Analysis
-
max time kernel
146s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
10-06-2024 11:38
Static task
static1
Behavioral task
behavioral1
Sample
VirusShare_7bc8e9eb9f3d874764d2658b546abb61.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
VirusShare_7bc8e9eb9f3d874764d2658b546abb61.exe
Resource
win10v2004-20240508-en
General
-
Target
VirusShare_7bc8e9eb9f3d874764d2658b546abb61.exe
-
Size
356KB
-
MD5
7bc8e9eb9f3d874764d2658b546abb61
-
SHA1
40b7e79add5449ac8b11b20ddeb338437a0d17bb
-
SHA256
d7a54e392cc051e8fae6d26431351d405fe9836e9467bde07187a8586e0e4fbb
-
SHA512
2f633cfd7194a11aaa68b7d42a31e95700d908a5af4c40616427d78afd5bebf56f0a9233bcde1cd500540bf5d553e5320aed1876a42dc934d74e1de3f7a7439d
-
SSDEEP
6144:NOWcl+ocAAe1EAnT43osv0pnzKK+PDncAuLELquaWVzsHA93Wo8nswPm22fwh:NFeq0F+PzcOLyWRsHA93/oswe
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+drktp.txt
teslacrypt
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/2721871E9DAF9F3B
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/2721871E9DAF9F3B
http://yyre45dbvn2nhbefbmh.begumvelic.at/2721871E9DAF9F3B
http://xlowfznrg4wf7dli.ONION/2721871E9DAF9F3B
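The extracted config above gives the note location and four payment URLs; the signature list further down shows the same note written as a .txt/.html/.png triple into every directory the sample touched (the Program Files listing) and as untagged _ReCoVeRy_.TXT/.HTM on the Desktop. The script below is an added example for this report, not sandbox tooling or anything from the malware authors: it walks a file tree, finds note sets by name, counts the per-infection tags, and parses a note body for the payment URLs, the shared victim ID and any Tor address. The note body is constructed (the report does not reproduce it); the file names, the tag "drktp" and the URLs are taken from this page.

```python
"""Hunt a file tree for TeslaCrypt-style ransom notes and pull the payment URLs out of them.

Added example for this report, not tooling from the sandbox or from the malware's
authors. The note file names (_ReCoVeRy_+drktp.txt/.html/.png, _ReCoVeRy_.TXT/.HTM)
and the four URLs come from the report; the note body below is constructed, since the
report does not reproduce it. The per-infection tag ("drktp") and victim ID are
treated as opaque strings.
"""
import os
import re
import tempfile
from collections import Counter

# _ReCoVeRy_ followed by an optional "+<tag>" and one of the three note formats.
NOTE_RE = re.compile(r"^_ReCoVeRy_(?:\+(?P<tag>[a-z0-9]+))?\.(?:txt|html?|png)$", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed note body carrying the URLs listed in the report's Malware Config.
CONSTRUCTED_NOTE = """Your files have been encrypted.
To recover them open one of these pages:
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/2721871E9DAF9F3B
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/2721871E9DAF9F3B
http://yyre45dbvn2nhbefbmh.begumvelic.at/2721871E9DAF9F3B
If none of them work, use the Tor address:
http://xlowfznrg4wf7dli.ONION/2721871E9DAF9F3B
"""


def find_notes(root):
    """Walk root and return {directory: [note names]} for every directory holding a note.
    TeslaCrypt writes a note set into each directory it encrypts, so the number of keys
    is a lower bound on the number of directories touched."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        notes = sorted(f for f in files if NOTE_RE.match(f))
        if notes:
            hits[dirpath] = notes
    return hits


def note_tags(hits):
    """Count the per-infection tags seen; more than one tag means more than one run."""
    tags = Counter()
    for names in hits.values():
        for name in names:
            tags[NOTE_RE.match(name).group("tag") or "(none)"] += 1
    return tags


def parse_note(text):
    """Extract payment URLs, the victim ID (the path component every URL shares) and
    any Tor hidden-service address from a note body."""
    urls = URL_RE.findall(text)
    last_segments = Counter(u.rstrip("/").rsplit("/", 1)[-1] for u in urls)
    victim_id = last_segments.most_common(1)[0][0] if last_segments else None
    onion = [u for u in urls if re.search(r"\.onion(?:/|$)", u, re.I)]
    return {"urls": urls, "victim_id": victim_id, "onion": onion}


def build_demo_tree():
    """Create a throwaway tree that mimics the report's layout: tagged note triples under
    Program Files, untagged .TXT/.HTM notes on the Desktop, plus one benign decoy."""
    root = tempfile.mkdtemp(prefix="teslacrypt_demo_")
    for parts in (("Program Files", "Common Files"), ("Program Files", "Windows NT")):
        d = os.path.join(root, *parts)
        os.makedirs(d)
        for ext in ("txt", "html", "png"):
            with open(os.path.join(d, f"_ReCoVeRy_+drktp.{ext}"), "w") as fh:
                fh.write("" if ext == "png" else CONSTRUCTED_NOTE)
    desktop = os.path.join(root, "Users", "Admin", "Desktop")
    os.makedirs(desktop)
    for name in ("_ReCoVeRy_.TXT", "_ReCoVeRy_.HTM"):
        with open(os.path.join(desktop, name), "w") as fh:
            fh.write(CONSTRUCTED_NOTE)
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("benign file, must not match\n")
    return root


def triage_tree(root):
    """Full pass: locate notes, parse the first text note found, return a summary dict."""
    hits = find_notes(root)
    summary = {"note_dirs": len(hits), "tags": dict(note_tags(hits)), "victim_id": None, "onion": []}
    for d, names in hits.items():
        for name in names:
            if name.lower().endswith((".txt", ".htm", ".html")):
                with open(os.path.join(d, name), errors="replace") as fh:
                    parsed = parse_note(fh.read())
                summary["victim_id"] = parsed["victim_id"]
                summary["onion"] = parsed["onion"]
                return summary
    return summary


if __name__ == "__main__":
    print(triage_tree(build_demo_tree()))
```

The victim ID is recovered as the path segment all URLs share rather than by position, so a note with clearnet gateways and a .onion address in any order yields the same ID; on a real host the tag count tells you immediately whether one or several infections wrote notes.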
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware family that imitated CryptoLocker's note and branding. Its developers shut the operation down in 2016 and released the master key, so files from this family can be decrypted without paying.
-
Deletes shadow copies 3 TTPs
Ransomware removes Volume Shadow Copies to inhibit recovery of encrypted files. In this run the deletion is done twice via "WMIC.exe shadowcopy delete /nointeractive" (PIDs 2036 and 2084), both spawned by the dropped copy mnuhiljpctap.exe (PID 1732).
-
Renames multiple (374) files with added filename extension
Mass renaming with an appended extension is the file-encryption phase of the ransomware. The appended extension itself is not recorded in this report.
-
Deletes itself 1 IoCs
pid  Process
2444 cmd.exe ("/c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE", spawned by PID 2664 to remove the original sample; the dropped copy C:\Windows\MNUHIL~1.EXE is removed the same way by PID 2512, see the process tree)
-
Drops startup file 3 IoCs
description  ioc  Process
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+drktp.html  mnuhiljpctap.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+drktp.png  mnuhiljpctap.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+drktp.txt  mnuhiljpctap.exe
-
Executes dropped EXE 2 IoCs
pid  Process
2072 mnuhiljpctap.exe
1732 mnuhiljpctap.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. No IoCs are listed for this signature; in this run it is most plausibly a side effect of Internet Explorer being launched to display the ransom note (_ReCoVeRy_.HTM) rather than deliberate credential theft.
-
Adds Run key to start application 2 TTPs 1 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\mpdlblr = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\mnuhiljpctap.exe"  mnuhiljpctap.exe
-
Suspicious use of SetThreadContext 2 IoCs
description  pid  Process  procid_target
PID 856 set thread context of 2664  856 VirusShare_7bc8e9eb9f3d874764d2658b546abb61.exe  30
PID 2072 set thread context of 1732  2072 mnuhiljpctap.exe  34
-
Drops file in Program Files directory 64 IoCs
description  ioc  Process
All 64 entries are "File opened for modification" by mnuhiljpctap.exe; the paths are:
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\flyout.css
C:\Program Files\Common Files\_ReCoVeRy_+drktp.png
C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv
C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_ReCoVeRy_+drktp.png
C:\Program Files\VideoLAN\VLC\locale\sr\_ReCoVeRy_+drktp.html
C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_ReCoVeRy_+drktp.png
C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_ReCoVeRy_+drktp.txt
C:\Program Files\Windows NT\TableTextService\fr-FR\_ReCoVeRy_+drktp.png
C:\Program Files\Windows NT\_ReCoVeRy_+drktp.txt
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_ReCoVeRy_+drktp.png
C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-hot.png
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_ReCoVeRy_+drktp.html
C:\Program Files\Common Files\System\ja-JP\_ReCoVeRy_+drktp.txt
C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png
C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png
C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_ReCoVeRy_+drktp.txt
C:\Program Files\Windows Journal\ja-JP\_ReCoVeRy_+drktp.png
C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_ReCoVeRy_+drktp.html
C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_ReCoVeRy_+drktp.txt
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\_ReCoVeRy_+drktp.txt
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\settings.js
C:\Program Files\Common Files\SpeechEngines\_ReCoVeRy_+drktp.html
C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_ReCoVeRy_+drktp.txt
C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_ReCoVeRy_+drktp.png
C:\Program Files\CompleteSend.pptx
C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\_ReCoVeRy_+drktp.png
C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\_ReCoVeRy_+drktp.png
C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv
C:\Program Files\Microsoft Games\FreeCell\de-DE\_ReCoVeRy_+drktp.txt
C:\Program Files\VideoLAN\VLC\locale\ta\_ReCoVeRy_+drktp.png
C:\Program Files\Microsoft Games\Hearts\fr-FR\_ReCoVeRy_+drktp.txt
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_ReCoVeRy_+drktp.txt
C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_ReCoVeRy_+drktp.png
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\_ReCoVeRy_+drktp.txt
C:\Program Files\Java\jre7\lib\zi\Pacific\_ReCoVeRy_+drktp.png
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_ReCoVeRy_+drktp.txt
C:\Program Files\Common Files\System\ado\ja-JP\_ReCoVeRy_+drktp.html
C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv
C:\Program Files\VideoLAN\VLC\locale\tl\_ReCoVeRy_+drktp.html
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\RSSFeeds.js
C:\Program Files\7-Zip\Lang\hu.txt
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_ReCoVeRy_+drktp.txt
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_left.png
C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_ReCoVeRy_+drktp.txt
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_h.png
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_foggy.png
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_ReCoVeRy_+drktp.png
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\_ReCoVeRy_+drktp.txt
C:\Program Files\VideoLAN\VLC\locale\en_GB\_ReCoVeRy_+drktp.png
C:\Program Files\VideoLAN\VLC\lua\meta\art\_ReCoVeRy_+drktp.png
C:\Program Files\VideoLAN\VLC\plugins\codec\_ReCoVeRy_+drktp.txt
C:\Program Files\Java\jre7\lib\fonts\_ReCoVeRy_+drktp.txt
C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\_ReCoVeRy_+drktp.html
C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\_ReCoVeRy_+drktp.png
C:\Program Files\VideoLAN\VLC\lua\meta\art\_ReCoVeRy_+drktp.txt
C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\slideShow.css
C:\Program Files\VideoLAN\VLC\locale\km\_ReCoVeRy_+drktp.png
C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\_ReCoVeRy_+drktp.txt
C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_ButtonGraphic.png
C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_ReCoVeRy_+drktp.txt
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_ReCoVeRy_+drktp.txt
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_ReCoVeRy_+drktp.png
C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_ReCoVeRy_+drktp.html
-
Drops file in Windows directory 2 IoCs
description  ioc  Process
File created  C:\Windows\mnuhiljpctap.exe  VirusShare_7bc8e9eb9f3d874764d2658b546abb61.exe
File opened for modification  C:\Windows\mnuhiljpctap.exe  VirusShare_7bc8e9eb9f3d874764d2658b546abb61.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{53939611-271E-11EF-9FA2-EA483E0BCDAF} = "0"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
These entries are ordinary first-run state written by Internet Explorer when it is launched to display the ransom note; they are not malware persistence.
-
Opens file in notepad (likely ransom note) 1 IoCs
pid  Process
2676 NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process
1732 mnuhiljpctap.exe (all 64 entries name this same pid/process)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
Token: SeDebugPrivilege  2664 VirusShare_7bc8e9eb9f3d874764d2658b546abb61.exe
Token: SeDebugPrivilege  1732 mnuhiljpctap.exe
Token (two identical passes, 20 entries each)  2036 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege  808 vssvc.exe
Token (19 entries, list cut off at the 64-IoC limit)  2084 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid  Process
1804 iexplore.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid  Process
1804 iexplore.exe (2 entries)
2176 IEXPLORE.EXE (2 entries)
-
Suspicious use of WriteProcessMemory 50 IoCs
description  pid  Process  procid_target
PID 856 wrote to memory of 2664  856 VirusShare_7bc8e9eb9f3d874764d2658b546abb61.exe  30  (11 entries)
PID 2664 wrote to memory of 2072  2664 VirusShare_7bc8e9eb9f3d874764d2658b546abb61.exe  31  (4 entries)
PID 2664 wrote to memory of 2444  2664 VirusShare_7bc8e9eb9f3d874764d2658b546abb61.exe  32  (4 entries)
PID 2072 wrote to memory of 1732  2072 mnuhiljpctap.exe  34  (11 entries)
PID 1732 wrote to memory of 2036  1732 mnuhiljpctap.exe  35  (4 entries)
PID 1732 wrote to memory of 2676  1732 mnuhiljpctap.exe  43  (4 entries)
PID 1732 wrote to memory of 1804  1732 mnuhiljpctap.exe  44  (4 entries)
PID 1804 wrote to memory of 2176  1804 iexplore.exe  46  (4 entries)
PID 1732 wrote to memory of 2084  1732 mnuhiljpctap.exe  47  (4 entries)
-
System policy modification 1 TTPs 2 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  mnuhiljpctap.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  mnuhiljpctap.exe
Setting EnableLinkedConnections to 1 makes network drives mapped under one half of a UAC split token visible to the other half, so drives mapped by the user are reachable for encryption from the elevated context as well.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
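The signatures above describe behaviours that a detection engineer would want to express as rules over process and registry telemetry rather than read off a report by hand. The script below is an added example for this page, not sandbox code: it builds a small event trace from this report's process tree and registry IoCs (PIDs, images, command lines, key paths and values are copied from the page; the Event field names and the rule logic are this example's own assumptions) and runs five checks over it: shadow-copy deletion with its full parent chain, self-deletion via "cmd /c DEL" of the parent's own image (matched through its 8.3 short name), a Run key launching a binary from C:\Windows through "cmd /c start", EnableLinkedConnections=1, and a ransom note being opened in notepad or Internet Explorer. It generalises slightly by also accepting the vssadmin form of shadow copy deletion, which this sample did not use.

```python
"""Behavioural triage of a sandbox process/registry trace for the TeslaCrypt pattern.

Added example for this report, not sandbox code. The events below are constructed to
mirror the report's process tree and registry IoCs (PIDs, images, command lines, key
paths and values are copied from it); the Event field names and the rule logic are this
example's own assumptions. The rules generalise slightly: vssadmin-based shadow copy
deletion is checked alongside the WMIC form seen in this run.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process" or "registry"
    pid: int           # acting process
    image: str         # image path of the acting process
    cmdline: str = ""  # command line (process events)
    ppid: int = 0      # parent pid (process events); 0 = root not attributed
    key: str = ""      # registry path (registry events)
    value: str = ""    # registry data rendered as text (registry events)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\VirusShare_7bc8e9eb9f3d874764d2658b546abb61.exe"
DROPPED = r"C:\Windows\mnuhiljpctap.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000"

# Constructed trace mirroring the report's process tree and registry IoCs.
EVENTS = [
    Event("process", 856, SAMPLE, f'"{SAMPLE}"'),
    Event("process", 2664, SAMPLE, f'"{SAMPLE}"', ppid=856),
    Event("process", 2072, DROPPED, DROPPED, ppid=2664),
    Event("process", 2444, CMD, r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE', ppid=2664),
    Event("process", 1732, DROPPED, DROPPED, ppid=2072),
    Event("process", 2036, WMIC, f'"{WMIC}" shadowcopy delete /nointeractive', ppid=1732),
    Event("process", 2676, r"C:\Windows\SysWOW64\NOTEPAD.EXE", r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT', ppid=1732),
    Event("process", 2512, CMD, r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MNUHIL~1.EXE', ppid=1732),
    Event("registry", 1732, DROPPED, key=USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\mpdlblr",
          value=r"C:\Windows\system32\CMD.EXE /c start C:\Windows\mnuhiljpctap.exe"),
    Event("registry", 1732, DROPPED, key=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections",
          value="1"),
]


def _procs(events):
    return {e.pid: e for e in events if e.kind == "process"}


def ancestry(events, pid):
    """[pid, parent, grandparent, ...] up to the first pid missing from the trace."""
    procs, chain = _procs(events), []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid].ppid
    return chain


def short_name_prefix(path):
    """First six characters of the file stem, upper-cased: what Windows shows before
    "~1" in an 8.3 short name (heuristic; real short names can differ)."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return re.sub(r"\s+", "", stem)[:6].upper()


def _deletes_parent_image(e, parent):
    """True if e is "cmd /c DEL <x>" and <x> names the parent's own image."""
    m = re.search(r"/c\s+DEL\s+(\S+)", e.cmdline, re.I)
    if not (m and parent and e.image.lower().endswith("cmd.exe")):
        return False
    target = m.group(1).rsplit("\\", 1)[-1].upper()
    stem = target.rsplit(".", 1)[0]
    parent_stem = parent.image.rsplit("\\", 1)[-1].rsplit(".", 1)[0].upper()
    return stem.split("~")[0] == short_name_prefix(parent.image) or stem == parent_stem


def triage(events):
    """Return a list of findings, each {"rule": ..., "pid": ..., ...}."""
    procs, findings = _procs(events), []
    for e in events:
        img = e.image.lower()
        if e.kind == "process":
            if (img.endswith("wmic.exe") and re.search(r"shadowcopy\s+delete", e.cmdline, re.I)) or \
               (img.endswith("vssadmin.exe") and re.search(r"delete\s+shadows", e.cmdline, re.I)):
                findings.append({"rule": "shadow_copy_deletion", "pid": e.pid, "chain": ancestry(events, e.pid)})
            if _deletes_parent_image(e, procs.get(e.ppid)):
                findings.append({"rule": "self_delete_via_cmd", "pid": e.pid, "deleted": procs[e.ppid].image})
            if img.endswith(("notepad.exe", "iexplore.exe")) and "_recovery_" in e.cmdline.lower():
                findings.append({"rule": "ransom_note_displayed", "pid": e.pid})
        else:
            key = e.key.lower()
            # Run value that launches an exe from the Windows root or goes through "cmd /c start".
            if "\\currentversion\\run\\" in key and re.search(r"cmd\.exe\s+/c\s+start|\\windows\\[^\\]+\.exe", e.value, re.I):
                findings.append({"rule": "run_key_persistence", "pid": e.pid, "value": e.value})
            if key.endswith("\\enablelinkedconnections") and e.value.strip() == "1":
                findings.append({"rule": "enable_linked_connections", "pid": e.pid})
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The parent chain attached to the shadow-copy finding is what separates this from a bare "WMIC shadowcopy delete" match: here it walks back through the dropped C:\Windows binary to the user's Temp directory, which is the context an analyst needs to prioritise the alert. The self-deletion rule fires twice in this trace, once for the original sample and once for the dropped copy, which matches the two "/c DEL" commands in the process tree.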
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\VirusShare_7bc8e9eb9f3d874764d2658b546abb61.exe  PID:856
    cmdline: "C:\Users\Admin\AppData\Local\Temp\VirusShare_7bc8e9eb9f3d874764d2658b546abb61.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\VirusShare_7bc8e9eb9f3d874764d2658b546abb61.exe  PID:2664
        cmdline: "C:\Users\Admin\AppData\Local\Temp\VirusShare_7bc8e9eb9f3d874764d2658b546abb61.exe"
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\mnuhiljpctap.exe  PID:2072
            cmdline: C:\Windows\mnuhiljpctap.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\mnuhiljpctap.exe  PID:1732
                cmdline: C:\Windows\mnuhiljpctap.exe
                - Drops startup file
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Program Files directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
                [5] C:\Windows\System32\wbem\WMIC.exe  PID:2036
                    cmdline: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
                    - Suspicious use of AdjustPrivilegeToken
                [5] C:\Windows\SysWOW64\NOTEPAD.EXE  PID:2676
                    cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
                    - Opens file in notepad (likely ransom note)
                [5] C:\Program Files\Internet Explorer\iexplore.exe  PID:1804
                    cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
                    - Modifies Internet Explorer settings
                    - Suspicious use of FindShellTrayWindow
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  PID:2176
                        cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1804 CREDAT:275457 /prefetch:2
                        - Modifies Internet Explorer settings
                        - Suspicious use of SetWindowsHookEx
                [5] C:\Windows\System32\wbem\WMIC.exe  PID:2084
                    cmdline: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
                    - Suspicious use of AdjustPrivilegeToken
                [5] C:\Windows\SysWOW64\cmd.exe  PID:2512
                    cmdline: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MNUHIL~1.EXE
        [3] C:\Windows\SysWOW64\cmd.exe  PID:2444
            cmdline: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
            - Deletes itself
[1] C:\Windows\system32\vssvc.exe  PID:808
    cmdline: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\DllHost.exe  PID:2096
    cmdline: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
12KB
MD5
399228815bfaca67f985f4e46614c0a1
SHA1
9256494e98de6d7857796d530b5e66290b5f65ce
SHA256
bf187bd8023250b364c362761a21271433224d839b6e84fd7e033bcb97f1a5cf
SHA512
1515df5cdac4b7e481dcb8ad36e852957bbc8c56898816ed6a82daf3bf2d98697d20272eaa5c2abc8cd726960cf34e872575e66fecff7afd681213a707029e5e
-
Filesize
64KB
MD5
a2e4aba0ee9eb09364a5009e9a237ccc
SHA1
2fdd60827a4da1859c64717a6cc002bcb593cbe2
SHA256
a9d34c8ea70e1b2e6949a734b7b67628d6f91355a1cd38b6a68a2395f7549e9c
SHA512
ca436075d8a05b8d4df0c0d5b6c5bedaeb203de8ea81dd8eb93ab50891c049fa5738da23e20de87a52f081540b31955c92ff478927460edffab2ca46c8dd2183
-
Filesize
1KB
MD5
675184fce783f30e10aa5f1c02f86737
SHA1
96ddd532e4ef8798e9241fd60b2b561e13843dc7
SHA256
1b320954d45a60b31e20bfb48b140fea996d1434447f190505e2fb65cfc92ea4
SHA512
e7bf336c669661da017aea1a4c583f5601b45b1ce44a66b0dac606320f6a0cedb8ce855b50ddf3f7378d444afe592468627c42ec593f793e400d5ec132058970
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize
11KB
MD5
4a035a796af123cf39388d731a0b6315
SHA1
9baa736b64f630fe0efc26c31753461c2bff2ba4
SHA256
c4e0e17ebf5b57f11204bc7f43e70a740d8f5700a644e2dd9268547007f28ac2
SHA512
d8e2c3d3c0a13956b66e77facd97437f9dffbdba377813eb798a20efa6aa139e67db67ad0b29ae7d880bbb17de8b8a823746852baf75b8cda9048b0a233c52c4
-
Filesize
109KB
MD5
ac69bbf0dfeacfe418fadf4712c65462
SHA1
bb8720e247c1f11ddd93a39353f26b4ce7b87f30
SHA256
52ad88d3bb855cd0e94a81f5623e75eaae0e1a9437ddc8932b13f6aa8fa390ba
SHA512
39e6a1db16ac369b5e7101d77632337ba598f273ec75af688e13fb6eea2bda52bf58f8bb680dcae2c0e0b9c8f3f6480adf134d74608259dfdb40d9d822602379
-
Filesize
173KB
MD5
60ec9819b47ec9f6fe088a0f06268359
SHA1
cbafc113ea834bd110530fa6f879a1eb6d5e7202
SHA256
6d6b7befcc1372e1994c6961986d7ae1c0cc06c47f9dd7f940d414d5162d27b6
SHA512
876fccc4c52f26e35bee6822fef3895b33db3335942869898743141bfd2107720da7fb2d97a0f9cb29373a10e4e3d11c693e3ee71580d790e6cfc12e56195670
-
Filesize
356KB (hashes match the submitted sample listed under General)
MD5
7bc8e9eb9f3d874764d2658b546abb61
SHA1
40b7e79add5449ac8b11b20ddeb338437a0d17bb
SHA256
d7a54e392cc051e8fae6d26431351d405fe9836e9467bde07187a8586e0e4fbb
SHA512
2f633cfd7194a11aaa68b7d42a31e95700d908a5af4c40616427d78afd5bebf56f0a9233bcde1cd500540bf5d553e5320aed1876a42dc934d74e1de3f7a7439d