teslacrypt | d50b6e077e629c2e0f8bb36e85df27977643a472277f254167aef19f8525fd01

General

Target

VirusShare_52aa7e36c5636d8071e21deac876dcbb.exe
Size

352KB
MD5

52aa7e36c5636d8071e21deac876dcbb
SHA1

52e97285ecdb7de4d7130e68ccd894f228f6090d
SHA256

d50b6e077e629c2e0f8bb36e85df27977643a472277f254167aef19f8525fd01
SHA512

79cbd1bdf4de7a10020442402e837948df5ca99ab6cf5eefa659eccb4f629a7126b3ee2a8fd23fa6fd1fc8b96faa2afca65255639ea7816563cbaa157c521e66
SSDEEP

6144:IMeb/EDtpBx1aRXJub19pf3gOURaJmf+ubexB3wLaYZSzvF:ITb/wtN1aRXJg1f3gO9Jm+u2BgeYkzv

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\PerfLogs\_ReCoVeRy_+hwmhd.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9E203A9BA4BBEBE8 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9E203A9BA4BBEBE8 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/9E203A9BA4BBEBE8 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/9E203A9BA4BBEBE8 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9E203A9BA4BBEBE8 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9E203A9BA4BBEBE8 http://yyre45dbvn2nhbefbmh.begumvelic.at/9E203A9BA4BBEBE8 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/9E203A9BA4BBEBE8

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9E203A9BA4BBEBE8

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9E203A9BA4BBEBE8

http://yyre45dbvn2nhbefbmh.begumvelic.at/9E203A9BA4BBEBE8

http://xlowfznrg4wf7dli.ONION/9E203A9BA4BBEBE8

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (357) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VirusShare_52aa7e36c5636d8071e21deac876dcbb.exelsrdwmepmkyp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	VirusShare_52aa7e36c5636d8071e21deac876dcbb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	lsrdwmepmkyp.exe

Executes dropped EXE 1 IoCs

Processes:

lsrdwmepmkyp.exe

pid process

3344 lsrdwmepmkyp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

lsrdwmepmkyp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\auhfyjf = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\lsrdwmepmkyp.exe"	lsrdwmepmkyp.exe

Drops file in Program Files directory 64 IoCs

Processes:

lsrdwmepmkyp.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\_ReCoVeRy_+hwmhd.png	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\dotnet\swidtag\_ReCoVeRy_+hwmhd.png	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jmc.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\_ReCoVeRy_+hwmhd.png	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\dotnet\_ReCoVeRy_+hwmhd.html	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\cmm\_ReCoVeRy_+hwmhd.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\_ReCoVeRy_+hwmhd.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\_ReCoVeRy_+hwmhd.png	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\_ReCoVeRy_+hwmhd.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\_ReCoVeRy_+hwmhd.html	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\_ReCoVeRy_+hwmhd.png	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\_ReCoVeRy_+hwmhd.png	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Google\Chrome\_ReCoVeRy_+hwmhd.html	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\_ReCoVeRy_+hwmhd.png	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\_ReCoVeRy_+hwmhd.png	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\_ReCoVeRy_+hwmhd.png	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\_ReCoVeRy_+hwmhd.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\_ReCoVeRy_+hwmhd.html	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\MeasureStop.crw	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\_ReCoVeRy_+hwmhd.png	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\_ReCoVeRy_+hwmhd.html	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\_ReCoVeRy_+hwmhd.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lv.pak	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\_ReCoVeRy_+hwmhd.html	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\_ReCoVeRy_+hwmhd.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\_ReCoVeRy_+hwmhd.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\_ReCoVeRy_+hwmhd.html	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\_ReCoVeRy_+hwmhd.html	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\_ReCoVeRy_+hwmhd.html	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\_ReCoVeRy_+hwmhd.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\_ReCoVeRy_+hwmhd.png	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office15\_ReCoVeRy_+hwmhd.html	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\_ReCoVeRy_+hwmhd.png	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\_ReCoVeRy_+hwmhd.png	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Google\_ReCoVeRy_+hwmhd.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\_ReCoVeRy_+hwmhd.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\_ReCoVeRy_+hwmhd.html	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\_ReCoVeRy_+hwmhd.png	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-80.png	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\_ReCoVeRy_+hwmhd.html	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sw.pak	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\_ReCoVeRy_+hwmhd.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-80.png	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\_ReCoVeRy_+hwmhd.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-TW.pak	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\_ReCoVeRy_+hwmhd.png	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\_ReCoVeRy_+hwmhd.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\_ReCoVeRy_+hwmhd.png	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\_ReCoVeRy_+hwmhd.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\_ReCoVeRy_+hwmhd.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\_ReCoVeRy_+hwmhd.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\_ReCoVeRy_+hwmhd.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Common Files\System\ado\_ReCoVeRy_+hwmhd.html	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\_ReCoVeRy_+hwmhd.html	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\_ReCoVeRy_+hwmhd.html	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\plugin2\_ReCoVeRy_+hwmhd.txt	lsrdwmepmkyp.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-100.png	lsrdwmepmkyp.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_52aa7e36c5636d8071e21deac876dcbb.exe

description	ioc	process
File created	C:\Windows\lsrdwmepmkyp.exe	VirusShare_52aa7e36c5636d8071e21deac876dcbb.exe
File opened for modification	C:\Windows\lsrdwmepmkyp.exe	VirusShare_52aa7e36c5636d8071e21deac876dcbb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

lsrdwmepmkyp.exe

pid	process
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe
3344	lsrdwmepmkyp.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

