Analysis
-
max time kernel
151s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
12-07-2022 09:45
General
-
Target
4b7f328bb05d97e371c0b7873e9a7eebad756971970948283c3bf6e46ac61103.exe
-
Size
360KB
-
MD5
0b7d136cbc2a52f4a836f99fa3fed5d5
-
SHA1
a8a501329c2d47c16dc7c31e18b667aafbbd3df1
-
SHA256
4b7f328bb05d97e371c0b7873e9a7eebad756971970948283c3bf6e46ac61103
-
SHA512
bc24815c309dc6530c82be0f5dbb2f92fb729b0f85cae3ee415b5e33f0938e16abc9a6e7216063dcc8b3661b3530655e27a00ed03168238988d2f1f25f10cf29
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-1809750270-3141839489-3074374771-1000\_RECOVERY_+xkmmu.txt
teslacrypt
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/143255AA299DE23
http://tes543berda73i48fsdfsd.keratadze.at/143255AA299DE23
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/143255AA299DE23
http://xlowfznrg4wf7dli.ONION/143255AA299DE23
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\_RECOVERY_+xkmmu.html
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/143255AA299DE23
http://tes543berda73i48fsdfsd.keratadze.at/143255AA299DE23
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/143255AA299DE23
http://xlowfznrg4wf7dli.onion/143255AA299DE23
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b7f328bb05d97e371c0b7873e9a7eebad756971970948283c3bf6e46ac61103.exe"C:\Users\Admin\AppData\Local\Temp\4b7f328bb05d97e371c0b7873e9a7eebad756971970948283c3bf6e46ac61103.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\tfkxfbmjbmdv.exeC:\Windows\tfkxfbmjbmdv.exe2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT3⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffeae0846f8,0x7ffeae084708,0x7ffeae0847184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,6266379236413064570,13255013660806177812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:34⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6266379236413064570,13255013660806177812,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,6266379236413064570,13255013660806177812,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6266379236413064570,13255013660806177812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6266379236413064570,13255013660806177812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,6266379236413064570,13255013660806177812,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4760 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,6266379236413064570,13255013660806177812,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5644 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6266379236413064570,13255013660806177812,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6266379236413064570,13255013660806177812,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6266379236413064570,13255013660806177812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x25c,0x260,0x264,0x218,0x268,0x7ff67c215460,0x7ff67c215470,0x7ff67c2154805⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6266379236413064570,13255013660806177812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:84⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\TFKXFB~1.EXE3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4B7F32~1.EXE2⤵
