teslacrypt | 5df4db52ca894e079e4eac651ade8a58ee298e5759c5d0cfd190a9aa6cc9d7d0

General

Target

5df4db52ca894e079e4eac651ade8a58ee298e5759c5d0cfd190a9aa6cc9d7d0.exe
Size

252KB
MD5

40db84f7864d7d963420b832ae894873
SHA1

ecf5efe4bd6624cfde62500d9d2af95d00caca59
SHA256

5df4db52ca894e079e4eac651ade8a58ee298e5759c5d0cfd190a9aa6cc9d7d0
SHA512

2e18b2757ced8fcfc4ee8a6b5bab4bccfb81b07a0cd6ef3c4dcf31a1fc35accc1e66043387f32f0354481b4ea9a42d103d01d9fb4f1ca408d9ae794d9000f09a

Score

10^/10

teslacrypt persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-4084403625-2215941253-1760665084-1000\_RECOVERY_+hqpod.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6FB6F320F91A1021 2. http://tes543berda73i48fsdfsd.keratadze.at/6FB6F320F91A1021 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6FB6F320F91A1021 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/6FB6F320F91A1021 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6FB6F320F91A1021 http://tes543berda73i48fsdfsd.keratadze.at/6FB6F320F91A1021 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6FB6F320F91A1021 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/6FB6F320F91A1021

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6FB6F320F91A1021

http://tes543berda73i48fsdfsd.keratadze.at/6FB6F320F91A1021

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6FB6F320F91A1021

http://xlowfznrg4wf7dli.ONION/6FB6F320F91A1021

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

puqsofylaujk.exe

pid process

1988 puqsofylaujk.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

940 cmd.exe

pid	process
940	cmd.exe

Drops startup file 3 IoCs

Processes:

puqsofylaujk.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+hqpod.html	puqsofylaujk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+hqpod.png	puqsofylaujk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+hqpod.txt	puqsofylaujk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

puqsofylaujk.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run	puqsofylaujk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\jvetksitqiel = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\puqsofylaujk.exe\""	puqsofylaujk.exe

Drops file in Program Files directory 64 IoCs

Processes:

puqsofylaujk.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Media Player\en-US\_RECOVERY_+hqpod.txt	puqsofylaujk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogo.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\_RECOVERY_+hqpod.html	puqsofylaujk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\_RECOVERY_+hqpod.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_RECOVERY_+hqpod.txt	puqsofylaujk.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\it-IT\_RECOVERY_+hqpod.html	puqsofylaujk.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\it-IT\_RECOVERY_+hqpod.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\_RECOVERY_+hqpod.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\_RECOVERY_+hqpod.html	puqsofylaujk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\ja-JP\_RECOVERY_+hqpod.txt	puqsofylaujk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-horizontal.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_RECOVERY_+hqpod.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\background.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\ChessMCE.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\settings.js	puqsofylaujk.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\_RECOVERY_+hqpod.txt	puqsofylaujk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_RECOVERY_+hqpod.txt	puqsofylaujk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sv.pak	puqsofylaujk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt	puqsofylaujk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\cpu.js	puqsofylaujk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	puqsofylaujk.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\_RECOVERY_+hqpod.txt	puqsofylaujk.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\_RECOVERY_+hqpod.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\en-US\_RECOVERY_+hqpod.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\_RECOVERY_+hqpod.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\Java\jre7\_RECOVERY_+hqpod.html	puqsofylaujk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\_RECOVERY_+hqpod.html	puqsofylaujk.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\_RECOVERY_+hqpod.txt	puqsofylaujk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\_RECOVERY_+hqpod.txt	puqsofylaujk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_RECOVERY_+hqpod.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_m.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\cpu.css	puqsofylaujk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_RECOVERY_+hqpod.txt	puqsofylaujk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\localizedStrings.js	puqsofylaujk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_RECOVERY_+hqpod.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\greenStateIcon.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\_RECOVERY_+hqpod.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\en-US\_RECOVERY_+hqpod.txt	puqsofylaujk.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\_RECOVERY_+hqpod.html	puqsofylaujk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\_RECOVERY_+hqpod.html	puqsofylaujk.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\_RECOVERY_+hqpod.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_RECOVERY_+hqpod.txt	puqsofylaujk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\_RECOVERY_+hqpod.html	puqsofylaujk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\settings.css	puqsofylaujk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\picturePuzzle.js	puqsofylaujk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_right.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	puqsofylaujk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\nl.pak	puqsofylaujk.exe
File opened for modification	C:\Program Files\Java\jre7\lib\applet\_RECOVERY_+hqpod.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js	puqsofylaujk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\_RECOVERY_+hqpod.html	puqsofylaujk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\_RECOVERY_+hqpod.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt	puqsofylaujk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_RECOVERY_+hqpod.html	puqsofylaujk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\RSSFeeds.css	puqsofylaujk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_few-showers.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png	puqsofylaujk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_disabled.png	puqsofylaujk.exe

