Analysis

  • max time kernel
    160s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-02-2024 19:28

General

  • Target

    VirusShare_b774e9f49d4aa8a2a009d06a6cdb6f8a.exe

  • Size

    396KB

  • MD5

    b774e9f49d4aa8a2a009d06a6cdb6f8a

  • SHA1

    5eaf1e24c495634ecbf7c81b640d10de8a3399d2

  • SHA256

    d3aef7ccd94c55c75a19d3ac6e31ac4af1cfcdd64e77be9afc4e5c8de9301686

  • SHA512

    b1cdb65dd44aefae7933944a824faac70b1fe68267e245a3a1181deda7b8cb9016e502550cd73974b3fd85756602193d4db8a23e9f3622d0ed5c59a780b1aecf

  • SSDEEP

    6144:CT3WR0F1lDPR+bJnm/jtowhxZWVrfQwBcTMMG26uw6fyQ7Q:CT3MA+bJmy4ZKfQRMh6

Malware Config

Extracted

Path

C:\PerfLogs\Recovery+yveeg.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E55EE562ACB05372
2. http://kkd47eh4hdjshb5t.angortra.at/E55EE562ACB05372
3. http://ytrest84y5i456hghadefdsd.pontogrot.com/E55EE562ACB05372
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/E55EE562ACB05372
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E55EE562ACB05372
http://kkd47eh4hdjshb5t.angortra.at/E55EE562ACB05372
http://ytrest84y5i456hghadefdsd.pontogrot.com/E55EE562ACB05372
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/E55EE562ACB05372
URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E55EE562ACB05372

http://kkd47eh4hdjshb5t.angortra.at/E55EE562ACB05372

http://ytrest84y5i456hghadefdsd.pontogrot.com/E55EE562ACB05372

http://xlowfznrg4wf7dli.ONION/E55EE562ACB05372

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (538) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_b774e9f49d4aa8a2a009d06a6cdb6f8a.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_b774e9f49d4aa8a2a009d06a6cdb6f8a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Users\Admin\AppData\Local\Temp\VirusShare_b774e9f49d4aa8a2a009d06a6cdb6f8a.exe
      "C:\Users\Admin\AppData\Local\Temp\VirusShare_b774e9f49d4aa8a2a009d06a6cdb6f8a.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Windows\tycdmnqirukj.exe
        C:\Windows\tycdmnqirukj.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1600
        • C:\Windows\tycdmnqirukj.exe
          C:\Windows\tycdmnqirukj.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1676
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4548
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
        3⤵
          PID:4452

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\PerfLogs\Recovery+yveeg.html

      Filesize

      9KB

      MD5

      9e5fc084456f6379ea1b614a9bb95da9

      SHA1

      bc29babc057d8347805d0c1a9c1fb481be1d086e

      SHA256

      6d1b7a0dca39dd5b08f43fda116dd5c3c8a860a0ed7eca9c4e92b89a99fe3f55

      SHA512

      a52bae017de3b4271fb035720f2d98a35d8c55d91b27bd80c0b3faaf884fb3edf07e08b914df488de7ef6a016aa1419d36a9c76e4e57f49fdd1c66df023c7526

    • C:\PerfLogs\Recovery+yveeg.png

      Filesize

      63KB

      MD5

      b89fe68f7c635bf379918a25d07cc627

      SHA1

      2005e20bfaccb01d228ddf04abb4ebcb9f928640

      SHA256

      a2756ea4b79ff74d3af07f7331cd8c6bca1b82273dd5147880e654e42ef363df

      SHA512

      fe343522df60b5f47335f4d30932f37893d1c11304785701053a744e7788f7a2effbe7d157fae498ae0edf4329b8550e13f6a1a6301289c67514dd9ddab9e842

    • C:\PerfLogs\Recovery+yveeg.txt

      Filesize

      1KB

      MD5

      67307f19fad46a318180ac497e63379b

      SHA1

      24c261bffc604b47445f38160261fa427c329f7f

      SHA256

      c6bf1e00ee7610a92d213212b81839eefa50f1b867d4eb8113543a47401c6daa

      SHA512

      f49fab81c85cd3837c7f81d977ad7773a17198bfea306474903587cf0ba3895f4b059081d39243e436825c92128d02f4ad96f85275eb5abbd8ede8ca8471d013

    • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

      Filesize

      560B

      MD5

      6d037df9582ff63ba868e43a6d001066

      SHA1

      0af45dd3d5a66f3782d2db057602c53a5b7c87e6

      SHA256

      cbf544dc376c7c3d2b5d70db39b86bcd07d1b4e86770a4c2cca7ca2d68b1544d

      SHA512

      ca1ae780401254d5454fc6bc3b3ccb1ea3e0c00c2bd56187f43ecc2441cca3268ca4371bc77087696bd36ade784576c6a3619fba0f456ad1622208030ba486e0

    • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

      Filesize

      560B

      MD5

      ff0d966be77d33637ecdb51ba9ea4dd1

      SHA1

      cf34b7f426724720e527b5bc64c4985aaf0d6671

      SHA256

      0c60eaec125c42c59ced621472209477e0dc8143077c22c0c1baca7c560f8d53

      SHA512

      f80f4f2bc2d5c7f162bd97c56e09114ddac8b28c8b18a146776dc2794728bd84dc54d22d40550de8e8a7f1347b7654639fb0ef30ba3f89153b320e4e52b24bad

    • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

      Filesize

      416B

      MD5

      257a583a110e92c0fbf1ef3afd093249

      SHA1

      353ccb34078fd46be5c63552b849711e30739640

      SHA256

      77fdddc013de365434e45628870797e0cb0816c2ed79a3e81bfc65f2ad0586b8

      SHA512

      af064e3d409a6aae24677db5c9baf5203eb62ec24af20bd52678fc007889a77d8946ccbaea290463eb843be3ae6811ba4ac7b8da229a557f23ee38a29a32b921

    • C:\Windows\tycdmnqirukj.exe

      Filesize

      396KB

      MD5

      b774e9f49d4aa8a2a009d06a6cdb6f8a

      SHA1

      5eaf1e24c495634ecbf7c81b640d10de8a3399d2

      SHA256

      d3aef7ccd94c55c75a19d3ac6e31ac4af1cfcdd64e77be9afc4e5c8de9301686

      SHA512

      b1cdb65dd44aefae7933944a824faac70b1fe68267e245a3a1181deda7b8cb9016e502550cd73974b3fd85756602193d4db8a23e9f3622d0ed5c59a780b1aecf

    • memory/1456-6-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/1456-13-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/1456-5-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/1456-3-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/1456-2-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/1600-12-0x00000000007A0000-0x00000000007A3000-memory.dmp

      Filesize

      12KB

    • memory/1676-23-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/1676-316-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/1676-24-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/1676-25-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/1676-20-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/1676-19-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/1676-18-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/1676-57-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/1676-62-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/1676-2722-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/1676-606-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/1676-918-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/1676-17-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/1676-2276-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/1676-1671-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/2272-1-0x00000000007E0000-0x00000000007E3000-memory.dmp

      Filesize

      12KB

    • memory/2272-4-0x00000000007E0000-0x00000000007E3000-memory.dmp

      Filesize

      12KB

    • memory/2272-0-0x00000000007E0000-0x00000000007E3000-memory.dmp

      Filesize

      12KB