Overview

overview

10

Static

static

3

VirusShare...bb.exe

windows7-x64

10

VirusShare...bb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10-06-2024 11:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VirusShare_52aa7e36c5636d8071e21deac876dcbb.exe

  • Size

    352KB

  • MD5

    52aa7e36c5636d8071e21deac876dcbb

  • SHA1

    52e97285ecdb7de4d7130e68ccd894f228f6090d

  • SHA256

    d50b6e077e629c2e0f8bb36e85df27977643a472277f254167aef19f8525fd01

  • SHA512

    79cbd1bdf4de7a10020442402e837948df5ca99ab6cf5eefa659eccb4f629a7126b3ee2a8fd23fa6fd1fc8b96faa2afca65255639ea7816563cbaa157c521e66

  • SSDEEP

    6144:IMeb/EDtpBx1aRXJub19pf3gOURaJmf+ubexB3wLaYZSzvF:ITb/wtN1aRXJg1f3gO9Jm+u2BgeYkzv

Score
10/10
teslacryptdefense_evasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ikasw.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/284EB5CCB71755A3 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/284EB5CCB71755A3 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/284EB5CCB71755A3 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/284EB5CCB71755A3 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/284EB5CCB71755A3 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/284EB5CCB71755A3 http://yyre45dbvn2nhbefbmh.begumvelic.at/284EB5CCB71755A3 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/284EB5CCB71755A3
URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/284EB5CCB71755A3

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/284EB5CCB71755A3

http://yyre45dbvn2nhbefbmh.begumvelic.at/284EB5CCB71755A3

http://xlowfznrg4wf7dli.ONION/284EB5CCB71755A3

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

    ransomwareteslacrypt
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (393) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_52aa7e36c5636d8071e21deac876dcbb.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_52aa7e36c5636d8071e21deac876dcbb.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Windows\mlyfyqgaiawr.exe
      C:\Windows\mlyfyqgaiawr.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3012
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2608
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2904
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2688 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2100
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2524
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MLYFYQ~1.EXE
        3⤵
          PID:1712
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
        2⤵
        • Deletes itself
        PID:2848
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2364
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:2440

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ikasw.html
      Filesize

      12KB

      MD5

      f0899e3d94437824c536b88b9caf49fc

      SHA1

      6ed3b3fba7cc01ae9111665a36e1f0978dd93d29

      SHA256

      4c561e5ddabbfadd22ff3875f0a0793e01b04ab9b444abac8ebfff2282314680

      SHA512

      8d65b2d24c1484cc17de73199d59836a97d7899f3d94ee9328a9dd760e9539c66943e9b3da300cfb03d7cb873862d2f425e6dc16bd2eb39ec2b2f16f1cd034dc

      Download Submit

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ikasw.png
      Filesize

      65KB

      MD5

      e951185d09bfa0fdcd16a1591e8dfbb8

      SHA1

      5bd55247b2801a1711e18c4adf7fec134c6e5b44

      SHA256

      85355dd1ded9c620f7a90ce21955a75d5f4f4fbd321fe1a5eceb2de78c1fe90d

      SHA512

      9ed167f60f09da859ecdbd573fbcbd22c52141c95b9e2699870b30e272405d22a730d2b6052a751d2cb30cfe6e8ec28a3b11b43f2fc9b9faac55fd3b1d86ecf0

      Download Submit

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ikasw.txt
      Filesize

      1KB

      MD5

      9b42c3a7bdeb3622006c890d5f35f664

      SHA1

      7067b047ebab0a492e349ed6d4b96559103a484e

      SHA256

      fc56a185c2311102ba0e8f88839c75144018f6fd010689a2f525076fdd4989e2

      SHA512

      b34eaf01a0404cecac928efd5124c8033fde8e6f10be4cb57f14fd1f702d6cacf5ec67a66e6866c80be66b37c49179eee31493dfb61016168f142e170bccc0aa

      Download Submit

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
      Filesize

      11KB

      MD5

      57807c9c65a7a7d461335956f7470766

      SHA1

      ab7c2c4eadcc36610eb90362358f39b8205188f5

      SHA256

      ba6e3b98a92a376ea22734d0f9f85c7e08667549e07ae497f7f2fae2f50a5994

      SHA512

      e359c248f97e94c9edaa3bfdf06351f91b797bc2a9b9daf72f918656d8683a2b283bbad9bc9088c59d71779315aca708f09d90d637a02f7a618cc66c5b9ea1fa

      Download Submit

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
      Filesize

      109KB

      MD5

      184be399756619789f99655be51145a1

      SHA1

      ba7b98aa37a96d5d8bd1cb87b15422498044ebb5

      SHA256

      0cf6cbb49f26246d7defa2d209a19e7e7a011853b9e5da27963bf96cd0bba24c

      SHA512

      fc065f6f7056806347ed55fa30d4790ae36f7b9f9ee66ba35f498cd66db6fedcbee4cc69c1edcf9a52d41ee37ebac4e660b4407047a91021e3754589760f8e86

      Download Submit

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
      Filesize

      173KB

      MD5

      af4969c47bd743f481720553aa98c142

      SHA1

      fc42aaaa350365d41b1125a4488ac6eb5ea42e79

      SHA256

      1ac3d76488af21721cea12125ec1524c504cd76f4fa0466c7e955fb1ee66f526

      SHA512

      d0ca5b5fb9e740b89501eb79c80574969981c740662cd7f05580916fd8aa60bb0f90ffc0bb232081aba642259b73f6f99747c8c2bc6fe8d3c0325a4d406a0892

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      5f39fe4b36e9bfe425e4dc75077ada3a

      SHA1

      38fbf61a00b5ee77683a5f5cc9e14e823d0f7b4e

      SHA256

      08f46f6668a96591ae4efc61fea90b9e0ae0e5899e3a8c662a25c1f37b4a2828

      SHA512

      cd7e6a693b4b9774e3f5a686bc117e9df289b04ac6cecf3b439ff042c624f5b1149e09fa75c1895587dbc2716175d322b596e6d14fecd5259866ee4e33d5f389

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      e15e39d4d1156f750cf8e2eb3a58bae4

      SHA1

      5564314c9d9f4c913c45f1dafa82aa623418fe6c

      SHA256

      68b40acef7e62ab995e241f506cb673722479b701106a0d5e34c30b32fef7860

      SHA512

      0c68da3e8b077b878ff390455ebbc8757f2db00582fac0ca2c5a6801377c890eb377aa5fcc6c78206b28aa67d88748721d1d4dcb2cde8c6bd656b05c007f240f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      588faefa38c328f7c87b3fc6cf7ddd30

      SHA1

      59dce153c850754c6b52d76c7b55199ad74bc149

      SHA256

      4c6103a49a6f53902df8bea2776d6118190b1cc30b2203c9575e8d278197179e

      SHA512

      fbb769aa026f89317a96847c5006293be4730242afc7da61deaf718c69b5ddc025f6523caf37efddf0bddcc21f415653f61193c127fe2833ed9a1b795c43e811

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      49e47baa8bd75ba36e65bd95dfd373ee

      SHA1

      dbcad76769494381feb0a70bf77c1e1c5f8fba08

      SHA256

      7f9ea39c38670d94be12ccac73d7dcfd9bc3c052055279f9a9cf7ea60d8a03d4

      SHA512

      e6102f80c73e445e38204e5b2bb3e068eb72c2df2f9c171346240416ba5ea7cffc7d315b36a438f53e112f90c0438c21d58f80c496f84a94119893fc9b0a80ab

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      838fa13f09c5896b341f73d632cb108c

