Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
10-06-2024 11:37
General
-
Target
VirusShare_58999b891c115ca4cd983c9675724890.exe
-
Size
376KB
-
MD5
58999b891c115ca4cd983c9675724890
-
SHA1
8157379d1d1a40de5dfd00ea70c2cacc6b5d2f5e
-
SHA256
ae50c1a234d07eb39859cf7aea9361d9b54397d477866ae38bb61ad904298315
-
SHA512
6773b60e8ad7e940724daf5aa81cd1c08c113b4087c6ff69b21a12fd3c684e441007ab2968780ad5c0425a45ee1b2f3b8f486cc832415ce21f75da0b65e522ed
-
SSDEEP
6144:ue3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:uY5hMfqwTsTKcmTV5kINEx+d
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+sokdh.txt
teslacrypt
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9DE9F4265976D689
http://kkd47eh4hdjshb5t.angortra.at/9DE9F4265976D689
http://ytrest84y5i456hghadefdsd.pontogrot.com/9DE9F4265976D689
http://xlowfznrg4wf7dli.ONION/9DE9F4265976D689
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (426) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Drops startup file 3 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 50 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_58999b891c115ca4cd983c9675724890.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_58999b891c115ca4cd983c9675724890.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_58999b891c115ca4cd983c9675724890.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_58999b891c115ca4cd983c9675724890.exe"2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\fttokwwcmjmp.exeC:\Windows\fttokwwcmjmp.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\fttokwwcmjmp.exeC:\Windows\fttokwwcmjmp.exe4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2124 CREDAT:275457 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE3⤵
- Deletes itself
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD51cbf5b3b2316e3dbcd1022b59fd3af74
SHA16bef5f7104433b9d463e5f3f5db1f41ff3eb64c2
SHA25690f834ab6f164714cc33abd97637dfc5421e895f765d036fe65180870db3989b
SHA5123c1e41fb8e13bde3e99a64427a1256d0a0e9bf54953935d4fa41adfdd32bfbb20f31bd3e7659fbb01f5d18599f9c27065e289d35a2c9c1ee1e6f312d4aeac3b1
-
Filesize
63KB
MD5d96eccfd5b93f940255675c632657391
SHA170dd0f6b29cf1fa14b08fcc97e71be5e0209ca26
SHA256d7d5fb85c2977fbda38227bf42c4d631bd247bbd5d70eef9c9e712b8efceca24
SHA5122491240000ee385cb261347fd30191fc703919653092153af11117df22afb405a19eb45f231005ef0fdf1fc6f9c28694960a9349258c8be049681fb79c22971f
-
Filesize
1KB
MD5207828465c7ad77ca44a13ac27fd1b8f
SHA15e2997a9d7eeaffbf4c99df186e9717d14766970
SHA256fffeb6bc8b8057da286291c9bf2dc2aca31a0ec2b2ef741970b5f3fdd6d3a6fa
SHA512b470d3b7459248d091beaea60823ee306d8de7b1b5f3be962d0d03d11ff2fe509787ed0ed3f1362ce4aeba6e98bf9cbad3677a8432a7ee92f6b0bc4acaec328c
-
Filesize
11KB
MD594f541d622c730ba073e66295ce06cd5
SHA16155a98c32a4079d15bb6956d2c20c8a1bc1f529
SHA2560937bc352babbd29a157fb0a54dd74ce6d15c0cc3d1f00eb7533689e7d650a6f
SHA5123a44504d46302965b6023d0d58202f8605c86552259434a36a76e63565a440c01e2bcc5320d488758a58714da4ff7c7e647d42403da5c9db774a0371aab9126d
-
Filesize
109KB
MD53fc4a97f4c26f0c7753c3d35c93d08a2
SHA1494bc7245d6b5c7db197576ff1745de6b136a7d7
SHA2566d505cb800abbada3d6a7dc39580a238c8d41731ab8e685e562e32480b16168a
SHA5127611811818e866cf51772e12109b79b22c9f3f951256648c72f42cd3c3ecedab73756ce14a6ece759b1ca62fb9623a5f1660cc4a7b1206d2faa9ba4d3ffbab21
-
Filesize
173KB
MD56467fca6edea8cad3497abc09667ad8b
SHA11116720d6f1d626fd2cb3be565d01e07412311c2
SHA256097909fd2ff391d50c1737a2a8d20a944f6b44cebd51807c726ca6b8fb831ef1
