Analysis
- max time kernel: 177s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 12:30
Static task: static1
Behavioral task: behavioral1
- Sample: ac5c42f77dd51f56be243d86d57427f5078e145746998c8e7f4915660693e417.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: ac5c42f77dd51f56be243d86d57427f5078e145746998c8e7f4915660693e417.exe
- Resource: win10v2004-20220812-en
General
- Target: ac5c42f77dd51f56be243d86d57427f5078e145746998c8e7f4915660693e417.exe
- Size: 337KB
- MD5: 0f3a9ed6fba2a76230339962e6793346
- SHA1: 223426255758ef3f30f29fb813f542cc7fff44ea
- SHA256: ac5c42f77dd51f56be243d86d57427f5078e145746998c8e7f4915660693e417
- SHA512: d3c87fcbfcb98ab96b341c7eed041ad234c8155fac24b0c36a5fd6c905d4f1533994269fbd12651e228ae93815bae3e16e200f810412a36ede162caa4e0b9a05
- SSDEEP: 6144:LavYMc7shFjr9N/my+7Kojvkj+/LKgExnj4HDqLCXZtc:LavBc7sLjr9NC7XjD/LKRcDXXE
Malware Config
Extracted
- Ransom note path: C:\$Recycle.Bin\S-1-5-21-3385717845-2518323428-350143044-1000\_RECoVERY_+nqeqh.txt
- Family: teslacrypt
- URLs:
  - http://yyre45dbvn2nhbefbmh.begumvelic.at/6B41D8B7CAD254A
  - http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/6B41D8B7CAD254A
  - http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6B41D8B7CAD254A
  - http://xlowfznrg4wf7dli.ONION/6B41D8B7CAD254A
Signatures
- TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (1 IoC)
  pid 764, Process ssfdxvgpproa.exe
- Deletes itself (1 IoC)
  pid 1168, Process cmd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run (Process: ssfdxvgpproa.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ebldmkiokssp = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\ssfdxvgpproa.exe\"" (Process: ssfdxvgpproa.exe)
- Drops file in Program Files directory (12 IoCs)
  All entries are "File opened for modification" by Process ssfdxvgpproa.exe:
  - C:\Program Files\7-Zip\Lang\ca.txt
  - C:\Program Files\7-Zip\History.txt
  - C:\Program Files\7-Zip\Lang\af.txt
  - C:\Program Files\7-Zip\Lang\ar.txt
  - C:\Program Files\7-Zip\Lang\be.txt
  - C:\Program Files\7-Zip\Lang\bg.txt
  - C:\Program Files\7-Zip\Lang\br.txt
  - C:\Program Files\7-Zip\Lang\an.txt
  - C:\Program Files\7-Zip\Lang\ast.txt
  - C:\Program Files\7-Zip\Lang\az.txt
  - C:\Program Files\7-Zip\Lang\ba.txt
  - C:\Program Files\7-Zip\Lang\bn.txt
- Drops file in Windows directory (2 IoCs)
  - File created: C:\Windows\ssfdxvgpproa.exe (Process: ac5c42f77dd51f56be243d86d57427f5078e145746998c8e7f4915660693e417.exe)
  - File opened for modification: C:\Windows\ssfdxvgpproa.exe (Process: ac5c42f77dd51f56be243d86d57427f5078e145746998c8e7f4915660693e417.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 764, Process ssfdxvgpproa.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  - Token: SeDebugPrivilege, pid 616, Process ac5c42f77dd51f56be243d86d57427f5078e145746998c8e7f4915660693e417.exe
  - Token: SeDebugPrivilege, pid 764, Process ssfdxvgpproa.exe
  - pid 1488, Process WMIC.exe, each of the following tokens recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  - pid 1560, Process vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 616 wrote to memory of 764 (Process ac5c42f77dd51f56be243d86d57427f5078e145746998c8e7f4915660693e417.exe, procid_target 28), recorded 4 times
  - PID 616 wrote to memory of 1168 (Process ac5c42f77dd51f56be243d86d57427f5078e145746998c8e7f4915660693e417.exe, procid_target 29), recorded 4 times
  - PID 764 wrote to memory of 1488 (Process ssfdxvgpproa.exe, procid_target 31), recorded 4 times
- System policy modification (1 TTP, 2 IoCs)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (Process: ssfdxvgpproa.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (Process: ssfdxvgpproa.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\ac5c42f77dd51f56be243d86d57427f5078e145746998c8e7f4915660693e417.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ac5c42f77dd51f56be243d86d57427f5078e145746998c8e7f4915660693e417.exe"
  PID: 616
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\ssfdxvgpproa.exe
    Command line: C:\Windows\ssfdxvgpproa.exe
    PID: 764
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      PID: 1488
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\AC5C42~1.EXE
    PID: 1168
    - Deletes itself
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1560
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 337KB
- MD5: 0f3a9ed6fba2a76230339962e6793346
- SHA1: 223426255758ef3f30f29fb813f542cc7fff44ea
- SHA256: ac5c42f77dd51f56be243d86d57427f5078e145746998c8e7f4915660693e417
- SHA512: d3c87fcbfcb98ab96b341c7eed041ad234c8155fac24b0c36a5fd6c905d4f1533994269fbd12651e228ae93815bae3e16e200f810412a36ede162caa4e0b9a05