Analysis
-
max time kernel
125s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
10/06/2024, 11:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe
Resource
win7-20240221-en
windows7-x64
21 signatures
150 seconds
Behavioral task
behavioral2
Sample
VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
23 signatures
150 seconds
General
-
Target
VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe
-
Size
356KB
-
MD5
a8e0b0186e5159aa8a772e8d4169d3f3
-
SHA1
7c1f0f6fc4fd2669717e632652ff8a99fb093e69
-
SHA256
1cf433abd42285879b502b2d01958fff3fe4ad687a0e7c1fba243ffbffe7f34e
-
SHA512
01fa49ff7921b380f0390a1ba9c4beff61278685d9caabe188d84977b73fffe7ffe51360677fbaa0319c0e4d4387804c665a7671ad63e4f8a8bc6c8ae0fe55fa
-
SSDEEP
6144:rOWcl+ocAAe1EAnT43osv0pnzKK+PDncAuLELquaWVzsHA93Wo8nswPm22fwh:rFeq0F+PzcOLyWRsHA93/oswe
Malware Config
Extracted
Path
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+bsriw.txt
Family
teslacrypt
Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/F34FF5952998CB68
2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/F34FF5952998CB68
3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/F34FF5952998CB68
If for some reasons the addresses are not available, follow these steps:
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar: xlowfznrg4wf7dli.onion/F34FF5952998CB68
4 - Follow the instructions on the site
IMPORTANT INFORMATION
Your personal pages
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/F34FF5952998CB68
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/F34FF5952998CB68
http://yyre45dbvn2nhbefbmh.begumvelic.at/F34FF5952998CB68
Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/F34FF5952998CB68
URLs
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/F34FF5952998CB68
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/F34FF5952998CB68
http://yyre45dbvn2nhbefbmh.begumvelic.at/F34FF5952998CB68
http://xlowfznrg4wf7dli.ONION/F34FF5952998CB68
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (419) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process 2952 cmd.exe -
Drops startup file 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+bsriw.png orgntvvwpnxi.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+bsriw.txt orgntvvwpnxi.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+bsriw.html orgntvvwpnxi.exe -
Executes dropped EXE 2 IoCs
pid Process 2620 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxafmry = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\orgntvvwpnxi.exe" orgntvvwpnxi.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2124 set thread context of 2696 2124 VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe 28 PID 2620 set thread context of 2896 2620 orgntvvwpnxi.exe 34 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\Lang\ms.txt orgntvvwpnxi.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png orgntvvwpnxi.exe File opened for modification C:\Program Files\Java\jre7\lib\security\_ReCoVeRy_+bsriw.html orgntvvwpnxi.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ckb\_ReCoVeRy_+bsriw.html orgntvvwpnxi.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\_ReCoVeRy_+bsriw.txt orgntvvwpnxi.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png orgntvvwpnxi.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png orgntvvwpnxi.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png orgntvvwpnxi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\_ReCoVeRy_+bsriw.txt orgntvvwpnxi.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\settings.css orgntvvwpnxi.