Analysis
max time kernel: 151s
max time network: 131s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 08-11-2022 02:14
Static task: static1
Behavioral task: behavioral1
  Sample: aa84b63461017011dfc0d585660e548d21e98840aaf48a487c0fc884a1b677f2.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: aa84b63461017011dfc0d585660e548d21e98840aaf48a487c0fc884a1b677f2.exe
  Resource: win10v2004-20220812-en
General
Target: aa84b63461017011dfc0d585660e548d21e98840aaf48a487c0fc884a1b677f2.exe
Size: 252KB
MD5: 5049b9f88f0817e6de0ff42ad195f085
SHA1: 2a4075d7da5eb3cef6cd7a0ca27f7eb7e652d2cd
SHA256: aa84b63461017011dfc0d585660e548d21e98840aaf48a487c0fc884a1b677f2
SHA512: 5cec52be80a5385c34865e4dd89c22c112c088b6b6a5fb9d17ebf226d23709cf6f18750945a876306468dc704a725462e6d35a9ca1eaf421f912857f7984c64c
SSDEEP: 6144:N4GdVmoxZi7SVeEiDmC9WRkdnUGO354aFF0grPTmc0Nt/e1bPMmK:NLZ+eHC9KkhUGg42FpTUhe1w
Malware Config
Extracted from: C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\_RECOVERY_+cpefk.txt
Family: teslacrypt
URLs:
  http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/CBF4C758F6142AA
  http://tes543berda73i48fsdfsd.keratadze.at/CBF4C758F6142AA
  http://tt54rfdjhb34rfbnknaerg.milerteddy.com/CBF4C758F6142AA
  http://xlowfznrg4wf7dli.ONION/CBF4C758F6142AA
Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (1 IoC)
  pid   Process
  1124  csaoiydiydwl.exe

Deletes itself (1 IoC)
  pid   Process
  2012  cmd.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                 Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gvmbvoinjefv = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\csaoiydiydwl.exe\""  csaoiydiydwl.exe
  Key created      \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run                                           csaoiydiydwl.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)
  description                   ioc                          Process
  File created                  C:\Windows\csaoiydiydwl.exe  aa84b63461017011dfc0d585660e548d21e98840aaf48a487c0fc884a1b677f2.exe
  File opened for modification  C:\Windows\csaoiydiydwl.exe  aa84b63461017011dfc0d585660e548d21e98840aaf48a487c0fc884a1b677f2.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1124  csaoiydiydwl.exe  (the same entry is recorded 64 times)
Suspicious use of AdjustPrivilegeToken (45 IoCs)
  description                          pid   Process
  Token: SeDebugPrivilege              1620  aa84b63461017011dfc0d585660e548d21e98840aaf48a487c0fc884a1b677f2.exe
  Token: SeDebugPrivilege              1124  csaoiydiydwl.exe
  Token: SeIncreaseQuotaPrivilege      1892  WMIC.exe
  Token: SeSecurityPrivilege           1892  WMIC.exe
  Token: SeTakeOwnershipPrivilege      1892  WMIC.exe
  Token: SeLoadDriverPrivilege         1892  WMIC.exe
  Token: SeSystemProfilePrivilege      1892  WMIC.exe
  Token: SeSystemtimePrivilege         1892  WMIC.exe
  Token: SeProfSingleProcessPrivilege  1892  WMIC.exe
  Token: SeIncBasePriorityPrivilege    1892  WMIC.exe
  Token: SeCreatePagefilePrivilege     1892  WMIC.exe
  Token: SeBackupPrivilege             1892  WMIC.exe
  Token: SeRestorePrivilege            1892  WMIC.exe
  Token: SeShutdownPrivilege           1892  WMIC.exe
  Token: SeDebugPrivilege              1892  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  1892  WMIC.exe
  Token: SeRemoteShutdownPrivilege     1892  WMIC.exe
  Token: SeUndockPrivilege             1892  WMIC.exe
  Token: SeManageVolumePrivilege       1892  WMIC.exe
  Token: 33                            1892  WMIC.exe
  Token: 34                            1892  WMIC.exe
  Token: 35                            1892  WMIC.exe
  Token: SeIncreaseQuotaPrivilege      1892  WMIC.exe
  Token: SeSecurityPrivilege           1892  WMIC.exe
  Token: SeTakeOwnershipPrivilege      1892  WMIC.exe
  Token: SeLoadDriverPrivilege         1892  WMIC.exe
  Token: SeSystemProfilePrivilege      1892  WMIC.exe
  Token: SeSystemtimePrivilege         1892  WMIC.exe
  Token: SeProfSingleProcessPrivilege  1892  WMIC.exe
  Token: SeIncBasePriorityPrivilege    1892  WMIC.exe
  Token: SeCreatePagefilePrivilege     1892  WMIC.exe
  Token: SeBackupPrivilege             1892  WMIC.exe
  Token: SeRestorePrivilege            1892  WMIC.exe
  Token: SeShutdownPrivilege           1892  WMIC.exe
  Token: SeDebugPrivilege              1892  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  1892  WMIC.exe
  Token: SeRemoteShutdownPrivilege     1892  WMIC.exe
  Token: SeUndockPrivilege             1892  WMIC.exe
  Token: SeManageVolumePrivilege       1892  WMIC.exe
  Token: 33                            1892  WMIC.exe
  Token: 34                            1892  WMIC.exe
  Token: 35                            1892  WMIC.exe
  Token: SeBackupPrivilege             1232  vssvc.exe
  Token: SeRestorePrivilege            1232  vssvc.exe
  Token: SeAuditPrivilege              1232  vssvc.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 1620 wrote to memory of 1124  1620  aa84b63461017011dfc0d585660e548d21e98840aaf48a487c0fc884a1b677f2.exe  27
  PID 1620 wrote to memory of 1124  1620  aa84b63461017011dfc0d585660e548d21e98840aaf48a487c0fc884a1b677f2.exe  27
  PID 1620 wrote to memory of 1124  1620  aa84b63461017011dfc0d585660e548d21e98840aaf48a487c0fc884a1b677f2.exe  27
  PID 1620 wrote to memory of 1124  1620  aa84b63461017011dfc0d585660e548d21e98840aaf48a487c0fc884a1b677f2.exe  27
  PID 1620 wrote to memory of 2012  1620  aa84b63461017011dfc0d585660e548d21e98840aaf48a487c0fc884a1b677f2.exe  28
  PID 1620 wrote to memory of 2012  1620  aa84b63461017011dfc0d585660e548d21e98840aaf48a487c0fc884a1b677f2.exe  28
  PID 1620 wrote to memory of 2012  1620  aa84b63461017011dfc0d585660e548d21e98840aaf48a487c0fc884a1b677f2.exe  28
  PID 1620 wrote to memory of 2012  1620  aa84b63461017011dfc0d585660e548d21e98840aaf48a487c0fc884a1b677f2.exe  28
  PID 1124 wrote to memory of 1892  1124  csaoiydiydwl.exe                                                        30
  PID 1124 wrote to memory of 1892  1124  csaoiydiydwl.exe                                                        30
  PID 1124 wrote to memory of 1892  1124  csaoiydiydwl.exe                                                        30
  PID 1124 wrote to memory of 1892  1124  csaoiydiydwl.exe                                                        30

System policy modification (1 TTP, 2 IoCs)
  description      ioc                                                                                                 Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                         csaoiydiydwl.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  csaoiydiydwl.exe
Processes

C:\Users\Admin\AppData\Local\Temp\aa84b63461017011dfc0d585660e548d21e98840aaf48a487c0fc884a1b677f2.exe  (PID 1620)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa84b63461017011dfc0d585660e548d21e98840aaf48a487c0fc884a1b677f2.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\csaoiydiydwl.exe  (PID 1124)
    Command line: C:\Windows\csaoiydiydwl.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\System32\wbem\WMIC.exe  (PID 1892)
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (PID 2012)
    Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\AA84B6~1.EXE
    - Deletes itself

C:\Windows\system32\vssvc.exe  (PID 1232)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 252KB
MD5: 5049b9f88f0817e6de0ff42ad195f085
SHA1: 2a4075d7da5eb3cef6cd7a0ca27f7eb7e652d2cd
SHA256: aa84b63461017011dfc0d585660e548d21e98840aaf48a487c0fc884a1b677f2
SHA512: 5cec52be80a5385c34865e4dd89c22c112c088b6b6a5fb9d17ebf226d23709cf6f18750945a876306468dc704a725462e6d35a9ca1eaf421f912857f7984c64c