Analysis
-
max time kernel
125s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
10-06-2024 11:48
General
-
Target
VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe
-
Size
356KB
-
MD5
a8e0b0186e5159aa8a772e8d4169d3f3
-
SHA1
7c1f0f6fc4fd2669717e632652ff8a99fb093e69
-
SHA256
1cf433abd42285879b502b2d01958fff3fe4ad687a0e7c1fba243ffbffe7f34e
-
SHA512
01fa49ff7921b380f0390a1ba9c4beff61278685d9caabe188d84977b73fffe7ffe51360677fbaa0319c0e4d4387804c665a7671ad63e4f8a8bc6c8ae0fe55fa
-
SSDEEP
6144:rOWcl+ocAAe1EAnT43osv0pnzKK+PDncAuLELquaWVzsHA93Wo8nswPm22fwh:rFeq0F+PzcOLyWRsHA93/oswe
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+bsriw.txt
teslacrypt
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/F34FF5952998CB68
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/F34FF5952998CB68
http://yyre45dbvn2nhbefbmh.begumvelic.at/F34FF5952998CB68
http://xlowfznrg4wf7dli.ONION/F34FF5952998CB68
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (419) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Drops startup file 3 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe"2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\orgntvvwpnxi.exeC:\Windows\orgntvvwpnxi.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\orgntvvwpnxi.exeC:\Windows\orgntvvwpnxi.exe4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT5⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2468 CREDAT:275457 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\ORGNTV~1.EXE5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE3⤵
- Deletes itself
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD52b9f74bf71c30656e396207dc4c46be8
SHA12a3ed5b2fcf814e300233012589b1a94c7f7ed76
SHA256c0ddf5e4f4420a792779f8e4f4b35c5b2fd921bc0ca4b87b9822b192bab9213a
SHA5124f34285ba64cc10d9118c4fb1cf789760a91b60d33582753fcff9e8a32d9af2754a81a7a80e4f2182352b35e0f77e5adc2ec5f1144f37fc5a8a12fcf95375903
-
Filesize
64KB
MD527cbaddbb76c3b7a7ade7f74eaffc880
SHA1d4bb70e79412fd0cbbf467022de39f032b3841ce
SHA256178f9bfba27ae41feeec2f6866f46a63176c8ce16412f4456605a56541af652f
SHA512282047fe44d9221aab9ba7003f35a9dfb0d2d0a34963a0e303b6edabed714696ddbaa3e685a891ff1c4ada5308dcc2b07e07e2f3599b0606b01f293c88f82327
-
Filesize
1KB
MD5a150219ff752029c2bb2154b12392b58
SHA12277aa81f0f3b4bdee6ae3b3b5538f8d483b7bfc
SHA256ac7a353d743c3d0791459b046dfd9481196f9b22112bee50df142745fed904df
SHA51282d021765fdf694c7959bdac7f1e6802c6603039a1ff3baaf4f02597926886455b813c4de3b26695db1e52e80f02cdb9e89dda9765f6cd936e97d036bc6cd579
-
Filesize
11KB
MD5d169d20b24035e1dbed31f4ba78a219a
SHA1d7e59c42ff60111689b0483f88c4a076ee0fe388
SHA256e3d1c8c05e0d54d544a23e5ca52b23d830629265cf75421d1bf4dcb4e7e87432
SHA5129c6ca576b914a9fdfc6fef630ce635d21ed225050d1b891d66e01bd96bbcf598160373280615bcf8e57984be8631ff3ac262720f3c96625e1eb89aed20e90a8a
-
Filesize
109KB
MD592837aaae7924d102ba2500cc4e9112a
SHA1a1703c7611169c72164b59aac82304ce796112c9
SHA2566549e8a4c7cc7f1dd8f66672ccf20f83f6d009b2d22daef0d4bd10e864a984d5
SHA512193ce5c308241aa74fc59e76d1be0ada94981a4575f122e3e7b572c450d39486dbbb76e8e528bdb35835f263819949c31d99354b6364a1bc0759875e3987e0a7
-
Filesize
173KB
MD5531fef986ed5652ce7d171a86ccf7a57
SHA19e34527ce94bab531a4f1302bd1ce1664c3db6e6
SHA25656294f6fa449dc38dac574bf4b9caa1f680b92421b70e68ec80a467a69611497
SHA512974e292b655995f75c6b814f95b4d7ed0c6bdc67b4f8861bd872b5b8f58d1e89d21bbb6d1b6abc3b4977eef48bef5051282b6620ac823f228298276ee08adcae
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
342B
MD5226cf12e956dff77574dd6b708e6c4ce
SHA182e02c36f6c6c62e736fbc681b0ce4b8e5a1bf5b
SHA256125eb7050e5930fdaa3c1e12d41f1386384b33725648ca6b8fb87b49c026a077
SHA5126ef3e1d22a02670e0b6daf0ed6fd6f4222c7ca4812c84880a364316be6297971289806109887af357e8401bd429663bf341307e2d6a7a39726c39a38f2030cc4
-
Filesize
342B
MD5f7cb2ad6fac19d01866e193d2abf4a6c
SHA1e06b650d16ae4788ead57043e929f20cf1336fb8
SHA2566868ba7155554bf1bbd9ccb8b7b25a35121511f6f6bc526cab8a4a3a2faec0a2
SHA512bdc5a553a141e4118c344dd13faa35676cb05795801b07479c3656aadbb40fd58faea24970c4cce6a730f044b8216bcffeb36cb3766a92f6d39e2ee9daccd691
-
Filesize
342B
MD5127084e49b19d7bcfb8c78fcda3985ec
SHA11190e4baf1a4beb3f84dc1fa44f032d03e70040a
SHA256d1d9a30d9aa366727b1c6a634165671474eaf4b69c366fa2191b2a3c48ece12f
SHA512392e454add4e55257c14d042d1e3867c5980aed04b810283eada80200328247c290bb35531c86ba8aab46b3211629ea04f6bbb660fc29914d2704a0e90b83c49
-
Filesize
342B
MD56de88ec45c9d1351259ea41d25c265c7
SHA1bbf3219a0bbf1cdbd6ed1acb53e0fef51f24940b
SHA256e6d55993f7feb70fd84623bf012c773813c9ab1a7892e685635db283e69b80e0
SHA512b60a92a712cf2521aa3af06e600f3d105860f611f4ee9ad94e87f3316a75f23741ab99fb3d79d3ae2a458365c0ce6524cbf87668c67e8a3b8fe2347098b361e6
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
356KB
MD5a8e0b0186e5159aa8a772e8d4169d3f3
SHA17c1f0f6fc4fd2669717e632652ff8a99fb093e69
SHA2561cf433abd42285879b502b2d01958fff3fe4ad687a0e7c1fba243ffbffe7f34e
SHA51201fa49ff7921b380f0390a1ba9c4beff61278685d9caabe188d84977b73fffe7ffe51360677fbaa0319c0e4d4387804c665a7671ad63e4f8a8bc6c8ae0fe55fa
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
8KB
-
Filesize
892KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
4KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
8KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