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD503594c00260425c9340407c32e170670
SHA1b65e2cc9ff3b513e576a6d3a6603432a77bfa15b
SHA256d269ace27e354d991fa77c05f41313ae22fb488cd6aa1877f08cb05fa25b7299
SHA512e65087de7bba21968374bb930ba255eed7ca0463633bdd2ccd2dd8c1c186b6846f606402772e81bbf867789fd742e8377e3346a7f2cf2b4bf28b5cafe191df56
-
Filesize
62KB
MD50e33f3c524e7194225289376f62ca0e7
SHA101bdd48089b7d2e6482982560396de707188346d
SHA25675990d4b16b44709f8b0061f9d4adff3dc8dc0010eae2e3f8e98748d75a10962
SHA512023a594d781588b784e544800eb158ab2cbe8c4cdfe982bd97511ce2b6034cc985c3024504481b5784d22f3fd2c17b2238d6bdfbe8df89875fbe485e012e7669
-
Filesize
1KB
MD52dd8bab87ab68f7831548e1f3711b629
SHA1c24439c514db611f2de8e5f45506b82255eea441
SHA256f2cad7b21a20c6776d37546a3b729e00c2f76c2c8bcb3f14516fa36b3b6bc029
SHA512fca8325e9369d324f34bb0cb8cbac8d38da060b40ad30ae5829603b5e7f693f584c60aab1a2479559cc8c25c62fd2edfcbc43ebe379b3e092ad47d6ef7452fb9
-
Filesize
11KB
MD503594c00260425c9340407c32e170670
SHA1b65e2cc9ff3b513e576a6d3a6603432a77bfa15b
SHA256d269ace27e354d991fa77c05f41313ae22fb488cd6aa1877f08cb05fa25b7299
SHA512e65087de7bba21968374bb930ba255eed7ca0463633bdd2ccd2dd8c1c186b6846f606402772e81bbf867789fd742e8377e3346a7f2cf2b4bf28b5cafe191df56
-
Filesize
62KB
MD50e33f3c524e7194225289376f62ca0e7
SHA101bdd48089b7d2e6482982560396de707188346d
SHA25675990d4b16b44709f8b0061f9d4adff3dc8dc0010eae2e3f8e98748d75a10962
SHA512023a594d781588b784e544800eb158ab2cbe8c4cdfe982bd97511ce2b6034cc985c3024504481b5784d22f3fd2c17b2238d6bdfbe8df89875fbe485e012e7669
-
Filesize
1KB
MD52dd8bab87ab68f7831548e1f3711b629
SHA1c24439c514db611f2de8e5f45506b82255eea441
SHA256f2cad7b21a20c6776d37546a3b729e00c2f76c2c8bcb3f14516fa36b3b6bc029
SHA512fca8325e9369d324f34bb0cb8cbac8d38da060b40ad30ae5829603b5e7f693f584c60aab1a2479559cc8c25c62fd2edfcbc43ebe379b3e092ad47d6ef7452fb9
-
Filesize
11KB
MD503594c00260425c9340407c32e170670
SHA1b65e2cc9ff3b513e576a6d3a6603432a77bfa15b
SHA256d269ace27e354d991fa77c05f41313ae22fb488cd6aa1877f08cb05fa25b7299
SHA512e65087de7bba21968374bb930ba255eed7ca0463633bdd2ccd2dd8c1c186b6846f606402772e81bbf867789fd742e8377e3346a7f2cf2b4bf28b5cafe191df56
-
Filesize
62KB
MD50e33f3c524e7194225289376f62ca0e7
SHA101bdd48089b7d2e6482982560396de707188346d
SHA25675990d4b16b44709f8b0061f9d4adff3dc8dc0010eae2e3f8e98748d75a10962
SHA512023a594d781588b784e544800eb158ab2cbe8c4cdfe982bd97511ce2b6034cc985c3024504481b5784d22f3fd2c17b2238d6bdfbe8df89875fbe485e012e7669
-
Filesize
1KB
MD52dd8bab87ab68f7831548e1f3711b629
SHA1c24439c514db611f2de8e5f45506b82255eea441
SHA256f2cad7b21a20c6776d37546a3b729e00c2f76c2c8bcb3f14516fa36b3b6bc029
SHA512fca8325e9369d324f34bb0cb8cbac8d38da060b40ad30ae5829603b5e7f693f584c60aab1a2479559cc8c25c62fd2edfcbc43ebe379b3e092ad47d6ef7452fb9
-
Filesize
11KB
MD503594c00260425c9340407c32e170670
SHA1b65e2cc9ff3b513e576a6d3a6603432a77bfa15b
