Analysis
- max time kernel: 197s
- max time network: 196s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 02:29
Static task: static1
Behavioral task: behavioral1
  Sample: ac1314165b1c5d065bfe19fc4fc9b411b3af9f3a3e74661ada6d53770fc49ee6.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: ac1314165b1c5d065bfe19fc4fc9b411b3af9f3a3e74661ada6d53770fc49ee6.exe
  Resource: win10v2004-20221111-en
General
- Target: ac1314165b1c5d065bfe19fc4fc9b411b3af9f3a3e74661ada6d53770fc49ee6.exe
- Size: 335KB
- MD5: 4bc90d148fe634b9d87bcdb7e67d7f8d
- SHA1: 3e706aaae73d985282d638b03b48be6f8f447981
- SHA256: ac1314165b1c5d065bfe19fc4fc9b411b3af9f3a3e74661ada6d53770fc49ee6
- SHA512: a25c43f2096ed8516cc33940723d69e1eb366c030cb1f88823518113a4c39ab9dcbde2168029405dc7208c6ac7c9ae3016871a53c23df2d0d7af64ccacc3e10c
- SSDEEP: 6144:3MlhTEzkFxLyQb7kmp76NYsYRnZa0dIa4Scb0a/8MH9CC4l:3MlhZFxVb7kIfsgxl4Nw+f9Dy
Malware Config
Extracted from: C:\$Recycle.Bin\S-1-5-21-3406023954-474543476-3319432036-1000\_RECoVERY_+lcrvi.txt
Family: teslacrypt
URLs:
- http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/C231C5B02BC6A373
- http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/C231C5B02BC6A373
- http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/C231C5B02BC6A373
- http://xlowfznrg4wf7dli.ONION/C231C5B02BC6A373
Signatures
- TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1624 bodqtrebldmk.exe
- Deletes itself (1 IoC)
  Processes:
    pid 524 cmd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: bodqtrebldmk.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\qpsxwfveufdw = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\bodqtrebldmk.exe\"" (bodqtrebldmk.exe)
    Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run (bodqtrebldmk.exe)
- Drops file in Program Files directory (21 IoCs)
  Processes: bodqtrebldmk.exe
    File opened for modification C:\Program Files\7-Zip\Lang\cy.txt
    File opened for modification C:\Program Files\7-Zip\Lang\de.txt
    File opened for modification C:\Program Files\7-Zip\Lang\bg.txt
    File opened for modification C:\Program Files\7-Zip\Lang\bn.txt
    File opened for modification C:\Program Files\7-Zip\Lang\eo.txt
    File opened for modification C:\Program Files\7-Zip\Lang\az.txt
    File opened for modification C:\Program Files\7-Zip\Lang\el.txt
    File opened for modification C:\Program Files\7-Zip\Lang\ba.txt
    File opened for modification C:\Program Files\7-Zip\Lang\be.txt
    File opened for modification C:\Program Files\7-Zip\Lang\ca.txt
    File opened for modification C:\Program Files\7-Zip\Lang\cs.txt
    File opened for modification C:\Program Files\7-Zip\Lang\da.txt
    File opened for modification C:\Program Files\7-Zip\Lang\es.txt
    File opened for modification C:\Program Files\7-Zip\Lang\af.txt
    File opened for modification C:\Program Files\7-Zip\Lang\ast.txt
    File opened for modification C:\Program Files\7-Zip\Lang\ar.txt
    File opened for modification C:\Program Files\7-Zip\Lang\br.txt
    File opened for modification C:\Program Files\7-Zip\Lang\co.txt
    File opened for modification C:\Program Files\7-Zip\Lang\et.txt
    File opened for modification C:\Program Files\7-Zip\History.txt
    File opened for modification C:\Program Files\7-Zip\Lang\an.txt
- Drops file in Windows directory (2 IoCs)
  Processes: ac1314165b1c5d065bfe19fc4fc9b411b3af9f3a3e74661ada6d53770fc49ee6.exe
    File opened for modification C:\Windows\bodqtrebldmk.exe
    File created C:\Windows\bodqtrebldmk.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies system certificate store
  Processes: bodqtrebldmk.exe
    Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
    Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob not captured in this report]
    Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob not captured in this report]
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 1624 bodqtrebldmk.exe (the same entry is logged 64 times)
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes: ac1314165b1c5d065bfe19fc4fc9b411b3af9f3a3e74661ada6d53770fc49ee6.exe, bodqtrebldmk.exe, WMIC.exe, vssvc.exe
    Token: SeDebugPrivilege, pid 2016 ac1314165b1c5d065bfe19fc4fc9b411b3af9f3a3e74661ada6d53770fc49ee6.exe
    Token: SeDebugPrivilege, pid 1624 bodqtrebldmk.exe
    Tokens, pid 824 WMIC.exe (the following 20 entries are logged twice, in the same order): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    Token: SeBackupPrivilege, pid 540 vssvc.exe
    Token: SeRestorePrivilege, pid 540 vssvc.exe
    Token: SeAuditPrivilege, pid 540 vssvc.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: ac1314165b1c5d065bfe19fc4fc9b411b3af9f3a3e74661ada6d53770fc49ee6.exe, bodqtrebldmk.exe
    PID 2016 (ac1314165b1c5d065bfe19fc4fc9b411b3af9f3a3e74661ada6d53770fc49ee6.exe) wrote to memory of PID 1624 (bodqtrebldmk.exe), logged 4 times
    PID 2016 (ac1314165b1c5d065bfe19fc4fc9b411b3af9f3a3e74661ada6d53770fc49ee6.exe) wrote to memory of PID 524 (cmd.exe), logged 4 times
    PID 1624 (bodqtrebldmk.exe) wrote to memory of PID 824 (WMIC.exe), logged 4 times
- System policy modification (1 TTPs, 2 IoCs)
  Processes: bodqtrebldmk.exe
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (bodqtrebldmk.exe)
    Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (bodqtrebldmk.exe)
Processes (process tree; nesting shows parent/child relationship)
- Image: C:\Users\Admin\AppData\Local\Temp\ac1314165b1c5d065bfe19fc4fc9b411b3af9f3a3e74661ada6d53770fc49ee6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ac1314165b1c5d065bfe19fc4fc9b411b3af9f3a3e74661ada6d53770fc49ee6.exe"
  PID: 2016
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Image: C:\Windows\bodqtrebldmk.exe
    Command line: C:\Windows\bodqtrebldmk.exe
    PID: 1624
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - Image: C:\Windows\System32\wbem\WMIC.exe
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      PID: 824
      - Suspicious use of AdjustPrivilegeToken
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\AC1314~1.EXE
    PID: 524
    - Deletes itself
- Image: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 540
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 335KB
  MD5: 4bc90d148fe634b9d87bcdb7e67d7f8d
  SHA1: 3e706aaae73d985282d638b03b48be6f8f447981
  SHA256: ac1314165b1c5d065bfe19fc4fc9b411b3af9f3a3e74661ada6d53770fc49ee6
  SHA512: a25c43f2096ed8516cc33940723d69e1eb366c030cb1f88823518113a4c39ab9dcbde2168029405dc7208c6ac7c9ae3016871a53c23df2d0d7af64ccacc3e10c