Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
10-06-2024 11:18
General
-
Target
VirusShare_3b240ca653bd5467b19e195889c07c6e.exe
-
Size
369KB
-
MD5
3b240ca653bd5467b19e195889c07c6e
-
SHA1
bfb732fd34099fb9f4467cfab185a4bf3bb28e95
-
SHA256
62aaa2a24236be5ae371e5851370f24e6261025cf4bf539b7c40bdefc6ad07e6
-
SHA512
32242830aaf7fee32d16e86da4d602640fd360f24ae309bc5391c130ca384b951ac97f9ecc1f596bd7c7b3933c589dbd87ee872b4dfd8cda62835143e04e0296
-
SSDEEP
6144:fo07Ev9jgh+J0J+l/moekR1MlvlMa0FIe03ncsCMYZx/FqDN6TETpspvQrMX1r9:ftQVG+JIe/mGzMNlMVFC3Xi/YwOi
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\_RECOVERY_+nyglg.txt
teslacrypt
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/C4B7A89301E5B2B
http://tes543berda73i48fsdfsd.keratadze.at/C4B7A89301E5B2B
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/C4B7A89301E5B2B
http://xlowfznrg4wf7dli.ONION/C4B7A89301E5B2B
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (871) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_3b240ca653bd5467b19e195889c07c6e.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_3b240ca653bd5467b19e195889c07c6e.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_3b240ca653bd5467b19e195889c07c6e.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_3b240ca653bd5467b19e195889c07c6e.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\gnvbbkdkvlca.exeC:\Windows\gnvbbkdkvlca.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\gnvbbkdkvlca.exeC:\Windows\gnvbbkdkvlca.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa9de146f8,0x7ffa9de14708,0x7ffa9de147186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,10702979059079112997,2029538212866686102,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,10702979059079112997,2029538212866686102,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,10702979059079112997,2029538212866686102,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10702979059079112997,2029538212866686102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10702979059079112997,2029538212866686102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,10702979059079112997,2029538212866686102,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,10702979059079112997,2029538212866686102,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10702979059079112997,2029538212866686102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10702979059079112997,2029538212866686102,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10702979059079112997,2029538212866686102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10702979059079112997,2029538212866686102,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\GNVBBK~1.EXE5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE3⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5bb5a9448e177bb23e05aa6f660277362
SHA1d4a4da3b0991f0951d16b32c2ccb151788b0e7e8
SHA256e83f54dbdc151484ba7ff361bc4f24a7f0f1981c0e8e1a16dc76e99fc25c80ad
SHA512e19813c7347f495323865b0716971334cba8590eceb9791fef160ec2d3f95068ff7d57efebd1faf0429bd3a46acc4f9c2451f074c45c0e5d9729540925a6b796
-
Filesize
63KB
MD5fe67b93621ed142669db51abaeeb63d4
SHA1220f93312f6d0830803ae1c9a7f4e5d534bab99f
SHA25671f2a014d51d62ca0e3c250d64afb6f28f7bb3eafcd9ade0295a046a41d6d660
SHA512acc277dcb13d4ea0f1005a1889b95d3c8da19cf711f8296b3f441f3a71e455422ee8dd8e731a6b09d71188e1688a9614a18e8f711206c62c9eb4c217d21ef300
