Analysis
max time kernel: 152s
max time network: 191s
platform: windows7_x64
resource: win7-20220414-en
submitted: 08-07-2022 03:34

Static task: static1
Behavioral task: behavioral1
Sample: 421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: 421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe
Resource: win10v2004-20220414-en
General
Target: 421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe
Size: 344KB
MD5: 1f311617d8a88f03e86576bd13680834
SHA1: 53037f750f4c1cb4c527792c02b1878a5ffcf0e3
SHA256: 421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4
SHA512: 0b5408aa72b44c2a11d97ad936600ac968f0d34d2dc242614cf15bf83fc27e6d066c164bc901b29c4e303f4a43e4839c9dd8a110ac32819f0eb5203cc1c39939
Malware Config
Extracted from the dropped ransom note: C:\$Recycle.Bin\S-1-5-21-1083475884-596052423-1669053738-1000\_RECOVERY_+pebcp.txt
Family: teslacrypt
Payment/C2 URLs (all four carry the same path component, A54A98633B61FF6; the last is a Tor hidden service):
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/A54A98633B61FF6
http://tes543berda73i48fsdfsd.keratadze.at/A54A98633B61FF6
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/A54A98633B61FF6
http://xlowfznrg4wf7dli.ONION/A54A98633B61FF6
Signatures
TeslaCrypt, AlphaCrypt
Ransomware family modelled on CryptoLocker. Its developers shut the operation down in 2016 and published the master decryption key, so files encrypted by this family are recoverable with a public decryptor.
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon (fired twice)
Deletes shadow copies (2 TTPs)
Ransomware deletes Volume Shadow Copies so the victim cannot restore previous file versions; here this is the "WMIC.exe shadowcopy delete /nointeractive" call from PID 608 (see the process tree below).
Executes dropped EXE (2 IoCs)
PID 1812 qfptdkxpgksa.exe
PID 1216 qfptdkxpgksa.exe
Deletes itself (1 IoC)
PID 572 cmd.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
qfptdkxpgksa.exe: key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run
qfptdkxpgksa.exe: set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\gedeltysgcgs = C:\Windows\system32\cmd.exe /c start "" "C:\Windows\qfptdkxpgksa.exe"
(The value launches the dropped binary indirectly through cmd.exe /c start rather than naming it directly.)
Suspicious use of SetThreadContext (2 IoCs)
PID 1652 421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe set thread context of PID 1620 (target #28, same image)
PID 1812 qfptdkxpgksa.exe set thread context of PID 1216 (target #32, same image)
Drops file in Program Files directory (15 IoCs)
Files opened for modification by qfptdkxpgksa.exe:
C:\Program Files\7-Zip\History.txt
C:\Program Files\7-Zip\Lang\af.txt, an.txt, ar.txt, ast.txt, az.txt, ba.txt, be.txt, bg.txt, bn.txt, br.txt, ca.txt, co.txt, cs.txt, cy.txt
(The signature name is the sandbox's; the events are existing .txt files opened for writing, consistent with in-place encryption of user-readable files rather than new files being dropped.)
Drops file in Windows directory (2 IoCs)
421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe: file created C:\Windows\qfptdkxpgksa.exe
421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe: file opened for modification C:\Windows\qfptdkxpgksa.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drives. Likely ransomware behaviour (drive enumeration before encryption).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 1216 qfptdkxpgksa.exe (64 events)
Suspicious use of AdjustPrivilegeToken (45 IoCs)
PID 1620 421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe: SeDebugPrivilege
PID 1216 qfptdkxpgksa.exe: SeDebugPrivilege
PID 608 WMIC.exe (the same set of 20 enabled twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (privilege LUIDs the sandbox did not resolve to names)
PID 676 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
Suspicious use of WriteProcessMemory (32 IoCs)
PID 1652 421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe wrote to memory of PID 1620 (target #28): 10 events
PID 1620 421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe wrote to memory of PID 1812 (target #29): 4 events
PID 1620 421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe wrote to memory of PID 572 (target #30): 4 events
PID 1812 qfptdkxpgksa.exe wrote to memory of PID 1216 (target #32): 10 events
PID 1216 qfptdkxpgksa.exe wrote to memory of PID 608 (target #33): 4 events
The two 10-event groups are the same parent/child pairs that appear under SetThreadContext (1652 -> 1620 and 1812 -> 1216, each a child of the parent's own image); the 4-event groups go to ordinary child processes (the dropped EXE, cmd.exe, WMIC.exe) and have no matching SetThreadContext entry.
System policy modification (1 TTP, 2 IoCs)
qfptdkxpgksa.exe: key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
qfptdkxpgksa.exe: set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = 1
(EnableLinkedConnections=1 makes network drives mapped under the user's standard token visible to the elevated UAC-linked token as well, so an elevated encryptor can reach mapped shares.)
Processes
1. C:\Users\Admin\AppData\Local\Temp\421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe (PID 1652)
   Command line: "C:\Users\Admin\AppData\Local\Temp\421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe (PID 1620; same image as its parent and the target of the parent's WriteProcessMemory/SetThreadContext calls)
      Command line: "C:\Users\Admin\AppData\Local\Temp\421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe"
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\qfptdkxpgksa.exe (PID 1812)
         Command line: C:\Windows\qfptdkxpgksa.exe
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\qfptdkxpgksa.exe (PID 1216; same image as its parent and the target of the parent's WriteProcessMemory/SetThreadContext calls)
            Command line: C:\Windows\qfptdkxpgksa.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            5. C:\Windows\System32\wbem\WMIC.exe (PID 608)
               Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
               - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\cmd.exe (PID 572; the sample is 32-bit, so its system32 reference is redirected to SysWOW64)
         Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\421F75~1.EXE
         - Deletes itself
1. C:\Windows\system32\vssvc.exe (PID 676; the Volume Shadow Copy service process, not a child of the sample)
   Command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken
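The behaviours recorded above (the WMIC shadow-copy deletion from PID 608, the cmd.exe /c DEL self-removal, the Run-key value that starts the dropped binary through cmd /c start, EnableLinkedConnections=1, and the same-image WriteProcessMemory plus SetThreadContext pairs) expressed as detection logic. This is an added example, not code from the sandbox or the report; the event dictionaries are constructed from the report's own PIDs, paths and values, the field names are assumed Sysmon-style names, and the vssadmin pattern is a generalisation beyond what this sample ran. Two benign events (a vssadmin listing and an ordinary Run entry) are included to show what does not fire.

```python
"""Detections for the behaviours in this report, run over constructed
Sysmon-style events. Added example, not sandbox code; field names are assumed."""
from __future__ import annotations
import ntpath
import re

# Shadow-copy destruction. The wmic form is what PID 608 ran; the vssadmin form
# is a common equivalent added here as an assumption.
SHADOW_COPY_DELETION = (
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
)
SELF_DELETE = re.compile(r'\bcmd(?:\.exe)?"?\s+/c\s+del\s+(?:/\S+\s+)*"?([^\s"]+)', re.I)
EXE_PATH = re.compile(r'"([^"]+\.exe)"|(?<!\S)([A-Za-z]:\\[^\s"]+\.exe)', re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
WINDOWS_ROOT_EXE = re.compile(r"^[A-Za-z]:\\Windows\\[^\\]+\.exe$", re.I)
CMD_START = re.compile(r"\bcmd(?:\.exe)?\b.*\s/c\s+start\b", re.I)


def deletes_shadow_copies(cmdline: str) -> bool:
    return any(p.search(cmdline) for p in SHADOW_COPY_DELETION)


def is_self_delete(ev: dict) -> bool:
    """cmd.exe /c DEL of a file in the directory the parent image runs from;
    the 8.3 name 421F75~1.EXE still resolves to the same directory."""
    if ntpath.basename(ev["image"]).lower() != "cmd.exe":
        return False
    m = SELF_DELETE.search(ev["cmdline"])
    return bool(m) and ntpath.dirname(m.group(1)).lower() == ntpath.dirname(ev["parent_image"]).lower()


def run_key_findings(ev: dict) -> list[str]:
    """Run values that launch through 'cmd /c start' or point at an .exe sitting
    directly in the Windows root, as the gedeltysgcgs value does."""
    out = []
    if RUN_KEY.search(ev["key"]):
        if CMD_START.search(ev["data"]):
            out.append("run-key-via-cmd-start")
        if any(WINDOWS_ROOT_EXE.match(a or b) for a, b in EXE_PATH.findall(ev["data"])):
            out.append("run-key-exe-in-windows-root")
    return out


def enables_linked_connections(ev: dict) -> bool:
    # EnableLinkedConnections=1 exposes drives mapped under the user's standard
    # token to the elevated (UAC-linked) token, so encryption reaches mapped shares.
    return (ev["key"].lower().endswith(r"\policies\system")
            and ev["value"].lower() == "enablelinkedconnections"
            and str(ev["data"]) == "1")


def hollowing_pairs(events: list[dict]) -> list[tuple[int, int]]:
    """(writer, target) pairs with the same image on both sides that were both
    written to and had a thread context set: the process-hollowing pattern."""
    apis: dict[tuple[int, int], set[str]] = {}
    for ev in events:
        if ev["type"] == "api" and ev["image"].lower() == ev["target_image"].lower():
            apis.setdefault((ev["pid"], ev["target_pid"]), set()).add(ev["api"])
    return [k for k, v in apis.items() if {"WriteProcessMemory", "SetThreadContext"} <= v]


def analyse(events: list[dict]) -> list[tuple[int, str]]:
    findings: list[tuple[int, str]] = []
    for ev in events:
        if ev["type"] == "process":
            if deletes_shadow_copies(ev["cmdline"]):
                findings.append((ev["pid"], "shadow-copy-deletion"))
            if is_self_delete(ev):
                findings.append((ev["pid"], "parent-self-delete"))
        elif ev["type"] == "registry":
            findings += [(ev["pid"], f) for f in run_key_findings(ev)]
            if enables_linked_connections(ev):
                findings.append((ev["pid"], "enable-linked-connections"))
    findings += [(p, f"self-hollowing->{t}") for p, t in hollowing_pairs(events)]
    return findings


MAIN = r"C:\Users\Admin\AppData\Local\Temp\421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe"
DROP = r"C:\Windows\qfptdkxpgksa.exe"
RUN = r"HKU\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed events mirroring the report's tree and registry writes, plus two
# benign controls (a vssadmin listing and an ordinary Run entry).
EVENTS = [
    {"type": "api", "pid": 1652, "image": MAIN, "target_pid": 1620, "target_image": MAIN, "api": "WriteProcessMemory"},
    {"type": "api", "pid": 1652, "image": MAIN, "target_pid": 1620, "target_image": MAIN, "api": "SetThreadContext"},
    {"type": "api", "pid": 1620, "image": MAIN, "target_pid": 1812, "target_image": DROP, "api": "WriteProcessMemory"},
    {"type": "api", "pid": 1812, "image": DROP, "target_pid": 1216, "target_image": DROP, "api": "WriteProcessMemory"},
    {"type": "api", "pid": 1812, "image": DROP, "target_pid": 1216, "target_image": DROP, "api": "SetThreadContext"},
    {"type": "process", "pid": 608, "image": r"C:\Windows\System32\wbem\WMIC.exe", "parent_image": DROP,
     "cmdline": r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'},
    {"type": "process", "pid": 572, "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": MAIN,
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\421F75~1.EXE'},
    {"type": "registry", "pid": 1216, "key": RUN, "value": "gedeltysgcgs",
     "data": r'C:\Windows\system32\cmd.exe /c start "" "C:\Windows\qfptdkxpgksa.exe"'},
    {"type": "registry", "pid": 1216, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLinkedConnections", "data": 1},
    {"type": "process", "pid": 4001, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "vssadmin list shadows"},
    {"type": "registry", "pid": 4002, "key": RUN, "value": "ExampleUpdater",
     "data": r'"C:\Program Files\Example\updater.exe" /background'},
]
```

Calling analyse(EVENTS) yields one finding per behaviour in the report and nothing for the two benign events. The hollowing check is the one worth copying: a parent writing to a child process is routine, but the same image being written to and then having its thread context replaced is what separates the 1652 -> 1620 and 1812 -> 1216 pairs from the ordinary child-process writes into cmd.exe and WMIC.exe.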
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 344KB
MD5: 1f311617d8a88f03e86576bd13680834
SHA1: 53037f750f4c1cb4c527792c02b1878a5ffcf0e3
SHA256: 421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4
SHA512: 0b5408aa72b44c2a11d97ad936600ac968f0d34d2dc242614cf15bf83fc27e6d066c164bc901b29c4e303f4a43e4839c9dd8a110ac32819f0eb5203cc1c39939