teslacrypt | a45bd6e5fec24298c6453c29f5046fe9346366da194da4fc26935c5482c58734

General

Target

VirusShare_1d46f87737ca1591b52ef272100ccab2.exe
Size

352KB
MD5

1d46f87737ca1591b52ef272100ccab2
SHA1

e0a0f3c73c3829a71eaf2444d9e71977227a8799
SHA256

a45bd6e5fec24298c6453c29f5046fe9346366da194da4fc26935c5482c58734
SHA512

f5de0eaa8e55d07772f8faa0664ddc10378a630050ca8afbb0c855e066d585459b2fd59d6a3b06f466a0bbd99c2f5f5a5c2c8d52df6a0117f07ff6334a5aa332
SSDEEP

6144:QMeb/EDtpBx1aRXJub19pf3gOURaJmf+ubexB3wLaYZSzvF:QTb/wtN1aRXJg1f3gO9Jm+u2BgeYkzv

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+itefd.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4E20DE77FD92121A 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4E20DE77FD92121A 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/4E20DE77FD92121A If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/4E20DE77FD92121A 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4E20DE77FD92121A http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4E20DE77FD92121A http://yyre45dbvn2nhbefbmh.begumvelic.at/4E20DE77FD92121A Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/4E20DE77FD92121A

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/4E20DE77FD92121A

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/4E20DE77FD92121A

http://yyre45dbvn2nhbefbmh.begumvelic.at/4E20DE77FD92121A

http://xlowfznrg4wf7dli.ONION/4E20DE77FD92121A

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (879) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

uiiecmtbsmkp.exeVirusShare_1d46f87737ca1591b52ef272100ccab2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	uiiecmtbsmkp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	VirusShare_1d46f87737ca1591b52ef272100ccab2.exe

Drops startup file 6 IoCs

Processes:

uiiecmtbsmkp.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+itefd.html	uiiecmtbsmkp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+itefd.png	uiiecmtbsmkp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+itefd.txt	uiiecmtbsmkp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+itefd.html	uiiecmtbsmkp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+itefd.png	uiiecmtbsmkp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+itefd.txt	uiiecmtbsmkp.exe

Executes dropped EXE 1 IoCs

Processes:

uiiecmtbsmkp.exe

pid process

3324 uiiecmtbsmkp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

uiiecmtbsmkp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\auxnwcn = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\uiiecmtbsmkp.exe"	uiiecmtbsmkp.exe

Drops file in Program Files directory 64 IoCs

Processes:

uiiecmtbsmkp.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\_ReCoVeRy_+itefd.txt	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\WideTile.scale-125.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailWideTile.scale-125.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\_ReCoVeRy_+itefd.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\_ReCoVeRy_+itefd.html	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-100.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+itefd.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch-Dark.scale-150.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoFrameExtractor\Views\_ReCoVeRy_+itefd.txt	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-30.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\_ReCoVeRy_+itefd.txt	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_ReCoVeRy_+itefd.html	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\_ReCoVeRy_+itefd.html	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleMedTile.scale-100.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactNative\Tracing\_ReCoVeRy_+itefd.txt	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg7.jpg	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\_ReCoVeRy_+itefd.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\Reference Assemblies\_ReCoVeRy_+itefd.txt	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_scale-200.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\AttachmentPlaceholder-Light.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-300.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_altform-unplated_contrast-white.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-100_contrast-white.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+itefd.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-24_contrast-white.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\_ReCoVeRy_+itefd.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\_ReCoVeRy_+itefd.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Configuration\_ReCoVeRy_+itefd.txt	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\logo.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\en-US\_ReCoVeRy_+itefd.txt	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\de-DE\View3d\_ReCoVeRy_+itefd.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uz-Latn-UZ\View3d\_ReCoVeRy_+itefd.txt	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_ReCoVeRy_+itefd.html	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\RotateVertically.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-60.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\hand.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\_ReCoVeRy_+itefd.txt	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\loc\_ReCoVeRy_+itefd.html	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\_ReCoVeRy_+itefd.html	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\_ReCoVeRy_+itefd.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-60.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\177.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+itefd.html	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\_ReCoVeRy_+itefd.txt	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\_ReCoVeRy_+itefd.html	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\HoloAssets\_ReCoVeRy_+itefd.txt	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-200_contrast-white.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64_altform-unplated.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Wood.jpg	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\iadata\_ReCoVeRy_+itefd.txt	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailMediumTile.scale-150.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+itefd.txt	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\THMBNAIL.PNG	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_ReCoVeRy_+itefd.html	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\_ReCoVeRy_+itefd.html	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80_altform-lightunplated.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\HelpAndFeedback\BlogThumbnail.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_ReCoVeRy_+itefd.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-20_altform-unplated.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-64.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\LargeTile.scale-125.png	uiiecmtbsmkp.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\logo.png	uiiecmtbsmkp.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_1d46f87737ca1591b52ef272100ccab2.exe