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\_ReCoVeRy_+bsriw.html orgntvvwpnxi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\_ReCoVeRy_+bsriw.html orgntvvwpnxi.exe File opened for modification C:\Program Files\Windows Photo Viewer\ja-JP\_ReCoVeRy_+bsriw.html orgntvvwpnxi.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_ReCoVeRy_+bsriw.txt orgntvvwpnxi.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_ReCoVeRy_+bsriw.txt orgntvvwpnxi.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_ReCoVeRy_+bsriw.txt orgntvvwpnxi.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\clock.css orgntvvwpnxi.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_ReCoVeRy_+bsriw.html orgntvvwpnxi.exe File opened for modification C:\Program Files\Common Files\System\msadc\en-US\_ReCoVeRy_+bsriw.html orgntvvwpnxi.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\_ReCoVeRy_+bsriw.txt orgntvvwpnxi.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\or\_ReCoVeRy_+bsriw.png orgntvvwpnxi.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\_ReCoVeRy_+bsriw.txt orgntvvwpnxi.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\_ReCoVeRy_+bsriw.html orgntvvwpnxi.exe File opened for modification C:\Program Files\Windows Media Player\Icons\_ReCoVeRy_+bsriw.png orgntvvwpnxi.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_ReCoVeRy_+bsriw.txt orgntvvwpnxi.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\fr-FR\_ReCoVeRy_+bsriw.txt orgntvvwpnxi.exe File opened for modification C:\Program Files\Microsoft Games\More Games\es-ES\_ReCoVeRy_+bsriw.txt orgntvvwpnxi.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\_ReCoVeRy_+bsriw.png orgntvvwpnxi.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_ReCoVeRy_+bsriw.png orgntvvwpnxi.exe File opened for modification C:\Program Files\Google\Chrome\Application\_ReCoVeRy_+bsriw.txt orgntvvwpnxi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\_ReCoVeRy_+bsriw.png orgntvvwpnxi.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ug\_ReCoVeRy_+bsriw.txt orgntvvwpnxi.exe File opened for modification C:\Program Files\Windows NT\TableTextService\it-IT\_ReCoVeRy_+bsriw.png orgntvvwpnxi.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_down.png orgntvvwpnxi.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_down.png orgntvvwpnxi.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_ReCoVeRy_+bsriw.txt orgntvvwpnxi.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\tl\_ReCoVeRy_+bsriw.png orgntvvwpnxi.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_up.png orgntvvwpnxi.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\_ReCoVeRy_+bsriw.png orgntvvwpnxi.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_ReCoVeRy_+bsriw.png orgntvvwpnxi.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ko.pak orgntvvwpnxi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\_ReCoVeRy_+bsriw.png orgntvvwpnxi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\_ReCoVeRy_+bsriw.txt orgntvvwpnxi.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_ReCoVeRy_+bsriw.html orgntvvwpnxi.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\_ReCoVeRy_+bsriw.html orgntvvwpnxi.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Triedit\_ReCoVeRy_+bsriw.png orgntvvwpnxi.exe File opened for modification C:\Program Files\Windows Defender\es-ES\_ReCoVeRy_+bsriw.html orgntvvwpnxi.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png orgntvvwpnxi.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png orgntvvwpnxi.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_ButtonGraphic.png orgntvvwpnxi.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_ReCoVeRy_+bsriw.png orgntvvwpnxi.