teslacrypt | 4e7ebafd70b51016204a8352a383a06f10d54f43a9b351ae693037dd33807078

Analysis

max time kernel
155s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2023 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-12-12_e7269b14789d8e615e42e3b62d59be36_teslacrypt.exe
Size

256KB
MD5

e7269b14789d8e615e42e3b62d59be36
SHA1

4051f1f1ef40cfe440b280495dafd37dc2332bb9
SHA256

4e7ebafd70b51016204a8352a383a06f10d54f43a9b351ae693037dd33807078
SHA512

2a4f771ab747492af6c21a83ec40e36439c804c1885ccea3e3d9c69c20fa82f48e3f73b4fd34d0d8114c88851d295631131a3e059569bcecdd8972ebff50a12a
SSDEEP

3072:sP36YQgDABWbDFp7yz5dwjtYjt+XOCGNjYQMhLwZil6hdZrz5eLbJnCgo5QTRpA:IZKjjtxVYQuwFhdZrz5eXC5aXA

Score

10^/10

teslacrypt persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\PerfLogs\_RECOVERY_+txpyd.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/AAF81CBB392E8D1 2. http://tes543berda73i48fsdfsd.keratadze.at/AAF81CBB392E8D1 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/AAF81CBB392E8D1 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/AAF81CBB392E8D1 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/AAF81CBB392E8D1 http://tes543berda73i48fsdfsd.keratadze.at/AAF81CBB392E8D1 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/AAF81CBB392E8D1 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/AAF81CBB392E8D1

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/AAF81CBB392E8D1

http://tes543berda73i48fsdfsd.keratadze.at/AAF81CBB392E8D1

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/AAF81CBB392E8D1

http://xlowfznrg4wf7dli.ONION/AAF81CBB392E8D1

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (855) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2023-12-12_e7269b14789d8e615e42e3b62d59be36_teslacrypt.execuifokyfntre.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	2023-12-12_e7269b14789d8e615e42e3b62d59be36_teslacrypt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	cuifokyfntre.exe

Drops startup file 6 IoCs

Processes:

cuifokyfntre.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+txpyd.html	cuifokyfntre.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+txpyd.png	cuifokyfntre.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+txpyd.txt	cuifokyfntre.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+txpyd.html	cuifokyfntre.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+txpyd.png	cuifokyfntre.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+txpyd.txt	cuifokyfntre.exe

Executes dropped EXE 1 IoCs

Processes:

cuifokyfntre.exe

pid process

1376 cuifokyfntre.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cuifokyfntre.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uskwcplywmjx = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\cuifokyfntre.exe\""	cuifokyfntre.exe

Drops file in Program Files directory 64 IoCs

Processes:

cuifokyfntre.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_RECOVERY_+txpyd.txt	cuifokyfntre.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\_RECOVERY_+txpyd.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-unplated.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\_RECOVERY_+txpyd.html	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hu-HU\_RECOVERY_+txpyd.html	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-lightunplated.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FlagToastQuickAction.scale-80.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\_RECOVERY_+txpyd.html	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-32.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\_RECOVERY_+txpyd.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-32_altform-lightunplated.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\fabric.min.css	cuifokyfntre.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-48_contrast-black.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Archive.zip	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeWideTile.scale-125.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-200.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-200.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-96_altform-unplated_contrast-black.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\_RECOVERY_+txpyd.html	cuifokyfntre.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\_RECOVERY_+txpyd.txt	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlOuterCircle.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\_RECOVERY_+txpyd.html	cuifokyfntre.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\_RECOVERY_+txpyd.html	cuifokyfntre.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\_RECOVERY_+txpyd.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\Spider.Wide.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\_RECOVERY_+txpyd.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60_altform-unplated.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\_RECOVERY_+txpyd.html	cuifokyfntre.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\_RECOVERY_+txpyd.html	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch-Dark.scale-125.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\_RECOVERY_+txpyd.txt	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\_RECOVERY_+txpyd.html	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\_RECOVERY_+txpyd.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\QUERIES\_RECOVERY_+txpyd.txt	cuifokyfntre.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\THMBNAIL.PNG	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailBadge.scale-400.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\_RECOVERY_+txpyd.txt	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoFrameExtractor\Views\_RECOVERY_+txpyd.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-400.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\LargeTile.scale-200.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-16_altform-unplated.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\_RECOVERY_+txpyd.html	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-16_altform-lightunplated.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\_RECOVERY_+txpyd.txt	cuifokyfntre.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\_RECOVERY_+txpyd.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\_RECOVERY_+txpyd.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\_RECOVERY_+txpyd.html	cuifokyfntre.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupWideTile.scale-400.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Resources\_RECOVERY_+txpyd.txt	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\_RECOVERY_+txpyd.txt	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\_RECOVERY_+txpyd.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-100_contrast-high.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\_RECOVERY_+txpyd.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_DogNose.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20_altform-unplated_contrast-black.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Timer3Sec.targetsize-16.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\SmallTile.scale-125.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+txpyd.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\_RECOVERY_+txpyd.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\smsconnect\_RECOVERY_+txpyd.png	cuifokyfntre.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png	cuifokyfntre.exe