Drops file in Windows directory 2 IoCs

Processes:

5df4db52ca894e079e4eac651ade8a58ee298e5759c5d0cfd190a9aa6cc9d7d0.exe

description	ioc	process
File created	C:\Windows\puqsofylaujk.exe	5df4db52ca894e079e4eac651ade8a58ee298e5759c5d0cfd190a9aa6cc9d7d0.exe
File opened for modification	C:\Windows\puqsofylaujk.exe	5df4db52ca894e079e4eac651ade8a58ee298e5759c5d0cfd190a9aa6cc9d7d0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

puqsofylaujk.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	puqsofylaujk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	puqsofylaujk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	puqsofylaujk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	puqsofylaujk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	puqsofylaujk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	puqsofylaujk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

puqsofylaujk.exe

pid	process
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe
1988	puqsofylaujk.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

5df4db52ca894e079e4eac651ade8a58ee298e5759c5d0cfd190a9aa6cc9d7d0.exepuqsofylaujk.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1144	5df4db52ca894e079e4eac651ade8a58ee298e5759c5d0cfd190a9aa6cc9d7d0.exe
Token: SeDebugPrivilege	1988	puqsofylaujk.exe
Token: SeIncreaseQuotaPrivilege	788	WMIC.exe
Token: SeSecurityPrivilege	788	WMIC.exe
Token: SeTakeOwnershipPrivilege	788	WMIC.exe
Token: SeLoadDriverPrivilege	788	WMIC.exe
Token: SeSystemProfilePrivilege	788	WMIC.exe
Token: SeSystemtimePrivilege	788	WMIC.exe
Token: SeProfSingleProcessPrivilege	788	WMIC.exe
Token: SeIncBasePriorityPrivilege	788	WMIC.exe
Token: SeCreatePagefilePrivilege	788	WMIC.exe
Token: SeBackupPrivilege	788	WMIC.exe
Token: SeRestorePrivilege	788	WMIC.exe
Token: SeShutdownPrivilege	788	WMIC.exe
Token: SeDebugPrivilege	788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	788	WMIC.exe
Token: SeRemoteShutdownPrivilege	788	WMIC.exe
Token: SeUndockPrivilege	788	WMIC.exe
Token: SeManageVolumePrivilege	788	WMIC.exe
Token: 33	788	WMIC.exe
Token: 34	788	WMIC.exe
Token: 35	788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	788	WMIC.exe
Token: SeSecurityPrivilege	788	WMIC.exe
Token: SeTakeOwnershipPrivilege	788	WMIC.exe
Token: SeLoadDriverPrivilege	788	WMIC.exe
Token: SeSystemProfilePrivilege	788	WMIC.exe
Token: SeSystemtimePrivilege	788	WMIC.exe
Token: SeProfSingleProcessPrivilege	788	WMIC.exe
Token: SeIncBasePriorityPrivilege	788	WMIC.exe
Token: SeCreatePagefilePrivilege	788	WMIC.exe
Token: SeBackupPrivilege	788	WMIC.exe
Token: SeRestorePrivilege	788	WMIC.exe
Token: SeShutdownPrivilege	788	WMIC.exe
Token: SeDebugPrivilege	788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	788	WMIC.exe
Token: SeRemoteShutdownPrivilege	788	WMIC.exe
Token: SeUndockPrivilege	788	WMIC.exe
Token: SeManageVolumePrivilege	788	WMIC.exe
Token: 33	788	WMIC.exe
Token: 34	788	WMIC.exe
Token: 35	788	WMIC.exe
Token: SeBackupPrivilege	1668	vssvc.exe
Token: SeRestorePrivilege	1668	vssvc.exe
Token: SeAuditPrivilege	1668	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5df4db52ca894e079e4eac651ade8a58ee298e5759c5d0cfd190a9aa6cc9d7d0.exepuqsofylaujk.exe