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_ReCoVeRy_+bsriw.html orgntvvwpnxi.exe File opened for modification C:\Program Files\7-Zip\Lang\tk.txt orgntvvwpnxi.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrome.7z orgntvvwpnxi.exe File opened for modification C:\Program Files\Microsoft Games\Minesweeper\en-US\_ReCoVeRy_+bsriw.html orgntvvwpnxi.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\hu\_ReCoVeRy_+bsriw.png orgntvvwpnxi.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mouseout.png orgntvvwpnxi.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png orgntvvwpnxi.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\_ReCoVeRy_+bsriw.html orgntvvwpnxi.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_ReCoVeRy_+bsriw.png orgntvvwpnxi.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_ReCoVeRy_+bsriw.png orgntvvwpnxi.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_ReCoVeRy_+bsriw.txt orgntvvwpnxi.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_down.png orgntvvwpnxi.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\be\_ReCoVeRy_+bsriw.html orgntvvwpnxi.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\orgntvvwpnxi.exe VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe File created C:\Windows\orgntvvwpnxi.exe VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000bf4f90f6d5b6248a3f5e87e34300db600000000020000000000106600000001000020000000b1abdba8fcc93f703b9eefdcd638070f9eb41c3a4a00e7ebe9e217ba4b2b361f000000000e8000000002000020000000272cf54f680cbf105b69f300f5cbda91cac594c0824d721ca281a3d12b243a81200000005c6ec327386d4d11f294312eb83d6476823797d5b8e29183f35695e4394e01cc40000000bd5ee2e906a6ca3cd49504ddb6a3508982eb7b5fb815aef742f52d41f77e2e5f2a6b479cd15399e0f95d46bc4efc192d54e1b90a2f6528dceb84e7613a2286f2 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 101e116b2cbbda01 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000bf4f90f6d5b6248a3f5e87e34300db6000000000200000000001066000000010000200000006fc9409bfe6cb8e673bde68623f33b0ed468dbbeb4b2bc7810e616f044951d98000000000e800000000200002000000064c590577ef0dda5d8eb912f8ec43f0b714fc53487782015ae2b2083bbbc06169000000015718cd387684653351605f0fe3d47a3e1b7fe64a46cacf293fe87be118456d532141289e469cd90ec050c0cd507127462900ca2ef0b13a06ccf37f6c2991f62f65716f2562aee19b3b788ac6781cad460562b6f4815b982bbc15107ee1bfb4c72b9a9c3239d06efa235f35adcf18bcc34b3f376f6c569441318d12bae43cb0a9cc088fcc2a70c758764908206e20f7740000000c4d8f514cd4abdac1bf06d3ed46a1acbef8fc3b68045b1c96323a417f02a0eff7e38e64b416abde428147639ff2b4ee64da0716fb22f9aaa612f8fe6bce8467f iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{969BF781-271F-11EF-A5A1-E299A69EE862} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2568 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe 2896 orgntvvwpnxi.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2696 VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe Token: SeDebugPrivilege 2896 orgntvvwpnxi.exe Token: SeIncreaseQuotaPrivilege 2392 WMIC.exe Token: SeSecurityPrivilege 2392 WMIC.exe Token: SeTakeOwnershipPrivilege 2392 WMIC.exe Token: SeLoadDriverPrivilege 2392 WMIC.exe Token: SeSystemProfilePrivilege 2392 WMIC.exe Token: SeSystemtimePrivilege 2392 WMIC.exe Token: SeProfSingleProcessPrivilege 2392 WMIC.exe Token: SeIncBasePriorityPrivilege 2392 WMIC.exe Token: SeCreatePagefilePrivilege 2392 WMIC.exe Token: SeBackupPrivilege 2392 WMIC.exe Token: SeRestorePrivilege 2392 WMIC.exe Token: SeShutdownPrivilege 2392 WMIC.exe Token: SeDebugPrivilege 2392 WMIC.exe Token: SeSystemEnvironmentPrivilege 2392 WMIC.exe Token: