Analysis

  • max time kernel
    79s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-10-2022 09:15

General

  • Target

    TeleportUltraPortable/TeleportUltraPortable.exe

  • Size

    96KB

  • MD5

    3d1b86d1f80616df78a68a95eccb6876

  • SHA1

    40ed9ad9e3d48e5bb507ba01875b37121b52f90d

  • SHA256

    8bf5dd090561f0d5c293bc630066d8d37cacec6d16e288b92dfdd2496b61b51d

  • SHA512

    f3bbeddb0bcb4cb6f1ab6fbbb4256e84a05c35b1435c7f2ff7c8b144e62cf9696ee24725a362079797fcc726afa3057459d9214407a085231bc3a49cc774799d

  • SSDEEP

    1536:1VdePelp2Xy+tuQOzOYE5aXPnh8IqQF8gDe/fYJfvHfAkQHCxn:OweqOYEUXPnhhqc6XCvhQHCxn

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TeleportUltraPortable\TeleportUltraPortable.exe
    "C:\Users\Admin\AppData\Local\Temp\TeleportUltraPortable\TeleportUltraPortable.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Users\Admin\AppData\Local\Temp\TeleportUltraPortable\App\Teleport Ultra\ultra.exe
      "C:\Users\Admin\AppData\Local\Temp\TeleportUltraPortable\App\Teleport Ultra\ultra.exe"
      2⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    System Information Discovery (T1082): 1

Downloads

  • \Users\Admin\AppData\Local\Temp\nso66A.tmp\FindProcDLL.dll
    Filesize

    27KB

    MD5

    6f73b00aef6c49eac62128ef3eca677e

    SHA1

    1b6aff67d570e5ee61af2376247590eb49b728a1

    SHA256

    6eb09ce25c7fc62e44dc2f71761c6d60dd4b2d0c7d15e9651980525103aac0a9

    SHA512

    678fc4bf7d345eeb99a3420ec7d0071eaba302845e93b48527d9a2a9c406709cc44ec74d6a889e25a8351a463803f8713a833df3a1707a5ad50db05240a32938

  • \Users\Admin\AppData\Local\Temp\nso66A.tmp\registry.dll
    Filesize

    29KB

    MD5

    2880bf3bbbc8dcaeb4367df8a30f01a8

    SHA1

    cb5c65eae4ae923514a67c95ada2d33b0c3f2118

    SHA256

    acb79c55b3b9c460d032a6f3aaf6c642bf8c1d450e23279d091cc0c6ca510973

    SHA512

    ca978702ce7aa04f8d9781a819a57974f9627e969138e23e81e0792ff8356037c300bb27a37a9b5c756220a7788a583c8e40cc23125bcbe48849561b159c4fa3

  • memory/1680-57-0x0000000000000000-mapping.dmp
  • memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp
    Filesize

    8KB