Analysis

max time kernel: 151s
max time network: 165s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2022 04:48
Static task: static1

Behavioral task: behavioral1
  Sample: b00dc1034c1f339db2c4c1a06cad84cc0d3e8f850897fee570bb8cc0df905958.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: b00dc1034c1f339db2c4c1a06cad84cc0d3e8f850897fee570bb8cc0df905958.exe
  Resource: win10v2004-20221111-en
General

Target: b00dc1034c1f339db2c4c1a06cad84cc0d3e8f850897fee570bb8cc0df905958.exe
Size: 418KB
MD5: 7dc17ca28cd045e5b4ecc6324a0eeb7b
SHA1: 80f82d076016d07cb68822bb81291b2f17990a4f
SHA256: b00dc1034c1f339db2c4c1a06cad84cc0d3e8f850897fee570bb8cc0df905958
SHA512: e544c5e95461f2f0cf34283e84451214de2fa07e25d60e7a492e06333f5b58a2952f8dc9854df5c9878e759a49f83a5ce71280893a8b24a91f4441c79c2ccd69
SSDEEP: 12288:1UbjpvVw7FlRNCq/knSujQRlBlDeK0k9p:6bdVMhS0nltp
Malware Config

Extracted from: C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\_RECoVERY_+xhsgl.txt
Family: teslacrypt
URLs:
  http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4D8B1C9195D4ED0
  http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4D8B1C9195D4ED0
  http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/4D8B1C9195D4ED0
  http://xlowfznrg4wf7dli.ONION/4D8B1C9195D4ED0
Signatures

TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (2 IoCs)
  pid   Process
  1984  pgfgvkvhphqq.exe
  1756  pgfgvkvhphqq.exe

Deletes itself (1 IoC)
  pid   Process
  1692  cmd.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: pgfgvkvhphqq.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\fftwyrorgbsa = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\pgfgvkvhphqq.exe\"" (process: pgfgvkvhphqq.exe)

Suspicious use of SetThreadContext (2 IoCs)
  PID 1664 set thread context of 1040 (pid 1664, process b00dc1034c1f339db2c4c1a06cad84cc0d3e8f850897fee570bb8cc0df905958.exe, procid_target 28)
  PID 1984 set thread context of 1756 (pid 1984, process pgfgvkvhphqq.exe, procid_target 32)

Drops file in Program Files directory (2 IoCs)
  File opened for modification: C:\Program Files\7-Zip\History.txt (process: pgfgvkvhphqq.exe)
  File opened for modification: C:\Program Files\7-Zip\Lang\af.txt (process: pgfgvkvhphqq.exe)

Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\pgfgvkvhphqq.exe (process: b00dc1034c1f339db2c4c1a06cad84cc0d3e8f850897fee570bb8cc0df905958.exe)
  File opened for modification: C:\Windows\pgfgvkvhphqq.exe (process: b00dc1034c1f339db2c4c1a06cad84cc0d3e8f850897fee570bb8cc0df905958.exe)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid   Process
  1756  pgfgvkvhphqq.exe (16 occurrences)

Suspicious use of AdjustPrivilegeToken (45 IoCs)
  pid 1040, b00dc1034c1f339db2c4c1a06cad84cc0d3e8f850897fee570bb8cc0df905958.exe:
    Token: SeDebugPrivilege
  pid 1756, pgfgvkvhphqq.exe:
    Token: SeDebugPrivilege
  pid 1920, WMIC.exe (the following sequence of 20 tokens is recorded twice, 40 IoCs):
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  pid 752, vssvc.exe:
    Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege

Suspicious use of WriteProcessMemory (32 IoCs)
  PID 1664 wrote to memory of 1040 (pid 1664, process b00dc1034c1f339db2c4c1a06cad84cc0d3e8f850897fee570bb8cc0df905958.exe, procid_target 28), 10 occurrences
  PID 1040 wrote to memory of 1984 (pid 1040, process b00dc1034c1f339db2c4c1a06cad84cc0d3e8f850897fee570bb8cc0df905958.exe, procid_target 29), 4 occurrences
  PID 1040 wrote to memory of 1692 (pid 1040, process b00dc1034c1f339db2c4c1a06cad84cc0d3e8f850897fee570bb8cc0df905958.exe, procid_target 30), 4 occurrences
  PID 1984 wrote to memory of 1756 (pid 1984, process pgfgvkvhphqq.exe, procid_target 32), 10 occurrences
  PID 1756 wrote to memory of 1920 (pid 1756, process pgfgvkvhphqq.exe, procid_target 33), 4 occurrences

System policy modification (1 TTPs, 2 IoCs)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (process: pgfgvkvhphqq.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (process: pgfgvkvhphqq.exe)
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\b00dc1034c1f339db2c4c1a06cad84cc0d3e8f850897fee570bb8cc0df905958.exe (PID 1664)
  command line: "C:\Users\Admin\AppData\Local\Temp\b00dc1034c1f339db2c4c1a06cad84cc0d3e8f850897fee570bb8cc0df905958.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\b00dc1034c1f339db2c4c1a06cad84cc0d3e8f850897fee570bb8cc0df905958.exe (PID 1040)
    command line: "C:\Users\Admin\AppData\Local\Temp\b00dc1034c1f339db2c4c1a06cad84cc0d3e8f850897fee570bb8cc0df905958.exe"
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\pgfgvkvhphqq.exe (PID 1984)
      command line: C:\Windows\pgfgvkvhphqq.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\pgfgvkvhphqq.exe (PID 1756)
        command line: C:\Windows\pgfgvkvhphqq.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

        [depth 5] C:\Windows\System32\wbem\WMIC.exe (PID 1920)
          command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          - Suspicious use of AdjustPrivilegeToken

    [depth 3] C:\Windows\SysWOW64\cmd.exe (PID 1692)
      command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\B00DC1~1.EXE
      - Deletes itself

[depth 1] C:\Windows\system32\vssvc.exe (PID 752)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 418KB
MD5: 7dc17ca28cd045e5b4ecc6324a0eeb7b
SHA1: 80f82d076016d07cb68822bb81291b2f17990a4f
SHA256: b00dc1034c1f339db2c4c1a06cad84cc0d3e8f850897fee570bb8cc0df905958
SHA512: e544c5e95461f2f0cf34283e84451214de2fa07e25d60e7a492e06333f5b58a2952f8dc9854df5c9878e759a49f83a5ce71280893a8b24a91f4441c79c2ccd69