      SHA1

      ff31c5f9cabf65d65abac7b9a9e8ece9fcfa9437

      SHA256

      0b6ba25d7419ddf235619a7efec40aa9046d0e040784e80f54192908b33f13d4

      SHA512

      b67fda641a361fad68e992d3af94e383b838880ed56d757a661a625087298f4724267c5492c76be9f7ed17c92d5f3ce19758245e34197aacc114b74631aa4d0f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      041366f9c86ef3a78498c91ce27b90a0

      SHA1

      c4839b58b3ba8e7fe206ba0e2c4538333eb87bf5

      SHA256

      2d9023ed529771f087ce4fd01b7129f958156e0e5e026091ac9f0eef8152886b

      SHA512

      4c62ed976f0c0488b617b34d2867bec2cfdf865df74dc539bf9d83ff6f05a003e2af962d1ecba3a9107c7e28954bfd5782ea99e1923419f9bad1ffa5ebf92643

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      70b8718667690b2caade599ce9b1d528

      SHA1

      d4b090d8ef02fec435ccb34734fb99f271c6c9c9

      SHA256

      3c99996554ff80d5c2d242e1d4d8dde4e97598c98440330f830f03bea03f8d86

      SHA512

      96093f160405db353dc1bf6fc3b00f34275e26d639e3520972de1089cf6435366073595ac3deb43244ada98c677de0eaabaf0bd384fd38d85e065c923ddb38e3

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      fa2df340a5392a851e4dad57b29efb9b

      SHA1

      5fbe9ba7a36992a4e96ea2b06f9a1ce9544178d0

      SHA256

      c8ae2712484b277e549f88c831b7a09f4b7c3601dd74dd06551c4487370d00ea

      SHA512

      92f364d4a431e0dba9007981913058ad4f421780d0214038f39420aa464e9a9dbe9a0800af9c8c8627d0499ca40096703748a0f3d5aa9b91baddf4aa2c4b627c

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      81a71924ac71ed5b2eeb5f78bcec5ae3

      SHA1

      ad9923021d60b4d71f0b27aba165ab767c4c722a

      SHA256

      50fdb1537a608104f5da823d31d34ac9a0b69d7187ad529065b2eb0ddbbacf7a

      SHA512

      d42801c6dcba64aac0130f553567607721bfd76a43a5e43aac9af115e6f5654d8092bb1914af111e50a7700b217f374086754af791f6e87e32c2dd23b78e9315

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab743.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab811.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar836.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Windows\mlyfyqgaiawr.exe
      Filesize

      352KB

      MD5

      52aa7e36c5636d8071e21deac876dcbb

      SHA1

      52e97285ecdb7de4d7130e68ccd894f228f6090d

      SHA256

      d50b6e077e629c2e0f8bb36e85df27977643a472277f254167aef19f8525fd01

      SHA512

      79cbd1bdf4de7a10020442402e837948df5ca99ab6cf5eefa659eccb4f629a7126b3ee2a8fd23fa6fd1fc8b96faa2afca65255639ea7816563cbaa157c521e66

      Download Submit

    • memory/2440-5845-0x0000000000160000-0x0000000000162000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2772-0-0x0000000000700000-0x0000000000786000-memory.dmp

      Filesize

      536KB

      Download

    • memory/2772-2-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2772-12-0x0000000000700000-0x0000000000786000-memory.dmp

      Filesize

      536KB

      Download

    • memory/2772-11-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3012-5844-0x00000000028D0000-0x00000000028D2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3012-14-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3012-1393-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3012-5847-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3012-817-0x0000000000710000-0x0000000000796000-memory.dmp

      Filesize

      536KB

      Download

    • memory/3012-723-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3012-358-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3012-2214-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3012-13-0x0000000000710000-0x0000000000796000-memory.dmp

      Filesize

      536KB

      Download

    • memory/3012-3125-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3012-5791-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3012-4969-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3012-4052-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3012-6331-0x0000000000400000-0x000000000049C000-memory.dmp

      Filesize

      624KB

      Download