SeRemoteShutdownPrivilege 2392 WMIC.exe Token: SeUndockPrivilege 2392 WMIC.exe Token: SeManageVolumePrivilege 2392 WMIC.exe Token: 33 2392 WMIC.exe Token: 34 2392 WMIC.exe Token: 35 2392 WMIC.exe Token: SeIncreaseQuotaPrivilege 2392 WMIC.exe Token: SeSecurityPrivilege 2392 WMIC.exe Token: SeTakeOwnershipPrivilege 2392 WMIC.exe Token: SeLoadDriverPrivilege 2392 WMIC.exe Token: SeSystemProfilePrivilege 2392 WMIC.exe Token: SeSystemtimePrivilege 2392 WMIC.exe Token: SeProfSingleProcessPrivilege 2392 WMIC.exe Token: SeIncBasePriorityPrivilege 2392 WMIC.exe Token: SeCreatePagefilePrivilege 2392 WMIC.exe Token: SeBackupPrivilege 2392 WMIC.exe Token: SeRestorePrivilege 2392 WMIC.exe Token: SeShutdownPrivilege 2392 WMIC.exe Token: SeDebugPrivilege 2392 WMIC.exe Token: SeSystemEnvironmentPrivilege 2392 WMIC.exe Token: SeRemoteShutdownPrivilege 2392 WMIC.exe Token: SeUndockPrivilege 2392 WMIC.exe Token: SeManageVolumePrivilege 2392 WMIC.exe Token: 33 2392 WMIC.exe Token: 34 2392 WMIC.exe Token: 35 2392 WMIC.exe Token: SeBackupPrivilege 2108 vssvc.exe Token: SeRestorePrivilege 2108 vssvc.exe Token: SeAuditPrivilege 2108 vssvc.exe Token: SeIncreaseQuotaPrivilege 2760 WMIC.exe Token: SeSecurityPrivilege 2760 WMIC.exe Token: SeTakeOwnershipPrivilege 2760 WMIC.exe Token: SeLoadDriverPrivilege 2760 WMIC.exe Token: SeSystemProfilePrivilege 2760 WMIC.exe Token: SeSystemtimePrivilege 2760 WMIC.exe Token: SeProfSingleProcessPrivilege 2760 WMIC.exe Token: SeIncBasePriorityPrivilege 2760 WMIC.exe Token: SeCreatePagefilePrivilege 2760 WMIC.exe Token: SeBackupPrivilege 2760 WMIC.exe Token: SeRestorePrivilege 2760 WMIC.exe Token: SeShutdownPrivilege 2760 WMIC.exe Token: SeDebugPrivilege 2760 WMIC.exe Token: SeSystemEnvironmentPrivilege 2760 WMIC.exe Token: SeRemoteShutdownPrivilege 2760 WMIC.exe Token: SeUndockPrivilege 2760 WMIC.exe Token: SeManageVolumePrivilege 2760 WMIC.exe Token: 33 2760 WMIC.exe Token: 34 2760 WMIC.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2468 iexplore.exe 2560 DllHost.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2468 iexplore.exe 2468 iexplore.exe 2732 IEXPLORE.EXE 2732 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 54 IoCs
description pid Process procid_target PID 2124 wrote to memory of 2696 2124 VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe 28 PID 2124 wrote to memory of 2696 2124 VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe 28 PID 2124 wrote to memory of 2696 2124 VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe 28 PID 2124 wrote to memory of 2696 2124 VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe 28 PID 2124 wrote to memory of 2696 2124 VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe 28 PID 2124 wrote to memory of 2696 2124 VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe 28 PID 2124 wrote to memory of 2696 2124 VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe 28 PID 2124 wrote to memory of 2696 2124 VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe 28 PID 2124 wrote to memory of 2696 2124 VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe 28 PID 2124 wrote to memory of 2696 2124 VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe 28 PID 2124 wrote to memory of 2696 2124 VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe 28 PID 2696 wrote to memory of 2620 2696 VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe 29 PID 2696 wrote to memory of 2620 2696 VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe 29 PID 2696 wrote to memory of 2620 2696 VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe 29 PID 2696 wrote to memory of 