SHA512ededa7b46d5f08ea3afacf5215dd074bd4874417ff602ec10251f418ce8422f80f63278a97ca4d638d978aef25e73ec645b15e63e5b6331293831d41753e0f45
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
342B
MD58a9a35cfdb8213bfaee09499669c70ef
SHA13ce66012def7ab6e33a32f0733c33f35628e3198
SHA256ff33b72b130f10c90058af466b2b1156dc607e1aa8bdf48e923addc3e08e9d3b
SHA51214f687d91f9194124109921fee0bd23e3d648a217713a640ec2b64faab2c29e6c552da2a9ef7e412308cd102536fbf7bc494bd4159ab9f3b9a52732ace9e6994
-
Filesize
342B
MD504a25188d6b4feb14251964cea766352
SHA146788aa232d8a2859d7c319cd06684b22900907b
SHA2562cbd507d633c54cd0d5c38a60d0c2255b0a3a13fc11ac013458ae2dbd76a8af4
SHA512b1fa69d75b108a568971278b939a3540bb24e985948d92ea2822d05d1b15449b1c06c3b3ae70849e713426d5d93aa5e13fb9001d09e6b57bfec5e7c41a10effa
-
Filesize
342B
MD5dcfae418b97834a17dbaa8e7422a9f86
SHA18715d4231fa4b4a68b9e3085a083e8b2245c34a0
SHA25691326c70eb838c7834a371d834cdc9c825ef707b5534ba09ddef5accf7d0f1bf
SHA512bf638c36e9c2b57584650d0754e5604a2071792ae99c276df30760a8e5aaefc1e740fa344728f0dae9e46e379f78a47eea096acfdaa895df899d5fe7d21e6352
-
Filesize
342B
MD5bf608c45954d795c0d7daaf55b285f6a
SHA12671fa12827f4813f4061273a3285c0e6e767ddc
SHA25686d4847c13f9eb91509929f9db0b871537ff223b47451eb43620d8a08e192361
SHA5123d3756702bcb6b5fba1f389051e728583f547f7ed71cbbd18ec6c02d95246569ccae7d5832356e739101410c8f8ce5ed3c7b05656981bd844dfd49760e0dfc1c
-
Filesize
342B
MD56e7a796b3ad8f81b8b764f5438c7a058
SHA1362633d4675645945cb23c3f5f4364b4bbb5652f
SHA256c3a569090177fd27814f0538a10a8a435157f1c37089e283fff68d751634c60d
SHA512eff21fba59535d6d8bace4207dd917e5504a86e9e9e7388385c8697cff95dcda621ca6d40530c504ede721e92828464aedd48f6962b5394ff05acb3aeefb6d59
-
Filesize
342B
MD500ed036631075141c5ca0eedf1f5e4f3
SHA171ac8f300f92853fc295fe71e53e6dc18266f161
SHA2561c03eff55a8008ec0bd85cea06f6d91caff9adb1651b8cdc245c131341e836bb
SHA512a24fd5873d66eefa09219c10714e5850e1bfc5c358f24db67459c0e0e57b156b9ffe7ab1508e84a4820da1f36db9fc897e50f79ba93b26813c4aba8dc3eb9487
-
Filesize
342B
MD587ff26d62ade0dca8f78d634e5b94aad
SHA1fa2f86e687c4c42097e122b597ae398364a93b04
SHA2562db4031a8e07df54ac7bb0dabaeab2f77d88ece8f27a128bdbaa2b8fff3c6635
SHA512bdd8e225ebc40038e3391eb559198f956e7eba701c05074ffe0e708c5ca41b9269127c88bfab4c4285701385405747d60c660d4161e58f9b34bb24defc9fe340
-
Filesize
342B
MD531a9dcb568d459f35567fc06e98f7ddf
SHA1ecf583901cddbb486fdcf48fee7935d6c955033f
SHA256b3eeac7a13199d07d372830660d5a8734292e63ad68fb4d0e8e75a7088cbe30d
SHA5124ee1217ba45bb81227da3bc9c9ff0c7eac6ef39e83d8e6a56bf678e481bf122ab95b9a12121f4282456cb4ff6a3e4fa8d37c2a37b704a2ae213d70568e9c32d7
-
Filesize
342B
MD5b864060abcd197399fa7ba901cdf5e41
SHA128c0a70cc7974d166e2157591f839078c1fc12ae
SHA25676f60ffb5d7ba4c7dd125df995a0219158b2a4830b1ec3158e941420b2e763d4
SHA512e272cdb3a3974805ea3d96edf4f8678567d294ef2df3981adb0b0d5223219d43a4771c3522f3371d7154e8882af723bafb1482f5a6dff0497a70782bcdc12e10
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
376KB
MD558999b891c115ca4cd983c9675724890
SHA18157379d1d1a40de5dfd00ea70c2cacc6b5d2f5e
SHA256ae50c1a234d07eb39859cf7aea9361d9b54397d477866ae38bb61ad904298315
SHA5126773b60e8ad7e940724daf5aa81cd1c08c113b4087c6ff69b21a12fd3c684e441007ab2968780ad5c0425a45ee1b2f3b8f486cc832415ce21f75da0b65e522ed
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
1.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
8KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
