Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
08-04-2023 18:03
General
-
Target
2023-04-07_cb28c211ca8292894f3eef43ce5a6cd4_teslacrypt.exe
-
Size
692KB
-
MD5
cb28c211ca8292894f3eef43ce5a6cd4
-
SHA1
70e0bc5fce5534e6dbe5200d9c965c925b596ee3
-
SHA256
87feca94fc02b098be787060da09fc6f6473221ddf4aaa2f19321db3de256c0d
-
SHA512
b56c612e389f7b58218a2e66a66bddea55425ed5f99a22921e2a16b2a65ca415f0dc39fbe7c88fffe082ab4bc27923dcea652396cc922d06fd82baea76b356bd
-
SSDEEP
3072:UkmGgnjAYn2Fj5ohpzBovjtALLXOixtjOQ0hV09ZIR5YkHk7wELOhr1DwTTRpAe:g6mLD1OQW094YkHk7wsO7wPXAe
Malware Config
Extracted
C:\PerfLogs\_RECoVERY_+xcdby.txt
teslacrypt
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/E04AB970D8936378
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/E04AB970D8936378
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/E04AB970D8936378
http://xlowfznrg4wf7dli.ONION/E04AB970D8936378
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2023-04-07_cb28c211ca8292894f3eef43ce5a6cd4_teslacrypt.exe"C:\Users\Admin\AppData\Local\Temp\2023-04-07_cb28c211ca8292894f3eef43ce5a6cd4_teslacrypt.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\aefwgnypnqcg.exeC:\Windows\aefwgnypnqcg.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE2⤵
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5f2d25772c460d01feda13233ea12fc04
SHA16d70d2ea12a6e7707d558f8a4a2c798b1e0b6218
SHA256aab3f1fb3960c17498f6483b2562a661882f09fdc61be8f97218fe7f3571cd77
SHA51255fe4d0cddb2e305adbb63cb4c90c40437ebb4f5d4bee13dbbf8f40412a67d043166835134858b94672b190598b0ac69115ccd73f5e047a3c6c73c7a73fceedc
-
Filesize
65KB
MD5f53b237b6417f7e9d6fb55022f80ce89
SHA1432f646eb5d1b233f64bd31209b72e84b8a2aefb
SHA256d1d21b1aa69430edadefde8798521258b85282fefa4546f83d42331b1f57e2d7
SHA512cc91e82cbaac18ea004de4b9a5c2a0ca02f668a4fb96a44d41f5e09e8cca7650d988be31d2f5e627fb4ae819cb6cf485da70ef41038c1d166950954c6f56a04f
-
Filesize
1KB
MD5cb067cb841d8885869529c54219d92e3
SHA103a3f05ab8cbe612a1237f783bdd6f866240b7e7
SHA25679052a300a4442f244209c82ff6e5a1f09c9d595d11e0a843aa7dea099850783
SHA51247d81739f722a1abab4cc8b0154b9bca3706d0cb08c8f448ae688c16d735bc97f443e44f4dbc74a3c003d2efdebffb0f7c47ece7fc8b9875168efcc50dfa94c8
-
Filesize
11KB
MD5984dc97a629f49afd69acadf944f5af1
SHA1f133ef2e7d7486b312ed38e24c1759217fe93df2
SHA256bd8ecc210f14a135e84254ff7536f5151805bfa8cf608f4d07020979c498defd
SHA512f209abecb609b1f364a56951699e2195cbf80b46f99ecb66d65650a6c86df66820d24769ef1c84f717bb15b01e6c1ac916c7df7ffa704cea64871359bc5e21cb
-
Filesize
107KB
MD50905a974b6e66645002c46aafd5638dd
SHA13a19f730f1bf7928289d8350585e23b11ad2c3c4
SHA25678fd1948d908ded9633adf36fffe8316c07f91e3e4612eeb3bde43234d5aeea2
SHA5120d59b2fbf4c2f4af8f9fd80faf1071b62368076b96d91c01840b4c08e534dabe172bbdf0128f42962d547d54e90bf5f382f46c0bb635f2cbe2074d5bdc9cd700
-
Filesize
173KB
MD5035dfaeba9e40507d6908dc8bb242517
SHA10ce7e77522161f418e8fe019508024334749fadd
SHA256cb4329470648ed04f0758e7211e5c31383bb58d1c05e46888d6866c4d210ac7f
SHA5125f5bc8e6504b0bda2e638fca3746ed9b92a6b1c95c2d814461f969ab245ec26bb29e3ba4ac3a16a3c0738cf3599df91a0bb21cf77271d19ce4cb29ea615bc1db
-
Filesize
416B
MD5784361a804e945580cd6b3abad49c2ec
SHA17c9ade01f624063a6c9933bc797db3742e8cdaed
SHA2561643683227f9a725b7a4fb0a6c6435014e353cdf14d01b79d983b8574717a49f
SHA5129fea876fd9def6b763e94aa05d30446b834a469d966ec6925fe0b26fe6b1423d5bff96c34ce19c2b439ae2aef541723e99162649be9ec07aebccbc2a49820af2
-
Filesize
692KB
MD5cb28c211ca8292894f3eef43ce5a6cd4
SHA170e0bc5fce5534e6dbe5200d9c965c925b596ee3
SHA25687feca94fc02b098be787060da09fc6f6473221ddf4aaa2f19321db3de256c0d
SHA512b56c612e389f7b58218a2e66a66bddea55425ed5f99a22921e2a16b2a65ca415f0dc39fbe7c88fffe082ab4bc27923dcea652396cc922d06fd82baea76b356bd
-
Filesize
692KB
MD5cb28c211ca8292894f3eef43ce5a6cd4
SHA170e0bc5fce5534e6dbe5200d9c965c925b596ee3
SHA25687feca94fc02b098be787060da09fc6f6473221ddf4aaa2f19321db3de256c0d
SHA512b56c612e389f7b58218a2e66a66bddea55425ed5f99a22921e2a16b2a65ca415f0dc39fbe7c88fffe082ab4bc27923dcea652396cc922d06fd82baea76b356bd
