Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
10-06-2024 10:24
General
-
Target
VirusShare_09b500283366eafb809963ae3341e9c0.exe
-
Size
336KB
-
MD5
09b500283366eafb809963ae3341e9c0
-
SHA1
628610489c41e78617f4e51d0d0143a07b245f85
-
SHA256
8506824ad4a9aabf540bbf58741412448178b846e540fbbfdf2a4e48acfe46da
-
SHA512
7ecb3ed388e2866cbb0331d50d910ce3810f8b9bc1ece963e2cc67c5eaff017d2109e7ccb9d022b8960f78cca243c36bbdb29e0f78fdfc32a78cf2daea6ea796
-
SSDEEP
6144:r1w0U6D6x4kyjf+g0uc2RTqWmx7Ikw9NShXvSmk2OpXaP/EBySkQ4:ri0Uu6ikyjcuk5y0hXaxpKkB
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\Recovery+oaocn.txt
teslacrypt
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/FB64F52CF0EB942
http://tes543berda73i48fsdfsd.keratadze.at/FB64F52CF0EB942
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/FB64F52CF0EB942
http://xlowfznrg4wf7dli.ONION/FB64F52CF0EB942
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (880) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_09b500283366eafb809963ae3341e9c0.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_09b500283366eafb809963ae3341e9c0.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_09b500283366eafb809963ae3341e9c0.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_09b500283366eafb809963ae3341e9c0.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\pjjsimvudcyr.exeC:\Windows\pjjsimvudcyr.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\pjjsimvudcyr.exeC:\Windows\pjjsimvudcyr.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc9c546f8,0x7ffcc9c54708,0x7ffcc9c547186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,13286983057302333930,15112226672407444832,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,13286983057302333930,15112226672407444832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,13286983057302333930,15112226672407444832,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,13286983057302333930,15112226672407444832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,13286983057302333930,15112226672407444832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,13286983057302333930,15112226672407444832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,13286983057302333930,15112226672407444832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,13286983057302333930,15112226672407444832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,13286983057302333930,15112226672407444832,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,13286983057302333930,15112226672407444832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,13286983057302333930,15112226672407444832,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\PJJSIM~1.EXE5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE3⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD58b79c99723d2ee785bbc5106f92f076e
SHA19c7531e100b1cf87f334767f70dfdf91201b4281
SHA256a257125ee2eae4d9304d2681666ed35fd3530999e5d9cb33663eec8abdcff53b
SHA51282886f844273e603ef7313df7996364a2c02ef9df3f65769eb630d2efab31b6e7bbe974f1e9b036096c18d7bae5709bdae0474a6ee427595ae83ab3001fad45f
-
Filesize
62KB
MD5d97ab6613bd0fe6dde96c48d9bee46c3
SHA1b0a6f9c8e077c2dfc4f901c8573dfb7cd7bd7e0a
SHA2566208764fe47159739a48bca2d6bee281334eccb1ce0ee09d517f54c7902959dd
SHA51222c9a401ca01fd942aed6a0f812e7775ae26b4b3b8d62651827b71f39301cc9fe12a4f84c4ea0858b0b23a0f40f84879a15162f16ee345d54a252142c14de239
-
Filesize
1KB
MD509d2e6f67a58efd2a1cf4ee6e293f977
SHA1bb128aecd6af8306ae402c3ece40876f7bd808bf
SHA256e69d6cf8bae319ef372363084015121d85652c8ffc95612a4d9d3c90995e9c08
