Analysis

  • max time kernel
    122s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-12-2023 02:05

General

  • Target

    9ce01dfbf25dfea778e57d8274675d6f.exe

  • Size

    360KB

  • MD5

    9ce01dfbf25dfea778e57d8274675d6f

  • SHA1

    1bd767beb5bc36b396ca6405748042640ad57526

  • SHA256

    5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d

  • SHA512

    d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b

  • SSDEEP

    6144:4qZbqZToxIizLBZ6R56VkGM4ceLJ5vs5JGJceO/QCErIiuNAvwu:4qZb8oR3D6R5QHXZJy/Q50imAvB

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+lmvcq.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES
How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E4BD5B3CC627D8D
2. http://tes543berda73i48fsdfsd.keratadze.at/E4BD5B3CC627D8D
3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E4BD5B3CC627D8D
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/E4BD5B3CC627D8D
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E4BD5B3CC627D8D
http://tes543berda73i48fsdfsd.keratadze.at/E4BD5B3CC627D8D
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E4BD5B3CC627D8D
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/E4BD5B3CC627D8D
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E4BD5B3CC627D8D

http://tes543berda73i48fsdfsd.keratadze.at/E4BD5B3CC627D8D

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E4BD5B3CC627D8D

http://xlowfznrg4wf7dli.ONION/E4BD5B3CC627D8D
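
Every mirror above ends in the same 15-character identifier; that is the per-victim ID the payment page keys on, so it is the one value worth pulling out of the note alongside the hosts. The script below is an added example, not code from the sandbox or the malware: it extracts the payment URLs, the onion host and the victim ID from the note text and checks that all mirrors agree on the ID. The note excerpt is copied (abridged) from the Ransom Note field above; the regexes, the BENIGN_HOSTS allowlist and the function names are this example's own assumptions.

```python
"""Extract the payment-page IOCs from a TeslaCrypt ransom note.

Added example, not part of the sandbox report. NOTE_EXCERPT is copied
(abridged) from the report's "Ransom Note" field; the regexes, the
BENIGN_HOSTS allowlist and the function names are this example's own.
"""
import re
from urllib.parse import urlsplit

NOTE_EXCERPT = (
    "NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your "
    "files ? All of your files were protected by a strong encryption with AES "
    "More information about the encryption keys using AES can be found here: "
    "http://en.wikipedia.org/wiki/AES ... "
    "there are a few different addresses pointing to your page below: "
    "1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E4BD5B3CC627D8D "
    "2. http://tes543berda73i48fsdfsd.keratadze.at/E4BD5B3CC627D8D "
    "3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E4BD5B3CC627D8D "
    "If for some reasons the addresses are not available, follow these steps: "
    "1. Download and install tor-browser: "
    "http://www.torproject.org/projects/torbrowser.html.en "
    "2. After a successful installation, run the browser "
    "3. Type in the address bar: xlowfznrg4wf7dli.onion/E4BD5B3CC627D8D "
    "4. Follow the instructions on the site. "
    "*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/E4BD5B3CC627D8D"
)

# Scheme-prefixed URLs, plus bare v2 onion names the note tells the victim to
# type into Tor Browser (no scheme, so the first pattern misses them).
URL_RE = re.compile(r"https?://[^\s<>\"']+")
ONION_RE = re.compile(r"(?<![\w/])([a-z2-7]{16})\.onion(/[^\s]*)?", re.IGNORECASE)

# Sites the note links for the victim's benefit, not attacker infrastructure.
# Assumption of this example: an explicit allowlist rather than a guess.
BENIGN_HOSTS = {"translate.google.com", "en.wikipedia.org", "www.torproject.org"}

VICTIM_ID_RE = re.compile(r"[0-9A-Fa-f]{8,}")


def _normalise(url: str) -> tuple:
    """Lower-case the host and drop punctuation the surrounding prose attached."""
    parts = urlsplit(url.rstrip(".,;)"))
    return parts.hostname or "", parts.path


def extract_iocs(note: str) -> dict:
    """Return payment URLs, hosts and the per-victim ID embedded in the note."""
    candidates = [m.group(0) for m in URL_RE.finditer(note)]
    candidates += ["http://" + m.group(0) for m in ONION_RE.finditer(note)]

    payment_urls = set()
    for url in candidates:
        host, path = _normalise(url)
        if not host or host in BENIGN_HOSTS:
            continue
        payment_urls.add(f"http://{host}{path}")

    # The last path segment is the victim identifier. Every mirror should carry
    # the same one; a mismatch means a mis-parse or a tampered note.
    victim_ids = set()
    for url in payment_urls:
        last = urlsplit(url).path.strip("/").split("/")[-1]
        if VICTIM_ID_RE.fullmatch(last):
            victim_ids.add(last.upper())

    hosts = {urlsplit(u).hostname for u in payment_urls}
    return {
        "payment_urls": sorted(payment_urls),
        "onion_hosts": sorted(h for h in hosts if h.endswith(".onion")),
        "clearnet_hosts": sorted(h for h in hosts if not h.endswith(".onion")),
        "victim_id": next(iter(victim_ids)) if len(victim_ids) == 1 else None,
        "victim_id_consistent": len(victim_ids) == 1,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(NOTE_EXCERPT).items():
        print(f"{key}: {value}")
```

The onion name is deduplicated by lower-casing the host, which is why the mixed-case `xlowfznrg4wf7dli.ONION` line in the note collapses onto the lower-case one; the victim ID is kept upper-case for the same reason.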

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware family that imitated CryptoLocker's ransom notes and payment flow. The developers shut the operation down in 2016 and released the master decryption key, so files encrypted by this family are recoverable with the public decryptors.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (411) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc. For a file-encrypting sample this signature usually fires because the encryption loop walks the browser profile directories, not because credentials were harvested; confirm before treating it as an infostealer indicator.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ce01dfbf25dfea778e57d8274675d6f.exe
    "C:\Users\Admin\AppData\Local\Temp\9ce01dfbf25dfea778e57d8274675d6f.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\9CE01D~1.EXE
      2⤵
      • Deletes itself
      PID:2420
    • C:\Windows\bkonjrvmguxq.exe
      C:\Windows\bkonjrvmguxq.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2880
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2648
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:748
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1320
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:112
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\BKONJR~1.EXE
        3⤵
        PID:1120
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2672
  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1320 CREDAT:275457 /prefetch:2
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    PID:616
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1288
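
The process tree above is the evidence behind the Signatures section: the dropped copy in C:\Windows started from the user's Temp directory, two WMIC shadow-copy deletions, the ransom notes opened in iexplore.exe and NOTEPAD.EXE, and the sample deleting first its original file and then the dropped copy through cmd.exe /c DEL with 8.3 short names. The block below is an added example, not the sandbox's own signature logic: it replays those process-creation records and flags each behaviour, including matching the short name 9CE01D~1.EXE back to the parent's long image name. The EVENTS list is constructed from the Processes section (the root's parent PID 1000 is invented); the rule names and heuristics are this example's own, and the vssadmin spelling of shadow-copy deletion is a generalisation the report itself does not show. Run-key persistence is deliberately not covered, since registry events are not part of the tree.

```python
"""Flag the TeslaCrypt behaviours visible in the report's process tree.

Added example, not part of the sandbox report. EVENTS is constructed from
the report's "Processes" section (the root's parent PID 1000 is invented);
rule names and heuristics are this example's own, not the sandbox's.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


T = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    ProcEvent(2364, 1000, T + r"\9ce01dfbf25dfea778e57d8274675d6f.exe",
              '"' + T + r'\9ce01dfbf25dfea778e57d8274675d6f.exe"'),
    ProcEvent(2420, 2364, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c DEL ' + T + r"\9CE01D~1.EXE"),
    ProcEvent(2880, 2364, r"C:\Windows\bkonjrvmguxq.exe", r"C:\Windows\bkonjrvmguxq.exe"),
    ProcEvent(2648, 2880, r"C:\Windows\System32\wbem\WMIC.exe",
              r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'),
    ProcEvent(748, 2880, r"C:\Windows\System32\wbem\WMIC.exe",
              r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'),
    ProcEvent(1320, 2880, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM'),
    ProcEvent(112, 2880, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
              r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT'),
    ProcEvent(1120, 2880, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\BKONJR~1.EXE'),
]

# "vssadmin delete shadows" is the other common spelling; the report shows WMIC only.
SHADOW_RE = re.compile(r"\bshadowcopy\s+delete\b|\bdelete\s+shadows\b", re.IGNORECASE)
DEL_RE = re.compile(r'/c\s+del\s+"?([^"\s]+)', re.IGNORECASE)
NOTE_RE = re.compile(r"recovery\.(?:txt|html?)\b", re.IGNORECASE)


def short_name_matches(alias: str, name: str) -> bool:
    """True if an 8.3 alias such as 9CE01D~1.EXE could refer to the long name."""
    alias, name = alias.upper(), name.upper()
    if alias == name:
        return True
    m = re.fullmatch(r"([^~.]{1,6})~\d+(\.[^.]{0,3})?", alias)
    if not m:
        return False
    stem, ext = name.rsplit(".", 1) if "." in name else (name, "")
    # 8.3 generation keeps the first six stem characters (spaces and dots
    # removed) and the first three characters of the last extension.
    return (stem.replace(" ", "").replace(".", "").startswith(m.group(1))
            and (m.group(2) or "") == ("." + ext[:3] if ext else ""))


def deletes_parent_image(cmdline: str, parent_image: str) -> bool:
    """cmd.exe /c DEL <parent's own image>: the self-removal seen twice above."""
    m = DEL_RE.search(cmdline)
    if not m:
        return False
    target, parent = PureWindowsPath(m.group(1)), PureWindowsPath(parent_image)
    return (str(target.parent).lower() == str(parent.parent).lower()
            and short_name_matches(target.name, parent.name))


def dropped_into_windows_root(image: str, parent_image: str) -> bool:
    """A binary directly in the Windows directory, started from a user profile."""
    return (str(PureWindowsPath(image).parent).lower() == r"c:\windows"
            and "\\users\\" in parent_image.lower())


def detect(events):
    """Return (rule, pid) pairs in event order."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = PureWindowsPath(e.image).name.lower()
        parent = by_pid.get(e.ppid)
        if name in {"wmic.exe", "vssadmin.exe"} and SHADOW_RE.search(e.cmdline):
            hits.append(("shadow_copy_deletion", e.pid))
        if name == "cmd.exe" and parent and deletes_parent_image(e.cmdline, parent.image):
            hits.append(("self_deletion", e.pid))
        if parent and dropped_into_windows_root(e.image, parent.image):
            hits.append(("dropped_exe_in_windows_root", e.pid))
        if name in {"notepad.exe", "iexplore.exe"} and NOTE_RE.search(e.cmdline):
            hits.append(("ransom_note_displayed", e.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:28} pid={pid}")
```

The short-name check is what keeps the self-deletion rule from being a plain string compare: the DEL target is never the long name in this tree, so a rule that only looks for the parent's image path in the child's command line would miss both deletions.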

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+lmvcq.html

      Filesize

      11KB

      MD5

      6a5147c6e2bcbdd2ea10ae22b244f045

      SHA1

      95b57342159d1099f7478c50fa126aa07f1da216

      SHA256

      0fce7c1572ddc18180b0fefbcf7259151937ece06e6ef5e99a20d02abd34d20c

      SHA512

      419708fc2085c895910a78013722ff138db6bea41af60a0f7cdbfa7843256764c3ee3f7a8204b7c0e9ac5c5e976a91a0ff30950d285c0ea30f59536a521caf02

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+lmvcq.png

      Filesize

      62KB

      MD5

      b7d9f78a9d9fbe9e03f628ac145fe458

      SHA1

      e33420ffc670fa106168afac371b759873e29706

      SHA256

      37b6ee9f2de3a8e88252525332734332a49a88d3066be4effb79e780015bc151

      SHA512

      14742e18c8379aedf0af32517194e95ab6e27d6642d187ec972ff6feffcf5478c633f8ef4a779e0b6c72fbe0c0a3e530372b6fcb5df7723fed9c8534d59dd9b2

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+lmvcq.txt

      Filesize

      1KB

      MD5

      71da64de59f6d31bdce0f149ed326c9a

      SHA1

      739ccae911112c1eae17e32fafe324a56b072927

      SHA256

      5a11cdc19ce40ad0cbf6cd847c779c6a77ea37c349683280cbdbd95c433168a0

      SHA512

      6d8063003499c324bbf87c6e8278fc333efd7b4ffb3bf622e282863a6827c1b7aac832a7abdf65ee3a71fd7174a0768289b35f1c70db3c20d5161fd21d79b430

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

      Filesize

      11KB

      MD5

      c05bf0a45ea1bd5849bacaddb37ffec8

      SHA1

      7d4aebf9d42333b2238fd33eac2b09a2ca99762b

      SHA256

      7885798d4fcc4d9830953f92f3b808ae5d1abfe9a3a1da2a9db436d932522815

      SHA512

      bd68f417de0bb5b97cc978f0b143f13e1b13117e9b53b9923bed6a5dcf1314e0eaf4e546ba120277000506b34d44857b4004e6885c9d8cfa43ec90963907e249

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

      Filesize

      109KB

      MD5

      61ca283cf1905a727c1e2d51a35f1e88

      SHA1

      1331a7d468a7a1b8e87653e6bd9bb9af750a0760

      SHA256

      ac7c1f6966bd7b929d4d7c397425e840d9541c28a523c4c326d8c2b2b7b70076

      SHA512

      69599649f0870920183913726b117ebfaf025ad533009b056a1453e36b01ab92a9cc5afbf845715f3a1ef674754cf3e294e081519cc8d37a2bef3900203b5781

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

      Filesize

      140KB

      MD5

      216cbb0c124d6f5c3551a41935effe37

      SHA1

      0e5dd322b124739135dc97e1a4987a12bb7353bc

      SHA256

      9f1f218b3e4b5babd1acfca62c6484a62fdb8375afbd77da3a7489308f1f4291

      SHA512

      3a728826361e500941eccec6cbd853a4aa1538bd520a07c23e1026fd0ad70ecf5434b9c78bd68a17a8f523b425ca7947f26735de35619ab227ffa0c7cfb3c59c

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      4cfccac9c7a6f39f3f547a911db5ee99

      SHA1

      811d39e5673e056be6c0322111486d791119ca0b

      SHA256

      d501edbf642ddc65b5031fe7acae6c3502f546bb9eecba255be4e0e7924f73f1

      SHA512

      601cb4f03f3260ac7161ba8c1b6bc4cd8e1a1fb574a4a5c89d5f976cb2dec5282a88c669c424fcfe86e60ed8c74256cad5b516598b54bfb9205dab40883db4d0

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      651e298e7196cae94b4c09638a9194ed

      SHA1

      e2ad57379621b8dd22981aa949eb5151b070d1a6

      SHA256

      70cf12fa193d0d911b9df3e3089340e3b346138e6dd7aca4ad0f8e299a8da12a

      SHA512

      b3b37c24ac50fc3f4d53517064b33a69af11a0c0a9fd837bde3828052142cbcb689c757493c546495a7680ee6ebdffda67bff144ee265c20caaef3c0117b6cbf

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      1bed9b66b6e525fb82252ad1981f4396

      SHA1

      a7dad3b07c87724232a69624e610d1f291d5b05e

      SHA256

      12cccbccbc6e8bcf41750bd3fa90d89d030a9606377f8d88f0cd43d4eee10d33

      SHA512

      c742f819d3bd8867570aab6e643dfc8ceef6efe943ed7b04704d64886bab51bbcd7916291c606bbf6322fada209d7655ea748d209ffb87c9035ee18e1d3b6385

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      3a2b85a8adae87cb2d8dc322f23f7ae7

      SHA1

      d11afeed17c1607571fac76dab411de90fda0728

      SHA256

      09e3ca9e7ca4735fb5d43a1cd804cd26b8eb683bd7e3e0ab50c21491a9b87846

      SHA512

      c7f1847236f8fe2f56ac0eb8733d30860cd979b09e42406faeec0390ea34257ac3e4319fdbe115cf83f5b910e5e7ad586017de7e22bf73ca7edb647ef8a2601d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      7a92c085c7dc40935d122d05062b24ce

      SHA1

      49bdbb511f0084e6017b2f87e0de8d29af14062e

      SHA256

      8279f62fb10c537341094f9a9c1a26f21c693684609f0bd887d82148c2791ad3

      SHA512

      1ef0918d6b1451d4884264d0f9413c8173acc5bc8a17881ea6dde0990acef6104438ae5dad645c28dcd681a7ea00b14ad9cad897d84a217bbd66a1f28ee7fbf6

    • C:\Windows\bkonjrvmguxq.exe

      Filesize

      93KB

      MD5

      3f654b994e9e92f412f47abfddd9f935

      SHA1

      95c68b423bee4b51ea55b6efc23d0c58658cd400

      SHA256

      8a344e0ba8a70d7f3b33a109615d4fd982a3ea127ce07711600f043a5ad1f7f7

      SHA512

      268b160e82669046cfe2f4274e6d2e0853e4e56add16b13c8f079a2e40ec0ba9583d04758c377195e80549c0c8225a8d5e6617b7039ab45878c2cab40d106047

    • C:\Windows\bkonjrvmguxq.exe

      Filesize

      92KB

      MD5

      d181ae93b56c9fdee21edbf4083b12d0

      SHA1

      1f4710f5d613e3a4726796d77d3e0fa5cc2e10a5

      SHA256

      8dffb59b022d096d9af71406420b59ce0dd051ccef454f1026effcc750e12aac

      SHA512

      4c25013b16f57b97a6933a9f340b2b3b5d5bf5c478f24aec2efe69f69e7fdff2ef51a4f0d6809619de991017b7f94baeb4c2640f26c8900a1fe5d465ba472e60

    • C:\Windows\bkonjrvmguxq.exe

      Filesize

      98KB

      MD5

      eff6b2a264f4d6c8c7d933dcae2a7f4c

      SHA1

      679e02f29178fc1e94655245abe2f22d5f0a1cdb

      SHA256

      ef40909e4ecd991c0bcce59f899be3ef78b17a1278de391c72cc77cd850d6bd5

      SHA512

      032309153126f67f93a73ea0334b71478c0f0195e5d4385f9a541bbcf3f15f017e908a60313d7c4f7c91e2c9bc77e88d38901891e2724632322c97606c00ab06

    • memory/1288-5926-0x00000000001A0000-0x00000000001A2000-memory.dmp

      Filesize

      8KB

    • memory/1288-6515-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

    • memory/1288-5927-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

    • memory/2364-0-0x0000000000270000-0x00000000002F5000-memory.dmp

      Filesize

      532KB

    • memory/2364-11-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

    • memory/2364-12-0x0000000000270000-0x00000000002F5000-memory.dmp

      Filesize

      532KB

    • memory/2364-1-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

    • memory/2880-5918-0x00000000002C0000-0x0000000000345000-memory.dmp

      Filesize

      532KB

    • memory/2880-5529-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

    • memory/2880-5924-0x0000000002ED0000-0x0000000002ED2000-memory.dmp

      Filesize

      8KB

    • memory/2880-5929-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

    • memory/2880-2345-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

    • memory/2880-13-0x0000000000400000-0x000000000049E000-memory.dmp

      Filesize

      632KB

    • memory/2880-14-0x00000000002C0000-0x0000000000345000-memory.dmp

      Filesize

      532KB