Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-03-2024 09:31

General

  • Target

    2024-03-09_658060b052dbf94206ae3b50fc61916a_teslacrypt.exe

  • Size

    255KB

  • MD5

    658060b052dbf94206ae3b50fc61916a

  • SHA1

    ca2d8283531ec56532cdc14b4cb0932f1555c5c7

  • SHA256

    6404bcfac5f3523b2f32b79360567aac98a56420c73341fae74d96b847e2c229

  • SHA512

    4d8fd98691520cd2eacdd3032c461015444d31ccf815c7635ed9ee178743548747523d275088bff613a4552609c199d42602d385721c0158575a8d09f16483c5

  • SSDEEP

    3072:ZLhtgSlZAeKoNhb64VzKHJWpLXOe/TYUAklbIlHE+Emh/KCN2NFtzK2MTRp3r:psHWp9TYURsKjmh/KCN52mX3r

Malware Config

Extracted

Path

C:\PerfLogs\_ReCoVeRy_+xrubx.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/278798DFB0B3D6A
2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/278798DFB0B3D6A
3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/278798DFB0B3D6A

If for some reasons the addresses are not available, follow these steps:
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar: xlowfznrg4wf7dli.onion/278798DFB0B3D6A
4 - Follow the instructions on the site

IMPORTANT INFORMATION
Your personal pages
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/278798DFB0B3D6A
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/278798DFB0B3D6A
http://yyre45dbvn2nhbefbmh.begumvelic.at/278798DFB0B3D6A
Your personal page Tor-Browser
xlowfznrg4wf7dli.ONION/278798DFB0B3D6A

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/278798DFB0B3D6A

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/278798DFB0B3D6A

http://yyre45dbvn2nhbefbmh.begumvelic.at/278798DFB0B3D6A

http://xlowfznrg4wf7dli.ONION/278798DFB0B3D6A

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (886) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-09_658060b052dbf94206ae3b50fc61916a_teslacrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-09_658060b052dbf94206ae3b50fc61916a_teslacrypt.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\fjtspkftopkf.exe
      C:\Windows\fjtspkftopkf.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3324
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4912
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE
      2⤵
      PID:5116
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2092
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4488 --field-trial-handle=2432,i,12161922670941700748,3348345705955601576,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4972

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\PerfLogs\_ReCoVeRy_+xrubx.html

        Filesize

        12KB

        MD5

        9a09e1ba9faff409145e7a447f2ca4cf

        SHA1

        a3f8fb39cad81ff1c93fbbfe874d63d2ec68d828

        SHA256

        9d13c921421bab9b2ca7301a6faee5b6ed9b29f0e413ec082d267e0dd226682c

        SHA512

        c0544b2f970e07e342f755e68e4f0f52907cb6f838355f1f795fe8678f1a97ce2748065a94d9963485845055e45b6a57471dcf593cab18afe13a408e9b664c1a

      • C:\PerfLogs\_ReCoVeRy_+xrubx.png

        Filesize

        65KB

        MD5

        0b1fcdcbbac3bf2dcb9a56e8bd077f71

        SHA1

        a2f0894517ca81f1ebc1bb14ef5b7901669c598b

        SHA256

        6ca1a4d9d6880c8b9224486b475f6da570fb51a3a9e103f6361efa73791413de

        SHA512

        3b684ecb67e92e449f78a04ce289b6fe483f2a714a4c7269b4f2d4aa768368d9d733299bd62fdc3e9f925f76c512eaf36280cbb224d9c50865685816b60e3741

      • C:\PerfLogs\_ReCoVeRy_+xrubx.txt

        Filesize

        1KB

        MD5

        572a94de360d8d1574bdfd641b4f646b

        SHA1

        af1f6d9a216b097bd3ade73b15dbc4a7fcd2110b

        SHA256

        4405a890d8d9747e8a73bc56dda823506822ee2fafc330b07590433fe597c125

        SHA512

        29512542064d5bc16eb5f3dd41b315919bd4469650ca1505e7846add68ed3987c1406260431432524f0466fdbfa9f5e101e7934704b834f6556aaf68c8bc1dfb

      • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

        Filesize

        560B

        MD5

        1d503028acee29e19c9184e57e1d0e24

        SHA1

        7e69e9cb1bae93f854ab94e7372b3c30a98e5e69

        SHA256

        4727f85ae917c32787599c39fbf99bf58a06af7cd4cf62562b70f47c6ea63643

        SHA512

        7e1f6eab9bb75c13fe26c5efe734288da5e54339dc16694d467cfff570ac00a8531528c8eed64444a12457dd7b237ab359b0b0525a99780ecefb5b30d89f4d66

      • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

        Filesize

        560B

        MD5

        e81ccaf520171e88df1bd5437ace264c

        SHA1

        44663bf056d8fc16df80dc0b1fa5b26ac914ab60

        SHA256

        416e79ede57481f8fa489517d7e134d3faeac7d77c686357321bec2896bba421

        SHA512

        dee53fe1843ba5285670a525dc80092bf728a47f2250f75e63750279c956a677accbe4774691102755fee26fc5ac94af246d653a17f37ba59529362c52cb35ca

      • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

        Filesize

        416B

        MD5

        29023e6e6f36eff00ee89e2eca52b35d

        SHA1

        b30e36d5d5f79d593dd755b595f42d738c03896a

        SHA256

        99870ffcc48b6642985c7e56557f03bbaf6f71bdc32cb8b741e3be1ec931424c

        SHA512

        ec854f7290079652f29781d297898632e504a43d63d48c92687b15b74d2a19073bc5cf2f8ca8663a12d515d0ed181d351bc98a7555815459059d06795d18b5bd

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133534366667442856.txt

        Filesize

        74KB

        MD5

        2cb8495671918d9b3daf2c5cc7ebf22c

        SHA1

        7d0c3ba5c70a1f3b6cce542a5650a7cd932e7f2c

        SHA256

        b070ee093e63817de078c2158c9206f423c3e0cec7ae56f5054e657e5dad2508

        SHA512

        8a78eabe0019dc1c3542731717fba57feff114351a92a39b349379961b69adde39f8ed5252a56038ba0649b3a9ef6747f80f44ab127d05f0d767862cbdf455fa

      • C:\Windows\fjtspkftopkf.exe

        Filesize

        255KB

        MD5

        658060b052dbf94206ae3b50fc61916a

        SHA1

        ca2d8283531ec56532cdc14b4cb0932f1555c5c7

        SHA256

        6404bcfac5f3523b2f32b79360567aac98a56420c73341fae74d96b847e2c229

        SHA512

        4d8fd98691520cd2eacdd3032c461015444d31ccf815c7635ed9ee178743548747523d275088bff613a4552609c199d42602d385721c0158575a8d09f16483c5