Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
10/06/2024, 10:23
General
-
Target
VirusShare_0633631727771a19c3593b678268e8f9.exe
-
Size
276KB
-
MD5
0633631727771a19c3593b678268e8f9
-
SHA1
2c8af799af11e03abc5face54f3943c2b3071203
-
SHA256
dd754c7e866babc27f01d9e9b3bbac680dcc3e83b8a748d39e026b871052b527
-
SHA512
f705f51b7f49f51a13c4509909b80e7eaeecf2914867b41f42dd13f655ad1e815355366cb05b9a6093c1887dae569f204b9ca7ad5761a3f1952b3cbc9b31645b
-
SSDEEP
6144:wL+ROMHXZ99JX2WngMNSYZh1r0CLf2dWsLf2EUOH9:wQ7J9PgMN7LsqEUO
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+kiuqh.txt
teslacrypt
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/E751D88A4353D3A6
http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/E751D88A4353D3A6
http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/E751D88A4353D3A6
http://xlowfznrg4wf7dli.ONION/E751D88A4353D3A6
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (867) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_0633631727771a19c3593b678268e8f9.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_0633631727771a19c3593b678268e8f9.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_0633631727771a19c3593b678268e8f9.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_0633631727771a19c3593b678268e8f9.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\xaukbhvmvfan.exeC:\Windows\xaukbhvmvfan.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\xaukbhvmvfan.exeC:\Windows\xaukbhvmvfan.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT5⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbce6f46f8,0x7ffbce6f4708,0x7ffbce6f47186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,15372878034694645776,14154857247865671368,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,15372878034694645776,14154857247865671368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,15372878034694645776,14154857247865671368,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15372878034694645776,14154857247865671368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15372878034694645776,14154857247865671368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,15372878034694645776,14154857247865671368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,15372878034694645776,14154857247865671368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15372878034694645776,14154857247865671368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15372878034694645776,14154857247865671368,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15372878034694645776,14154857247865671368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15372878034694645776,14154857247865671368,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\XAUKBH~1.EXE5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE3⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5152c9c281f678503ffc0024d03911f82
SHA1082f847d0bfd85be3841293173dcee20d2981b44
SHA256b091f451e236e8e03095aef6b4299515f34b1e9cdb30bf9c177546d0df79423f
SHA5125f411964853ae91c37372d14922176d6ede7d8724f36671c3d1f5de52750a7054bcf73b75db1adaf05e9f7e70bbf96a6ad14f18594dc3d81b988658a4bed422b
-
Filesize
65KB
MD5c84fe868abf3541c4d5af2332df5fb71
SHA11fbbdad1cf1027dabc2cb665062683b20d041fcd
SHA256d0699c2d797be413fa38e55588466c641b5ce831e3f52be73dbb686638afe0a2
SHA5125616fcc2f49c43d0235421b26745c12ba3f37c976af2b93de23e42deac62a369faa1c5123ffd0e3bb2ab9980b1192419cf8554945c2b257becafd8e34ee9d3a0