SHA512b0ceffa4d9e24496e743862c7467dee6175fb3cfa1c84002ff2e5cedf85712196046e3fcc24753e1e810bb457b3d6c7ba0c8e4a8a06156b4fda9313272e026dd
-
Filesize
560B
MD5164590ffc8153bf8c7867849cbf5675c
SHA174875db923a7a6952b1fc326b1c4354bf93555cb
SHA256502e0b635746b32e7f33b33290864178114e240c36802c4c6e5b462399f66934
SHA512c42e0220eb7278b4437e9487616dd032ecf36158ba16518bb054bf4224b4ce71359de3752b246a649d62074e34ece257c08ba64b15453eddfcf9a8bc22918bd7
-
Filesize
560B
MD5077684955e2cf245a44fcef0b9170593
SHA1d6ab0fef578c51576ada925604c555fb33485c06
SHA2564a9618cdee9d672492b520bc9e048dd21709aba95d8d09f3e45ca93d9428855b
SHA5122480a7290675902ad9996befd09fe3105a2afe3733251242b014c806d97cf56d268efc505ee69207c0f9575bef42c19910f2b2c076e11a401a82ae585adcab6f
-
Filesize
416B
MD5d17008778a557d9eaecaf7bfc0c3d7e2
SHA1dd415580374071aafd3b34e85251d8fe019ed3dd
SHA256cd36c36d8a17776818e657730acffa393a9a630f71f10b3dbe60d9816d9d8d91
SHA512a0cbb8dab41699e2d33bfdabfe45bc679776a61d1708a816b256b022ae703a8075a69c5e97dfc1119b51078b57e0e688033eb83e668f6a1e4eaf8d8c54ea74e3
-
Filesize
152B
MD5eaa3db555ab5bc0cb364826204aad3f0
SHA1a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca
SHA256ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b
SHA512e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4
-
Filesize
152B
MD54b4f91fa1b362ba5341ecb2836438dea
SHA19561f5aabed742404d455da735259a2c6781fa07
SHA256d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c
SHA512fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac
-
Filesize
6KB
MD56487794b3e220740255635134525bb9d
SHA19a42262da79e22dbec169adbbff57da0f9959390
SHA2569723a1cd9d2459ac65054097005a0f384ec05b4a1549097b4ad0d14d9c8525e0
SHA512fa1d78d98041194be3627fd8f8d1211ec7ba115064a41b7e38bdf569422f8668c377ca283ab1654651867b0b516e1374fd05cae964d6fa2c676b17915827deb6
-
Filesize
5KB
MD52cd41db03a9502ae7f233ed3c377f00e
SHA1eb4d1b2565620e91d31a4f0137fc7f0238f79a2b
SHA256e62308e5dc780fcc7eff4f251f1ea76940bc719562659ae99153befa1c914fd2
SHA5122037db9c7e1078902bc31e5e693a86a08cd10f46ebd363bfa74370332225713e98f2b5aa56bc6ce9dbdbce159783418fa316fa0ef85e2895bd30cc06e43106c6
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
11KB
MD57b15fd47d7c8b93e21354882999d6b96
SHA166b9d3ba41e9d4070af071dd1d2a52a1754b58de
SHA25650862c298a6977f35c0e9ce6aea343c28be50a31997d65263909185ae8d69104
SHA5125ef53962deb3d10935e44d73f5bfe2ba8bb80e902e7e7d5cfeff712d94ddbfa7542302addd3e5563da39baaa1a8eaeea140b0a50728512dcd7bcb035004da1d5
-
Filesize
47KB
MD5f88c5f48302a88b25920fd5721a99258
SHA1810ebf175cf2e9fdb19d1f5a97ca34eacf0350bb
SHA256bbacfe69c5ed0db8acffcfb6de4b05ac1082506e28f2362c8e316e6d8966b2e3
SHA5124f0954cb7da60f30cb2b37c15d65e01d31b765864695074794eae40d6fca090e18d91697425757702e6ae6f8a987f95756b37e5aac762054f37ee19589de0b19
-
Filesize
75KB
MD50e0f03b5d8db48503518ee75de6ce3d6
SHA1b841fc23b6c53db6e79337ab9d13ec7b896e8a69
SHA2563279ada4a641760484fb9bf56d43e6a1c37236559ed8099ac8cdc04483b1e4bc
SHA512fa024d49635ae1948b42bb47f3acfd4d9299fd2fed96e0ad65d28e410dfa689692ea3a8786610a15ca65fbd7dcff34dd1e29bce7c201e08948c6e260b570dab8
-
Filesize
336KB
MD509b500283366eafb809963ae3341e9c0
SHA1628610489c41e78617f4e51d0d0143a07b245f85
SHA2568506824ad4a9aabf540bbf58741412448178b846e540fbbfdf2a4e48acfe46da
SHA5127ecb3ed388e2866cbb0331d50d910ce3810f8b9bc1ece963e2cc67c5eaff017d2109e7ccb9d022b8960f78cca243c36bbdb29e0f78fdfc32a78cf2daea6ea796
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
3.3MB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