SHA256d269ace27e354d991fa77c05f41313ae22fb488cd6aa1877f08cb05fa25b7299
SHA512e65087de7bba21968374bb930ba255eed7ca0463633bdd2ccd2dd8c1c186b6846f606402772e81bbf867789fd742e8377e3346a7f2cf2b4bf28b5cafe191df56
-
Filesize
62KB
MD50e33f3c524e7194225289376f62ca0e7
SHA101bdd48089b7d2e6482982560396de707188346d
SHA25675990d4b16b44709f8b0061f9d4adff3dc8dc0010eae2e3f8e98748d75a10962
SHA512023a594d781588b784e544800eb158ab2cbe8c4cdfe982bd97511ce2b6034cc985c3024504481b5784d22f3fd2c17b2238d6bdfbe8df89875fbe485e012e7669
-
Filesize
1KB
MD52dd8bab87ab68f7831548e1f3711b629
SHA1c24439c514db611f2de8e5f45506b82255eea441
SHA256f2cad7b21a20c6776d37546a3b729e00c2f76c2c8bcb3f14516fa36b3b6bc029
SHA512fca8325e9369d324f34bb0cb8cbac8d38da060b40ad30ae5829603b5e7f693f584c60aab1a2479559cc8c25c62fd2edfcbc43ebe379b3e092ad47d6ef7452fb9
-
Filesize
11KB
MD503594c00260425c9340407c32e170670
SHA1b65e2cc9ff3b513e576a6d3a6603432a77bfa15b
SHA256d269ace27e354d991fa77c05f41313ae22fb488cd6aa1877f08cb05fa25b7299
SHA512e65087de7bba21968374bb930ba255eed7ca0463633bdd2ccd2dd8c1c186b6846f606402772e81bbf867789fd742e8377e3346a7f2cf2b4bf28b5cafe191df56
-
Filesize
62KB
MD50e33f3c524e7194225289376f62ca0e7
SHA101bdd48089b7d2e6482982560396de707188346d
SHA25675990d4b16b44709f8b0061f9d4adff3dc8dc0010eae2e3f8e98748d75a10962
SHA512023a594d781588b784e544800eb158ab2cbe8c4cdfe982bd97511ce2b6034cc985c3024504481b5784d22f3fd2c17b2238d6bdfbe8df89875fbe485e012e7669
-
Filesize
1KB
MD52dd8bab87ab68f7831548e1f3711b629
SHA1c24439c514db611f2de8e5f45506b82255eea441
SHA256f2cad7b21a20c6776d37546a3b729e00c2f76c2c8bcb3f14516fa36b3b6bc029
SHA512fca8325e9369d324f34bb0cb8cbac8d38da060b40ad30ae5829603b5e7f693f584c60aab1a2479559cc8c25c62fd2edfcbc43ebe379b3e092ad47d6ef7452fb9
-
Filesize
11KB
MD503594c00260425c9340407c32e170670
SHA1b65e2cc9ff3b513e576a6d3a6603432a77bfa15b
SHA256d269ace27e354d991fa77c05f41313ae22fb488cd6aa1877f08cb05fa25b7299
SHA512e65087de7bba21968374bb930ba255eed7ca0463633bdd2ccd2dd8c1c186b6846f606402772e81bbf867789fd742e8377e3346a7f2cf2b4bf28b5cafe191df56
-
Filesize
1KB
MD52dd8bab87ab68f7831548e1f3711b629
SHA1c24439c514db611f2de8e5f45506b82255eea441
SHA256f2cad7b21a20c6776d37546a3b729e00c2f76c2c8bcb3f14516fa36b3b6bc029
SHA512fca8325e9369d324f34bb0cb8cbac8d38da060b40ad30ae5829603b5e7f693f584c60aab1a2479559cc8c25c62fd2edfcbc43ebe379b3e092ad47d6ef7452fb9
-
Filesize
360KB
MD50b7d136cbc2a52f4a836f99fa3fed5d5
SHA1a8a501329c2d47c16dc7c31e18b667aafbbd3df1
SHA2564b7f328bb05d97e371c0b7873e9a7eebad756971970948283c3bf6e46ac61103
SHA512bc24815c309dc6530c82be0f5dbb2f92fb729b0f85cae3ee415b5e33f0938e16abc9a6e7216063dcc8b3661b3530655e27a00ed03168238988d2f1f25f10cf29
-
Filesize
360KB
MD50b7d136cbc2a52f4a836f99fa3fed5d5
SHA1a8a501329c2d47c16dc7c31e18b667aafbbd3df1
SHA2564b7f328bb05d97e371c0b7873e9a7eebad756971970948283c3bf6e46ac61103
SHA512bc24815c309dc6530c82be0f5dbb2f92fb729b0f85cae3ee415b5e33f0938e16abc9a6e7216063dcc8b3661b3530655e27a00ed03168238988d2f1f25f10cf29
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
632KB
-
Filesize
532KB
-
-
-
-
-
Filesize
532KB
-
