Analysis
Max time kernel: 10s
Max time network: 13s
Platform: windows10-2004_x64
Resource: win10v2004-20220901-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 22-10-2022 06:10

Static task: static1

Behavioral task: behavioral1
Sample: c25d9f0022af773f3be74d32ae7a5bd541441a698f1e52ec355468fe40ccecd3.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: c25d9f0022af773f3be74d32ae7a5bd541441a698f1e52ec355468fe40ccecd3.exe
Resource: win10v2004-20220901-en
General
Target: c25d9f0022af773f3be74d32ae7a5bd541441a698f1e52ec355468fe40ccecd3.exe
Size: 424KB
MD5: 3d8c71de5e7c266362fbb2d1af145c63
SHA1: 153332bb8a81a6e796847b205f38cbb2da69b710
SHA256: c25d9f0022af773f3be74d32ae7a5bd541441a698f1e52ec355468fe40ccecd3
SHA512: 7a34d2d72d2b390d18f45eb8cbbf2daa67ba2470397f714dbc0e5f680bcb32a9b65fb81103a859a7378a97e30acfa134990467f3a35d95e8a2699ee0eb044f7d
SSDEEP: 6144:zwLTYUfBg4Xu/6M8ijCVJLjg3KOQWREfxn9C2hMYhE03moXbftChXW3AxfulDGgB:zglK4XuiQaYR+n9CuLhEknblCJxfS6
Malware Config
Extracted from: C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\_RECoVERY_+dfyjj.txt
Family: teslacrypt
C2 / payment URLs:
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/A2E1497BB516713
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A2E1497BB516713
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/A2E1497BB516713
http://xlowfznrg4wf7dli.ONION/A2E1497BB516713
Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (1 IoC)
Processes:
PID 2608 hjjweavxodyq.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: c25d9f0022af773f3be74d32ae7a5bd541441a698f1e52ec355468fe40ccecd3.exe, hjjweavxodyq.exe
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation by c25d9f0022af773f3be74d32ae7a5bd541441a698f1e52ec355468fe40ccecd3.exe
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation by hjjweavxodyq.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: hjjweavxodyq.exe
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run by hjjweavxodyq.exe
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ogowjemgduxj = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\hjjweavxodyq.exe\"" by hjjweavxodyq.exe
Drops file in Program Files directory (64 IoCs)
Processes: hjjweavxodyq.exe
All 64 entries below are "File opened for modification" by hjjweavxodyq.exe:
C:\Program Files\7-Zip\Lang\ka.txt
C:\Program Files\7-Zip\Lang\pt.txt
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\_RECoVERY_+dfyjj.txt
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\_RECoVERY_+dfyjj.html
C:\Program Files\7-Zip\Lang\da.txt
C:\Program Files\7-Zip\Lang\ko.txt
C:\Program Files\Common Files\microsoft shared\ink\de-DE\_RECoVERY_+dfyjj.html
C:\Program Files\Common Files\microsoft shared\ink\en-US\_RECoVERY_+dfyjj.png
C:\Program Files\Common Files\microsoft shared\ink\et-EE\_RECoVERY_+dfyjj.txt
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\_RECoVERY_+dfyjj.html
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\_RECoVERY_+dfyjj.png
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\_RECoVERY_+dfyjj.png
C:\Program Files\7-Zip\Lang\et.txt
C:\Program Files\7-Zip\Lang\mk.txt
C:\Program Files\7-Zip\Lang\uz.txt
C:\Program Files\7-Zip\Lang\_RECoVERY_+dfyjj.html
C:\Program Files\Common Files\microsoft shared\ClickToRun\_RECoVERY_+dfyjj.html
C:\Program Files\Common Files\microsoft shared\ink\et-EE\_RECoVERY_+dfyjj.html
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\_RECoVERY_+dfyjj.txt
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\_RECoVERY_+dfyjj.html
C:\Program Files\7-Zip\Lang\eo.txt
C:\Program Files\7-Zip\Lang\mng2.txt
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\_RECoVERY_+dfyjj.txt
C:\Program Files\7-Zip\Lang\ar.txt
C:\Program Files\7-Zip\Lang\tt.txt
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\_RECoVERY_+dfyjj.png
C:\Program Files\7-Zip\Lang\ku.txt
C:\Program Files\Common Files\microsoft shared\ink\de-DE\_RECoVERY_+dfyjj.txt
C:\Program Files\Common Files\microsoft shared\ink\en-US\_RECoVERY_+dfyjj.txt
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\_RECoVERY_+dfyjj.txt
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\_RECoVERY_+dfyjj.html
C:\Program Files\7-Zip\Lang\sq.txt
C:\Program Files\7-Zip\Lang\mng.txt
C:\Program Files\7-Zip\Lang\zh-cn.txt
C:\Program Files\7-Zip\Lang\hu.txt
C:\Program Files\7-Zip\Lang\th.txt
C:\Program Files\Common Files\microsoft shared\ink\da-DK\_RECoVERY_+dfyjj.html
