Overview

overview

10

Static

static

59f3d25993...e7.exe

windows7-x64

10

59f3d25993...e7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    24-07-2022 02:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    59f3d25993b1678406b72625c721ace54355ecf73181cd7a69a5f255141ef1e7.exe

  • Size

    328KB

  • MD5

    5af091523bc0899413a7b601ee2b2abb

  • SHA1

    ea2ee777b59f0bc17dfd319ce609616cb47ddd01

  • SHA256

    59f3d25993b1678406b72625c721ace54355ecf73181cd7a69a5f255141ef1e7

  • SHA512

    d37ec05ca494493c78b7a28174f0ac541b4bc69d54a330a36828be69f773b4cdf1bc70935c2e7399999efd096cb283768d8e7c44b550003bc4603d02e16fde64

Score
10/10
teslacryptpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3440072777-2118400376-1759599358-1000\Recovery+oasli.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6468D4AADBD77D91 2. http://kkd47eh4hdjshb5t.angortra.at/6468D4AADBD77D91 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/6468D4AADBD77D91 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/6468D4AADBD77D91 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6468D4AADBD77D91 http://kkd47eh4hdjshb5t.angortra.at/6468D4AADBD77D91 http://ytrest84y5i456hghadefdsd.pontogrot.com/6468D4AADBD77D91 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/6468D4AADBD77D91
URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6468D4AADBD77D91

http://kkd47eh4hdjshb5t.angortra.at/6468D4AADBD77D91

http://ytrest84y5i456hghadefdsd.pontogrot.com/6468D4AADBD77D91

http://xlowfznrg4wf7dli.ONION/6468D4AADBD77D91

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

    ransomwareteslacrypt
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
    adwarespyware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\59f3d25993b1678406b72625c721ace54355ecf73181cd7a69a5f255141ef1e7.exe
    "C:\Users\Admin\AppData\Local\Temp\59f3d25993b1678406b72625c721ace54355ecf73181cd7a69a5f255141ef1e7.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\gnabnmnyjxga.exe
      C:\Windows\gnabnmnyjxga.exe
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops startup file
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1176
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1724
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1980
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1628 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1064
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1600
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\59F3D2~1.EXE
      2⤵
      • Deletes itself
      PID:1004
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1288

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Desktop\RECOVERY.HTM
    Filesize

    7KB

    MD5

    3689dcc26ff17031a0f77d3bfe7e2522

    SHA1

    41edd958c38530f60fb529d19a10b013f1ca4af1

    SHA256

    4a8b46f9b92b0eb07df8be6028064437f691df05f19bcf0bf291f1a550518c33

    SHA512

    a3fcfa37f755bbf836181b7bf19675ab4d0ce2fbb438581ee02e9a030b1c9770f3b8bcc9978eef6750b0f411cdc8145d48d562de5df0274f5c5fe6b5fc0957d4

    Download Submit

  • C:\Users\Admin\Desktop\RECOVERY.TXT
    Filesize

    1KB

    MD5

    424acf15847537d90c3cb9fcf18a53ca

    SHA1

    fd14ff8c2a476d969389cdfebf8724b62cc1240f

    SHA256

    f2e6150d84ef4529ecb833fe8bc20ff3e2375eaf231874b745d286f8014f21ac

    SHA512

    b8528104f01285d9f26443dd903d232e6fb1a3be17312d343a16f144ef86c2ddc266d051441d6aec5ea1079eeb68e03516b06ed637cab968af9a150d67d65178

    Download Submit

  • C:\Users\Admin\Desktop\RECOVERY.png
    Filesize

    63KB

    MD5

    6d949e346e7258b4f5f4dab1d4f640c5

    SHA1

    fd4df50ebe0e441d47fb8f379f8f3fefe7ff209a

    SHA256

    a752a8662cd9ee4590fe21b7f8b5506b1f89b8b99abe6e2e525551a10aa0cefa

    SHA512

    5098f05c17e698c2c43eb90dede3ebd704f23e2db6e9034ce3707ba090789db8f7fcfb4da0b1f0c935efe6d77f9014f114e5b622705c95166a7a0ce8ea014779

    Download Submit

  • C:\Windows\gnabnmnyjxga.exe
    Filesize

    328KB

    MD5

    5af091523bc0899413a7b601ee2b2abb

    SHA1

    ea2ee777b59f0bc17dfd319ce609616cb47ddd01

    SHA256

    59f3d25993b1678406b72625c721ace54355ecf73181cd7a69a5f255141ef1e7

    SHA512

    d37ec05ca494493c78b7a28174f0ac541b4bc69d54a330a36828be69f773b4cdf1bc70935c2e7399999efd096cb283768d8e7c44b550003bc4603d02e16fde64

    Download Submit

  • C:\Windows\gnabnmnyjxga.exe
    Filesize

    328KB

    MD5

    5af091523bc0899413a7b601ee2b2abb

    SHA1

    ea2ee777b59f0bc17dfd319ce609616cb47ddd01

    SHA256

    59f3d25993b1678406b72625c721ace54355ecf73181cd7a69a5f255141ef1e7

    SHA512

    d37ec05ca494493c78b7a28174f0ac541b4bc69d54a330a36828be69f773b4cdf1bc70935c2e7399999efd096cb283768d8e7c44b550003bc4603d02e16fde64

    Download Submit

  • memory/1064-55-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

    Download

  • memory/1064-59-0x0000000000350000-0x00000000003D5000-memory.dmp

    Filesize

    532KB

    Download

  • memory/1064-54-0x0000000076091000-0x0000000076093000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1176-68-0x0000000001C60000-0x0000000001CE5000-memory.dmp

    Filesize

    532KB

    Download