Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
04-04-2024 03:22
General
-
Target
220518-1mgg8seec9.exe
-
Size
360KB
-
MD5
9ce01dfbf25dfea778e57d8274675d6f
-
SHA1
1bd767beb5bc36b396ca6405748042640ad57526
-
SHA256
5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d
-
SHA512
d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b
-
SSDEEP
6144:4qZbqZToxIizLBZ6R56VkGM4ceLJ5vs5JGJceO/QCErIiuNAvwu:4qZb8oR3D6R5QHXZJy/Q50imAvB
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+fklnh.txt
teslacrypt
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/A5A3E62527059DA
http://tes543berda73i48fsdfsd.keratadze.at/A5A3E62527059DA
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/A5A3E62527059DA
http://xlowfznrg4wf7dli.ONION/A5A3E62527059DA
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (285) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\220518-1mgg8seec9.exe"C:\Users\Admin\AppData\Local\Temp\220518-1mgg8seec9.exe"1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\uwjbkwlsmhtn.exeC:\Windows\uwjbkwlsmhtn.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\220518~1.EXE2⤵
- Deletes itself
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD559ee090340894603c62889dbf42c320e
SHA156a0a286629efa772c7e6fc09d6c38e5ff3d9ec0
SHA2562c1833e690d391e5f731a73070209b68531a89992b77faf0c09f5f4885923564
SHA51281d317f1f80a56227d7a78c20d3d1681f294a67bd0c743dcfbd2e8cc42a6bf6cba7797fb9b324077bc2c234abc83dd8ec40ecb86f640299fccdc3d32f76c8742
-
Filesize
62KB
MD5c2d6a8b47c331787ae10d730c2bc9ebb
SHA13927f1e29deccff936c6d7fdb4af495408564315
SHA25634ca67015ffa6c4947fae5dc4192c68a60a93919ab31ea81e7b961f91c7bc528
SHA5123abf5cbc68476a7917abcde480d8daafc7e6607ac78093445dabceb9030616618d52e5dc58b59d23932e053b50f18aacd47575545b2537a28fb364d5afe81dc9
-
Filesize
1KB
MD5f989b67b38ff30c098ee34c6416a2fa2
SHA1dac231748b835b386cd52dda937a112ebec5b2cd
SHA256bc20506693865ee12b29babc47c68f89cb12db7b5112dfab94f608fe3a5c32d4
SHA5120ae6eb075800cff6182abafd772e4e2e1f2969afc52d9ed3c8f89eb1774696769f1ac0041f22c3685cfedec0ec131e532622ca38fd7b39f5e8555933aca65569
-
Filesize
11KB
MD549f542445e13a509a44bc1d39c940212
SHA1cdb8afff0f3118f344fecae71a865f2c83c6b924
SHA256f88451d3c41722a759df668ee70c0df366ad8c462b970de8a3bce5eae272e08d
SHA51223e5f90230f2261dcb7bfbc07a3cf7c1cb63b699411dc6d410b7abc7449e615d5447be584694fc5f6c15d2e18222cd30a95c10ff8dc4e2928b8543c2b5d94d25
-
Filesize
109KB
MD59486e338e767b8d39de0a7412f422dcf
SHA1d920a79cb283dbae7fadb48f70e03d9847720a3c
SHA2563aabfa988ab6e9111f9a37045b70ab3d64bae662ba489a6a6edf92f3c03cc209
SHA512b2095a945dd3438e91903eae666c6e50483f33a0c6e2a4db8ee7a04d8d07afd05c17ad5be0763561186119dc2bfb4c215d4157fefea33c499b6d870de18c40c8
-
Filesize
173KB
MD527013592f027794903669278dc6ea371
SHA17afbffcfb4c2ff69183d8c9f6e7aafc3c87a8ef1
SHA2563900aec353b9e1c9bce53265a40dc9f1f726187892a2d4cb2dd2b08546d182aa
SHA512976d0ba0c3ccb419e3f290d49fc7c6670fbb4b2495a8ec143c9531cf521944ba63d93caa6e0382830e3e0c79b317de3f99127bcafb09efe3cf7658194d2fa401
-
Filesize
360KB
MD59ce01dfbf25dfea778e57d8274675d6f
SHA11bd767beb5bc36b396ca6405748042640ad57526
SHA2565343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d
SHA512d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b
-
Filesize
532KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
532KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
532KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
532KB
-
Filesize
632KB
-
Filesize
632KB
