Analysis

  • max time kernel
    140s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-04-2024 14:20

General

  • Target

    2b67837484b900f7505d0189a2c5106d8aff81584f99ecaaf7c9ba1c374d59c1.exe

  • Size

    366KB

  • MD5

    7ed0e30f6e18ef637b3e64065d7a76bd

  • SHA1

    c95232e6dc6413fe1967bf5e280fbfbaf6080016

  • SHA256

    2b67837484b900f7505d0189a2c5106d8aff81584f99ecaaf7c9ba1c374d59c1

  • SHA512

    626a5fc54c4cbf9c747ca9cad6f544dd963153d87fdc1c28e57d7fed3d98f17c17ddf030a2f61a86ebe9528fdc5916acb54e8495df40786484a73ac36821572c

  • SSDEEP

    6144:Rul3J09D8rPjOXGzsbH9+ZbO9qX+6xSwEFjrEmXo0ptTla7RfkjCmu7:Rulo8rsHcZZJxSnrEAaZkjCmu7

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+vtdcy.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/F91E67D5D968BC8A
2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/F91E67D5D968BC8A
3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/F91E67D5D968BC8A
If for some reasons the addresses are not available, follow these steps:
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar: xlowfznrg4wf7dli.onion/F91E67D5D968BC8A
4 - Follow the instructions on the site

IMPORTANT INFORMATION
Your personal pages
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/F91E67D5D968BC8A
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/F91E67D5D968BC8A
http://yyre45dbvn2nhbefbmh.begumvelic.at/F91E67D5D968BC8A
Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/F91E67D5D968BC8A
URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/F91E67D5D968BC8A

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/F91E67D5D968BC8A

http://yyre45dbvn2nhbefbmh.begumvelic.at/F91E67D5D968BC8A

http://xlowfznrg4wf7dli.ONION/F91E67D5D968BC8A

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (408) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b67837484b900f7505d0189a2c5106d8aff81584f99ecaaf7c9ba1c374d59c1.exe
    "C:\Users\Admin\AppData\Local\Temp\2b67837484b900f7505d0189a2c5106d8aff81584f99ecaaf7c9ba1c374d59c1.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\cqffxneddfxq.exe
      C:\Windows\cqffxneddfxq.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2904
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2688
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2732
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2568 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1528
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1696
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\CQFFXN~1.EXE
        3⤵
        PID:1508
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2B6783~1.EXE
        2⤵
        • Deletes itself
        PID:2152
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2452
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:2520

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+vtdcy.html

      Filesize

      12KB

      MD5

      80fc13c8fbbb3cd900550549c702fc5e

      SHA1

      d0300e0f048e049a43c93ae7e1c4ed7b26f1346f

      SHA256

      3c05b66cc1bf7afb15fa5409f7ef6e826ccc6ce4131626f99b4f346587221c27

      SHA512

      07eaf73325c71ef47acaf7a2d287d8f0f69fc0ceb48265062f8d7561d2360347a23b61d438c5e782c8225d58de45d4dfe303fc2b5f10a563e84787433b516198

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+vtdcy.png

      Filesize

      65KB

      MD5

      b145319fab087ce71d4c2a82a450d5a0

      SHA1

      da95267388e6a7b05a0e902e0a5771f2ca26f99d

      SHA256

      62f8720381a1f2ff07b10614253962749fca47b26cc8cab7176d8dc2c798fd08

      SHA512

      ecca90bc5e7d631059b0106a74be814921bc6b6a84c2d204478a465a331f9047018bcca41469061266aac912b5b4770a699070972434a9008aba50eb08324fd7

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+vtdcy.txt

      Filesize

      1KB

      MD5

      2abd0489d791162c23766f2d0de2d7c4

      SHA1

      71f46aaf380e4f3a346c3d81fd8e533008cfb44c

      SHA256

      39ed4aca1a7c2fa73614466e728a3565226e7b6710d8c965ebbc94813f912e6a

      SHA512

      d5d88a485b641a3dca905bd91a881efcd483f95d172d04a51ab509a56d1f4ec296e0f0faf4f7251202b9a6e3d42bae79befa54363ac5bfc2536f281f00c3f0e5

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

      Filesize

      11KB

      MD5

      a91b2b6e43da9d8791b15ab3804d9edf

      SHA1

      1978f06f974a20cac1a72ff520ed1bd703139f0a

      SHA256

      6e28d8c7a0d8ffc72069b65777b3f646aa9b2d339746e6d6b996c0d18026fff8

      SHA512

      c2ac26a01c0cd7a4bdf71b7bb39633fc5c48feabbfbefde34dede414044194a40228c58f5373cabefcfde3ae9d7241b17ec5109f8770ce6a46c20e6b9a9f5dab

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

      Filesize

      109KB

      MD5

      6df75a2ed61adb15fbe3eb4e3369c75e

      SHA1

      d72c4b98085b0344f757a1fbbdc039bb90edb546

      SHA256

      e384b8af0424822021f3c01015ab23f61d257effc8b9c3c31cd7cac157ef4ccc

      SHA512

      11fd12386456743bf43461201dae2f4a4d5a9bd1d77d9038e70068ff88d9e057faf30605cadcf5ed1cf790164ba213a2f97d4a00b38d7291d57d920e47281b29

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

      Filesize

      173KB

      MD5

      eb20653be2ea24e5d4b3761abed9d141

      SHA1

      d5dcb459c70cc9b8e504872ff0d53ffa687d48a3

      SHA256

      bb90cfb5f49692076cb2f9d0acc9bbaf5c0849b5c804c5e8f4c13b20bffc9b11

      SHA512

      f29d0781edcce21dbf7a07faee4538785ced71fb8e85b90c36d5c0962676694e3499be58a1e66e41ca6593f20e4ded3313c60103b231b3cca38182ca445867cb

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\Local\Temp\Cab897E.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\Tar8E93.tmp

      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • C:\Windows\cqffxneddfxq.exe

      Filesize

      366KB

      MD5

      7ed0e30f6e18ef637b3e64065d7a76bd

      SHA1

      c95232e6dc6413fe1967bf5e280fbfbaf6080016

      SHA256

      2b67837484b900f7505d0189a2c5106d8aff81584f99ecaaf7c9ba1c374d59c1

      SHA512

      626a5fc54c4cbf9c747ca9cad6f544dd963153d87fdc1c28e57d7fed3d98f17c17ddf030a2f61a86ebe9528fdc5916acb54e8495df40786484a73ac36821572c

    • memory/2520-5956-0x00000000003A0000-0x00000000003A1000-memory.dmp

      Filesize

      4KB

    • memory/2520-5955-0x0000000000170000-0x0000000000172000-memory.dmp

      Filesize

      8KB

    • memory/2520-6444-0x00000000003A0000-0x00000000003A1000-memory.dmp

      Filesize

      4KB

    • memory/2884-2-0x00000000003E0000-0x00000000003E1000-memory.dmp

      Filesize

      4KB

    • memory/2884-9-0x0000000002530000-0x00000000025E2000-memory.dmp

      Filesize

      712KB

    • memory/2884-12-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2884-1-0x0000000000330000-0x000000000035F000-memory.dmp

      Filesize

      188KB

    • memory/2884-3-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2884-0-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2904-2571-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2904-5954-0x00000000032D0000-0x00000000032D2000-memory.dmp

      Filesize

      8KB

    • memory/2904-5585-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2904-5596-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2904-5593-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2904-6002-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2904-10-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2904-6323-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/2904-11-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB