Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-12-2023 02:05

General

  • Target

    9ce01dfbf25dfea778e57d8274675d6f.exe

  • Size

    360KB

  • MD5

    9ce01dfbf25dfea778e57d8274675d6f

  • SHA1

    1bd767beb5bc36b396ca6405748042640ad57526

  • SHA256

    5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d

  • SHA512

    d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b

  • SSDEEP

    6144:4qZbqZToxIizLBZ6R56VkGM4ceLJ5vs5JGJceO/QCErIiuNAvwu:4qZb8oR3D6R5QHXZJy/Q50imAvB

Malware Config

Extracted

Path

C:\PerfLogs\_RECOVERY_+jxvtu.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/11BDC7714099EF7C 2. http://tes543berda73i48fsdfsd.keratadze.at/11BDC7714099EF7C 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/11BDC7714099EF7C If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/11BDC7714099EF7C 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/11BDC7714099EF7C http://tes543berda73i48fsdfsd.keratadze.at/11BDC7714099EF7C http://tt54rfdjhb34rfbnknaerg.milerteddy.com/11BDC7714099EF7C *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/11BDC7714099EF7C
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/11BDC7714099EF7C

http://tes543berda73i48fsdfsd.keratadze.at/11BDC7714099EF7C

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/11BDC7714099EF7C

http://xlowfznrg4wf7dli.ONION/11BDC7714099EF7C

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (885) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ce01dfbf25dfea778e57d8274675d6f.exe
    "C:\Users\Admin\AppData\Local\Temp\9ce01dfbf25dfea778e57d8274675d6f.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Windows\blwopxrmbnsx.exe
      C:\Windows\blwopxrmbnsx.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5856
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4632
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:5948
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5316
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:5360
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
          4⤵
            PID:3020
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
            4⤵
              PID:5388
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2424 /prefetch:8
              4⤵
                PID:560
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
                4⤵
                  PID:2432
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
                  4⤵
                    PID:2748
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
                    4⤵
                      PID:3832
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
                      4⤵
                        PID:4120
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
                        4⤵
                          PID:5772
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
                          4⤵
                            PID:4640
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
                            4⤵
                              PID:5520
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,468651237557083553,4801418522189337858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
                              4⤵
                                PID:304
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\BLWOPX~1.EXE
                              3⤵
                                PID:5460
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\9CE01D~1.EXE
                              2⤵
                                PID:5012
                            • C:\Windows\system32\vssvc.exe
                              C:\Windows\system32\vssvc.exe
                              1⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3756
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6ed746f8,0x7ffa6ed74708,0x7ffa6ed74718
                              1⤵
                                PID:4352
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:2552
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:4676

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

                                    Filesize

                                    560B

                                    MD5

                                    a175bacabbb58bdd2ee8b9e0c51d4719

                                    SHA1

                                    ef4bb7f490bbfe0479afb80a8b3421e7da3168fa

                                    SHA256

                                    56edbbfd263ddecf7fdb48696bf0a10de304c59ce6c6a00263aeb189ba0a85bf

                                    SHA512

                                    b03dedcea99123ba7e877119c0ac15e5e0d9e217fd92801c64bad18d0d92ecd4add7cad7b4953029ff37d5591570c45629147af53aedd5c12a10ee22bfdc0567

                                  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

                                    Filesize

                                    560B

                                    MD5

                                    d39811c5c164a2ef92e934c07177f981

                                    SHA1

                                    45165c24aabb1bf7d9decf0c33c7643a1bd1a564

                                    SHA256

                                    c90cb6a35da8e2290122839a33ad8127bab3a0433b3dabcb72810f2d53a89e52

                                    SHA512

                                    cc502cd7451c62466ca51c1e4944b08fd3ef11d2bc7ce10a786aa31b29765708f1006d0ad0a043ce453e8f767ad217b8a9aecf6b71ff8db1fee26002be798aa7

                                  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

                                    Filesize

                                    416B

                                    MD5

                                    1b370db94bed271918e4041a87b0f63b

                                    SHA1

                                    853d0b7614f1929faaa1fe58243b4d4ee58a2a65

                                    SHA256

                                    66df2e534eae652c300c34ba78c5d7a5d733b9e2f7aa29ec467f490ecc476eff

                                    SHA512

                                    3c138535d267012e6bccbfae45476d9eca0ec6248d8f66083ae53203ab5c90118a198de859b0be878d347e984518fccba336ea3f8ec7e2ffbcadaee60262dcda

                                  • C:\Windows\blwopxrmbnsx.exe

                                    Filesize

                                    360KB

                                    MD5

                                    9ce01dfbf25dfea778e57d8274675d6f

                                    SHA1

                                    1bd767beb5bc36b396ca6405748042640ad57526

                                    SHA256

                                    5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d

                                    SHA512

                                    d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b

                                  • memory/1336-0-0x0000000002270000-0x00000000022F5000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/1336-9-0x0000000000400000-0x000000000049E000-memory.dmp

                                    Filesize

                                    632KB

                                  • memory/1336-1-0x0000000000400000-0x000000000049E000-memory.dmp

                                    Filesize

                                    632KB

                                  • memory/1336-12-0x0000000002270000-0x00000000022F5000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/5856-11-0x0000000002120000-0x00000000021A5000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/5856-2520-0x0000000000400000-0x000000000049E000-memory.dmp

                                    Filesize

                                    632KB

                                  • memory/5856-5273-0x0000000000400000-0x000000000049E000-memory.dmp

                                    Filesize

                                    632KB

                                  • memory/5856-6198-0x0000000002120000-0x00000000021A5000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/5856-8658-0x0000000000400000-0x000000000049E000-memory.dmp

                                    Filesize

                                    632KB

                                  • memory/5856-10364-0x0000000000400000-0x000000000049E000-memory.dmp

                                    Filesize

                                    632KB

                                  • memory/5856-10419-0x0000000000400000-0x000000000049E000-memory.dmp

                                    Filesize

                                    632KB

                                  • memory/5856-10435-0x0000000000400000-0x000000000049E000-memory.dmp

                                    Filesize

                                    632KB