-
Filesize
1KB
MD593935d13c8562a444c2aec15ddd2e4c5
SHA1d986488ca91aa47a39405c9b22cf52ccce30976b
SHA256caf616392229c519f5e1fe9ae4827fb7b888cbb0fb1a4cd4843b672f37cca611
SHA5126623a8d4300fe4536729da38af081be1812d9d63185cb5f3b13e78c9961ae2d314734a105efb5e63d97b7000bd0ccc18412495129e843bf13b82a4f7d58e71f1
-
Filesize
560B
MD5ffb7117cc81a00f5d903f7ff58880258
SHA14ea02607d80d1eb8550c9bc2eae6fc1737023312
SHA256e7122161f77a842a952d4852cfb9e5b3a62c7958dbef041d23873094a0eea352
SHA512136007e2dae389a2b42deeaa4fafb718046417666284a2da7fb436ff6593d1bb31a925b344244a990aa305a677576521fe362c618e87a77c79ee7398b8faaa4d
-
Filesize
560B
MD5dc66b38c299c3c4dfd5bbd948f368a77
SHA1bf22655443b678b83d407ed18038b457a1c10977
SHA256fb6a7c5092773a58da2971d25a2484e0c6538bf040749b77a8c0bcdba2da73de
SHA512a604d8e58ee23f2e6a54ef55307806f91412e7d0ec995a2fe35c881bdceba8590ebd07af99ed0ecb348cee86abd9fc89d1a3d51b84aa0d83533ccf92726ba50f
-
Filesize
416B
MD54f145a404160d59af6d77662451671b4
SHA10bf3e878455e9a71492d936a4404dd6f548d8987
SHA256b144325dd8096c6e8651343a120e29daf4ced12b2b1782f5aa8e735db906c39d
SHA512846cfb9a2abf7037f7b76ec48c08136e239d01ddcfe89ac82590eba8671ca7e413463b5310879715844006fd73e50e9bc656845a51509422d9ab27860217a716
-
Filesize
152B
MD54dc6fc5e708279a3310fe55d9c44743d
SHA1a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2
SHA256a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8
SHA5125874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13
-
Filesize
152B
MD5c9c4c494f8fba32d95ba2125f00586a3
SHA18a600205528aef7953144f1cf6f7a5115e3611de
SHA256a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b
SHA5129d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d
-
Filesize
6KB
MD580c0e7c7126f824c6f66af2def910c69
SHA14a49e4b7b8d83c283d57cc1ea21020b7b9f25e4f
SHA256fd6a2d2a2e9afd3de81c2a7b4afc719c06e935948dc981dfa66684774749f4d5
SHA512a312e3d9af4887f758a05b2c00442cb4f2e8cb659830683ca32dc5e9c3d919b5b33cecc9a50535a7b664fc3f7fbedbb0d06e2760af2bd660fa5e959cc552e462
-
Filesize
5KB
MD5ec2fc0d10ddce87ea3e937e2e64323f3
SHA106665626801812d667fb7cd3789e940ecaa1faa9
SHA2566bcbfd4e6cee8a804e63241dbc55f5e13d76bc6dab967f1ac864a40fe8b118ab
SHA512405443e941bc787a29d9a52d4656231795028b8b7bc63408c2cbf6d9efa0992781f93e467aa6d14ab7f5521735967181dbdaad4768f70501cbbb170e9bfcc9d5
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD53d1ffd95c7592767ef8f3d36b1a37845
SHA1ce0ff16120fdda8c0c88bb266e883c7cd4cdfe7b
SHA256ab8ba81e332716983c8d26854c525c810febcc0fef6ee8d2fd0d3e7038f6fc51
SHA51218ec350de1dd792fff5a6c4f56a83336b0ec6aaeb3e5dd3b66cbc90b981f51bb6d3e3c52639bda800e5cceeddc383c08bfd262684ecb93c72cce6b371c960d86
-
Filesize
75KB
MD5165e238435ef6dd5c26c8883907e4210
SHA16c89d84029ac8d56b1b02d91b06009e855f27604
SHA25680f18e2f5f73340a1624f47655112ff60369ce12f36399fcaf2f1f473abb7707
SHA512c58904afed2cdb2982798cc915afd7eabd806298684186449dbdb42072dfda37459d8938964fe012f1856eacbb865b8fb1e254788b1bca85cdfd91a88cebbcdd
-
Filesize
369KB
MD53b240ca653bd5467b19e195889c07c6e
SHA1bfb732fd34099fb9f4467cfab185a4bf3bb28e95
SHA25662aaa2a24236be5ae371e5851370f24e6261025cf4bf539b7c40bdefc6ad07e6
SHA51232242830aaf7fee32d16e86da4d602640fd360f24ae309bc5391c130ca384b951ac97f9ecc1f596bd7c7b3933c589dbd87ee872b4dfd8cda62835143e04e0296
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
1.3MB
