Analysis
-
max time kernel
16s -
max time network
21s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
22-10-2022 05:32
Static task
static1
Behavioral task
behavioral1
Sample
583431576fc175e19758774ec8b2893431aafe9a58c025406f22281b60f1aef0.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
583431576fc175e19758774ec8b2893431aafe9a58c025406f22281b60f1aef0.exe
Resource
win10v2004-20220812-en
General
-
Target
583431576fc175e19758774ec8b2893431aafe9a58c025406f22281b60f1aef0.exe
-
Size
424KB
-
MD5
c6665caa8d5455b1643bc72fe55b0ade
-
SHA1
eac5cb2ca1661c2f282393d0cdc52d8bfc1dea42
-
SHA256
583431576fc175e19758774ec8b2893431aafe9a58c025406f22281b60f1aef0
-
SHA512
921412255db2b5b5a076f773468f63c56411f06bb249121160e8695ea9bbc75714e2034a14d79275cb024d18708f7ebf5aad69d780b831384d2cb603fed7255c
-
SSDEEP
12288:eL2WjWgDhrhjxaRaDz7z4HMLzskGWoXblCJxfS6:eDXpVx7f7dLoMorOR1
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\_RECoVERY_+wfjdo.txt
teslacrypt
http://yyre45dbvn2nhbefbmh.begumvelic.at/2781496C72F8D7FF
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/2781496C72F8D7FF
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/2781496C72F8D7FF
http://xlowfznrg4wf7dli.ONION/2781496C72F8D7FF
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
pid Process 4932 dvievtcblpfs.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation 583431576fc175e19758774ec8b2893431aafe9a58c025406f22281b60f1aef0.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation dvievtcblpfs.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run dvievtcblpfs.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\udfvfesckpxb = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\dvievtcblpfs.exe\"" dvievtcblpfs.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\Lang\an.txt dvievtcblpfs.exe File opened for modification C:\Program Files\7-Zip\History.txt dvievtcblpfs.exe File opened for modification C:\Program Files\7-Zip\Lang\af.txt dvievtcblpfs.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\dvievtcblpfs.exe 583431576fc175e19758774ec8b2893431aafe9a58c025406f22281b60f1aef0.exe File opened for modification C:\Windows\dvievtcblpfs.exe 583431576fc175e19758774ec8b2893431aafe9a58c025406f22281b60f1aef0.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 4932 dvievtcblpfs.exe 4932 dvievtcblpfs.exe 4932 dvievtcblpfs.exe 4932 dvievtcblpfs.exe 4932 dvievtcblpfs.exe 4932 dvievtcblpfs.exe 4932 dvievtcblpfs.exe 4932 dvievtcblpfs.exe 4932 dvievtcblpfs.exe 4932 dvievtcblpfs.exe 4932 dvievtcblpfs.exe 4932 dvievtcblpfs.exe 4932 dvievtcblpfs.exe 4932 dvievtcblpfs.exe 4932 dvievtcblpfs.exe 4932 dvievtcblpfs.exe 4932 dvievtcblpfs.exe 4932 dvievtcblpfs.exe 4932 dvievtcblpfs.exe 4932 dvievtcblpfs.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
description pid Process Token: SeDebugPrivilege 1044 583431576fc175e19758774ec8b2893431aafe9a58c025406f22281b60f1aef0.exe Token: SeDebugPrivilege 4932 dvievtcblpfs.exe Token: SeIncreaseQuotaPrivilege 2084 WMIC.exe Token: SeSecurityPrivilege 2084 WMIC.exe Token: SeTakeOwnershipPrivilege 2084 WMIC.exe Token: SeLoadDriverPrivilege 2084 WMIC.exe Token: SeSystemProfilePrivilege 2084 WMIC.exe Token: SeSystemtimePrivilege 2084 WMIC.exe Token: SeProfSingleProcessPrivilege 2084 WMIC.exe Token: SeIncBasePriorityPrivilege 2084 WMIC.exe Token: SeCreatePagefilePrivilege 2084 WMIC.exe Token: SeBackupPrivilege 2084 WMIC.exe Token: SeRestorePrivilege 2084 WMIC.exe Token: SeShutdownPrivilege 2084 WMIC.exe