Analysis
max time kernel: 150s
max time network: 162s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 20-07-2022 15:17
Static task: static1
Behavioral task: behavioral1
  Sample: 4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe
  Resource: win10v2004-20220718-en
General
Target: 4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe
Size: 344KB
MD5: 3403d7a8943208af02fcfdc6f78cbfc5
SHA1: 7a0ed12ec4df575dd2b5e6105d3febe5aa10bdfe
SHA256: 4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5
SHA512: d9d7ed904dfdfb80fff705a50f00a01728a469e40f4aad2ee7f74dd45882775db04b2976a70d747f5b43feba7412d54adde1644ed908de3f600c100852ad2196
Malware Config
Extracted
Path: C:\$Recycle.Bin\S-1-5-21-4084403625-2215941253-1760665084-1000\_RECOVERY_+ussdw.txt
Family: teslacrypt
URLs:
  http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/A6C19862CEE3C6FE
  http://tes543berda73i48fsdfsd.keratadze.at/A6C19862CEE3C6FE
  http://tt54rfdjhb34rfbnknaerg.milerteddy.com/A6C19862CEE3C6FE
  http://xlowfznrg4wf7dli.ONION/A6C19862CEE3C6FE
Signatures
TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Executes dropped EXE (2 IoCs)
  PID   Process
  1532  ufrxdwryckvy.exe
  1724  ufrxdwryckvy.exe
Deletes itself (1 IoC)
  PID   Process
  1368  cmd.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created (ufrxdwryckvy.exe):
    \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str) (ufrxdwryckvy.exe):
    \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\qbjfucgjteaq = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\ufrxdwryckvy.exe\""
Suspicious use of SetThreadContext (2 IoCs)
  PID   Process                                                                  Target PID  procid_target
  1328  4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe   964         27
  1532  ufrxdwryckvy.exe                                                         1724        31
Drops file in Program Files directory (9 IoCs)
  File opened for modification (ufrxdwryckvy.exe):
    C:\Program Files\7-Zip\History.txt
    C:\Program Files\7-Zip\Lang\af.txt
    C:\Program Files\7-Zip\Lang\an.txt
    C:\Program Files\7-Zip\Lang\ar.txt
    C:\Program Files\7-Zip\Lang\az.txt
    C:\Program Files\7-Zip\Lang\be.txt
    C:\Program Files\7-Zip\Lang\bg.txt
    C:\Program Files\7-Zip\Lang\ast.txt
    C:\Program Files\7-Zip\Lang\ba.txt
Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\ufrxdwryckvy.exe (4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe)
  File opened for modification: C:\Windows\ufrxdwryckvy.exe (4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (53 IoCs)
  PID   Process            Events
  1724  ufrxdwryckvy.exe   53
Suspicious use of AdjustPrivilegeToken (45 IoCs)
  PID   Process                                                                  Tokens
  964   4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe   SeDebugPrivilege
  1724  ufrxdwryckvy.exe                                                         SeDebugPrivilege
  776   WMIC.exe                                                                 SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (each of these 20 tokens adjusted twice, 40 events)
  1004  vssvc.exe                                                                SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
Suspicious use of WriteProcessMemory (32 IoCs)
  PID   Process                                                                  Wrote to PID  procid_target  Events
  1328  4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe   964           27             10
  964   4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe   1532          28             4
  964   4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe   1368          29             4
  1532  ufrxdwryckvy.exe                                                         1724          31             10
  1724  ufrxdwryckvy.exe                                                         776           32             4
System policy modification (1 TTP, 2 IoCs)
  Key created (ufrxdwryckvy.exe):
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Set value (int) (ufrxdwryckvy.exe):
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
Processes
C:\Users\Admin\AppData\Local\Temp\4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe"
  PID: 1328
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe (child of PID 1328)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe"
    PID: 964
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\ufrxdwryckvy.exe (child of PID 964)
      Command line: C:\Windows\ufrxdwryckvy.exe
      PID: 1532
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Windows\ufrxdwryckvy.exe (child of PID 1532)
        Command line: C:\Windows\ufrxdwryckvy.exe
        PID: 1724
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Windows\System32\wbem\WMIC.exe (child of PID 1724)
          Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          PID: 776
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe (child of PID 964)
      Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4F2928~1.EXE
      PID: 1368
      - Deletes itself
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1004
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 344KB
MD5: 3403d7a8943208af02fcfdc6f78cbfc5
SHA1: 7a0ed12ec4df575dd2b5e6105d3febe5aa10bdfe
SHA256: 4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5
SHA512: d9d7ed904dfdfb80fff705a50f00a01728a469e40f4aad2ee7f74dd45882775db04b2976a70d747f5b43feba7412d54adde1644ed908de3f600c100852ad2196