f15a

SHA256
45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5

SHA512
cc4b33a6aa8c83d9b3d696eedd386b39941ed3ccbd5cd73b011d2f21ff6f9f59e586a5956ba60eb728c3a0e4f7e3509d9822b09e01d360f1447c1071764cce25

Download Submit
C:\Users\Admin\Documents\tqsbvq.exe
Filesize
396KB

MD5
369c33b9e8e9839f9f6299d969d6017f

SHA1
dfe0698639787b5554bc8fe6e3851e1800b1f15a

SHA256
45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5

SHA512
cc4b33a6aa8c83d9b3d696eedd386b39941ed3ccbd5cd73b011d2f21ff6f9f59e586a5956ba60eb728c3a0e4f7e3509d9822b09e01d360f1447c1071764cce25

Download Submit
C:\Users\Admin\Documents\tqsbvq.exe
Filesize
396KB

MD5
369c33b9e8e9839f9f6299d969d6017f

SHA1
dfe0698639787b5554bc8fe6e3851e1800b1f15a

SHA256
45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5

SHA512
cc4b33a6aa8c83d9b3d696eedd386b39941ed3ccbd5cd73b011d2f21ff6f9f59e586a5956ba60eb728c3a0e4f7e3509d9822b09e01d360f1447c1071764cce25

Download Submit
memory/2136-135-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2136-142-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2136-143-0x0000000074BD0000-0x0000000074C09000-memory.dmp

Filesize
228KB

Download
memory/2136-136-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2136-137-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2136-133-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2136-132-0x0000000000000000-mapping.dmp

Download
memory/2176-141-0x0000000000000000-mapping.dmp

Download
memory/2332-152-0x0000000000000000-mapping.dmp

Download
memory/3504-150-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3504-145-0x0000000000000000-mapping.dmp

Download
memory/3504-148-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3504-149-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3504-151-0x0000000074BD0000-0x0000000074C09000-memory.dmp

Filesize
228KB

Download
memory/3504-153-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3804-130-0x00000000020B0000-0x00000000020B6000-memory.dmp

Filesize
24KB

Download
memory/3804-131-0x00000000020B0000-0x00000000020B6000-memory.dmp

Filesize
24KB

Download
memory/3804-134-0x00000000020B0000-0x00000000020B6000-memory.dmp

Filesize
24KB

Download
memory/4076-144-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/4076-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads