Overview

overview

10

Static

static

3

VirusShare...49.exe

windows7-x64

10

VirusShare...49.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10-06-2024 11:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VirusShare_5092d1d7abb882028147df297432ca49.exe

  • Size

    381KB

  • MD5

    5092d1d7abb882028147df297432ca49

  • SHA1

    101d56d520a89ac973099959a317a790d7b75130

  • SHA256

    3fb80b937831aca246d838a129d4e094b8de7fc513fe14f311e1bbaf67cb8a99

  • SHA512

    aec9a4a561978251bc537675fad16818522c6cd6b8f6e5700f96ded4d0c2ba4bd50c5efc8ec5e2ab30fe56f5209e21f1af16f4fb7b599db8184266e474b7a898

  • SSDEEP

    6144:bU+DRYgAOEYI146+ziWRKrY7350PeR21AG+KpAy:l9YgaTl+ziTrY7pAxdpAy

Score
10/10
teslacryptdefense_evasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+utaqn.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6AA7C2BEEF34AD47 2. http://tes543berda73i48fsdfsd.keratadze.at/6AA7C2BEEF34AD47 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6AA7C2BEEF34AD47 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/6AA7C2BEEF34AD47 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6AA7C2BEEF34AD47 http://tes543berda73i48fsdfsd.keratadze.at/6AA7C2BEEF34AD47 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6AA7C2BEEF34AD47 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/6AA7C2BEEF34AD47
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6AA7C2BEEF34AD47

http://tes543berda73i48fsdfsd.keratadze.at/6AA7C2BEEF34AD47

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6AA7C2BEEF34AD47

http://xlowfznrg4wf7dli.ONION/6AA7C2BEEF34AD47

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

    ransomwareteslacrypt
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (386) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_5092d1d7abb882028147df297432ca49.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_5092d1d7abb882028147df297432ca49.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Windows\xpkcnkuwfvsg.exe
      C:\Windows\xpkcnkuwfvsg.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2608
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2932
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:832
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1756
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1756 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2452
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2004
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\XPKCNK~1.EXE
        3⤵
          PID:1484
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
        2⤵
        • Deletes itself
        PID:2532
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2496
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:2800

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+utaqn.html
      Filesize

      11KB

      MD5

      31f644301123115dab19c74bbe31e293

      SHA1

      536a5f3f37e211f80ba69692ae61b7e2d58d6ac6

      SHA256

      5f2d97c2509acaa584fc16176d5353f39365bc4c5df9fe4e18eb72f1b75c7229

      SHA512

      f184135b0b6dac755c3d7abd570f6e94dc9d7180109d44b24842fe5db0ba10c74381ec5018b94c1ec6f489cc6f82134e390befce23631eb130d4682a2446bcaa

      Download Submit

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+utaqn.png
      Filesize

      62KB

      MD5

      4a74971f244b2f65f5ab29d47aea41ff

      SHA1

      8f3da3da5d24ce53c75dc8274f4fedd6dfeaea43

      SHA256

      ce52b47230488754b91a8a6537d5458f175941629929502a37d520814cd1d089

      SHA512

      3454bebf9d7cdbc1f8cdfd35399768677cc620215866c9dd173c3360880f3c21bd129aed3981adb72c0202314aeda4fe70d77f9343d06d4dc0682fccd9ff14ff

      Download Submit

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+utaqn.txt
      Filesize

      1KB

      MD5

      44d4f08b21dee0603391723b45f14a6c

      SHA1

      2d334728f53c653b5573a13e190182aed17ba912

      SHA256

      f68694440cc35cba7368aef86edab6d0476297e1e510d7c9aa86031210f7af68

      SHA512

      737ad3443d362e1dd1c5547a7510c9b266ce0c64daa1b61655b869fdb5ae59635adb004ff3b13134dbf5ecd3b93f30e51ba293f28dfb7d11185c473682335a34

