Analysis

  • max time kernel
    177s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 12:30

General

  • Target

    ac5c42f77dd51f56be243d86d57427f5078e145746998c8e7f4915660693e417.exe

  • Size

    337KB

  • MD5

    0f3a9ed6fba2a76230339962e6793346

  • SHA1

    223426255758ef3f30f29fb813f542cc7fff44ea

  • SHA256

    ac5c42f77dd51f56be243d86d57427f5078e145746998c8e7f4915660693e417

  • SHA512

    d3c87fcbfcb98ab96b341c7eed041ad234c8155fac24b0c36a5fd6c905d4f1533994269fbd12651e228ae93815bae3e16e200f810412a36ede162caa4e0b9a05

  • SSDEEP

    6144:LavYMc7shFjr9N/my+7Kojvkj+/LKgExnj4HDqLCXZtc:LavBc7sLjr9NC7XjD/LKRcDXXE

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3385717845-2518323428-350143044-1000\_RECoVERY_+nqeqh.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://yyre45dbvn2nhbefbmh.begumvelic.at/6B41D8B7CAD254A 2. http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/6B41D8B7CAD254A 3. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6B41D8B7CAD254A If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/6B41D8B7CAD254A 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://yyre45dbvn2nhbefbmh.begumvelic.at/6B41D8B7CAD254A http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/6B41D8B7CAD254A http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6B41D8B7CAD254A *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/6B41D8B7CAD254A
URLs

http://yyre45dbvn2nhbefbmh.begumvelic.at/6B41D8B7CAD254A

http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/6B41D8B7CAD254A

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6B41D8B7CAD254A

http://xlowfznrg4wf7dli.ONION/6B41D8B7CAD254A

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac5c42f77dd51f56be243d86d57427f5078e145746998c8e7f4915660693e417.exe
    "C:\Users\Admin\AppData\Local\Temp\ac5c42f77dd51f56be243d86d57427f5078e145746998c8e7f4915660693e417.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:616
    • C:\Windows\ssfdxvgpproa.exe
      C:\Windows\ssfdxvgpproa.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:764
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1488
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\AC5C42~1.EXE
      2⤵
      • Deletes itself
      PID:1168
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1560

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\ssfdxvgpproa.exe

    Filesize

    337KB

    MD5

    0f3a9ed6fba2a76230339962e6793346

    SHA1

    223426255758ef3f30f29fb813f542cc7fff44ea

    SHA256

    ac5c42f77dd51f56be243d86d57427f5078e145746998c8e7f4915660693e417

    SHA512

    d3c87fcbfcb98ab96b341c7eed041ad234c8155fac24b0c36a5fd6c905d4f1533994269fbd12651e228ae93815bae3e16e200f810412a36ede162caa4e0b9a05

  • C:\Windows\ssfdxvgpproa.exe

    Filesize

    337KB

    MD5

    0f3a9ed6fba2a76230339962e6793346

    SHA1

    223426255758ef3f30f29fb813f542cc7fff44ea

    SHA256

    ac5c42f77dd51f56be243d86d57427f5078e145746998c8e7f4915660693e417

    SHA512

    d3c87fcbfcb98ab96b341c7eed041ad234c8155fac24b0c36a5fd6c905d4f1533994269fbd12651e228ae93815bae3e16e200f810412a36ede162caa4e0b9a05

  • memory/616-54-0x0000000075931000-0x0000000075933000-memory.dmp

    Filesize

    8KB

  • memory/616-55-0x0000000000330000-0x000000000035E000-memory.dmp

    Filesize

    184KB

  • memory/616-56-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

  • memory/616-57-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

  • memory/616-64-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

  • memory/764-61-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

  • memory/764-65-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB