Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-1703_x64 -
resource
win10-20230831-en -
resource tags
-
submitted
05-09-2023 09:36
General
-
Target
suspect_file_2.exe
-
Size
360KB
-
MD5
9ce01dfbf25dfea778e57d8274675d6f
-
SHA1
1bd767beb5bc36b396ca6405748042640ad57526
-
SHA256
5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d
-
SHA512
d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b
-
SSDEEP
6144:4qZbqZToxIizLBZ6R56VkGM4ceLJ5vs5JGJceO/QCErIiuNAvwu:4qZb8oR3D6R5QHXZJy/Q50imAvB
Malware Config
Extracted
C:\PerfLogs\_RECOVERY_+sqemx.txt
teslacrypt
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/EFA6EE942A4F3F4B
http://tes543berda73i48fsdfsd.keratadze.at/EFA6EE942A4F3F4B
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/EFA6EE942A4F3F4B
http://xlowfznrg4wf7dli.ONION/EFA6EE942A4F3F4B
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (883) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\suspect_file_2.exe"C:\Users\Admin\AppData\Local\Temp\suspect_file_2.exe"1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\nbbkdkvlcafl.exeC:\Windows\nbbkdkvlcafl.exe2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT3⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\SUSPEC~1.EXE2⤵
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5092693e2494176eb033815de999d7eac
SHA1aecc51236f08b10ec55005fba4e0989a503c1042
SHA2563d7b6bf66480a0f34a7d0635a5b555206ec64a838ff2e767e214a2252c75b944
SHA512c28c5a2beb5490f9a707e70e08ba09ccc68245c1b2add301c86ac31160953dfa93730054b3d6f7725818363abc627bbf6f0a2675836de92d845909fbbad1e399
-
Filesize
62KB
MD5d67e2bffb2b3799e019d35d8e2a2337b
SHA1efcc9ea317383f138e04fe31d767c50f210e063a
SHA256514aa12a44524e177681f3bd53ac75f48e943af79a0d643b477132a31ab5a37f
SHA512a25b1943c107d3796232414123f9896865ec3d387e4fb734c6db98fc232d8627070679d5e8f8fe5900e2d01a2881ad7f215d8de59d97934d83a905e1a9dd4e57
-
Filesize
1KB
MD5f0e6d1fad778b28cac4cdf003da5392b
SHA1edf73fcb57e770dafb06ef881ebd438f8c639480
SHA256c02beef44d3831bb70eb4aaf75499a344c47623488a1f57dc74d1b681184ad66
SHA512b1062f15d3cfb5ed5619f67d53b21212218671a52fa4874416fcbbf71226732dfe479c179a5b392e68a0b8f39b74e71e89036c4692032ec2bbf0a7f50e7abe15
-
Filesize
11KB
MD578d1f94c5a7f1b000cdbe3ba8bf9d590
SHA13ac4c0b77d6305493a99ff36fca1bbe12d227ea8
SHA2562ca10c21dc96bccf2bfabaa6a3d80e704066b5e52ce38f641a31f74d3a13c690
SHA51238b96878c50bbdd82293deb7c2505192dd216f324fd1635eb8488ae3673cb6eb10e2518b3ce67811eacfc8764835bc7d1c81a023f8cc59b4d01ba356a7a5826d
-
Filesize
107KB
MD5a6a43116c09c4ac59d580f5ca2b9aee8
SHA1aacc2e6c31aaf190e7686d482e1e73519dc6d091
SHA2563a3e407c920cc4646f050b22a12324ea3dadca2331a9125ec17eadc47294dc98
SHA512e34f8f2dc32c537180e94c4f95bae896463cae10f11258142121016781b578939514885fe40ba4fbe79e553374623f924583f1987ecc4cb80a017012f4b032ee
-
Filesize
173KB
MD501b87d595762f19af990395536148bb9
SHA13c931dff3fadda83fbcd12e331c00215ca692b5a
SHA25675f881c6797501865a3303b46a6b0d06505894f1713ba4babbf446ea16de819d
SHA5126f6d0254dc3864fadc8c17e629210e04eac7f08424692bec5b68b20ed2502be8dfca1013ac79e7f8e534c3149925a5f31180a360b957242ed251c68ab37a1d7f
-
Filesize
416B
MD5aca7774691269d7f02dc7f4cb7454fe8
SHA1c476b39a70dbf80a1ae4723de06e5225c272dfb8
SHA256c09a0e587bebac218ec3b647d2ff2bc2a40a8c0da17db261dd61d5e2f270a8cc
SHA5128e65600d6fb6f096786720ae83f1b2c95e89b2dcac57bb80e64f71bf090044859621f8aa176ae51f1598faad9ba4b2f60665f4af14427968e329b80c63748a33
-
Filesize
4KB
MD524be8a92460b5b7a555b1da559296958
SHA194147054e8a04e82fea1c185af30c7c90b194064
SHA25677a3cfe6b7eb676af438d5de88c7efcb6abcc494e0b65da90201969e6d79b2a3
SHA512ed8ef0453e050392c430fdcf556249f679570c130decd18057e077471a45ab0bc0fba513cb2d4d1c61f3d1935318113b3733dec2bc7828a169b18a1081e609a0
-
Filesize
342B
MD5e1f00148e4fe1ea7163406848a49dcbe
SHA1a7b499816560c2e8f8f1a898d74f1e045b6437f8
SHA256cda0f1e6d723a541e01b073ed0ee18a68051f645d49c1d167745030b11e3b429
SHA5126db928a67380d0a48e8c004e632e72821a873d26f9a7f86bc5ffda3321c3fe3f0299714e6d3f417ece337dfd6032d0627c6ad107d410c9d8afa3395d85d8a221
-
Filesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
Filesize
15KB
MD5f68b7443797ad3eb20677d5c3a5ce254
SHA1d35f1307f72e301cec6b97dc57201fa0aff49fbb
SHA2564f4e5a57fa1bb13c738dbdf0b3a47a8c3c25010eec2bc83ea548f900a04f7832
SHA51237e042b2c36d5766241c6f97b8d1e73440fa9e5d69f86361169b7d279542d66dc6473190ae033173789fbafa8f6e472a8cf19326c538c2b6896ee8b138e0d1b5
-
Filesize
58KB
MD533c767981b548cd67f5a1aa6c041f453
SHA112aca00bbc3c3bec1c0ea7224a5a860e4ffc87d7
SHA25646c2670f8b282ba836295ab671ecd927cb8e8c6024b68e83888e9e9c92c28cc2
SHA5126809f153580e104d5fc5054d14258247a774d521c29582cd049204fa2d124e80b2c1411f7e422ffc8aae258ac84638516748bf3d1bee881e86243275a21d023b
-
Filesize
91KB
MD5751230d580291e05c7ccaf8aab88bb4f
SHA1307db7a14a1cdf80b6e8cd3f8a1e584b97c9bcb8
SHA256763bd4b6711969d9bff4cf0ed67e64170e5c0f281a51cd5a2914228d43090633
SHA512deedcbbc14154da755e2d743a58e21771e37df8b45c1cf074f622e2fad41666c203bcc8cea69bf540d05718e97a36d59ba60206b72b8d5a10ff37f470b9a88e1
-
Filesize
11KB
MD5092693e2494176eb033815de999d7eac
SHA1aecc51236f08b10ec55005fba4e0989a503c1042
SHA2563d7b6bf66480a0f34a7d0635a5b555206ec64a838ff2e767e214a2252c75b944
SHA512c28c5a2beb5490f9a707e70e08ba09ccc68245c1b2add301c86ac31160953dfa93730054b3d6f7725818363abc627bbf6f0a2675836de92d845909fbbad1e399
-
Filesize
1KB
MD5f0e6d1fad778b28cac4cdf003da5392b
SHA1edf73fcb57e770dafb06ef881ebd438f8c639480
SHA256c02beef44d3831bb70eb4aaf75499a344c47623488a1f57dc74d1b681184ad66
SHA512b1062f15d3cfb5ed5619f67d53b21212218671a52fa4874416fcbbf71226732dfe479c179a5b392e68a0b8f39b74e71e89036c4692032ec2bbf0a7f50e7abe15
-
Filesize
360KB
MD59ce01dfbf25dfea778e57d8274675d6f
SHA11bd767beb5bc36b396ca6405748042640ad57526
SHA2565343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d
SHA512d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b
-
Filesize
360KB
MD59ce01dfbf25dfea778e57d8274675d6f
SHA11bd767beb5bc36b396ca6405748042640ad57526
SHA2565343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d
SHA512d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