      Download Submit

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
      Filesize

      11KB

      MD5

      dc5348c9d16278dd5e70eed64eb2ca62

      SHA1

      8b29809c03784aa825992a3958ec85608a4ca5ec

      SHA256

      4a767f3c763bb10b6c0184f2989b6f621c473068be1955d978c1b933da509fe5

      SHA512

      1e149ea6fdc19253c0d9be637fc531dcfb1e5f67f17624b7b3ce42636a7767a16fe4133ba8144a01edc24f955a230ce4acac1bd85700f041ba87598dc8a0e0cc

      Download Submit

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
      Filesize

      109KB

      MD5

      5d137964b1f0a9bcc2e3e31c3a78874c

      SHA1

      0cc7083baf0a7a7b6401699c9f548a4db6495acf

      SHA256

      6518bfd93ef383bc335ae6620ddd3c061ef24278a8b79a7ecb77011263a2167c

      SHA512

      c2bd3e8013be68bb79caf97d4c0805be1662556a0b626fb6b6c29293c20928f8013d1fa996d82f253c8d3be7954963b5d3839de8a5738fdaf496e53e19524ca6

      Download Submit

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
      Filesize

      173KB

      MD5

      c02871ed542f3fbe123dac2d4e72571c

      SHA1

      e6d7831af5d7c4abc8424809652ad6611113fc24

      SHA256

      02bb81ef6f6786b40c017f2df36bdac1f38ca03618536a376424817730c639d0

      SHA512

      030b8256154638857c1a42414c0e500a104f524579c0cf7a9596f903a5e4018575f04affd0bcf87a1294119ce452302fd1c710b3d7e85a206bcbc35f0a9df514

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      3379c25a53ea0a48d11dab4b5d1d9182

      SHA1

      22294af80d02358823c5bff108176e6c876daa95

      SHA256

      474c8f03342568cb27ef88a617cebea5eb923259061a53e82629ba2234685985

      SHA512

      41b2bf22e165d25e4ad3b878f97ce30f22972c22db2de4bdaaaaf9770f657bc36432f58d2063ecf398f554f1b3794bbc8cb2e720cf2fe4f4c636714747fb148c

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      1ee3eb9489a36be12fc5ec31d331e5fd

      SHA1

      c1620c6d94008cc21d5e8d7486a9a31cc8e2aecd

      SHA256

      589de6b7610d9ee372b76f5609efd4a6cedfb9f1393e5ae4deb938c9a672693b

      SHA512

      04ea97e34c40595a254c7ee5acad90fe83089687fc970976fb7757451ca8922ae84563129c3208b9dee80586ea9d3942ff9fb05eaf17e657343f4e77f39c467f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      6428da4d5a8f54b12a4f2ccb3cc439cf

      SHA1

      4590604cd83e10d4539d76adff8232db6555b4b4

      SHA256

      1fd65731d6ffa64acad233aaee773efb9307ed2eccc98925caa125e64ee0265f

      SHA512

      adda9bced17c589607cdfbb3667f2de47c8c03c35043b12abb864f2ee225e9fd682e7370512b260acbe41d0708494b47607f07940432ca85604a7725e5a74600

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      85a816c147076baa3e266c95015007c4

      SHA1

      b79978fc09af7ea2c9a0f44b98516771e9127269

      SHA256

      f2e1bcf9802c6d1ccc0610b3ac7fe739a0a21d9544a18febbc117345f6eaf7d0

      SHA512

      b468ed42faee1adf4db7db4780d95dc6c9681b72639337921fa9cc269eaef329f5927c93995bcfebf9cf7c9ad1f4cb76f582d74d315ab055640a91716292e665

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      1ecd8e91dcc12a729eafda2f8fde99c3