-
Filesize
1KB
MD5e2752a7e7a8830ee7918dd4eecef4aac
SHA11377fdf5978a4a1ae7fbe7ca7aa53de4a74f9735
SHA256adbd81a7f55d8c0b18fc12d7669aa5297b5f28f6fdd1576114f41e0f855aa2f2
SHA512ee705ab8ad9a7b40f2f5eb13b486a3e444d05f7ea9ed9f04af155bfd0b4c9fc4bf96dafc506ce737344a600200ad32b4e56c7b50586b4544d33d2737df06628a
-
Filesize
560B
MD579d153990bab2b719c30967106fb79b2
SHA1828bec6d6dd8ce7d5ce60c591abf6057bc2c476f
SHA256967341c187a2c660a6d086e51d41d99e0cb4786923a9c13b5f375359f69575cf
SHA51232354b729f2cf2fd8d631ec191acc825092f118980dc9349deb0caf94b4c2f7bc34c99cd01268f036ba842b3c222555cce0d4866057f5a6fafcb58b5fe8a1cf4
-
Filesize
560B
MD5f9e8405172823301bf18be86e82a90cc
SHA14777966cdad5fab856399f283b59fac26bf9856e
SHA256b1222f12a82336f579e3a62229bc368b30549ddfa440e998a81de2ffec17726d
SHA512f7b8ed0150ff3effb26a8a26db754564b29eb23f354c98db2868410712b5a106b6d2753399bdf913b3fe9591be8a9799db44e82c7f7b275a878d184c88783ce3
-
Filesize
416B
MD58ad5dcbd1909625e70225a9c94779d15
SHA19d81feb8969183a262d4bf292b12d4b5474f7401
SHA2568510f6a0e077107ad6cdf4a898488bb3d85f71a75b7845f5db55c8b37ce7709a
SHA5120430ce640f3c5479ddae93937d5f00be9fb05fcf1bc090d62de69e857a816190907f461512c2137f2e5f789cbb11104aaf622d4ea4661c54be687b87496eb739
-
Filesize
152B
MD54dc6fc5e708279a3310fe55d9c44743d
SHA1a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2
SHA256a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8
SHA5125874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13
-
Filesize
152B
MD5c9c4c494f8fba32d95ba2125f00586a3
SHA18a600205528aef7953144f1cf6f7a5115e3611de
SHA256a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b
SHA5129d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d
-
Filesize
5KB
MD574ce9f2e360ffa43acb78da176673d19
SHA127fdba92be41448c03ffdca153679d0ef164adb2
SHA25653449c30b304dbea8416ff1045aa975ad821961d638538b87398823722535e83
SHA5127dd66549b8741b3bbb3a5d2b0fa83d902127f8cb058580a6be1b964cd80aab1ff251d6141eef14e7a1e042ae87ea7e71a8fc3cebedc8a5302970e06e0195c41d
-
Filesize
6KB
MD5ea1a17fd12799c277486aeffaf149d28
SHA15609c97abf1436f5b1362cfbe9eff08fe3097bff
SHA256e72cbe5a85a38a44f532f1b1bbee2ecdfed5878de6f550343dbaa8cb4856eaa9
SHA512604ec48e748874a4ddc391d7d03b8dd060645a2b0bcddaddc8c06de3b81864b933928429da8d5932c64150c1f95c323da73541e5376e05b9fa178505e0df01ee
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD59aab464b1bd8ef9bdd138b3ec30b5514
SHA1a788080f2b1641e915e8c9318738efa4958434d2
SHA256d56d4c41dfb3bf7c8807871cce931069e4c5adb4fba3389a8d427deb2f1ec23e
SHA512f2507220f4ba0cde18a04fca48cf92411ebb1a2b5ba703a4ce8c997436d8c9a78ca7a323e0f49ddad084f2e3feb2ca2b847f9be3326bf6e230a979319aff0ded
-
Filesize
75KB
MD5663dca385278c5691fe54692607f9251
SHA16eeef13583082ab331acecba8decbccf9ec16bcb
SHA256f8a7ff372b4742b8bad6704a315451d4cee41542cf8dd50a89b77791a640985a
SHA512450461867263c3ff7d88b4fe3ec716bf8cc99329778bfcc5335ca58b6daf2e78d3efcbba22d2bbe2144920f27ef1acd205003bc4b2727e51c1f29f989daa0f39
-
Filesize
276KB
MD50633631727771a19c3593b678268e8f9
SHA12c8af799af11e03abc5face54f3943c2b3071203
SHA256dd754c7e866babc27f01d9e9b3bbac680dcc3e83b8a748d39e026b871052b527
SHA512f705f51b7f49f51a13c4509909b80e7eaeecf2914867b41f42dd13f655ad1e815355366cb05b9a6093c1887dae569f204b9ca7ad5761a3f1952b3cbc9b31645b
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
812KB