C:\Program Files\Common Files\microsoft shared\ink\es-MX\_RECoVERY_+dfyjj.png
C:\Program Files\7-Zip\Lang\kaa.txt
C:\Program Files\7-Zip\Lang\es.txt
C:\Program Files\7-Zip\Lang\vi.txt
C:\Program Files\7-Zip\Lang\_RECoVERY_+dfyjj.png
C:\Program Files\Common Files\microsoft shared\ink\el-GR\_RECoVERY_+dfyjj.txt
C:\Program Files\Common Files\microsoft shared\ink\el-GR\_RECoVERY_+dfyjj.html
C:\Program Files\Common Files\microsoft shared\ink\es-ES\_RECoVERY_+dfyjj.png
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\_RECoVERY_+dfyjj.html
C:\Program Files\7-Zip\Lang\br.txt
C:\Program Files\7-Zip\Lang\pa-in.txt
C:\Program Files\7-Zip\Lang\ro.txt
C:\Program Files\7-Zip\Lang\zh-tw.txt
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\_RECoVERY_+dfyjj.png
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\_RECoVERY_+dfyjj.png
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\_RECoVERY_+dfyjj.txt
C:\Program Files\7-Zip\Lang\lt.txt
C:\Program Files\7-Zip\Lang\sr-spl.txt
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\_RECoVERY_+dfyjj.txt
C:\Program Files\7-Zip\Lang\fy.txt
C:\Program Files\7-Zip\Lang\io.txt
C:\Program Files\7-Zip\Lang\pl.txt
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\_RECoVERY_+dfyjj.txt
C:\Program Files\7-Zip\Lang\gl.txt
C:\Program Files\7-Zip\Lang\ext.txt
C:\Program Files\7-Zip\Lang\it.txt
C:\Program Files\7-Zip\Lang\sv.txt
Drops file in Windows directory (2 IoCs)
Processes: c25d9f0022af773f3be74d32ae7a5bd541441a698f1e52ec355468fe40ccecd3.exe
File created C:\Windows\hjjweavxodyq.exe by c25d9f0022af773f3be74d32ae7a5bd541441a698f1e52ec355468fe40ccecd3.exe
File opened for modification C:\Windows\hjjweavxodyq.exe by c25d9f0022af773f3be74d32ae7a5bd541441a698f1e52ec355468fe40ccecd3.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (52 IoCs)
Processes: hjjweavxodyq.exe
PID 2608 hjjweavxodyq.exe (the same entry is recorded 52 times)
Suspicious use of AdjustPrivilegeToken (47 IoCs)
Processes: c25d9f0022af773f3be74d32ae7a5bd541441a698f1e52ec355468fe40ccecd3.exe, hjjweavxodyq.exe, WMIC.exe, vssvc.exe
Token: SeDebugPrivilege, PID 4012 c25d9f0022af773f3be74d32ae7a5bd541441a698f1e52ec355468fe40ccecd3.exe
Token: SeDebugPrivilege, PID 2608 hjjweavxodyq.exe
The following sequence of 21 token adjustments by PID 3788 WMIC.exe is recorded twice:
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeManageVolumePrivilege
Token: 33
Token: 34
Token: 35
Token: 36
Token: SeBackupPrivilege, PID 5084 vssvc.exe
Token: SeRestorePrivilege, PID 5084 vssvc.exe
Token: SeAuditPrivilege, PID 5084 vssvc.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: c25d9f0022af773f3be74d32ae7a5bd541441a698f1e52ec355468fe40ccecd3.exe, hjjweavxodyq.exe
PID 4012 c25d9f0022af773f3be74d32ae7a5bd541441a698f1e52ec355468fe40ccecd3.exe wrote to memory of PID 2608 hjjweavxodyq.exe (3 times)
PID 4012 c25d9f0022af773f3be74d32ae7a5bd541441a698f1e52ec355468fe40ccecd3.exe wrote to memory of PID 3380 cmd.exe (3 times)
PID 2608 hjjweavxodyq.exe wrote to memory of PID 3788 WMIC.exe (2 times)
System policy modification (1 TTPs, 2 IoCs)
Processes: hjjweavxodyq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System by hjjweavxodyq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" by hjjweavxodyq.exe
Processes

C:\Users\Admin\AppData\Local\Temp\c25d9f0022af773f3be74d32ae7a5bd541441a698f1e52ec355468fe40ccecd3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c25d9f0022af773f3be74d32ae7a5bd541441a698f1e52ec355468fe40ccecd3.exe"
  PID: 4012
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\hjjweavxodyq.exe (child of PID 4012)
    Command line: C:\Windows\hjjweavxodyq.exe
    PID: 2608
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\System32\wbem\WMIC.exe (child of PID 2608)
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      PID: 3788
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (child of PID 4012)
    Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\C25D9F~1.EXE
    PID: 3380

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 5084
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 424KB
MD5: 3d8c71de5e7c266362fbb2d1af145c63
SHA1: 153332bb8a81a6e796847b205f38cbb2da69b710
SHA256: c25d9f0022af773f3be74d32ae7a5bd541441a698f1e52ec355468fe40ccecd3
SHA512: 7a34d2d72d2b390d18f45eb8cbbf2daa67ba2470397f714dbc0e5f680bcb32a9b65fb81103a859a7378a97e30acfa134990467f3a35d95e8a2699ee0eb044f7d