Analysis
-
max time kernel
170s -
max time network
176s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
12/07/2022, 07:52
General
-
Target
4c1047afcf72657f290338efac15c4bb109735512edee5556f76307f975c4f68.exe
-
Size
371KB
-
MD5
3d1d21040e9d68cbf02e146ad0ad67eb
-
SHA1
1ba5dc500339977ef248125ccc8f6f66f3cb0f6f
-
SHA256
4c1047afcf72657f290338efac15c4bb109735512edee5556f76307f975c4f68
-
SHA512
bb14db6c812f3acd1777c10ad6fea24b4a3b10975d7f8811355d42bc493bddc3c07aa9129b065b061fe021473c64dc7da940885ba9bd42d59d9b1feefbe86865
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-2277218442-1199762539-2004043321-1000\_RECoVERY_+fcjay.txt
teslacrypt
http://yyre45dbvn2nhbefbmh.begumvelic.at/A65B85DCF3D611E
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/A65B85DCF3D611E
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/A65B85DCF3D611E
http://xlowfznrg4wf7dli.ONION/A65B85DCF3D611E
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c1047afcf72657f290338efac15c4bb109735512edee5556f76307f975c4f68.exe"C:\Users\Admin\AppData\Local\Temp\4c1047afcf72657f290338efac15c4bb109735512edee5556f76307f975c4f68.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4c1047afcf72657f290338efac15c4bb109735512edee5556f76307f975c4f68.exe"C:\Users\Admin\AppData\Local\Temp\4c1047afcf72657f290338efac15c4bb109735512edee5556f76307f975c4f68.exe"2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\ouiuoetwvgfq.exeC:\Windows\ouiuoetwvgfq.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\ouiuoetwvgfq.exeC:\Windows\ouiuoetwvgfq.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4C1047~1.EXE3⤵
- Deletes itself
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
371KB
MD53d1d21040e9d68cbf02e146ad0ad67eb
SHA11ba5dc500339977ef248125ccc8f6f66f3cb0f6f
SHA2564c1047afcf72657f290338efac15c4bb109735512edee5556f76307f975c4f68
SHA512bb14db6c812f3acd1777c10ad6fea24b4a3b10975d7f8811355d42bc493bddc3c07aa9129b065b061fe021473c64dc7da940885ba9bd42d59d9b1feefbe86865
-
Filesize
371KB
MD53d1d21040e9d68cbf02e146ad0ad67eb
SHA11ba5dc500339977ef248125ccc8f6f66f3cb0f6f
SHA2564c1047afcf72657f290338efac15c4bb109735512edee5556f76307f975c4f68
SHA512bb14db6c812f3acd1777c10ad6fea24b4a3b10975d7f8811355d42bc493bddc3c07aa9129b065b061fe021473c64dc7da940885ba9bd42d59d9b1feefbe86865
-
Filesize
371KB
MD53d1d21040e9d68cbf02e146ad0ad67eb
SHA11ba5dc500339977ef248125ccc8f6f66f3cb0f6f
SHA2564c1047afcf72657f290338efac15c4bb109735512edee5556f76307f975c4f68
SHA512bb14db6c812f3acd1777c10ad6fea24b4a3b10975d7f8811355d42bc493bddc3c07aa9129b065b061fe021473c64dc7da940885ba9bd42d59d9b1feefbe86865
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
8KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB