Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-07-2022 16:51

General

  • Target

    5529c2820a626ba0a3a9fcf82cc53e12bbe21de3c0c11e3f775a0ecfa12eeaca.exe

  • Size

    368KB

  • MD5

    742b46e5aca6f3b85a306d955ec82903

  • SHA1

    48727b21b0ece46fb80b450a586cdc38fb8e9830

  • SHA256

    5529c2820a626ba0a3a9fcf82cc53e12bbe21de3c0c11e3f775a0ecfa12eeaca

  • SHA512

    35f6137018d5a5133b41875ea6e4d6707c8f41fcd4897467335db4aa290cd1573e587e79d6a399878591dbc91cdc0d5a51493725732641a30dff464c0bf50761

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3440072777-2118400376-1759599358-1000\_RECoVERY_+iusld.txt

Family

teslacrypt

Ransom Note
    NOT YOUR LANGUAGE? USE https://translate.google.com
    What happened to your files ?
    All of your files were protected by a strong encryption with AES
    More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES
    How did this happen ?
    !!! Specially for your PC was generated personal AES KEY, both public and private.
    !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
    !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
    What do I do ?
    So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
    If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
    For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
    1. http://yyre45dbvn2nhbefbmh.begumvelic.at/582E911F7CBE5A83
    2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/582E911F7CBE5A83
    3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/582E911F7CBE5A83
    If for some reasons the addresses are not available, follow these steps:
    1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
    2. After a successful installation, run the browser
    3. Type in the address bar: xlowfznrg4wf7dli.onion/582E911F7CBE5A83
    4. Follow the instructions on the site.
    ---------------- IMPORTANT INFORMATION------------------------
    *-*-* Your personal pages:
    http://yyre45dbvn2nhbefbmh.begumvelic.at/582E911F7CBE5A83
    http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/582E911F7CBE5A83
    http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/582E911F7CBE5A83
    *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/582E911F7CBE5A83
URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/582E911F7CBE5A83

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/582E911F7CBE5A83

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/582E911F7CBE5A83

http://xlowfznrg4wf7dli.ONION/582E911F7CBE5A83

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5529c2820a626ba0a3a9fcf82cc53e12bbe21de3c0c11e3f775a0ecfa12eeaca.exe
    "C:\Users\Admin\AppData\Local\Temp\5529c2820a626ba0a3a9fcf82cc53e12bbe21de3c0c11e3f775a0ecfa12eeaca.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\rojragksalpy.exe
      C:\Windows\rojragksalpy.exe
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops startup file
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:552
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1660
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1064
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1164
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1832
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1568
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\ROJRAG~1.EXE
        3⤵
          PID:1132
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\5529C2~1.EXE
        2⤵
        • Deletes itself
        PID:1264
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1872
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:752

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\Desktop\RECOVERY.HTM

      Filesize

      9KB

      MD5

      5f05d274936bf5add006a118aef0a648

      SHA1

      ab5f533ba0fc047a1fdeb200bfb38ec6c376ca6a

      SHA256

      2dd6b163139dc2bd05e354dafee161b61ee40f889a39e8b3f8fcf7c31f20cbe4

      SHA512

      4a433fa5795320686e1302ffe7a7c45445b36b303c1b19d71ebc63ca543ba17c234c357d32d57c18b85f62a91b4dce3896a6b2b7f1dae00052f73803be8fcbd6

    • C:\Users\Admin\Desktop\RECOVERY.TXT

      Filesize

      1KB

      MD5

      e03423cc369da78fbc9f3f034768d222

      SHA1

      27df633539714165965ae6e9c9639bdc4d34cca7

      SHA256

      1c73e70ff402092ca8661da7cc995401ec98662cbc24d1743d378b0460091f92

      SHA512

      b0ee75bf0274f6407ae792e646295e259067c6eb465ae199cc46e79af78d4573e598d201ce4c3f517237af868c7d394863945a166335bdce2f9bef0dd8bcde4a

    • C:\Users\Admin\Desktop\RECOVERY.png

      Filesize

      63KB

      MD5

      69e088f2d17aab2d5ba28359adbab2e3

      SHA1

      ed98535aa15b49fe32e3afbca927122e5486fd97

      SHA256

      ed5ea9d049d0ed9647bad8ac1d646c9634716d9454b2eb8c11ebb520d28c124b

      SHA512

      afdae2aaf7c14102a26556b3aaaa9a93ea6f7015f7a60c3186954bf65c7abb1bfdedba2ef1961467da1a78a23fdce92c223fa53362f5fb97f662d6154e7cbda3

    • C:\Windows\rojragksalpy.exe

      Filesize

      368KB

      MD5

      742b46e5aca6f3b85a306d955ec82903

      SHA1

      48727b21b0ece46fb80b450a586cdc38fb8e9830

      SHA256

      5529c2820a626ba0a3a9fcf82cc53e12bbe21de3c0c11e3f775a0ecfa12eeaca

      SHA512

      35f6137018d5a5133b41875ea6e4d6707c8f41fcd4897467335db4aa290cd1573e587e79d6a399878591dbc91cdc0d5a51493725732641a30dff464c0bf50761

    • memory/552-64-0x0000000000400000-0x00000000004A1000-memory.dmp

      Filesize

      644KB

    • memory/552-68-0x00000000004B0000-0x0000000000536000-memory.dmp

      Filesize

      536KB

    • memory/552-60-0x0000000000000000-mapping.dmp

    • memory/1064-71-0x0000000000000000-mapping.dmp

    • memory/1132-78-0x0000000000000000-mapping.dmp

    • memory/1264-63-0x0000000000000000-mapping.dmp

    • memory/1568-75-0x0000000000000000-mapping.dmp

    • memory/1660-70-0x0000000000000000-mapping.dmp

    • memory/2024-54-0x00000000765D1000-0x00000000765D3000-memory.dmp

      Filesize

      8KB

    • memory/2024-59-0x0000000001E30000-0x0000000001EB6000-memory.dmp

      Filesize

      536KB

    • memory/2024-55-0x0000000000400000-0x00000000004A1000-memory.dmp

      Filesize

      644KB