Drops file in Windows directory 2 IoCs

Processes:

2023-12-12_e7269b14789d8e615e42e3b62d59be36_teslacrypt.exe

description	ioc	process
File created	C:\Windows\cuifokyfntre.exe	2023-12-12_e7269b14789d8e615e42e3b62d59be36_teslacrypt.exe
File opened for modification	C:\Windows\cuifokyfntre.exe	2023-12-12_e7269b14789d8e615e42e3b62d59be36_teslacrypt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cuifokyfntre.exe

pid	process
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe
1376	cuifokyfntre.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

2023-12-12_e7269b14789d8e615e42e3b62d59be36_teslacrypt.execuifokyfntre.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1820	2023-12-12_e7269b14789d8e615e42e3b62d59be36_teslacrypt.exe
Token: SeDebugPrivilege	1376	cuifokyfntre.exe
Token: SeIncreaseQuotaPrivilege	2124	WMIC.exe
Token: SeSecurityPrivilege	2124	WMIC.exe
Token: SeTakeOwnershipPrivilege	2124	WMIC.exe
Token: SeLoadDriverPrivilege	2124	WMIC.exe
Token: SeSystemProfilePrivilege	2124	WMIC.exe
Token: SeSystemtimePrivilege	2124	WMIC.exe
Token: SeProfSingleProcessPrivilege	2124	WMIC.exe
Token: SeIncBasePriorityPrivilege	2124	WMIC.exe
Token: SeCreatePagefilePrivilege	2124	WMIC.exe
Token: SeBackupPrivilege	2124	WMIC.exe
Token: SeRestorePrivilege	2124	WMIC.exe
Token: SeShutdownPrivilege	2124	WMIC.exe
Token: SeDebugPrivilege	2124	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2124	WMIC.exe
Token: SeRemoteShutdownPrivilege	2124	WMIC.exe
Token: SeUndockPrivilege	2124	WMIC.exe
Token: SeManageVolumePrivilege	2124	WMIC.exe
Token: 33	2124	WMIC.exe
Token: 34	2124	WMIC.exe
Token: 35	2124	WMIC.exe
Token: 36	2124	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2124	WMIC.exe
Token: SeSecurityPrivilege	2124	WMIC.exe
Token: SeTakeOwnershipPrivilege	2124	WMIC.exe
Token: SeLoadDriverPrivilege	2124	WMIC.exe
Token: SeSystemProfilePrivilege	2124	WMIC.exe
Token: SeSystemtimePrivilege	2124	WMIC.exe
Token: SeProfSingleProcessPrivilege	2124	WMIC.exe
Token: SeIncBasePriorityPrivilege	2124	WMIC.exe
Token: SeCreatePagefilePrivilege	2124	WMIC.exe
Token: SeBackupPrivilege	2124	WMIC.exe
Token: SeRestorePrivilege	2124	WMIC.exe
Token: SeShutdownPrivilege	2124	WMIC.exe
Token: SeDebugPrivilege	2124	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2124	WMIC.exe
Token: SeRemoteShutdownPrivilege	2124	WMIC.exe
Token: SeUndockPrivilege	2124	WMIC.exe
Token: SeManageVolumePrivilege	2124	WMIC.exe
Token: 33	2124	WMIC.exe
Token: 34	2124	WMIC.exe
Token: 35	2124	WMIC.exe
Token: 36	2124	WMIC.exe
Token: SeBackupPrivilege	5044	vssvc.exe
Token: SeRestorePrivilege	5044	vssvc.exe
Token: SeAuditPrivilege	5044	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2023-12-12_e7269b14789d8e615e42e3b62d59be36_teslacrypt.execuifokyfntre.exe

