Analysis

  • max time kernel
    141s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-07-2022 20:22

General

  • Target

    5e68cae75960dba2cee2077ec2e574ffe14cd97349b41caf75287901c245c1f6.exe

  • Size

    424KB

  • MD5

    433ae2e449f0fa084f63bb9c636de14b

  • SHA1

    b4d47fc8a358ad0e36ce935b0bcdbf868f06a1d5

  • SHA256

    5e68cae75960dba2cee2077ec2e574ffe14cd97349b41caf75287901c245c1f6

  • SHA512

    ac2bd0e448398bc18ac61084d4d202847e09212edd859834acfa1c2f3c4ff151a1232a8f524fc3003274933ebb8802607232fbdbb91bab348467443f0766bc05

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3440072777-2118400376-1759599358-1000\_RECoVERY_+beewm.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES

How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://yyre45dbvn2nhbefbmh.begumvelic.at/B874A9D234B0E2E1
2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/B874A9D234B0E2E1
3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/B874A9D234B0E2E1
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/B874A9D234B0E2E1
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://yyre45dbvn2nhbefbmh.begumvelic.at/B874A9D234B0E2E1
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/B874A9D234B0E2E1
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/B874A9D234B0E2E1
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/B874A9D234B0E2E1

URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/B874A9D234B0E2E1

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/B874A9D234B0E2E1

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/B874A9D234B0E2E1

http://xlowfznrg4wf7dli.ONION/B874A9D234B0E2E1

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e68cae75960dba2cee2077ec2e574ffe14cd97349b41caf75287901c245c1f6.exe
    "C:\Users\Admin\AppData\Local\Temp\5e68cae75960dba2cee2077ec2e574ffe14cd97349b41caf75287901c245c1f6.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Windows\ixrminfgsjqv.exe
      C:\Windows\ixrminfgsjqv.exe
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops startup file
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1652
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1704
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1492
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1752
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1752 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1816
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:856
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\IXRMIN~1.EXE
        3⤵
        PID:1696
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\5E68CA~1.EXE
        2⤵
        • Deletes itself
        PID:1244
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1192
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:1096

Downloads

    • C:\Users\Admin\Desktop\RECOVERY.HTM

      Filesize

      11KB

      MD5

      60214557888f0e8aa436660dd425213b

      SHA1

      7351e1d3c22de86fee7ea34c95334abd8768f708

      SHA256

      896f3f41d3294a6e0f757bfac364032ec766f8b875188f0fb468d02019dbca1b

      SHA512

      cd1c4f97925e2a4788d99b5c4883a8d2c2d6859a3e87362f320947ba921f60f402b262490ae40af3fda312ec01d918b4173e43da694b7c7a1d336a838a6374a9

    • C:\Users\Admin\Desktop\RECOVERY.TXT

      Filesize

      1KB

      MD5

      0fd773e5023addd473e22b8a87f05e0b

      SHA1

      e0926d5c933265911e4099a30dfd27533016bc83

      SHA256

      c65333e458682075c603dc780ef223d0282e29f5d25d6a847682361e960f9070

      SHA512

      41118c51953e1f93efaf87ed60bb4feb7c58d47bb12fbe01ddb38052446e985d8a9e0fdbd0ef0c9665790b94e30b60cc823aa1792d94518fde6ed3ca115a7862

    • C:\Users\Admin\Desktop\RECOVERY.png

      Filesize

      63KB

      MD5

      1b7030f6924b6ba6178d5d87c2404eb3

      SHA1

      90fe53327d8b2ab4f8e3d019d381542e90e96f49

      SHA256

      00d87633c7eb45df0f8a58669fb139e141e364211b6658b8c8964c327fd3ad73

      SHA512

      1d6e78deddc6b50275e3c56303cdb70a9c2b22e10b8552c378ed3cd6581fc9a2d4f53ffaee832806ac77cbbba0e7a186d09efea308ed45755997198dc5085275

    • C:\Windows\ixrminfgsjqv.exe

      Filesize

      424KB

      MD5

      433ae2e449f0fa084f63bb9c636de14b

      SHA1

      b4d47fc8a358ad0e36ce935b0bcdbf868f06a1d5

      SHA256

      5e68cae75960dba2cee2077ec2e574ffe14cd97349b41caf75287901c245c1f6

      SHA512

      ac2bd0e448398bc18ac61084d4d202847e09212edd859834acfa1c2f3c4ff151a1232a8f524fc3003274933ebb8802607232fbdbb91bab348467443f0766bc05

    • memory/1088-54-0x0000000076231000-0x0000000076233000-memory.dmp

      Filesize

      8KB

    • memory/1088-59-0x0000000001D50000-0x0000000001DD5000-memory.dmp

      Filesize

      532KB

    • memory/1088-55-0x0000000000400000-0x00000000004AE000-memory.dmp

      Filesize

      696KB

    • memory/1652-64-0x0000000000400000-0x00000000004AE000-memory.dmp

      Filesize

      696KB

    • memory/1652-68-0x0000000000520000-0x00000000005A5000-memory.dmp

      Filesize

      532KB