VirusShare_52aa7e36c5636d8071e21deac876dcbb.exelsrdwmepmkyp.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1260	VirusShare_52aa7e36c5636d8071e21deac876dcbb.exe
Token: SeDebugPrivilege	3344	lsrdwmepmkyp.exe
Token: SeIncreaseQuotaPrivilege	4496	WMIC.exe
Token: SeSecurityPrivilege	4496	WMIC.exe
Token: SeTakeOwnershipPrivilege	4496	WMIC.exe
Token: SeLoadDriverPrivilege	4496	WMIC.exe
Token: SeSystemProfilePrivilege	4496	WMIC.exe
Token: SeSystemtimePrivilege	4496	WMIC.exe
Token: SeProfSingleProcessPrivilege	4496	WMIC.exe
Token: SeIncBasePriorityPrivilege	4496	WMIC.exe
Token: SeCreatePagefilePrivilege	4496	WMIC.exe
Token: SeBackupPrivilege	4496	WMIC.exe
Token: SeRestorePrivilege	4496	WMIC.exe
Token: SeShutdownPrivilege	4496	WMIC.exe
Token: SeDebugPrivilege	4496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4496	WMIC.exe
Token: SeRemoteShutdownPrivilege	4496	WMIC.exe
Token: SeUndockPrivilege	4496	WMIC.exe
Token: SeManageVolumePrivilege	4496	WMIC.exe
Token: 33	4496	WMIC.exe
Token: 34	4496	WMIC.exe
Token: 35	4496	WMIC.exe
Token: 36	4496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4496	WMIC.exe
Token: SeSecurityPrivilege	4496	WMIC.exe
Token: SeTakeOwnershipPrivilege	4496	WMIC.exe
Token: SeLoadDriverPrivilege	4496	WMIC.exe
Token: SeSystemProfilePrivilege	4496	WMIC.exe
Token: SeSystemtimePrivilege	4496	WMIC.exe
Token: SeProfSingleProcessPrivilege	4496	WMIC.exe
Token: SeIncBasePriorityPrivilege	4496	WMIC.exe
Token: SeCreatePagefilePrivilege	4496	WMIC.exe
Token: SeBackupPrivilege	4496	WMIC.exe
Token: SeRestorePrivilege	4496	WMIC.exe
Token: SeShutdownPrivilege	4496	WMIC.exe
Token: SeDebugPrivilege	4496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4496	WMIC.exe
Token: SeRemoteShutdownPrivilege	4496	WMIC.exe
Token: SeUndockPrivilege	4496	WMIC.exe
Token: SeManageVolumePrivilege	4496	WMIC.exe
Token: 33	4496	WMIC.exe
Token: 34	4496	WMIC.exe
Token: 35	4496	WMIC.exe
Token: 36	4496	WMIC.exe
Token: SeBackupPrivilege	3200	vssvc.exe
Token: SeRestorePrivilege	3200	vssvc.exe
Token: SeAuditPrivilege	3200	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

VirusShare_52aa7e36c5636d8071e21deac876dcbb.exelsrdwmepmkyp.exe

description	pid	process	target process
PID 1260 wrote to memory of 3344	1260	VirusShare_52aa7e36c5636d8071e21deac876dcbb.exe	lsrdwmepmkyp.exe
PID 1260 wrote to memory of 3344	1260	VirusShare_52aa7e36c5636d8071e21deac876dcbb.exe	lsrdwmepmkyp.exe
PID 1260 wrote to memory of 3344	1260	VirusShare_52aa7e36c5636d8071e21deac876dcbb.exe	lsrdwmepmkyp.exe
PID 3344 wrote to memory of 4496	3344	lsrdwmepmkyp.exe	WMIC.exe
PID 3344 wrote to memory of 4496	3344	lsrdwmepmkyp.exe	WMIC.exe
PID 1260 wrote to memory of 4912	1260	VirusShare_52aa7e36c5636d8071e21deac876dcbb.exe	cmd.exe
PID 1260 wrote to memory of 4912	1260	VirusShare_52aa7e36c5636d8071e21deac876dcbb.exe	cmd.exe
PID 1260 wrote to memory of 4912	1260	VirusShare_52aa7e36c5636d8071e21deac876dcbb.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

lsrdwmepmkyp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsrdwmepmkyp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	lsrdwmepmkyp.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_52aa7e36c5636d8071e21deac876dcbb.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_52aa7e36c5636d8071e21deac876dcbb.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\lsrdwmepmkyp.exe
  C:\Windows\lsrdwmepmkyp.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3344
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
  2⤵
  PID:4912