description	pid	process	target process
PID 1820 wrote to memory of 1376	1820	2023-12-12_e7269b14789d8e615e42e3b62d59be36_teslacrypt.exe	cuifokyfntre.exe
PID 1820 wrote to memory of 1376	1820	2023-12-12_e7269b14789d8e615e42e3b62d59be36_teslacrypt.exe	cuifokyfntre.exe
PID 1820 wrote to memory of 1376	1820	2023-12-12_e7269b14789d8e615e42e3b62d59be36_teslacrypt.exe	cuifokyfntre.exe
PID 1376 wrote to memory of 2124	1376	cuifokyfntre.exe	WMIC.exe
PID 1376 wrote to memory of 2124	1376	cuifokyfntre.exe	WMIC.exe
PID 1820 wrote to memory of 1064	1820	2023-12-12_e7269b14789d8e615e42e3b62d59be36_teslacrypt.exe	cmd.exe
PID 1820 wrote to memory of 1064	1820	2023-12-12_e7269b14789d8e615e42e3b62d59be36_teslacrypt.exe	cmd.exe
PID 1820 wrote to memory of 1064	1820	2023-12-12_e7269b14789d8e615e42e3b62d59be36_teslacrypt.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

cuifokyfntre.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	cuifokyfntre.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cuifokyfntre.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2023-12-12_e7269b14789d8e615e42e3b62d59be36_teslacrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2023-12-12_e7269b14789d8e615e42e3b62d59be36_teslacrypt.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\cuifokyfntre.exe
  C:\Windows\cuifokyfntre.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1376
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2023-1~1.EXE
  2⤵
  PID:1064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\_RECOVERY_+txpyd.html

Filesize
11KB

MD5
466f453d858dffb9d65898828a1cc04e

SHA1
012d26bd97fda306b7585a507df448156a921abd

SHA256
66b39b692f9abd7e95ae4aebc56f6e16653186ffa3ef7398c1aff838ef8d57e1

SHA512
5d0979a19032c4499e94dfff6cc689cde0154e8af6d83eced767d67a659ccd0073fc8ed28c17593176d84f231d7cf90de6aea9c0bf395b1422f41f30317c5542

Download Submit
C:\PerfLogs\_RECOVERY_+txpyd.png

Filesize
62KB

MD5
9eb53d8e246b542b3c329822c2d547bc

SHA1
3806595510c77f9b24b55b11eb1e29582e4b767b

SHA256
6be9915808793c3b828bafc86ce9acfdb2d9b038d6da3cce2d9b2733a6ff8ad8

SHA512
963de7d25edd40099fd8e2662b823c630e8763de82b05d2ac1cd8a21517991b5984c29c9f8720ccbd7ffc4878632c7587eb410a05c8452fb02dc8a7068fdd858

Download Submit
C:\PerfLogs\_RECOVERY_+txpyd.txt

Filesize
1KB

MD5
d3a5a7bc593cd0795786980194a39c86

SHA1
cd3a454188941527733e3c3ae9306a911d0745c2

SHA256
21347b7a3aed1507f51eff15a3fa749e6a74c683c0cd13b4509b41184424540c

SHA512
c5b91eaa28fe5cad7177a3105b54290bdfb19ff6b2de0f1dcc5623a898f044b61c6f597b2dfe7f6ad9f2f8cf4a512c08f1502f540c51a2e60ae31859145a7d11