2620 2696 VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe 29 PID 2696 wrote to memory of 2952 2696 VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe 30 PID 2696 wrote to memory of 2952 2696 VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe 30 PID 2696 wrote to memory of 2952 2696 VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe 30 PID 2696 wrote to memory of 2952 2696 VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe 30 PID 2620 wrote to memory of 2896 2620 orgntvvwpnxi.exe 34 PID 2620 wrote to memory of 2896 2620 orgntvvwpnxi.exe 34 PID 2620 wrote to memory of 2896 2620 orgntvvwpnxi.exe 34 PID 2620 wrote to memory of 2896 2620 orgntvvwpnxi.exe 34 PID 2620 wrote to memory of 2896 2620 orgntvvwpnxi.exe 34 PID 2620 wrote to memory of 2896 2620 orgntvvwpnxi.exe 34 PID 2620 wrote to memory of 2896 2620 orgntvvwpnxi.exe 34 PID 2620 wrote to memory of 2896 2620 orgntvvwpnxi.exe 34 PID 2620 wrote to memory of 2896 2620 orgntvvwpnxi.exe 34 PID 2620 wrote to memory of 2896 2620 orgntvvwpnxi.exe 34 PID 2620 wrote to memory of 2896 2620 orgntvvwpnxi.exe 34 PID 2896 wrote to memory of 2392 2896 orgntvvwpnxi.exe 35 PID 2896 wrote to memory of 2392 2896 orgntvvwpnxi.exe 35 PID 2896 wrote to memory of 2392 2896 orgntvvwpnxi.exe 35 PID 2896 wrote to memory of 2392 2896 orgntvvwpnxi.exe 35 PID 2896 wrote to memory of 2568 2896 orgntvvwpnxi.exe 43 PID 2896 wrote to memory of 2568 2896 orgntvvwpnxi.exe 43 PID 2896 wrote to memory of 2568 2896 orgntvvwpnxi.exe 43 PID 2896 wrote to memory of 2568 2896 orgntvvwpnxi.exe 43 PID 2896 wrote to memory of 2468 2896 orgntvvwpnxi.exe 44 PID 2896 wrote to memory of 2468 2896 orgntvvwpnxi.exe 44 PID 2896 wrote to memory of 2468 2896 orgntvvwpnxi.exe 44 PID 2896 wrote to memory of 2468 2896 orgntvvwpnxi.exe 44 PID 2468 wrote to memory of 2732 2468 iexplore.exe 46 PID 2468 wrote to memory of 2732 2468 iexplore.exe 46 PID 2468 wrote to memory of 2732 2468 iexplore.exe 46 PID 2468 wrote to memory of 2732 2468 iexplore.exe 46 PID 2896 wrote to memory of 2760 2896 orgntvvwpnxi.exe 47 PID 2896 wrote to memory of 2760 2896 orgntvvwpnxi.exe 47 PID 2896 wrote to memory of 2760 2896 orgntvvwpnxi.exe 47 PID 2896 wrote to memory of 2760 2896 orgntvvwpnxi.exe 47 PID 2896 wrote to memory of 1984 2896 orgntvvwpnxi.exe 50 PID 2896 wrote to memory of 1984 2896 orgntvvwpnxi.exe 50 PID 2896 wrote to memory of 1984 2896 orgntvvwpnxi.exe 50 PID 2896 wrote to memory of 1984 2896 orgntvvwpnxi.exe 50 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System orgntvvwpnxi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" orgntvvwpnxi.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Users\Admin\AppData\Local\Temp\VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_a8e0b0186e5159aa8a772e8d4169d3f3.exe"2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\orgntvvwpnxi.exeC:\Windows\orgntvvwpnxi.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\orgntvvwpnxi.exeC:\Windows\orgntvvwpnxi.exe4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2896 -
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2392
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT5⤵
- Opens file in notepad (likely ransom note)
PID:2568
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2468 CREDAT:275457 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2732
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\ORGNTV~1.EXE5⤵PID:1984
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE3⤵
- Deletes itself
PID:2952
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2108
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
