Analysis
-
max time kernel: 151s
max time network: 133s
platform: windows7_x64
resource: win7-20220414-en
submitted: 08-07-2022 05:49
Static task: static1
Behavioral task: behavioral1
  Sample: 4168dd01b2806c36a6895f1d41eb7bf2670304df3f69e16d080894781853041e.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 4168dd01b2806c36a6895f1d41eb7bf2670304df3f69e16d080894781853041e.exe
  Resource: win10v2004-20220414-en
General
-
Target: 4168dd01b2806c36a6895f1d41eb7bf2670304df3f69e16d080894781853041e.exe
Size: 384KB
MD5: 2a03d5b3379984537f432ba89f1a5677
SHA1: 0cc44ac0df32264814331934c92300836ecf9d08
SHA256: 4168dd01b2806c36a6895f1d41eb7bf2670304df3f69e16d080894781853041e
SHA512: 3ee71379dc94c5537d2fd6ddf3f18e416385bb169f8c38a65f1c4bcec180c8bba0ba2eb4237fdf4f05602947dc92d29542cf30f0c75caccf05645a071f22bd8d
Malware Config
Family: teslacrypt
Extracted from: C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\Recovery+sdkcv.txt
C2 URLs:
  http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/688F3FCB75472F80
  http://tes543berda73i48fsdfsd.keratadze.at/688F3FCB75472F80
  http://tt54rfdjhb34rfbnknaerg.milerteddy.com/688F3FCB75472F80
  http://xlowfznrg4wf7dli.ONION/688F3FCB75472F80
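The four URLs in the extracted config differ only in host; the last path segment is the same 16-hex-digit token on every one, which is what the Suricata "CnC Beacon" signature keys on in practice. The following is an added example (not part of the sandbox report) that turns the config into network indicators and runs them over constructed proxy log lines. The URLs are the report's; the proxy log format, the client addresses, the non-C2 hosts and the `onion.to` gateway host are constructed, and treating the shared token as the per-victim identifier is an assumption.

```python
"""Network indicators from the extracted TeslaCrypt config above, plus a
beacon matcher run over constructed proxy log lines.

Added example, not part of the sandbox report. The four URLs are the
ones listed under Malware Config; everything in the proxy log other than
those hosts and the shared path token is constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

C2_URLS = [
    "http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/688F3FCB75472F80",
    "http://tes543berda73i48fsdfsd.keratadze.at/688F3FCB75472F80",
    "http://tt54rfdjhb34rfbnknaerg.milerteddy.com/688F3FCB75472F80",
    "http://xlowfznrg4wf7dli.ONION/688F3FCB75472F80",
]


def extract_indicators(urls):
    """Split the config URLs into host indicators and the shared path token.

    All four URLs end in the same hex segment (assumed here to be the
    per-victim identifier). Hosts rotate between samples; the token is
    what the infected machine keeps sending, so it is matched on any host.
    """
    hosts, paths = [], []
    for u in urls:
        parts = urlsplit(u)
        hosts.append(parts.hostname.lower())   # hostname is already lowercased
        paths.append(parts.path)
    path, count = Counter(paths).most_common(1)[0]
    return {
        "clearnet_hosts": sorted(h for h in hosts if not h.endswith(".onion")),
        "onion_hosts": sorted(h for h in hosts if h.endswith(".onion")),
        "shared_token": path.strip("/") if count == len(urls) else None,
    }


# Constructed proxy log: timestamp, client, method, URL, status.
SAMPLE_PROXY_LOG = """\
2022-07-08T05:50:01Z 10.0.0.12 GET http://www.example.com/index.html 200
2022-07-08T05:50:03Z 10.0.0.12 POST http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/688F3FCB75472F80 200
2022-07-08T05:50:04Z 10.0.0.12 POST http://xlowfznrg4wf7dli.onion.to/688F3FCB75472F80 503
2022-07-08T05:50:09Z 10.0.0.33 GET http://cdn.example.net/lib.js 200
2022-07-08T05:51:15Z 10.0.0.12 POST http://newhost.example.org/688F3FCB75472F80 200
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def find_beacons(log_text, indicators):
    """Flag requests to a known C2 host, to a Tor-to-web gateway fronting a
    known .onion service, or to any host with the shared token as the path."""
    known = set(indicators["clearnet_hosts"])
    onion_labels = {h.split(".")[0] for h in indicators["onion_hosts"]}
    token = indicators["shared_token"]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        reasons = []
        if host in known:
            reasons.append("known C2 host")
        # Gateways such as <label>.onion.<gateway-domain> keep the onion
        # address as the first DNS label, so match on that label.
        if ".onion" in host and host.split(".")[0] in onion_labels:
            reasons.append("onion C2 via web gateway")
        if token and parts.path.strip("/") == token:
            reasons.append("shared token in path")
        if reasons:
            hits.append({"time": ts, "client": client, "host": host, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_PROXY_LOG, extract_indicators(C2_URLS)):
        print(hit)
```

Matching on the path token rather than the host list is what catches the fifth log line, a request to a host the config never mentioned: host blocklists age out as soon as the operators rotate domains, while the token stays constant for the life of the infection.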
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware that imitated CryptoLocker in its early ransom notes. Its developers shut the operation down in 2016 and released the master decryption key.
-
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes:
  PID   Process
  2004  rlaedvimvatq.exe
  1572  rlaedvimvatq.exe
Deletes itself 1 IoCs
Processes:
  PID   Process
  776   cmd.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  Description      IoC                                                                                                                   Process
  Key created      \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run            rlaedvimvatq.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwkwlucyyhvy = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\rlaedvimvatq.exe\""   rlaedvimvatq.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
  Description                           PID   Process                                                                   procid_target
  PID 1992 set thread context of 952    1992  4168dd01b2806c36a6895f1d41eb7bf2670304df3f69e16d080894781853041e.exe     27
  PID 2004 set thread context of 1572   2004  rlaedvimvatq.exe                                                          31
Drops file in Program Files directory 64 IoCs
Processes:
  All 64 entries are "File opened for modification" by rlaedvimvatq.exe:
  C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\Recovery+sdkcv.png
  C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\Recovery+sdkcv.txt
  C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Recovery+sdkcv.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png
  C:\Program Files\Java\jdk1.7.0_80\db\lib\Recovery+sdkcv.html
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\Recovery+sdkcv.html
  C:\Program Files\Java\jre7\lib\zi\Etc\Recovery+sdkcv.txt
  C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\Recovery+sdkcv.png
  C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\Recovery+sdkcv.html
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\Recovery+sdkcv.txt
  C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\Recovery+sdkcv.png
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\Recovery+sdkcv.png
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\Recovery+sdkcv.html
  C:\Program Files\Common Files\System\ado\Recovery+sdkcv.txt
  C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png
  C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\Recovery+sdkcv.html
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\Recovery+sdkcv.html
  C:\Program Files\Microsoft Games\FreeCell\es-ES\Recovery+sdkcv.txt
  C:\Program Files\Microsoft Games\Mahjong\fr-FR\Recovery+sdkcv.txt
  C:\Program Files\Microsoft Games\Multiplayer\Checkers\Recovery+sdkcv.txt
  C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\Recovery+sdkcv.txt
  C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\Recovery+sdkcv.txt
  C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png
  C:\Program Files\VideoLAN\VLC\locale\nb\Recovery+sdkcv.html
  C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\Recovery+sdkcv.html
  C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-highlight.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\Recovery+sdkcv.html
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\Recovery+sdkcv.html
  C:\Program Files\Java\jre7\lib\zi\Africa\Recovery+sdkcv.png
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\Recovery+sdkcv.txt
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\Recovery+sdkcv.png
  C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\Recovery+sdkcv.txt
  C:\Program Files\VideoLAN\VLC\locale\gd\Recovery+sdkcv.txt
  C:\Program Files\VideoLAN\VLC\locale\he\Recovery+sdkcv.txt
  C:\Program Files\7-Zip\Lang\mr.txt
  C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png
  C:\Program Files\Microsoft Games\Minesweeper\ja-JP\Recovery+sdkcv.html
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\Recovery+sdkcv.txt
  C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Push\Recovery+sdkcv.txt
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\Recovery+sdkcv.png
  C:\Program Files\VideoLAN\VLC\locale\ka\Recovery+sdkcv.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\Recovery+sdkcv.png
  C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\te.pak
  C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt
  C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\Recovery+sdkcv.html
  C:\Program Files\Mozilla Firefox\browser\VisualElements\Recovery+sdkcv.png
  C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg
  C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\Recovery+sdkcv.png
  C:\Program Files\VideoLAN\VLC\locale\eu\Recovery+sdkcv.txt
  C:\Program Files\VideoLAN\VLC\locale\fur\Recovery+sdkcv.png
  C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\Recovery+sdkcv.png
  C:\Program Files\DVD Maker\de-DE\Recovery+sdkcv.txt
  C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png
  C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\Recovery+sdkcv.txt
  C:\Program Files\Reference Assemblies\Microsoft\Recovery+sdkcv.txt
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\Recovery+sdkcv.txt
  C:\Program Files\Microsoft Games\Purble Place\Recovery+sdkcv.txt
  C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\Recovery+sdkcv.html
  C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\Recovery+sdkcv.txt
  C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\Recovery+sdkcv.txt
  C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\Recovery+sdkcv.html
  C:\Program Files\Microsoft Games\Solitaire\it-IT\Recovery+sdkcv.html
Drops file in Windows directory 2 IoCs
Processes:
  Description                   IoC                           Process
  File created                  C:\Windows\rlaedvimvatq.exe   4168dd01b2806c36a6895f1d41eb7bf2670304df3f69e16d080894781853041e.exe
  File opened for modification  C:\Windows\rlaedvimvatq.exe   4168dd01b2806c36a6895f1d41eb7bf2670304df3f69e16d080894781853041e.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  PID   Process
  1572  rlaedvimvatq.exe   (64 identical entries)
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
  Token                          PID   Process
  SeDebugPrivilege               952   4168dd01b2806c36a6895f1d41eb7bf2670304df3f69e16d080894781853041e.exe
  SeDebugPrivilege               1572  rlaedvimvatq.exe
  SeIncreaseQuotaPrivilege       1436  WMIC.exe
  SeSecurityPrivilege            1436  WMIC.exe
  SeTakeOwnershipPrivilege       1436  WMIC.exe
  SeLoadDriverPrivilege          1436  WMIC.exe
  SeSystemProfilePrivilege       1436  WMIC.exe
  SeSystemtimePrivilege          1436  WMIC.exe
  SeProfSingleProcessPrivilege   1436  WMIC.exe
  SeIncBasePriorityPrivilege     1436  WMIC.exe
  SeCreatePagefilePrivilege      1436  WMIC.exe
  SeBackupPrivilege              1436  WMIC.exe
  SeRestorePrivilege             1436  WMIC.exe
  SeShutdownPrivilege            1436  WMIC.exe
  SeDebugPrivilege               1436  WMIC.exe
  SeSystemEnvironmentPrivilege   1436  WMIC.exe
  SeRemoteShutdownPrivilege      1436  WMIC.exe
  SeUndockPrivilege              1436  WMIC.exe
  SeManageVolumePrivilege        1436  WMIC.exe
  33                             1436  WMIC.exe
  34                             1436  WMIC.exe
  35                             1436  WMIC.exe
  (each of the 20 WMIC.exe entries above occurs twice in the report, 40 IoCs in total)
  SeBackupPrivilege              1776  vssvc.exe
  SeRestorePrivilege             1776  vssvc.exe
  SeAuditPrivilege               1776  vssvc.exe
Suspicious use of WriteProcessMemory 34 IoCs
Processes:
  Description                         PID   Process                                                                   procid_target   Count
  PID 1992 wrote to memory of 952     1992  4168dd01b2806c36a6895f1d41eb7bf2670304df3f69e16d080894781853041e.exe     27              11
  PID 952 wrote to memory of 2004     952   4168dd01b2806c36a6895f1d41eb7bf2670304df3f69e16d080894781853041e.exe     28              4
  PID 952 wrote to memory of 776      952   4168dd01b2806c36a6895f1d41eb7bf2670304df3f69e16d080894781853041e.exe     29              4
  PID 2004 wrote to memory of 1572    2004  rlaedvimvatq.exe                                                          31              11
  PID 1572 wrote to memory of 1436    1572  rlaedvimvatq.exe                                                          32              4
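Read together, the SetThreadContext and WriteProcessMemory entries describe two rounds of process hollowing: the sample starts a second copy of itself (1992 -> 952), writes into it eleven times and then resets its thread context, and the dropped rlaedvimvatq.exe does exactly the same (2004 -> 1572). The other write pairs (952 -> 2004, 952 -> 776, 1572 -> 1436) have no context change and only four writes each, which is what plain process creation of a child looks like in this kind of report. The following is an added example, not part of the sandbox report, that parses rows in the form the sandbox emits ("PID X wrote to memory of Y X image procid_target"), correlates them per (source, target) pair and labels the hollowing pairs; the row strings and the pid-to-image map are taken from this report, and the label names are an assumption.

```python
"""Correlate the WriteProcessMemory and SetThreadContext rows above into
one record per (source, target) pair and label the pairs that match
process hollowing: a parent writes into a freshly created child running
the same image, then overwrites the child's main-thread context.

Added example, not part of the sandbox report. The row strings are the
report's own ("PID X wrote to memory of Y X image procid_target"); the
pid-to-image map is taken from its Processes section.
"""
import re
from collections import defaultdict

SAMPLE = "4168dd01b2806c36a6895f1d41eb7bf2670304df3f69e16d080894781853041e.exe"

SET_CONTEXT_ROWS = [
    f"PID 1992 set thread context of 952 1992 {SAMPLE} 27",
    "PID 2004 set thread context of 1572 2004 rlaedvimvatq.exe 31",
]
# Repeated rows are kept as repeats: the write count is part of the signal.
WRITE_ROWS = (
    [f"PID 1992 wrote to memory of 952 1992 {SAMPLE} 27"] * 11
    + [f"PID 952 wrote to memory of 2004 952 {SAMPLE} 28"] * 4
    + [f"PID 952 wrote to memory of 776 952 {SAMPLE} 29"] * 4
    + ["PID 2004 wrote to memory of 1572 2004 rlaedvimvatq.exe 31"] * 11
    + ["PID 1572 wrote to memory of 1436 1572 rlaedvimvatq.exe 32"] * 4
)
PID_IMAGE = {
    1992: SAMPLE, 952: SAMPLE, 2004: "rlaedvimvatq.exe", 1572: "rlaedvimvatq.exe",
    776: "cmd.exe", 1436: "WMIC.exe", 1776: "vssvc.exe",
}

ROW_RE = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) (\d+) (\S+) (\d+)$"
)


def parse_row(row):
    """Return (src_pid, action, dst_pid, src_image, procid_target)."""
    m = ROW_RE.match(row)
    if not m or m.group(1) != m.group(4):
        raise ValueError(f"unrecognised row: {row!r}")
    src, action, dst, _, image, procid_target = m.groups()
    return int(src), action, int(dst), image, int(procid_target)


def correlate(write_rows, set_context_rows):
    """{(src, dst): {"writes": n, "set_context": bool, "src_image": str}}"""
    recs = defaultdict(lambda: {"writes": 0, "set_context": False, "src_image": None})
    for row in write_rows:
        src, _, dst, image, _ = parse_row(row)
        recs[(src, dst)]["writes"] += 1
        recs[(src, dst)]["src_image"] = image
    for row in set_context_rows:
        src, _, dst, image, _ = parse_row(row)
        recs[(src, dst)]["set_context"] = True
        recs[(src, dst)]["src_image"] = image
    return dict(recs)


def classify(recs, pid_image):
    """Label each pair:
    hollowing  - writes plus SetThreadContext into a child of the same image
    injection  - writes plus SetThreadContext into a different image
    spawn      - writes only; CreateProcess itself writes a few blocks into
                 a new child, so a handful of writes with no context change
                 is what ordinary process creation looks like here
    """
    labels = {}
    for (src, dst), r in recs.items():
        if r["set_context"]:
            same = pid_image.get(src) == pid_image.get(dst)
            labels[(src, dst)] = "hollowing" if same else "injection"
        else:
            labels[(src, dst)] = "spawn"
    return labels


if __name__ == "__main__":
    recs = correlate(WRITE_ROWS, SET_CONTEXT_ROWS)
    for pair, label in classify(recs, PID_IMAGE).items():
        print(pair, label, "writes =", recs[pair]["writes"])
```

The same correlation works on live telemetry (Sysmon event 8 or 10 plus an ETW thread-context hook) once the rows are replaced by events; the point is to key on the pair, not on either call alone, since SetThreadContext on its own is also what debuggers do.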
System policy modification 1 TTPs 2 IoCs
Processes:
  Description      IoC                                                                                            Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                    rlaedvimvatq.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"   rlaedvimvatq.exe
Processes (indented by parent/child depth; each entry gives image, command line, PID and the signatures it triggered)
-
C:\Users\Admin\AppData\Local\Temp\4168dd01b2806c36a6895f1d41eb7bf2670304df3f69e16d080894781853041e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4168dd01b2806c36a6895f1d41eb7bf2670304df3f69e16d080894781853041e.exe"
  PID: 1992
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\4168dd01b2806c36a6895f1d41eb7bf2670304df3f69e16d080894781853041e.exe  (child of 1992)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4168dd01b2806c36a6895f1d41eb7bf2670304df3f69e16d080894781853041e.exe"
    PID: 952
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\rlaedvimvatq.exe  (child of 952)
      Command line: C:\Windows\rlaedvimvatq.exe
      PID: 2004
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Windows\rlaedvimvatq.exe  (child of 2004)
        Command line: C:\Windows\rlaedvimvatq.exe
        PID: 1572
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Windows\System32\wbem\WMIC.exe  (child of 1572)
          Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          PID: 1436
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  (child of 952)
      Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4168DD~1.EXE
      PID: 776
      - Deletes itself
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1776
  - Suspicious use of AdjustPrivilegeToken
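The process tree and the IoC tables above give the complete host-side picture of this run: shadow copies deleted through WMIC (vssvc.exe starting with backup/restore privileges is the service answering that request), a Run key that launches the dropped binary via a cmd.exe /c start wrapper, EnableLinkedConnections set to 1 so that drives mapped under the user's standard token are also visible to the elevated token (which is how an elevated encryptor reaches mapped network shares), the original file deleted by its 8.3 short name from a cmd.exe child, and the same Recovery+sdkcv.{txt,html,png} note written into every directory touched. The following is an added example, not part of the sandbox report, that expresses those behaviours as detection rules and runs them over constructed Sysmon-style events. The PIDs, parent/child pairs, command lines, registry writes and note paths come from this report; the event format, the note-burst threshold, the rule names and the vssadmin variant of the shadow-copy rule (the report only shows WMIC) are assumptions.

```python
"""Host-side detection for the behaviours in the process tree above,
run over constructed Sysmon-style events.

Added example, not part of the sandbox report. The pid/parent pairs,
command lines, registry writes and note paths are the report's; the
event format, thresholds and the vssadmin variant are assumptions.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = "4168dd01b2806c36a6895f1d41eb7bf2670304df3f69e16d080894781853041e.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
NOTE_DIR_THRESHOLD = 5   # distinct directories receiving the same file name

EVENTS = [
    {"type": "process", "pid": 952, "ppid": 1992, "image": SAMPLE_PATH,
     "cmdline": f'"{SAMPLE_PATH}"'},
    {"type": "process", "pid": 1572, "ppid": 2004,
     "image": r"C:\Windows\rlaedvimvatq.exe", "cmdline": r"C:\Windows\rlaedvimvatq.exe"},
    {"type": "process", "pid": 1436, "ppid": 1572,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'},
    {"type": "process", "pid": 776, "ppid": 952, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4168DD~1.EXE'},
    {"type": "registry", "pid": 1572, "value": "cwkwlucyyhvy",
     "key": r"HKU\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r'C:\Windows\system32\cmd.exe /c start "" "C:\Windows\rlaedvimvatq.exe"'},
    {"type": "registry", "pid": 1572, "value": "EnableLinkedConnections", "data": 1,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"},
] + [
    {"type": "file", "pid": 1572, "path": d + r"\Recovery+sdkcv." + ext}
    for d in (r"C:\Program Files\7-Zip\Lang", r"C:\Program Files\DVD Maker\de-DE",
              r"C:\Program Files\Java\jre7\lib\zi\Etc",
              r"C:\Program Files\Microsoft Games\Purble Place",
              r"C:\Program Files\VideoLAN\VLC\locale\ka",
              r"C:\Program Files\Mozilla Firefox\browser\VisualElements")
    for ext in ("txt", "html", "png")
]

SHADOW_RE = re.compile(r"wmic(\.exe)?\b.*\bshadowcopy\s+delete|vssadmin(\.exe)?\b.*\bdelete\s+shadows", re.I)
DEL_RE = re.compile(r"/c\s+del\s+(?:/\S+\s+)*\"?([^\"\s]+)", re.I)
EXE_RE = re.compile(r"[a-z]:\\[^\"]+?\.exe", re.I)


def is_8dot3_alias(short_name, long_name):
    """True if short_name (e.g. 4168DD~1.EXE) could be the 8.3 alias of long_name."""
    s, l = short_name.upper(), long_name.upper()
    if "~" not in s:
        return s == l
    return l.startswith(s.split("~", 1)[0]) and \
        PureWindowsPath(s).suffix == PureWindowsPath(l).suffix[:4]


def detect(events):
    """Return a list of (pid, rule) alerts."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    note_dirs = defaultdict(set)            # (pid, file name) -> directories
    alerts = []
    for e in events:
        if e["type"] == "process":
            if SHADOW_RE.search(e["cmdline"]):
                alerts.append((e["pid"], "shadow_copy_deletion"))
            m, parent = DEL_RE.search(e["cmdline"]), procs.get(e["ppid"])
            if m and parent:
                # Self-deletion: cmd spawned by X deletes X's own image. The
                # path is usually in 8.3 form, so compare directory + alias.
                tgt, img = PureWindowsPath(m.group(1)), PureWindowsPath(parent["image"])
                if str(tgt.parent).lower() == str(img.parent).lower() \
                        and is_8dot3_alias(tgt.name, img.name):
                    alerts.append((e["pid"], "self_delete_of_parent_image"))
        elif e["type"] == "registry":
            key, data = e["key"].lower(), str(e["data"])
            if key.endswith(r"\currentversion\run"):
                if "cmd.exe" in data.lower() and "/c start" in data.lower():
                    alerts.append((e["pid"], "run_key_via_cmd_start"))
                # The real autostart target is the last .exe in the value; a
                # binary dropped straight into C:\Windows (not System32) is odd.
                exes = EXE_RE.findall(data)
                if exes and str(PureWindowsPath(exes[-1]).parent).lower() == r"c:\windows":
                    alerts.append((e["pid"], "run_key_target_in_windows_root"))
            if key.endswith(r"\policies\system") and \
                    e["value"].lower() == "enablelinkedconnections" and data == "1":
                # Makes drives mapped under the standard token visible to the
                # elevated (linked) token too, so the encryptor reaches shares.
                alerts.append((e["pid"], "enable_linked_connections"))
        elif e["type"] == "file":
            p = PureWindowsPath(e["path"])
            note_dirs[(e["pid"], p.name)].add(str(p.parent))
    for (pid, name), dirs in note_dirs.items():
        if len(dirs) >= NOTE_DIR_THRESHOLD:   # same file name written everywhere
            alerts.append((pid, f"ransom_note_burst:{name}"))
    return alerts
```

Running `detect(EVENTS)` yields eight alerts, all attributable to the two processes that actually did the damage (1436 for the shadow-copy deletion, 776 for the self-delete, 1572 for everything else); the note-burst rule is the one that fires earliest on a real host, since the notes are written into a directory before the files in it are encrypted.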
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 384KB
MD5: 2a03d5b3379984537f432ba89f1a5677
SHA1: 0cc44ac0df32264814331934c92300836ecf9d08
SHA256: 4168dd01b2806c36a6895f1d41eb7bf2670304df3f69e16d080894781853041e
SHA512: 3ee71379dc94c5537d2fd6ddf3f18e416385bb169f8c38a65f1c4bcec180c8bba0ba2eb4237fdf4f05602947dc92d29542cf30f0c75caccf05645a071f22bd8d