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
81e94b555d7a207c91e283b4dd8ef005

SHA1
580d3d0d8b2e09428f4e2daf38679fb091ed3b6d

SHA256
62b1efc63544a8f2e88cf79dc16d29c82bbe599702a8e7f3280aa670d8791200

SHA512
6d570242afbda732a5b7372dd9dbccefba16b2c3a61ca0cb9eae97f29d001ca77b89eb495b06fddb9eb901aba7e26aac927f802a520176c6cc7a7cec33a1002c

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
accfb22be87a1ffac436fa4e00fecd18

SHA1
90ba45df215a8e98163b31d9b6af1f1ae8f366b3

SHA256
ea72b13cd9dbd3622ceb252375ea84c14183a636085991d89a2c1e46eb480041

SHA512
7375c3e9977012af32962ce641426e3670a35c674dd4637792714c29feae26c97919befc22ba3edfe8763ff51f49dcba65aaeec2f872684eff9724e8a64d1a76

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
e9481e95f378a1ce29cced408b998370

SHA1
81fdde7e1a68a0158c2109d58b01c9b3aa549e13

SHA256
4fec3e460799456cfb15667b6c63b59ffeb64d08a23f60fa1884b7f2b25cedce

SHA512
06a89244c6c537a53559f1781e24fb11125a99a4e92601f28b6157fb2f40c3e854794676c4f33da3ea2dd7ce26e68805a88e52755e935505dafc0c00b15dd262

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{805a0ef4-cd53-4028-a476-8d6a1fb45b91}\0.0.filtertrie.intermediate.txt

Filesize
28KB

MD5
fd0f9a2b218162ecf410eda4ee4323f5

SHA1
b1d7ab2f0d4dbf3638530f38aba6a45988dab0ca

SHA256
40e6c204c79170caa60ab2369e030b76bbdcb27669487afa8042bb47c8ba5f40

SHA512
4f175d0bef63985b59f29cda6d082bea2ec330d88afd7aec5843baaea440b347bf1f6cc4466b2e6f39b0a11b7158bb307894b01e11d84ecd46d4096e25a3ee60

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133471064528924950.txt

Filesize
47KB

MD5
e8156d92ceae1514be99c999039d8327

SHA1
fbfde40116839aa59f6634d6f3fa6e806045fcf6

SHA256
5897d6f213e9ca2b4da85a77e7572301d1a59f041120073bd0f860579a196e7f

SHA512
550d766f2b92792bb0a66f8780722269a628cb92423a272d04679f02c568d6577af370e7b2858f8359b6af0a6c0f77e785f4c54861b0b9c817595cfbd387552b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133471093443064509.txt

Filesize
74KB

MD5
29b463b4bd5dcbfce5ab948a60185c1c

SHA1
2a4347517badc5caefb08cebfcc93d8b62d567a3

SHA256
bb232b102e09fc9711304df2b03f082d78cdd004aed4ad7219f329b9dd46b655

SHA512
a209c679d1e2769f41506df135cf071c045ab135da1120bcb640b97afebbb1b8c69979a42634d264135aed44ebefaaa82c85c514a6f7ae0dc5ab60d9c364e584

Download Submit
C:\Windows\cuifokyfntre.exe

Filesize
256KB

MD5
e7269b14789d8e615e42e3b62d59be36

SHA1
4051f1f1ef40cfe440b280495dafd37dc2332bb9

SHA256
4e7ebafd70b51016204a8352a383a06f10d54f43a9b351ae693037dd33807078

SHA512
2a4f771ab747492af6c21a83ec40e36439c804c1885ccea3e3d9c69c20fa82f48e3f73b4fd34d0d8114c88851d295631131a3e059569bcecdd8972ebff50a12a

Download Submit