Analysis
- max time kernel: 79s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 05-10-2022 09:15
Behavioral tasks (task: sample, resource)
- behavioral1: TeleportUltraPortable/App/Teleport Ultra/manual.pdf, win7-20220812-en
- behavioral2: TeleportUltraPortable/App/Teleport Ultra/manual.pdf, win10v2004-20220812-en
- behavioral3: TeleportUltraPortable/App/Teleport Ultra/scheduler.exe, win7-20220812-en
- behavioral4: TeleportUltraPortable/App/Teleport Ultra/scheduler.exe, win10v2004-20220901-en
- behavioral5: TeleportUltraPortable/App/Teleport Ultra/ultra.exe, win7-20220812-en
- behavioral6: TeleportUltraPortable/App/Teleport Ultra/ultra.exe, win10v2004-20220812-en
- behavioral7: TeleportUltraPortable/TeleportUltraPortable.exe, win7-20220901-en
- behavioral8: TeleportUltraPortable/TeleportUltraPortable.exe, win10v2004-20220812-en
General
- Target: TeleportUltraPortable/TeleportUltraPortable.exe
- Size: 96KB
- MD5: 3d1b86d1f80616df78a68a95eccb6876
- SHA1: 40ed9ad9e3d48e5bb507ba01875b37121b52f90d
- SHA256: 8bf5dd090561f0d5c293bc630066d8d37cacec6d16e288b92dfdd2496b61b51d
- SHA512: f3bbeddb0bcb4cb6f1ab6fbbb4256e84a05c35b1435c7f2ff7c8b144e62cf9696ee24725a362079797fcc726afa3057459d9214407a085231bc3a49cc774799d
- SSDEEP: 1536:1VdePelp2Xy+tuQOzOYE5aXPnh8IqQF8gDe/fYJfvHfAkQHCxn:OweqOYEUXPnhhqc6XCvhQHCxn
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  1696 TeleportUltraPortable.exe
  1696 TeleportUltraPortable.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (10 IoCs)
  Processes (description, ioc, process):
  Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Once (ultra.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ultra.Document (ultra.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ultra.Document\shell (ultra.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.tpu\ = "ultra.Document" (ultra.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Once\Twice = "1664961316" (ultra.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\ultra.Document\ = "Teleport Ultra Project" (ultra.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ultra.Document\shell\open\command (ultra.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ultra.Document\shell\open (ultra.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\ultra.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TELEPO~1\\App\\TELEPO~1\\ultra.exe \"%1\"" (ultra.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.tpu (ultra.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid, process):
  1696 TeleportUltraPortable.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process):
  1680 ultra.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
  1680 ultra.exe
  1680 ultra.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
  PID 1696 wrote to memory of 1680: 1696 TeleportUltraPortable.exe -> ultra.exe
  PID 1696 wrote to memory of 1680: 1696 TeleportUltraPortable.exe -> ultra.exe
  PID 1696 wrote to memory of 1680: 1696 TeleportUltraPortable.exe -> ultra.exe
  PID 1696 wrote to memory of 1680: 1696 TeleportUltraPortable.exe -> ultra.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\TeleportUltraPortable\TeleportUltraPortable.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TeleportUltraPortable\TeleportUltraPortable.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\TeleportUltraPortable\App\Teleport Ultra\ultra.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TeleportUltraPortable\App\Teleport Ultra\ultra.exe"
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nso66A.tmp\FindProcDLL.dll
  Filesize: 27KB
  MD5: 6f73b00aef6c49eac62128ef3eca677e
  SHA1: 1b6aff67d570e5ee61af2376247590eb49b728a1
  SHA256: 6eb09ce25c7fc62e44dc2f71761c6d60dd4b2d0c7d15e9651980525103aac0a9
  SHA512: 678fc4bf7d345eeb99a3420ec7d0071eaba302845e93b48527d9a2a9c406709cc44ec74d6a889e25a8351a463803f8713a833df3a1707a5ad50db05240a32938
- \Users\Admin\AppData\Local\Temp\nso66A.tmp\registry.dll
  Filesize: 29KB
  MD5: 2880bf3bbbc8dcaeb4367df8a30f01a8
  SHA1: cb5c65eae4ae923514a67c95ada2d33b0c3f2118
  SHA256: acb79c55b3b9c460d032a6f3aaf6c642bf8c1d450e23279d091cc0c6ca510973
  SHA512: ca978702ce7aa04f8d9781a819a57974f9627e969138e23e81e0792ff8356037c300bb27a37a9b5c756220a7788a583c8e40cc23125bcbe48849561b159c4fa3
- memory/1680-57-0x0000000000000000-mapping.dmp
- memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp
  Filesize: 8KB