Analysis
max time kernel: 12s
max time network: 14s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-10-2022 09:47
Static task: static1
Behavioral task: behavioral1
  Sample: 2625381f7c386a2ca581b1b249bb922bc8aeca37a5d3f8a37b771741ef8fc8e1.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 2625381f7c386a2ca581b1b249bb922bc8aeca37a5d3f8a37b771741ef8fc8e1.exe
  Resource: win10v2004-20220901-en
General
Target: 2625381f7c386a2ca581b1b249bb922bc8aeca37a5d3f8a37b771741ef8fc8e1.exe
Size: 424KB
MD5: 74d5c545888561be891363d16ceae294
SHA1: 127f4c1da282b56c1d5e3f05944315147f024992
SHA256: 2625381f7c386a2ca581b1b249bb922bc8aeca37a5d3f8a37b771741ef8fc8e1
SHA512: 2faa671ca7e9e6f458772761146020f834c8dc42af4a30e12fd71cf2106ea23811fa10213d2416a7eb3830db9f85158d12475e5bfc3a7ff278dea8e04cf5d308
SSDEEP: 6144:C2QDnUrp63iAY4zSDQzxIvT2ok+IQGH02JCIoXbftChXW3AxfulDGgB:CdDUrp61uW0TlLIQGUbNblCJxfS6
Malware Config
Extracted from: C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\_RECoVERY_+mjsxg.txt
Family: teslacrypt
URLs:
- http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/39949531A6C685B3
- http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/39949531A6C685B3
- http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/39949531A6C685B3
- http://xlowfznrg4wf7dli.ONION/39949531A6C685B3
Signatures
- TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (1 IoC)
  pid   Process
  3064  cspmjhaoyeme.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                Process
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  2625381f7c386a2ca581b1b249bb922bc8aeca37a5d3f8a37b771741ef8fc8e1.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  cspmjhaoyeme.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                     Process
  Key created      \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run  cspmjhaoyeme.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\umldolytdiax = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\cspmjhaoyeme.exe\""  cspmjhaoyeme.exe
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (2 IoCs)
  description                   ioc                          Process
  File created                  C:\Windows\cspmjhaoyeme.exe  2625381f7c386a2ca581b1b249bb922bc8aeca37a5d3f8a37b771741ef8fc8e1.exe
  File opened for modification  C:\Windows\cspmjhaoyeme.exe  2625381f7c386a2ca581b1b249bb922bc8aeca37a5d3f8a37b771741ef8fc8e1.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (52 IoCs)
  pid   Process
  3064  cspmjhaoyeme.exe  (same entry repeated 52 times)
- Suspicious use of AdjustPrivilegeToken (47 IoCs)
  pid   Process                                                               Tokens
  1604  2625381f7c386a2ca581b1b249bb922bc8aeca37a5d3f8a37b771741ef8fc8e1.exe  SeDebugPrivilege
  3064  cspmjhaoyeme.exe                                                      SeDebugPrivilege
  2056  WMIC.exe                                                              SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36  (this sequence of 21 tokens appears twice)
  1276  vssvc.exe                                                             SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                                               procid_target
  PID 1604 wrote to memory of 3064  1604  2625381f7c386a2ca581b1b249bb922bc8aeca37a5d3f8a37b771741ef8fc8e1.exe  82  (x3)
  PID 1604 wrote to memory of 4584  1604  2625381f7c386a2ca581b1b249bb922bc8aeca37a5d3f8a37b771741ef8fc8e1.exe  83  (x3)
  PID 3064 wrote to memory of 2056  3064  cspmjhaoyeme.exe                                                      85  (x2)
- System policy modification (1 TTPs, 2 IoCs)
  description      ioc                                                                                       Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  cspmjhaoyeme.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                cspmjhaoyeme.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\2625381f7c386a2ca581b1b249bb922bc8aeca37a5d3f8a37b771741ef8fc8e1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2625381f7c386a2ca581b1b249bb922bc8aeca37a5d3f8a37b771741ef8fc8e1.exe"
   - Checks computer location settings
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1604
   2. C:\Windows\cspmjhaoyeme.exe
      Command line: C:\Windows\cspmjhaoyeme.exe
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 3064
      3. C:\Windows\System32\wbem\WMIC.exe
         Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
         - Suspicious use of AdjustPrivilegeToken
         PID: 2056
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\262538~1.EXE
      PID: 4584
1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken
   PID: 1276
Network
MITRE ATT&CK Enterprise v6