Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
08-04-2023 18:03
General
-
Target
2023-04-07_cb28c211ca8292894f3eef43ce5a6cd4_teslacrypt.exe
-
Size
692KB
-
MD5
cb28c211ca8292894f3eef43ce5a6cd4
-
SHA1
70e0bc5fce5534e6dbe5200d9c965c925b596ee3
-
SHA256
87feca94fc02b098be787060da09fc6f6473221ddf4aaa2f19321db3de256c0d
-
SHA512
b56c612e389f7b58218a2e66a66bddea55425ed5f99a22921e2a16b2a65ca415f0dc39fbe7c88fffe082ab4bc27923dcea652396cc922d06fd82baea76b356bd
-
SSDEEP
3072:UkmGgnjAYn2Fj5ohpzBovjtALLXOixtjOQ0hV09ZIR5YkHk7wELOhr1DwTTRpAe:g6mLD1OQW094YkHk7wsO7wPXAe
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+cldyi.txt
teslacrypt
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/98A14FEFBC432DA5
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/98A14FEFBC432DA5
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/98A14FEFBC432DA5
http://xlowfznrg4wf7dli.ONION/98A14FEFBC432DA5
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
-
Deletes itself 1 IoCs
-
Drops startup file 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2023-04-07_cb28c211ca8292894f3eef43ce5a6cd4_teslacrypt.exe"C:\Users\Admin\AppData\Local\Temp\2023-04-07_cb28c211ca8292894f3eef43ce5a6cd4_teslacrypt.exe"1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\armppqjmmuqd.exeC:\Windows\armppqjmmuqd.exe2⤵
- Modifies extensions of user files
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT3⤵
- Opens file in notepad (likely ransom note)
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE2⤵
- Deletes itself
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD514747eae5e94814a4be9d85621c8bbf1
SHA15fac360c490de25b654e1ad1b5e015aec30c7ce8
SHA2569bcd9f446ffbd18e00c7d4d65d41e21708d5a59196afd0556ae36e0762bd9582
SHA5120790530158ad45ae5a14427cbf03c41d1ba938b5149b2f529e851fb8641553d3298fe4dbbc2a5c3eba23b1601f1329d875201042d0027cca668051504706251d
-
Filesize
65KB
MD5881a74502cf4497d329df56b10d9e71b
SHA1323a7f2d5bde2eba4284aba4662dc33a4a9f1d88
SHA256b6f33f5f7a9e80589ecaf5c4b13698c25e92159246f8a5f418e3ce9a0728673d
SHA51212afdb6c07e6620dd549b00b25ba0c812ce09c6129a1f02cd6716c2562389c91e5850f58defbe60234482673bbb36a13d093b57bd2325b6c11927057f967648c
-
Filesize
1KB
MD5cfc88d8882a80efa7373d19dbefd5977
SHA19ea1d01de4f024c3341b6d66a8b4dd3d828a45a9
SHA25689f69c7557fcdd983b766c89715356e31e99628dbce5285e779cb2e6d0596b5f
SHA51296907559c7e7a5ad8799e182ff2a57fb77e24a85e742142b39ad30ffa2712e73e4cb1906a8a88a17e4e6738f1cd0da40b2e59cebc2854a8745f35b3c9cfc4c1a
-
Filesize
11KB
MD56861cb35c645b9138937388cd79afe6e
SHA1b97c8e14bc8ee6427a176e631681809952c7446a
SHA256bb40c87899c695028d818fa0e6ade9e64934e3a46ea49c5e7a3f5d75562ac785
SHA5124e91fcb45389fe31ca793a14ee9a9955acc32823321152aad1528998670abc683c9ce90d886d4253c41fa49f78b71d39fbb42b4ce3ba37fb4078137dc1c39448
-
Filesize
109KB
MD587e519a88e95c0be64aa315ce9398d27
SHA1d53dc8c80627abb68c57fe867c30ef81b656407c
SHA25611c6a9433ad3aba724d6a2281a43201a84fdaa44f252235ad80fb1a5b1510dce
SHA512584b474d0a4de8cccf4b661a301b70edadfd09f84825f51d5ddb06a9c2ad65a0faf400662c2eb01bb60992ca56c79f1658318c939c8850d7934287943af68496
-
Filesize
173KB
MD5ee45307ef46ab2b1512f86b0efd26c81
SHA1ab4f6fcd1e90d5f420349574d52c935efcbff433
SHA256508d83b8bc59a831a29dfa08e016ce393b8ca47bdf547d583628ef5be6d3bb68
SHA512f964669df5f00d229605e54f7b24e379c83935d94588f1072dbb789c4dc28ec213b976509e67a31fdac6b93e0cd21fc9c62d25d6d722e4381f16e50863857e9c
-
Filesize
692KB
MD5cb28c211ca8292894f3eef43ce5a6cd4
SHA170e0bc5fce5534e6dbe5200d9c965c925b596ee3
SHA25687feca94fc02b098be787060da09fc6f6473221ddf4aaa2f19321db3de256c0d
SHA512b56c612e389f7b58218a2e66a66bddea55425ed5f99a22921e2a16b2a65ca415f0dc39fbe7c88fffe082ab4bc27923dcea652396cc922d06fd82baea76b356bd
-
Filesize
692KB
MD5cb28c211ca8292894f3eef43ce5a6cd4
SHA170e0bc5fce5534e6dbe5200d9c965c925b596ee3
SHA25687feca94fc02b098be787060da09fc6f6473221ddf4aaa2f19321db3de256c0d
SHA512b56c612e389f7b58218a2e66a66bddea55425ed5f99a22921e2a16b2a65ca415f0dc39fbe7c88fffe082ab4bc27923dcea652396cc922d06fd82baea76b356bd
-
Filesize
692KB
MD5cb28c211ca8292894f3eef43ce5a6cd4
SHA170e0bc5fce5534e6dbe5200d9c965c925b596ee3
SHA25687feca94fc02b098be787060da09fc6f6473221ddf4aaa2f19321db3de256c0d
SHA512b56c612e389f7b58218a2e66a66bddea55425ed5f99a22921e2a16b2a65ca415f0dc39fbe7c88fffe082ab4bc27923dcea652396cc922d06fd82baea76b356bd