description	ioc	process
File created	C:\Windows\uiiecmtbsmkp.exe	VirusShare_1d46f87737ca1591b52ef272100ccab2.exe
File opened for modification	C:\Windows\uiiecmtbsmkp.exe	VirusShare_1d46f87737ca1591b52ef272100ccab2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

uiiecmtbsmkp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings uiiecmtbsmkp.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4832 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	uiiecmtbsmkp.exe

pid	process
4832	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

uiiecmtbsmkp.exe

pid	process
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe
3324	uiiecmtbsmkp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VirusShare_1d46f87737ca1591b52ef272100ccab2.exeuiiecmtbsmkp.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4372	VirusShare_1d46f87737ca1591b52ef272100ccab2.exe
Token: SeDebugPrivilege	3324	uiiecmtbsmkp.exe
Token: SeIncreaseQuotaPrivilege	3944	WMIC.exe
Token: SeSecurityPrivilege	3944	WMIC.exe
Token: SeTakeOwnershipPrivilege	3944	WMIC.exe
Token: SeLoadDriverPrivilege	3944	WMIC.exe
Token: SeSystemProfilePrivilege	3944	WMIC.exe
Token: SeSystemtimePrivilege	3944	WMIC.exe
Token: SeProfSingleProcessPrivilege	3944	WMIC.exe
Token: SeIncBasePriorityPrivilege	3944	WMIC.exe
Token: SeCreatePagefilePrivilege	3944	WMIC.exe
Token: SeBackupPrivilege	3944	WMIC.exe
Token: SeRestorePrivilege	3944	WMIC.exe
Token: SeShutdownPrivilege	3944	WMIC.exe
Token: SeDebugPrivilege	3944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3944	WMIC.exe
Token: SeRemoteShutdownPrivilege	3944	WMIC.exe
Token: SeUndockPrivilege	3944	WMIC.exe
Token: SeManageVolumePrivilege	3944	WMIC.exe
Token: 33	3944	WMIC.exe
Token: 34	3944	WMIC.exe
Token: 35	3944	WMIC.exe
Token: 36	3944	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3944	WMIC.exe
Token: SeSecurityPrivilege	3944	WMIC.exe
Token: SeTakeOwnershipPrivilege	3944	WMIC.exe
Token: SeLoadDriverPrivilege	3944	WMIC.exe
Token: SeSystemProfilePrivilege	3944	WMIC.exe
Token: SeSystemtimePrivilege	3944	WMIC.exe
Token: SeProfSingleProcessPrivilege	3944	WMIC.exe
Token: SeIncBasePriorityPrivilege	3944	WMIC.exe
Token: SeCreatePagefilePrivilege	3944	WMIC.exe
Token: SeBackupPrivilege	3944	WMIC.exe
Token: SeRestorePrivilege	3944	WMIC.exe
Token: SeShutdownPrivilege	3944	WMIC.exe
Token: SeDebugPrivilege	3944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3944	WMIC.exe
Token: SeRemoteShutdownPrivilege	3944	WMIC.exe
Token: SeUndockPrivilege	3944	WMIC.exe
Token: SeManageVolumePrivilege	3944	WMIC.exe
Token: 33	3944	WMIC.exe
Token: 34	3944	WMIC.exe
Token: 35	3944	WMIC.exe
Token: 36	3944	WMIC.exe
Token: SeBackupPrivilege	4100	vssvc.exe
Token: SeRestorePrivilege	4100	vssvc.exe
Token: SeAuditPrivilege	4100	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1780	WMIC.exe
Token: SeSecurityPrivilege	1780	WMIC.exe
Token: SeTakeOwnershipPrivilege	1780	WMIC.exe
Token: SeLoadDriverPrivilege	1780	WMIC.exe
Token: SeSystemProfilePrivilege	1780	WMIC.exe
Token: SeSystemtimePrivilege	1780	WMIC.exe
Token: SeProfSingleProcessPrivilege	1780	WMIC.exe
Token: SeIncBasePriorityPrivilege	1780	WMIC.exe
Token: SeCreatePagefilePrivilege	1780	WMIC.exe
Token: SeBackupPrivilege	1780	WMIC.exe
Token: SeRestorePrivilege	1780	WMIC.exe
Token: SeShutdownPrivilege	1780	WMIC.exe
Token: SeDebugPrivilege	1780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1780	WMIC.exe
Token: SeRemoteShutdownPrivilege	1780	WMIC.exe
Token: SeUndockPrivilege	1780	WMIC.exe
Token: SeManageVolumePrivilege	1780	WMIC.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

VirusShare_1d46f87737ca1591b52ef272100ccab2.exeuiiecmtbsmkp.exe

description	pid	process	target process
PID 4372 wrote to memory of 3324	4372	VirusShare_1d46f87737ca1591b52ef272100ccab2.exe	uiiecmtbsmkp.exe
PID 4372 wrote to memory of 3324	4372	VirusShare_1d46f87737ca1591b52ef272100ccab2.exe	uiiecmtbsmkp.exe
PID 4372 wrote to memory of 3324	4372	VirusShare_1d46f87737ca1591b52ef272100ccab2.exe	uiiecmtbsmkp.exe
PID 4372 wrote to memory of 2256	4372	VirusShare_1d46f87737ca1591b52ef272100ccab2.exe	cmd.exe
PID 4372 wrote to memory of 2256	4372	VirusShare_1d46f87737ca1591b52ef272100ccab2.exe	cmd.exe
PID 4372 wrote to memory of 2256	4372	VirusShare_1d46f87737ca1591b52ef272100ccab2.exe	cmd.exe
PID 3324 wrote to memory of 3944	3324	uiiecmtbsmkp.exe	WMIC.exe
PID 3324 wrote to memory of 3944	3324	uiiecmtbsmkp.exe	WMIC.exe
PID 3324 wrote to memory of 4832	3324	uiiecmtbsmkp.exe	NOTEPAD.EXE
PID 3324 wrote to memory of 4832	3324	uiiecmtbsmkp.exe	NOTEPAD.EXE
PID 3324 wrote to memory of 4832	3324	uiiecmtbsmkp.exe	NOTEPAD.EXE
PID 3324 wrote to memory of 452	3324	uiiecmtbsmkp.exe	msedge.exe
PID 3324 wrote to memory of 452	3324	uiiecmtbsmkp.exe	msedge.exe
PID 3324 wrote to memory of 1780	3324	uiiecmtbsmkp.exe	WMIC.exe
PID 3324 wrote to memory of 1780	3324	uiiecmtbsmkp.exe	WMIC.exe
PID 3324 wrote to memory of 1428	3324	uiiecmtbsmkp.exe	cmd.exe
PID 3324 wrote to memory of 1428	3324	uiiecmtbsmkp.exe	cmd.exe
PID 3324 wrote to memory of 1428	3324	uiiecmtbsmkp.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

uiiecmtbsmkp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uiiecmtbsmkp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	uiiecmtbsmkp.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_1d46f87737ca1591b52ef272100ccab2.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_1d46f87737ca1591b52ef272100ccab2.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Windows\uiiecmtbsmkp.exe
  C:\Windows\uiiecmtbsmkp.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3324
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3944
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
    3⤵
    PID:452
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\UIIECM~1.EXE
    3⤵
    PID:1428
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
  2⤵
  PID:2256

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4404,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4368 /prefetch:8
1⤵
PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --field-trial-handle=3556,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=3144 /prefetch:1
1⤵
PID:1224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --field-trial-handle=4104,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4056 /prefetch:1
1⤵
PID:3780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --field-trial-handle=5216,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=5236 /prefetch:1
1⤵
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5264,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=5440 /prefetch:8
1⤵
PID:2028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5384,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=5604 /prefetch:8
1⤵
PID:3648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=5220,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=5912 /prefetch:1
1⤵
PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5620,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=5760 /prefetch:8
1⤵
PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_ReCoVeRy_+itefd.html

Filesize
12KB

MD5
efb21d06116accb4b6c7cf2b6c6730ee

SHA1
eb4d95f5cf1c3fb65adbadaadd96941ae72efc58

SHA256
95a0d4344b460a4d7d4726781e0fef4faa1fcb3f1d78f200ec800346dccbdd35

SHA512
5c83eb0b8936005eab9a091b7c4b36c576b1168c4da2e6179a150dac55dd0e393abb60b9bbce8257ec47b48c6697607044f83e87e85a30ae98e6d77eecb1a485

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+itefd.png

Filesize
64KB

MD5
e9b5dfc916d74d8a0f21bb96271ca6a1

SHA1
0650da2ff5ee196c237460a7e1dfd51551f908fc

SHA256
a3ead9e0e088000f3002acbde0bec02febe8ba9f50e07a5f6fb3ff1bfcacd626

SHA512
600da4e4285fce76fe8e2f71e8ee5a5c01dfc0317d7306a6f99551aaf3585843362b31fee4dfa240fc4da98eba9d5f0a84478e9f5b48db4b84875dafd24961fe

Download Submit
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+itefd.txt

Filesize
1KB

MD5
2f04ecca71be3bbc02bd05acee6425d4

SHA1
4e6326367cd075c994b6aca369db5aa3d309284f

SHA256
5dfe5bf1a9cb384ff704cba94eee73fde55f9b1880e21f4872166d164167f594

SHA512
d115950feee5effa93e240193ddde7c200ed048ddf575ecaf26bd87ce8c4dce39b61e70f46ff0956d9285d7872091df66fe0449479daea6760029d868a9194eb

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
0912ce30149cc6343685849b169f2f57

SHA1
1ea96df1e0846d43e46232a535700696177e78ab

SHA256
9851b5e527d8343894517d1b3c4db00522d3e63a2ca46583c91751f3f9235c62

SHA512
cfeabfec901e8a1af3031e7e65c7c17aac8bfaec97527141f3d94ddb45733b20aea8c79727b107f6636a32dcd9fdf845c08254cf705f21596886b1113a842805

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
e2dd04f71ea5ee124be38c27a9fc496b

SHA1
5bbacc8d4b467ebce30e8b59bc0bf9a4d4b8778a

SHA256
550c65e8f4871fa269c03a2a44698ef44b0141d9f49fad59c9463ee1ec6666b7

SHA512
7a880c24f31c0cda8293c4d9404c2b032840b0082b6628508f4993a3254a5db04484b72907cc7ee32670668d8071768a5d463bb8fc7259e883e59fea8d8ad876

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
34050b057839f0c640760ecc3d39e624

SHA1
24cba42875814281f6e56fe87dcd010ae56ec21e

SHA256
97fda63241d5bf89988e6fb18719c34833de1b7f058ace97be24a5a2a4a6f055

SHA512
6291e09e1a3c25472fab418b54754c87be3f146adcc0361db9c7f06fc6055c642561e454c78f080512a7c97c82e046dfd0a3eeca750352d99287108d629cd479

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449549740872.txt

Filesize
75KB

MD5
f7767ac5cc2e078569a30121e4ea438b

SHA1
6d02043cd0516c1b6299d556daac2063251586b2

SHA256
88f78d9137315c632251cf52ec2d750bd253583ec8737e3c8e57780e64d85dfb

SHA512
57a88b404cb211e94d853427a01bf8ad2e1b3e3a0a849755cb549e18b634d1703a5b6e9a65df0aa4c59116934405880961e9462324e44f063d4c4ee74d92b3fe

Download Submit
C:\Windows\uiiecmtbsmkp.exe

Filesize
352KB

MD5
1d46f87737ca1591b52ef272100ccab2

SHA1
e0a0f3c73c3829a71eaf2444d9e71977227a8799

SHA256
a45bd6e5fec24298c6453c29f5046fe9346366da194da4fc26935c5482c58734

SHA512
f5de0eaa8e55d07772f8faa0664ddc10378a630050ca8afbb0c855e066d585459b2fd59d6a3b06f466a0bbd99c2f5f5a5c2c8d52df6a0117f07ff6334a5aa332

Download Submit
memory/3324-11-0x0000000002140000-0x00000000021C6000-memory.dmp

Filesize
536KB

Download
memory/3324-663-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3324-3822-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3324-4372-0x0000000002140000-0x00000000021C6000-memory.dmp

Filesize
536KB

Download
memory/3324-7061-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3324-10501-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3324-10869-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3324-10877-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4372-1-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4372-10-0x0000000002110000-0x0000000002196000-memory.dmp

Filesize
536KB

Download
memory/4372-9-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4372-0-0x0000000002110000-0x0000000002196000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads