Analysis
max time kernel: 17s
max time network: 28s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
submitted: 22-10-2022 05:20
Static task
static1
Behavioral task
behavioral1
Sample
3a417657bd1cbf0989c45b86f9c21b839e396ce7766771bedc4b77b83ecd313f.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
3a417657bd1cbf0989c45b86f9c21b839e396ce7766771bedc4b77b83ecd313f.exe
Resource
win10v2004-20220901-en
General
Target: 3a417657bd1cbf0989c45b86f9c21b839e396ce7766771bedc4b77b83ecd313f.exe
Size: 352KB
MD5: 19f576ab9aac3ea1285e1670b1e3b2b1
SHA1: dc54ed445f74b2a40c2abb4c8d6d6aeef56aeb3b
SHA256: 3a417657bd1cbf0989c45b86f9c21b839e396ce7766771bedc4b77b83ecd313f
SHA512: 14095ad6edb0afd32c26a7f72404232e75c48afaecefb7507d0567479c67f4fc6c74a9a4d31827faf83c4b5968ae69e7bb0c6effe263779c13b630b4caf89edd
SSDEEP: 6144:tWi+KRsvG89EXczNPhONmTnzcRhjgdJyTyT9tgfuKKeK8dGyvF:tEKb8NPENmjgRhjWJyTyBtgGT6Rv
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\_ReCoVeRy_+tdrtx.txt
teslacrypt
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/723BA5C86EF0E8
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/723BA5C86EF0E8
http://yyre45dbvn2nhbefbmh.begumvelic.at/723BA5C86EF0E8
http://xlowfznrg4wf7dli.ONION/723BA5C86EF0E8
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
pid | Process
4752 | orfknrcjkwgv.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 3a417657bd1cbf0989c45b86f9c21b839e396ce7766771bedc4b77b83ecd313f.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | orfknrcjkwgv.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\djivrlh = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\orfknrcjkwgv.exe" | orfknrcjkwgv.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\WINDOWS\CurrentVersion\RUN | orfknrcjkwgv.exe
-
Drops file in Program Files directory 13 IoCs
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\orfknrcjkwgv.exe | 3a417657bd1cbf0989c45b86f9c21b839e396ce7766771bedc4b77b83ecd313f.exe
File opened for modification | C:\Windows\orfknrcjkwgv.exe | 3a417657bd1cbf0989c45b86f9c21b839e396ce7766771bedc4b77b83ecd313f.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2820 wrote to memory of 4752 | 2820 | 3a417657bd1cbf0989c45b86f9c21b839e396ce7766771bedc4b77b83ecd313f.exe | 83
PID 2820 wrote to memory of 4752 | 2820 | 3a417657bd1cbf0989c45b86f9c21b839e396ce7766771bedc4b77b83ecd313f.exe | 83
PID 2820 wrote to memory of 4752 | 2820 | 3a417657bd1cbf0989c45b86f9c21b839e396ce7766771bedc4b77b83ecd313f.exe | 83
PID 2820 wrote to memory of 4404 | 2820 | 3a417657bd1cbf0989c45b86f9c21b839e396ce7766771bedc4b77b83ecd313f.exe | 84
PID 2820 wrote to memory of 4404 | 2820 | 3a417657bd1cbf0989c45b86f9c21b839e396ce7766771bedc4b77b83ecd313f.exe | 84
PID 2820 wrote to memory of 4404 | 2820 | 3a417657bd1cbf0989c45b86f9c21b839e396ce7766771bedc4b77b83ecd313f.exe | 84
PID 4752 wrote to memory of 2796 | 4752 | orfknrcjkwgv.exe | 89
PID 4752 wrote to memory of 2796 | 4752 | orfknrcjkwgv.exe | 89
-
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | orfknrcjkwgv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | orfknrcjkwgv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a417657bd1cbf0989c45b86f9c21b839e396ce7766771bedc4b77b83ecd313f.exe | "C:\Users\Admin\AppData\Local\Temp\3a417657bd1cbf0989c45b86f9c21b839e396ce7766771bedc4b77b83ecd313f.exe" | PID 2820
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
    C:\Windows\orfknrcjkwgv.exe | C:\Windows\orfknrcjkwgv.exe | PID 4752
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
        C:\Windows\System32\wbem\WMIC.exe | "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive | PID 2796
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3A4176~1.EXE | PID 4404
C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | PID 2480
- Suspicious use of AdjustPrivilegeToken
Downloads
Filesize: 352KB
MD5: 19f576ab9aac3ea1285e1670b1e3b2b1
SHA1: dc54ed445f74b2a40c2abb4c8d6d6aeef56aeb3b
SHA256: 3a417657bd1cbf0989c45b86f9c21b839e396ce7766771bedc4b77b83ecd313f
SHA512: 14095ad6edb0afd32c26a7f72404232e75c48afaecefb7507d0567479c67f4fc6c74a9a4d31827faf83c4b5968ae69e7bb0c6effe263779c13b630b4caf89edd