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\_ReCoVeRy_+hwmhd.html

Filesize
12KB

MD5
c9cea2a516e55f12807009487fe4c9ba

SHA1
b89589729c348adeaf2a5dd00b1c43da962a6528

SHA256
76f0f87121cb1fa80cfa2444b7939bf826c6a32d38944b60a53c030ef2ab25d6

SHA512
f37b802730e1e0ea99ceecc24548cc840fd3823b547a5fe0491b5318c484297ebdca43cd0230c8668a4df39a0eca6435cc7e35846435008e070ce252e3530962

Download Submit
C:\PerfLogs\_ReCoVeRy_+hwmhd.png

Filesize
64KB

MD5
53a0751bcf1e4a80ff9feff5c78f6f14

SHA1
8c01f77cd8c25fd63d6dd85c1fb882a570af3c78

SHA256
c4643ae265ee9331ea173aaee984ac897c22befb2bb9ae55b9147f8c0b572471

SHA512
265f4da17fbdcbb863c3461d3054eba0c99c28c8697ec0cff28586874cde54a36938d12fb776e759edac63d434ab6722b39662304db4e3ef5c756e7b1c61b4dc

Download Submit
C:\PerfLogs\_ReCoVeRy_+hwmhd.txt

Filesize
1KB

MD5
bf88a1c060259fdac93fa9fd12d2d9ce

SHA1
8764e81738af79bf4e53acb7023e6af58226c266

SHA256
23a220555e8a044bf740914780da56fd28a3afece21b57a91049326fae6de3d8

SHA512
c1b574b618d91509ceeff7ad5778a350eca6eb71959c0c28fe2cc7fd373e79cbdad89be38295b775f9903171d4581f9c9881e4969565288fee628626adc116e7

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
582ccd956cc2627cd9dba5826e6f9e0c

SHA1
080e29eaaa53e6e9d6e9149bf28a5ef7fa757402

SHA256
2477631369a5147e0137ed986df1cbcd53597c959219ebb0c64d4493909c4ce5

SHA512
40bf6b4630b33e633a3422fde88d640644e631c17b7445ba3195699ca1794f7ae8c6ad10bc034a187458d41ab838cb541bbbfd74c2f16186214c4873f9fa8efe

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
9b7f6b0edde031f4fb44c1cb29d6b189

SHA1
0f7ee0fe1d04f6197712cf2306a81e4f58a786c4

SHA256
4f09eb30fa71c8147df267037cff6e4e783af07bd2c45e4d78eeecedc4d41ac5

SHA512
2d1a002f398c2a5380ad02ca84daf726ec973d8df671ea697c9da7acc9b2579d1183f37ac83f99bb48fb34480ea5a9d5d5f5b0fbd9e7fa3ee083f602cfc16fde

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
0770baebcbf4bc6f082a907195bc58e0

SHA1
d0fc028ebe02bc3e3649581ef49d58e92c20e28b

SHA256
3a8b3a66e557781c29c0e0edb98239561794ec3906e42393d495503c6d5a19e1

SHA512
d73153d41ac1d1cda10ebd262a7d3040cc2a72de1c1ccbb78c20af7cb6ee9216182ed0edf2f4abf15dbf4ed2e0ba96411ad560dab6cb3cddfe6d5ac883dd686e

Download Submit
C:\Windows\lsrdwmepmkyp.exe

Filesize
352KB

MD5
52aa7e36c5636d8071e21deac876dcbb

SHA1
52e97285ecdb7de4d7130e68ccd894f228f6090d

SHA256
d50b6e077e629c2e0f8bb36e85df27977643a472277f254167aef19f8525fd01

SHA512
79cbd1bdf4de7a10020442402e837948df5ca99ab6cf5eefa659eccb4f629a7126b3ee2a8fd23fa6fd1fc8b96faa2afca65255639ea7816563cbaa157c521e66

Download Submit
memory/1260-15-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1260-9-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1260-0-0x0000000002240000-0x00000000022C6000-memory.dmp

Filesize
536KB

Download
memory/1260-1-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1260-16-0x0000000002240000-0x00000000022C6000-memory.dmp

Filesize
536KB

Download
memory/3344-508-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3344-845-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3344-13-0x0000000002140000-0x00000000021C6000-memory.dmp

Filesize
536KB

Download
memory/3344-604-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3344-1009-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3344-97-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3344-1103-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3344-1163-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3344-1291-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3344-1347-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3344-1541-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads