Analysis

  • max time kernel
    110s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20231020-en locale:en-us os:windows10-2004-x64 system
  • submitted
    03-11-2023 00:35

General

  • Target

    demo_teslacrypt.exe

  • Size

    360KB

  • MD5

    9ce01dfbf25dfea778e57d8274675d6f

  • SHA1

    1bd767beb5bc36b396ca6405748042640ad57526

  • SHA256

    5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d

  • SHA512

    d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b

  • SSDEEP

    6144:4qZbqZToxIizLBZ6R56VkGM4ceLJ5vs5JGJceO/QCErIiuNAvwu:4qZb8oR3D6R5QHXZJy/Q50imAvB

Malware Config

Extracted

Path

C:\PerfLogs\_RECOVERY_+guaky.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES

How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/19CBA521B9D2F2F3
2. http://tes543berda73i48fsdfsd.keratadze.at/19CBA521B9D2F2F3
3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/19CBA521B9D2F2F3

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/19CBA521B9D2F2F3
4. Follow the instructions on the site.

---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/19CBA521B9D2F2F3
http://tes543berda73i48fsdfsd.keratadze.at/19CBA521B9D2F2F3
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/19CBA521B9D2F2F3
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/19CBA521B9D2F2F3
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/19CBA521B9D2F2F3

http://tes543berda73i48fsdfsd.keratadze.at/19CBA521B9D2F2F3

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/19CBA521B9D2F2F3

http://xlowfznrg4wf7dli.ONION/19CBA521B9D2F2F3

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (201) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\demo_teslacrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\demo_teslacrypt.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\Windows\ygrlglrryyoj.exe
      C:\Windows\ygrlglrryyoj.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4052
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1776
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\DEMO_T~1.EXE
      2⤵
        PID:1620
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2520

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\PerfLogs\_RECOVERY_+guaky.html

      Filesize

      11KB

      MD5

      9bacfb75fc95290adeda6e3993ede32a

      SHA1

      8f1a9aec23a3bf7aea9a94b28a5ee3f085f80be8

      SHA256

      63af6e74227e440a1955b2ad0605de977e84211ff025328458bf2827a818eb5a

      SHA512

      90516d61be7829b2428e8d4519796e156101dd27ed2166a04c2ab663e0673320ad480833d4d8a6e0b4aae82016e56bd8ff90b5f336476c1f166ff998699a175e

    • C:\PerfLogs\_RECOVERY_+guaky.png

      Filesize

      62KB

      MD5

      126ca09218666b756f42f0cdc9f32fed

      SHA1

      1d6530f8c4d4218c04dd65ad6a88a587ba4f5481

      SHA256

      f76303d0cb4ef9fc0ebe65769c717119976ebb33362b9a2bb3d943b2892fd9cc

      SHA512

      f68caabf61cddc6a4b532db18dfacd442563f4a06b9a09143ad0b1ce16398b53029166f696eb827d7527c3ecc1f8e5b3b04876885ef773d88071cc56783cbf02

    • C:\PerfLogs\_RECOVERY_+guaky.txt

      Filesize

      1KB

      MD5

      7fe6097a41c3ae9a2e1de1f136bf8a27

      SHA1

      9a12195645da7cb6c83107899c8caa48e6926dcb

      SHA256

      b6bc17e6ad8ce395d0f0ed9d0e25eff8725374cf101757ae209d6c75164d1135

      SHA512

      a944136c6b26454376e40f36bf70a1799e4c8fafcd7b1e78b9daa4864947df785b799e301da99aa7a0fc2f5c9e7f82dfaf43f681f06c8256bf3fce4daa5494bc

    • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

      Filesize

      560B

      MD5

      5488642ab2b84709aca560aa4dc970e5

      SHA1

      f0d4af459372423e39ae96ac577d14fbad5ea341

      SHA256

      24b52d4365c3ce162ecd8e8fae6ddfa3635ce7e79a54886bfa4a11ae7feda986

      SHA512

      164922d88bfb84e196284ad83021afe6063a5585da3a1ab996c6e884f94baa788840b96380527fad58a05cfda3b0e7dc535bd2c0fcb8a8a7aa9d367b6c3dfa54

    • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

      Filesize

      560B

      MD5

      8853fb82b167ef2fb98c1515ad98130d

      SHA1

      f70160a9448bb3b9d5cdc8c70203e6f71351977c

      SHA256

      5bf679da7f33ff86b8e1e56d0836942b87120177dea97ef4c622e214412a281e

      SHA512

      6b2ecb0af7281327eef7d0809ce0eb0ba587f2dbb4e20abf088c7780a1c65e4a02806a210aebd45c5205a4cff7b39e7e05a709edda228e556d6d1f4e023a51c8

    • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

      Filesize

      416B

      MD5

      947070215b45ad7a0038ed2e55706903

      SHA1

      6b109224feba5e5ef10d8f65426625faa47adcf2

      SHA256

      256b0a231e8d27aa6ca1ba4d1065188c3be3b0905da4f70db03d99fb994b2ebf

      SHA512

      32bf5fe8c6c3cfbb3e710a3e16c1266f3c942752a7a7783b394ece465915ac0a7a1b5aae8f41089dff4564c469be4afed176909c0259dda280aa79cc83af9533

    • C:\Windows\ygrlglrryyoj.exe

      Filesize

      360KB

      MD5

      9ce01dfbf25dfea778e57d8274675d6f

      SHA1

      1bd767beb5bc36b396ca6405748042640ad57526

      SHA256

      5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d

      SHA512

      d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b

    • memory/3544-13-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

    • memory/3544-14-0x00000000022C0000-0x0000000002345000-memory.dmp

      Filesize

      532KB

    • memory/3544-0-0x00000000022C0000-0x0000000002345000-memory.dmp

      Filesize

      532KB

    • memory/3544-1-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

    • memory/4052-16-0x0000000002120000-0x00000000021A5000-memory.dmp

      Filesize

      532KB

    • memory/4052-15-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

    • memory/4052-557-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

    • memory/4052-767-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

    • memory/4052-802-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

    • memory/4052-814-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

    • memory/4052-9-0x0000000002120000-0x00000000021A5000-memory.dmp

      Filesize

      532KB

    • memory/4052-1015-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

    • memory/4052-1053-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB