Analysis
-
max time kernel
10s -
max time network
14s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system -
submitted
22-10-2022 05:17
Static task
static1
Behavioral task
behavioral1
Sample
35083ac0008be7cd718b766f9e83a44e3beb46ba37a3e9aea287f6c8f990c2b7.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
35083ac0008be7cd718b766f9e83a44e3beb46ba37a3e9aea287f6c8f990c2b7.exe
Resource
win10v2004-20220901-en
General
-
Target
35083ac0008be7cd718b766f9e83a44e3beb46ba37a3e9aea287f6c8f990c2b7.exe
-
Size
424KB
-
MD5
d84846d8ca422c135d1cc96b16b233a2
-
SHA1
627917b87c496908c478d9863aa6cf97a181af0c
-
SHA256
35083ac0008be7cd718b766f9e83a44e3beb46ba37a3e9aea287f6c8f990c2b7
-
SHA512
e178c6c6bea695e0d8654b4eb75c4494babdce64b62b86ff9dcd6554f786c90fed9a5720128eaffe69208097e4435baca0323551c109bc9eb65df9d5f57f76c7
-
SSDEEP
12288:TmJqaEwQLysD/XDz3qzRdW1DzHpblCJxfS6:TgMLyWDbkElOR1
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\_RECoVERY_+rxcog.txt
teslacrypt
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/E7B7FAE1E74F7DA9
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/E7B7FAE1E74F7DA9
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/E7B7FAE1E74F7DA9
http://xlowfznrg4wf7dli.ONION/E7B7FAE1E74F7DA9
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
pid Process 2288 qnhqdiqjkxaw.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 35083ac0008be7cd718b766f9e83a44e3beb46ba37a3e9aea287f6c8f990c2b7.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | qnhqdiqjkxaw.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run | qnhqdiqjkxaw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qjxccexvpnrg = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\qnhqdiqjkxaw.exe\"" | qnhqdiqjkxaw.exe
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\qnhqdiqjkxaw.exe | 35083ac0008be7cd718b766f9e83a44e3beb46ba37a3e9aea287f6c8f990c2b7.exe
File opened for modification | C:\Windows\qnhqdiqjkxaw.exe | 35083ac0008be7cd718b766f9e83a44e3beb46ba37a3e9aea287f6c8f990c2b7.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 46 IoCs
pid Process 2288 qnhqdiqjkxaw.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3444 | 35083ac0008be7cd718b766f9e83a44e3beb46ba37a3e9aea287f6c8f990c2b7.exe
Token: SeDebugPrivilege | 2288 | qnhqdiqjkxaw.exe
Token: SeIncreaseQuotaPrivilege | 3596 | WMIC.exe
Token: SeSecurityPrivilege | 3596 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3596 | WMIC.exe
Token: SeLoadDriverPrivilege | 3596 | WMIC.exe
Token: SeSystemProfilePrivilege | 3596 | WMIC.exe
Token: SeSystemtimePrivilege | 3596 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3596 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3596 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3596 | WMIC.exe
Token: SeBackupPrivilege | 3596 | WMIC.exe
Token: SeRestorePrivilege | 3596 | WMIC.exe
Token: SeShutdownPrivilege | 3596 | WMIC.exe
Token: SeDebugPrivilege | 3596 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3596 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3596 | WMIC.exe
Token: SeUndockPrivilege | 3596 | WMIC.exe
Token: SeManageVolumePrivilege | 3596 | WMIC.exe
Token: 33 | 3596 | WMIC.exe
Token: 34 | 3596 | WMIC.exe
Token: 35 | 3596 | WMIC.exe
Token: 36 | 3596 | WMIC.exe
Token: SeBackupPrivilege | 3600 | vssvc.exe
Token: SeRestorePrivilege | 3600 | vssvc.exe
Token: SeAuditPrivilege | 3600 | vssvc.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 3444 wrote to memory of 2288 | 3444 | 35083ac0008be7cd718b766f9e83a44e3beb46ba37a3e9aea287f6c8f990c2b7.exe | 82
PID 3444 wrote to memory of 1100 | 3444 | 35083ac0008be7cd718b766f9e83a44e3beb46ba37a3e9aea287f6c8f990c2b7.exe | 83
PID 2288 wrote to memory of 3596 | 2288 | qnhqdiqjkxaw.exe | 85
-
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qnhqdiqjkxaw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | qnhqdiqjkxaw.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\35083ac0008be7cd718b766f9e83a44e3beb46ba37a3e9aea287f6c8f990c2b7.exe "C:\Users\Admin\AppData\Local\Temp\35083ac0008be7cd718b766f9e83a44e3beb46ba37a3e9aea287f6c8f990c2b7.exe" 1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\qnhqdiqjkxaw.exe C:\Windows\qnhqdiqjkxaw.exe 2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2288 -
C:\Windows\System32\wbem\WMIC.exe "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive 3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3596
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\35083A~1.EXE 2⤵ PID:1100
-
-
C:\Windows\system32\vssvc.exe C:\Windows\system32\vssvc.exe 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3600
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
424KB
MD5 d84846d8ca422c135d1cc96b16b233a2
SHA1 627917b87c496908c478d9863aa6cf97a181af0c
SHA256 35083ac0008be7cd718b766f9e83a44e3beb46ba37a3e9aea287f6c8f990c2b7
SHA512 e178c6c6bea695e0d8654b4eb75c4494babdce64b62b86ff9dcd6554f786c90fed9a5720128eaffe69208097e4435baca0323551c109bc9eb65df9d5f57f76c7