PID:2560
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD52b9f74bf71c30656e396207dc4c46be8
SHA12a3ed5b2fcf814e300233012589b1a94c7f7ed76
SHA256c0ddf5e4f4420a792779f8e4f4b35c5b2fd921bc0ca4b87b9822b192bab9213a
SHA5124f34285ba64cc10d9118c4fb1cf789760a91b60d33582753fcff9e8a32d9af2754a81a7a80e4f2182352b35e0f77e5adc2ec5f1144f37fc5a8a12fcf95375903
-
Filesize
64KB
MD527cbaddbb76c3b7a7ade7f74eaffc880
SHA1d4bb70e79412fd0cbbf467022de39f032b3841ce
SHA256178f9bfba27ae41feeec2f6866f46a63176c8ce16412f4456605a56541af652f
SHA512282047fe44d9221aab9ba7003f35a9dfb0d2d0a34963a0e303b6edabed714696ddbaa3e685a891ff1c4ada5308dcc2b07e07e2f3599b0606b01f293c88f82327
-
Filesize
1KB
MD5a150219ff752029c2bb2154b12392b58
SHA12277aa81f0f3b4bdee6ae3b3b5538f8d483b7bfc
SHA256ac7a353d743c3d0791459b046dfd9481196f9b22112bee50df142745fed904df
SHA51282d021765fdf694c7959bdac7f1e6802c6603039a1ff3baaf4f02597926886455b813c4de3b26695db1e52e80f02cdb9e89dda9765f6cd936e97d036bc6cd579
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize11KB
MD5d169d20b24035e1dbed31f4ba78a219a
SHA1d7e59c42ff60111689b0483f88c4a076ee0fe388
SHA256e3d1c8c05e0d54d544a23e5ca52b23d830629265cf75421d1bf4dcb4e7e87432
SHA5129c6ca576b914a9fdfc6fef630ce635d21ed225050d1b891d66e01bd96bbcf598160373280615bcf8e57984be8631ff3ac262720f3c96625e1eb89aed20e90a8a
-
Filesize
109KB
MD592837aaae7924d102ba2500cc4e9112a
SHA1a1703c7611169c72164b59aac82304ce796112c9
SHA2566549e8a4c7cc7f1dd8f66672ccf20f83f6d009b2d22daef0d4bd10e864a984d5
SHA512193ce5c308241aa74fc59e76d1be0ada94981a4575f122e3e7b572c450d39486dbbb76e8e528bdb35835f263819949c31d99354b6364a1bc0759875e3987e0a7
-
Filesize
173KB
MD5531fef986ed5652ce7d171a86ccf7a57
SHA19e34527ce94bab531a4f1302bd1ce1664c3db6e6
SHA25656294f6fa449dc38dac574bf4b9caa1f680b92421b70e68ec80a467a69611497
SHA512974e292b655995f75c6b814f95b4d7ed0c6bdc67b4f8861bd872b5b8f58d1e89d21bbb6d1b6abc3b4977eef48bef5051282b6620ac823f228298276ee08adcae
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5226cf12e956dff77574dd6b708e6c4ce
SHA182e02c36f6c6c62e736fbc681b0ce4b8e5a1bf5b
SHA256125eb7050e5930fdaa3c1e12d41f1386384b33725648ca6b8fb87b49c026a077
SHA5126ef3e1d22a02670e0b6daf0ed6fd6f4222c7ca4812c84880a364316be6297971289806109887af357e8401bd429663bf341307e2d6a7a39726c39a38f2030cc4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5f7cb2ad6fac19d01866e193d2abf4a6c
SHA1e06b650d16ae4788ead57043e929f20cf1336fb8
SHA2566868ba7155554bf1bbd9ccb8b7b25a35121511f6f6bc526cab8a4a3a2faec0a2
SHA512bdc5a553a141e4118c344dd13faa35676cb05795801b07479c3656aadbb40fd58faea24970c4cce6a730f044b8216bcffeb36cb3766a92f6d39e2ee9daccd691
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5127084e49b19d7bcfb8c78fcda3985ec
SHA11190e4baf1a4beb3f84dc1fa44f032d03e70040a
SHA256d1d9a30d9aa366727b1c6a634165671474eaf4b69c366fa2191b2a3c48ece12f
SHA512392e454add4e55257c14d042d1e3867c5980aed04b810283eada80200328247c290bb35531c86ba8aab46b3211629ea04f6bbb660fc29914d2704a0e90b83c49
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56de88ec45c9d1351259ea41d25c265c7
SHA1bbf3219a0bbf1cdbd6ed1acb53e0fef51f24940b
SHA256e6d55993f7feb70fd84623bf012c773813c9ab1a7892e685635db283e69b80e0
SHA512b60a92a712cf2521aa3af06e600f3d105860f611f4ee9ad94e87f3316a75f23741ab99fb3d79d3ae2a458365c0ce6524cbf87668c67e8a3b8fe2347098b361e6
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
356KB
MD5a8e0b0186e5159aa8a772e8d4169d3f3
SHA17c1f0f6fc4fd2669717e632652ff8a99fb093e69
SHA2561cf433abd42285879b502b2d01958fff3fe4ad687a0e7c1fba243ffbffe7f34e
SHA51201fa49ff7921b380f0390a1ba9c4beff61278685d9caabe188d84977b73fffe7ffe51360677fbaa0319c0e4d4387804c665a7671ad63e4f8a8bc6c8ae0fe55fa