      SHA1

      c24948e7dee5182698a94fa0c86fe1ed5968c182

      SHA256

      46131b856694e4eb80e4af69cf01bc4879a02a100e846409c3f5f3bc02963dda

      SHA512

      5d92bb7bce77f423c546c04a1196a589e3d57ce66e32df0ffb94e896bddef7963c12c0ae8d1389d89fd39b6487c83b784aed996f180804accd88a3a1aefdd8d0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      fd918ac568515097f2321d018ff07351

      SHA1

      c4440dacb76ad02deae1cc8dfa81d212b6a8efec

      SHA256

      a04116f38a495964955c340380c6e9f5745ebf6716db8916fd4bb614b67f34ad

      SHA512

      f4dd73f3e6059685dbaafa25ad7ca4de82ea2a6b414d840bf09f46512e6389dc20a9a40e11e381796c7103e512b9361ad00fad5e97391e6886bf361db7848310

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      8a3e7b26ca64473bc3cb9a063326e35e

      SHA1

      44b8b444157b0af5ae804e820370acd3f14a9f7d

      SHA256

      82f058c0e70dab30ca5c63b96c9eb71eb3e076487198a323e8172ca5b4280aa6

      SHA512

      c7de6edc65bafce2c900b7c04a98c23280699dc0b577b339c03d59c3ffbc4c6f3de134cabce5a0ec15eecd354fe79a8c42055d213d6b7bdd4e046cf8823194c3

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      212e3375ad299b1880211d2bf7ce6d10

      SHA1

      cedde9891910931fa7f2299d3cce424f264f87e3

      SHA256

      f789611b599858cad34b57029e716256f4b23224f6480fc0d1f10cc269f065b7

      SHA512

      c1ecc7ae3c3a58201af67004601f7bf387c68e1bcae852fe4e929d32c4dca914374f690296f9da43d9b74929b41f78cc945df46765d2359bc958c04a613ba382

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      a2b49b75a6e343938cd291f10b97be17

      SHA1

      0d3ef4d135c822db01de7596421f9b6ab57ac51e

      SHA256

      aafc40d0e2851ab0ed0761b26524a0820089421863bfd29b9835d1cb51ea7360

      SHA512

      bcbb40a941e98e6799bb992c72ebf5c1be85fdc6b7a7a33615610c4923feccdf34f561f16afceae84e4d75bd1778cc175131df23dcc8effc417e3ba76c4a9214

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      fa944a91656feccbe57f83b668080aff

      SHA1

      612ff51728e3470a1eb3e5aa5c336c823ed57d65

      SHA256

      ce7efeb2490be7f429ab6980a360aeecc585b00f3ab7ccf7080d1752fb137367

      SHA512

      6a09104292b9f2040b64e46ffe45bd8aa882e237920cd351562da8c306ffb7a60eea3518e6d9dc164060d1482f3dd418ec6fae042e2f74dc9abc597851a4b6d6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabEC15.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarED46.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Windows\xpkcnkuwfvsg.exe
      Filesize

      381KB

      MD5

      5092d1d7abb882028147df297432ca49

      SHA1

      101d56d520a89ac973099959a317a790d7b75130

      SHA256

      3fb80b937831aca246d838a129d4e094b8de7fc513fe14f311e1bbaf67cb8a99

      SHA512

      aec9a4a561978251bc537675fad16818522c6cd6b8f6e5700f96ded4d0c2ba4bd50c5efc8ec5e2ab30fe56f5209e21f1af16f4fb7b599db8184266e474b7a898

      Download Submit

    • memory/1308-8-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/1308-2-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1308-9-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1308-0-0x00000000004C0000-0x00000000004EE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1308-1-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2608-4109-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/2608-6306-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/2608-2419-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/2608-5092-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/2608-389-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/2608-5816-0x0000000001DF0000-0x0000000001DF2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2608-11-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/2608-5810-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/2608-1261-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/2608-6203-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/2608-3420-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/2608-10-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/2608-820-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/2608-722-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/2800-5817-0x0000000000160000-0x0000000000162000-memory.dmp

      Filesize

      8KB

      Download