description	pid	process	target process
PID 1144 wrote to memory of 1988	1144	5df4db52ca894e079e4eac651ade8a58ee298e5759c5d0cfd190a9aa6cc9d7d0.exe	puqsofylaujk.exe
PID 1144 wrote to memory of 1988	1144	5df4db52ca894e079e4eac651ade8a58ee298e5759c5d0cfd190a9aa6cc9d7d0.exe	puqsofylaujk.exe
PID 1144 wrote to memory of 1988	1144	5df4db52ca894e079e4eac651ade8a58ee298e5759c5d0cfd190a9aa6cc9d7d0.exe	puqsofylaujk.exe
PID 1144 wrote to memory of 1988	1144	5df4db52ca894e079e4eac651ade8a58ee298e5759c5d0cfd190a9aa6cc9d7d0.exe	puqsofylaujk.exe
PID 1144 wrote to memory of 940	1144	5df4db52ca894e079e4eac651ade8a58ee298e5759c5d0cfd190a9aa6cc9d7d0.exe	cmd.exe
PID 1144 wrote to memory of 940	1144	5df4db52ca894e079e4eac651ade8a58ee298e5759c5d0cfd190a9aa6cc9d7d0.exe	cmd.exe
PID 1144 wrote to memory of 940	1144	5df4db52ca894e079e4eac651ade8a58ee298e5759c5d0cfd190a9aa6cc9d7d0.exe	cmd.exe
PID 1144 wrote to memory of 940	1144	5df4db52ca894e079e4eac651ade8a58ee298e5759c5d0cfd190a9aa6cc9d7d0.exe	cmd.exe
PID 1988 wrote to memory of 788	1988	puqsofylaujk.exe	WMIC.exe
PID 1988 wrote to memory of 788	1988	puqsofylaujk.exe	WMIC.exe
PID 1988 wrote to memory of 788	1988	puqsofylaujk.exe	WMIC.exe
PID 1988 wrote to memory of 788	1988	puqsofylaujk.exe	WMIC.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

puqsofylaujk.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	puqsofylaujk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	puqsofylaujk.exe

C:\Users\Admin\AppData\Local\Temp\5df4db52ca894e079e4eac651ade8a58ee298e5759c5d0cfd190a9aa6cc9d7d0.exe
"C:\Users\Admin\AppData\Local\Temp\5df4db52ca894e079e4eac651ade8a58ee298e5759c5d0cfd190a9aa6cc9d7d0.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\puqsofylaujk.exe
  C:\Windows\puqsofylaujk.exe
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1988
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:788
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\5DF4DB~1.EXE
  2⤵
  - Deletes itself
  PID:940

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

1

T1107

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\puqsofylaujk.exe

Filesize
252KB

MD5
40db84f7864d7d963420b832ae894873

SHA1
ecf5efe4bd6624cfde62500d9d2af95d00caca59

SHA256
5df4db52ca894e079e4eac651ade8a58ee298e5759c5d0cfd190a9aa6cc9d7d0

SHA512
2e18b2757ced8fcfc4ee8a6b5bab4bccfb81b07a0cd6ef3c4dcf31a1fc35accc1e66043387f32f0354481b4ea9a42d103d01d9fb4f1ca408d9ae794d9000f09a

Download Submit
C:\Windows\puqsofylaujk.exe

Filesize
252KB

MD5
40db84f7864d7d963420b832ae894873

SHA1
ecf5efe4bd6624cfde62500d9d2af95d00caca59

SHA256
5df4db52ca894e079e4eac651ade8a58ee298e5759c5d0cfd190a9aa6cc9d7d0

SHA512
2e18b2757ced8fcfc4ee8a6b5bab4bccfb81b07a0cd6ef3c4dcf31a1fc35accc1e66043387f32f0354481b4ea9a42d103d01d9fb4f1ca408d9ae794d9000f09a

Download Submit
memory/788-65-0x0000000000000000-mapping.dmp

Download
memory/940-60-0x0000000000000000-mapping.dmp

Download
memory/1144-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download
memory/1144-55-0x0000000000320000-0x000000000034E000-memory.dmp

Filesize
184KB

Download
memory/1144-56-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1144-61-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1988-57-0x0000000000000000-mapping.dmp

Download
memory/1988-62-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1988-64-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads