Analysis

  • max time kernel
    142s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20220715-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    20-07-2022 16:58

General

  • Target

    4ea468d8b8015903bba0103eec44f772492a93c3d345d81bae253a492d8b1f51.exe

  • Size

    424KB

  • MD5

    627e7f4f2a1e8436da14489e7215b7da

  • SHA1

    d72ecb51d1a6a0f18f0939c37ed06a0b90b50a0e

  • SHA256

    4ea468d8b8015903bba0103eec44f772492a93c3d345d81bae253a492d8b1f51

  • SHA512

    da583a7ff28f0aa65ac360e66717e7b53fe911cdabc592fde03e914b21cb18f703c45f3f59045f32af4f686bec841651849f97ddfd2e4155f1577b12b35f9c97

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3440072777-2118400376-1759599358-1000\_RECoVERY_+ysiny.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES
How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4C69C74C334A5A
2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4C69C74C334A5A
3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/4C69C74C334A5A
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/4C69C74C334A5A
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4C69C74C334A5A
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4C69C74C334A5A
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/4C69C74C334A5A
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/4C69C74C334A5A
URLs

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4C69C74C334A5A

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4C69C74C334A5A

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/4C69C74C334A5A

http://xlowfznrg4wf7dli.ONION/4C69C74C334A5A
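
The four URLs above are what the sandbox pulled out of the ransom note. The following is an added example, not code from the sandbox or the report, that does the same extraction from the note text: it finds every URL (including the scheme-less .onion address), separates the victim-specific payment pages from reference links such as the Wikipedia and Tor Project URLs, normalises the upper-case .ONION variant so duplicates collapse, and checks that all payment pages carry the same victim ID. The NOTE string is a constructed excerpt of the note shown above; the classification rule (a payment page is a URL whose whole path is one hex-like identifier) is an assumption that fits this family's notes, not a property the report states.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt of the ransom note reproduced above (sentences without URLs trimmed).
NOTE = (
    "NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? "
    "More information about the encryption keys using AES can be found here: "
    "http://en.wikipedia.org/wiki/AES How did this happen ? "
    "For more specific instructions, please visit your personal home page, there are a few "
    "different addresses pointing to your page below: "
    "1. http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4C69C74C334A5A "
    "2. http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4C69C74C334A5A "
    "3. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/4C69C74C334A5A "
    "If for some reasons the addresses are not available, follow these steps: "
    "1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en "
    "2. After a successful installation, run the browser "
    "3. Type in the address bar: xlowfznrg4wf7dli.onion/4C69C74C334A5A "
    "4. Follow the instructions on the site. "
    "---------------- IMPORTANT INFORMATION------------------------ "
    "*-*-* Your personal pages: "
    "http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4C69C74C334A5A "
    "http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4C69C74C334A5A "
    "http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/4C69C74C334A5A "
    "*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/4C69C74C334A5A"
)

# Scheme is optional so that bare "host.onion/ID" instructions are caught as well.
URL_RE = re.compile(r"\b(?:https?://)?(?:[a-z0-9-]+\.)+(?:onion|[a-z]{2,})(?:/\S*)?", re.I)
# Assumed shape of a victim page: the entire path is one hex-like identifier.
VICTIM_PATH = re.compile(r"^/([0-9A-F]{8,})$", re.I)


def normalise(raw: str) -> str:
    """Add a scheme when missing and lower-case the host so .ONION and .onion collapse."""
    url = raw if raw.lower().startswith(("http://", "https://")) else "http://" + raw
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc.lower()}{parts.path}"


def extract_iocs(note: str) -> dict:
    """Return payment URLs, onion URLs, reference URLs and the victim ID found in a note."""
    seen, payment, reference = [], [], []
    for m in URL_RE.finditer(note):
        url = normalise(m.group(0).rstrip(".,"))
        if url in seen:
            continue
        seen.append(url)
        (payment if VICTIM_PATH.match(urlsplit(url).path) else reference).append(url)
    ids = {VICTIM_PATH.match(urlsplit(u).path).group(1).upper() for u in payment}
    return {
        # One ID per victim is expected; None flags a note whose pages disagree.
        "victim_id": ids.pop() if len(ids) == 1 else None,
        "payment_urls": payment,
        "onion_urls": [u for u in payment if urlsplit(u).hostname.endswith(".onion")],
        "reference_urls": reference,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(NOTE).items():
        print(key, value)
```

The victim ID is worth keeping separately from the URLs: the clearnet domains rotate between campaigns, while the ID is what ties every page in this note to one infected host.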

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016, when they released the master decryption key; files encrypted by this family can generally be recovered with a free decryptor rather than by paying.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ea468d8b8015903bba0103eec44f772492a93c3d345d81bae253a492d8b1f51.exe
    "C:\Users\Admin\AppData\Local\Temp\4ea468d8b8015903bba0103eec44f772492a93c3d345d81bae253a492d8b1f51.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\xbdndvmxvvvd.exe
      C:\Windows\xbdndvmxvvvd.exe
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops startup file
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2004
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1532
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1036
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:828
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:828 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:988
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1128
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\XBDNDV~1.EXE
        3⤵
        PID:884
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4EA468~1.EXE
        2⤵
        • Deletes itself
        PID:1552
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:856
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:1644
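
The process tree above is a compact record of the three behaviours a responder would want to alert on: the dropped copy in C:\Windows executing from a parent in the user's Temp directory, WMIC called twice to delete shadow copies, and cmd.exe /c DEL used by both the dropper and the dropped copy to remove their own images (the 8.3 short names XBDNDV~1.EXE and 4EA468~1.EXE are how the targets appear on the command line). The following is an added example, not code from the sandbox or any vendor, of detection logic over process-creation events; the events are constructed from the PIDs, image paths and command lines in the report, and the parent PID of the first process (1000) is assumed because the report does not show it. The shadow-copy rule also matches "vssadmin delete shadows", which this sample does not use, so it generalises slightly beyond the page.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\4ea468d8b8015903bba0103eec44f772492a93c3d345d81bae253a492d8b1f51.exe")

# Constructed events mirroring the report's process tree; ppid 1000 for the dropper is assumed.
SAMPLE = [
    ProcEvent(1972, 1000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(2004, 1972, r"C:\Windows\xbdndvmxvvvd.exe", r"C:\Windows\xbdndvmxvvvd.exe"),
    ProcEvent(1532, 2004, r"C:\Windows\System32\wbem\WMIC.exe",
              r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'),
    ProcEvent(1036, 2004, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
              r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT'),
    ProcEvent(1128, 2004, r"C:\Windows\System32\wbem\WMIC.exe",
              r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'),
    ProcEvent(884, 2004, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\XBDNDV~1.EXE'),
    ProcEvent(1552, 1972, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4EA468~1.EXE'),
]

SHADOW_DELETE = re.compile(r"shadowcopy\s+delete|delete\s+shadows", re.I)
# "/c del [switches] <target>"; the first non-switch token is the file being deleted.
DEL_CMD = re.compile(r'/c\s+del\s+(?:/\S+\s+)*"?([^"\s]+)', re.I)
USER_TEMP = "\\appdata\\local\\temp\\"


def matches_short_name(short: str, full: str) -> bool:
    """True when `short` names the same file as `full`, allowing `short` to be the
    DOS 8.3 alias (4EA468~1.EXE for 4ea468d8...f51.exe). Heuristic: same directory,
    same extension, and the part before '~' is a prefix of the long name."""
    if short.lower() == full.lower():
        return True
    sdir, sbase = ntpath.split(short)
    fdir, fbase = ntpath.split(full)
    if sdir.lower() != fdir.lower():
        return False
    sname, sext = ntpath.splitext(sbase)
    fname, fext = ntpath.splitext(fbase)
    if sext.lower() != fext.lower() or "~" not in sname:
        return False
    prefix = sname.split("~", 1)[0].lower()
    return fname.lower().replace(" ", "").startswith(prefix)


def analyze(events):
    """Return (rule, pid) findings; pid is the offending process, or for self-deletion
    the process whose image was deleted."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        base = ntpath.basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        # Rule 1: shadow copy deletion via WMIC (seen twice above) or vssadmin.
        if base in ("wmic.exe", "vssadmin.exe") and SHADOW_DELETE.search(e.cmdline):
            findings.append(("shadow_copy_deletion", e.pid))
        # Rule 2: cmd.exe /c DEL whose target is the parent's own image.
        if base == "cmd.exe" and parent is not None:
            m = DEL_CMD.search(e.cmdline)
            if m and matches_short_name(m.group(1), parent.image):
                findings.append(("self_deletion", parent.pid))
        # Rule 3: an executable directly under C:\Windows launched from a user Temp dir.
        if (parent is not None and ntpath.dirname(e.image).lower() == r"c:\windows"
                and USER_TEMP in parent.image.lower()):
            findings.append(("dropped_exe_in_windows_dir", e.pid))
    return findings


def root_pid(events, pid):
    """Walk parent links until the parent is outside the event set: the chain's root."""
    by_pid = {e.pid: e for e in events}
    while pid in by_pid and by_pid[pid].ppid in by_pid:
        pid = by_pid[pid].ppid
    return pid


if __name__ == "__main__":
    for rule, pid in analyze(SAMPLE):
        print(f"{rule:28s} pid={pid} root={root_pid(SAMPLE, pid)}")
```

Rule 2 keys on the parent rather than on the command line alone, which is what separates a self-deleting dropper from a user running del in a shell; the 8.3 matching matters because many samples, like this one, pass the short name.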

    Downloads

    • C:\Users\Admin\Desktop\RECOVERY.HTM

      Filesize

      11KB

      MD5

      eb93e1919e9d5455114b5c81175be39a

      SHA1

      3ada71abe5af75a123824fcd948091b1babeafed

      SHA256

      60631e5a72360127154c23f9aa38ff128832ff9a507dc354b9966e4e19594971

      SHA512

      070273a514040c6c4f5214bc4a2045e068057887869692cb26977be579fb40581f9787a8d9d9e221a9bcc88a8790e7ac3aa63fd18d29f2d86c1aa837c9c22b00

    • C:\Users\Admin\Desktop\RECOVERY.TXT

      Filesize

      1KB

      MD5

      0c455988a04e6cf0a17178806156ee14

      SHA1

      af6f08538e68700fe15582425a8111979cf79bbb

      SHA256

      c7c31549f40f72030dd1090abac1a64827660eeac18ea593057744e29181638f

      SHA512

      80cc2ef97156fd5dda710a6cd4437b59ebb0f74fb74f1c74cf25e22a6919dfba698d2020796339ebf985eb6a62ec5b8f0977c711f7bd871f4e06c2963a7091aa

    • C:\Users\Admin\Desktop\RECOVERY.png

      Filesize

      63KB

      MD5

      05c82a2220faa5b23e83f46add516b04

      SHA1

      01cc687e378e4ea70d6c7152ef8ba34f6c70c5a2

      SHA256

      12866d48baf0679058521ef1ff7dca9b9ec889d120fbe28dca3350e1a026fd6e

      SHA512

      057c90a5ecf4d5c21e4879ec5a299e9955caa12cc7d9679cc40fa13256b2a3e72bfe8a71067f4c8b14c5ddcabc3c2a44222301459d37a055c3cd123af60b3674

    • C:\Windows\xbdndvmxvvvd.exe

      Filesize

      424KB

      MD5

      627e7f4f2a1e8436da14489e7215b7da

      SHA1

      d72ecb51d1a6a0f18f0939c37ed06a0b90b50a0e

      SHA256

      4ea468d8b8015903bba0103eec44f772492a93c3d345d81bae253a492d8b1f51

      SHA512

      da583a7ff28f0aa65ac360e66717e7b53fe911cdabc592fde03e914b21cb18f703c45f3f59045f32af4f686bec841651849f97ddfd2e4155f1577b12b35f9c97

    • memory/1972-54-0x0000000075371000-0x0000000075373000-memory.dmp

      Filesize

      8KB

    • memory/1972-59-0x00000000004B0000-0x0000000000535000-memory.dmp

      Filesize

      532KB

    • memory/1972-55-0x0000000000400000-0x00000000004AD000-memory.dmp

      Filesize

      692KB

    • memory/2004-64-0x0000000000400000-0x00000000004AD000-memory.dmp

      Filesize

      692KB

    • memory/2004-68-0x0000000001EE0000-0x0000000001F65000-memory.dmp

      Filesize

      532KB