Token: SeDebugPrivilege 2084 WMIC.exe Token: SeSystemEnvironmentPrivilege 2084 WMIC.exe Token: SeRemoteShutdownPrivilege 2084 WMIC.exe Token: SeUndockPrivilege 2084 WMIC.exe Token: SeManageVolumePrivilege 2084 WMIC.exe Token: 33 2084 WMIC.exe Token: 34 2084 WMIC.exe Token: 35 2084 WMIC.exe Token: 36 2084 WMIC.exe Token: SeIncreaseQuotaPrivilege 2084 WMIC.exe Token: SeSecurityPrivilege 2084 WMIC.exe Token: SeTakeOwnershipPrivilege 2084 WMIC.exe Token: SeLoadDriverPrivilege 2084 WMIC.exe Token: SeSystemProfilePrivilege 2084 WMIC.exe Token: SeSystemtimePrivilege 2084 WMIC.exe Token: SeProfSingleProcessPrivilege 2084 WMIC.exe Token: SeIncBasePriorityPrivilege 2084 WMIC.exe Token: SeCreatePagefilePrivilege 2084 WMIC.exe Token: SeBackupPrivilege 2084 WMIC.exe Token: SeRestorePrivilege 2084 WMIC.exe Token: SeShutdownPrivilege 2084 WMIC.exe Token: SeDebugPrivilege 2084 WMIC.exe Token: SeSystemEnvironmentPrivilege 2084 WMIC.exe Token: SeRemoteShutdownPrivilege 2084 WMIC.exe Token: SeUndockPrivilege 2084 WMIC.exe Token: SeManageVolumePrivilege 2084 WMIC.exe Token: 33 2084 WMIC.exe Token: 34 2084 WMIC.exe Token: 35 2084 WMIC.exe Token: 36 2084 WMIC.exe Token: SeBackupPrivilege 4684 vssvc.exe Token: SeRestorePrivilege 4684 vssvc.exe Token: SeAuditPrivilege 4684 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1044 wrote to memory of 4932 1044 583431576fc175e19758774ec8b2893431aafe9a58c025406f22281b60f1aef0.exe 82 PID 1044 wrote to memory of 4932 1044 583431576fc175e19758774ec8b2893431aafe9a58c025406f22281b60f1aef0.exe 82 PID 1044 wrote to memory of 4932 1044 583431576fc175e19758774ec8b2893431aafe9a58c025406f22281b60f1aef0.exe 82 PID 1044 wrote to memory of 4196 1044 583431576fc175e19758774ec8b2893431aafe9a58c025406f22281b60f1aef0.exe 83 PID 1044 wrote to memory of 4196 1044 583431576fc175e19758774ec8b2893431aafe9a58c025406f22281b60f1aef0.exe 83 PID 1044 wrote to memory of 4196 1044 583431576fc175e19758774ec8b2893431aafe9a58c025406f22281b60f1aef0.exe 83 PID 4932 wrote to memory of 2084 4932 dvievtcblpfs.exe 85 PID 4932 wrote to memory of 2084 4932 dvievtcblpfs.exe 85 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System dvievtcblpfs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" dvievtcblpfs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\583431576fc175e19758774ec8b2893431aafe9a58c025406f22281b60f1aef0.exe"C:\Users\Admin\AppData\Local\Temp\583431576fc175e19758774ec8b2893431aafe9a58c025406f22281b60f1aef0.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\dvievtcblpfs.exeC:\Windows\dvievtcblpfs.exe2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4932 -
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2084
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\583431~1.EXE2⤵PID:4196
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4684
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
424KB
MD5c6665caa8d5455b1643bc72fe55b0ade
SHA1eac5cb2ca1661c2f282393d0cdc52d8bfc1dea42
SHA256583431576fc175e19758774ec8b2893431aafe9a58c025406f22281b60f1aef0
SHA512921412255db2b5b5a076f773468f63c56411f06bb249121160e8695ea9bbc75714e2034a14d79275cb024d18708f7ebf5aad69d780b831384d2cb603fed7255c
-
Filesize
424KB
MD5c6665caa8d5455b1643bc72fe55b0ade
SHA1eac5cb2ca1661c2f282393d0cdc52d8bfc1dea42
SHA256583431576fc175e19758774ec8b2893431aafe9a58c025406f22281b60f1aef0
SHA512921412255db2b5b5a076f773468f63c56411f06bb249121160e8695ea9bbc75714e2034a14d79275cb024d18708f7ebf5aad69d780b831384d2cb603fed7255c