Overview

overview

10

Static

static

3

VirusShare...5c.exe

windows7-x64

10

VirusShare...5c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    10-06-2024 11:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VirusShare_a5eb9cf3b138e8466071ec20a6722b5c.exe

  • Size

    336KB

  • MD5

    a5eb9cf3b138e8466071ec20a6722b5c

  • SHA1

    5b8db28fdc2e40fd67b3de164eb9d904122e5cef

  • SHA256

    ea7be43ae12bab3a5c3e00a568f3b3564c9225a056960048eda72f9f8f9f690e

  • SHA512

    499af2dfd9997cd737ebdd758d7c84e36084d5db5cf1f2eb032fd496b549e808303eb73275e9ddf378e966972c1ddbab03174ba5b9b97fd4c75c2ba1e5d14a24

  • SSDEEP

    6144:81w0U6D6x4kyjf+g0uc2RTqWmx7Ikw9NShXvSmk2OpXaP/EBySkQ4:8i0Uu6ikyjcuk5y0hXaxpKkB

Score
10/10
teslacryptdefense_evasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ohmmo.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/64E65EAB38EE1FE3 2. http://tes543berda73i48fsdfsd.keratadze.at/64E65EAB38EE1FE3 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/64E65EAB38EE1FE3 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/64E65EAB38EE1FE3 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/64E65EAB38EE1FE3 http://tes543berda73i48fsdfsd.keratadze.at/64E65EAB38EE1FE3 http://tt54rfdjhb34rfbnknaerg.milerteddy.com/64E65EAB38EE1FE3 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/64E65EAB38EE1FE3
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/64E65EAB38EE1FE3

http://tes543berda73i48fsdfsd.keratadze.at/64E65EAB38EE1FE3

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/64E65EAB38EE1FE3

http://xlowfznrg4wf7dli.ONION/64E65EAB38EE1FE3

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

    ransomwareteslacrypt
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (419) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_a5eb9cf3b138e8466071ec20a6722b5c.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_a5eb9cf3b138e8466071ec20a6722b5c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Users\Admin\AppData\Local\Temp\VirusShare_a5eb9cf3b138e8466071ec20a6722b5c.exe
      "C:\Users\Admin\AppData\Local\Temp\VirusShare_a5eb9cf3b138e8466071ec20a6722b5c.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Windows\pnxiwcsktuxo.exe
        C:\Windows\pnxiwcsktuxo.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Windows\pnxiwcsktuxo.exe
          C:\Windows\pnxiwcsktuxo.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1740
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:296
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:3016
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1204
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1204 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:876
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2232
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\PNXIWC~1.EXE
            5⤵
              PID:2860
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
          3⤵
          • Deletes itself
          PID:2888
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2852
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:2016

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ohmmo.html
      Filesize

      11KB

      MD5

      bf5f4a12712d68e360db27839d6c6888

      SHA1

      5a0367288c87c4cd802a6106cc845e3497b5c762

      SHA256

      5a8d43fd8366f85e6549dbaafcdc0857990e787c4c3043ee4166e4b469fae554

      SHA512

      8854706e478ecf246bccd63682853a0aa04aedc2dc6e20476deec45e0796ab0876f7f0b9b481b657581558b0f1e8443f99c92c455a1707c1ecf2d08997b927ff

      Download Submit

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ohmmo.png
      Filesize

      62KB

      MD5

      c0c6ecb974dea3719e54347fbac49e36

      SHA1

      327fea1d93e7d8b0b35bc99ffcc56875ed8a89dd

      SHA256

      9166e42c799f9803bd68a8ad332f942f453a55331be929a7fb8c07f19219bfac

      SHA512

      566998cebae3803b099dd4bb46d4c74068e471a6fdf86a121217f0711b547bba4d0aeb1a05574110043f0bc5be7e71036f0d8726a977de4159cd57486312b70a

      Download Submit

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ohmmo.txt
      Filesize

      1KB

      MD5

      7215225cfb7afc317a9301da5d58e6b2

      SHA1

      6a42c011508db197218126e4cafc33892c11755d

      SHA256

      c4062ef03274c8956c61c75d77ca3b91d250cfd700109ca5c9144b2d50080282

      SHA512

      289278aaf7544162a086645c5c5420ae55d5c618dd15b52af8ce4c914921444f17bda2a3007249c54f2acfdeb4894da24117e0a870e3c7156741eebdafd8f554

      Download Submit

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
      Filesize

      11KB

      MD5

      cef0ce4d612c3a266c2135f69cd86fa2

      SHA1

      bd4a60457332009a9227651d201e9322efd2ea12

      SHA256

      cf47ce6d42c8d2dc037236f7512d0f627f689ff0442aecdc7a67b0caca57f7a4

      SHA512

      728f609ba6231ae1f98c1fc76785cc5df8172334b8d7c57b0aac6ebf83bf57add028c78cf2113b2c38425066d13b8fa66ac512ff44a911e19d23e459d8c73f16

      Download Submit

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
      Filesize

      109KB

      MD5

      841d5907704ee6b9fce9d45865baf5ce

      SHA1

      6bff822283d615798a9e862184f87fe4de66da26

      SHA256

      52f093b5a8df03b6a4b089a591be5878e9e21c57a0ee31422785c879018e69bc

      SHA512

      1f363ee0df236b4622f8152a0bc01acc2259a8cb6f4526fcf8923c57871f3185c6dd155388f32d96fe7764181797fcd4b1b8c8548daef6f003ded150f1b73341

      Download Submit

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
      Filesize

      173KB

      MD5

      7989de6b23db4151b8356f5fd19d8a55

      SHA1

      96fcf51baf7ce40c4ed09fa37bf72dc79bca3dcb

      SHA256

      b83e934ebfedb0f2c3cb8b9ef96b737df8c95059bcea11a2e87c1f5f9b00491e

      SHA512

      bdf29684cf8d1986e7fed1cf541bf3c1c676481e540b7e020455413b19ce6424c6b109d3c6ced422e5e3fd6b1c65095cb8dd07ff6065cd5a3d09abe81bf42e64

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ecc8a0cf696cdfa7fe4ac673c9d2bacf

      SHA1

      e8911b6cba84b3ac8b00d43a7462a6bc02882735

      SHA256

      0c060dae769e24383a2d971656a5ddb51aa47b47d02850b5c58ca81d1f391cf6

      SHA512

      72993b2c0ccda87df364aef61a55b0fa6cfc22041d947ea84168eb6921d1af799a7375fe81b9cf04fc7094ed939572e6d1deb0cce466adc1df682f933720c7f9

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      b446865dc536d8c4e37b562b24518b95

      SHA1

      26f7a8b9ea63e62e84bcc86e088f8a23738955fb

      SHA256

      35d0a0824e122ea7b792c5d4131c87b7eb4fc25a188d1dfe68f53071c7d83424

      SHA512

      cc9a1bf2bfa628bea17be0f4130f707dbd83bab0cf1b9fd0304004eb432fdad8c0e1d79bd7bbafba9cc4f33ce09b04519b0b14ee5c752528cde1b0a188f48048

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      657c1c56779cf272d742e3e200c51e94

      SHA1

      2939042a01d917d713fa8b7293be8b753492c76d

      SHA256

      47db1174fca917b7c1d8ecd9a6d37a56a862c11f8488697b31db7d49b726559c

      SHA512

      0e9c3f325b58b7d133907aac8bf21066824b91a4199eb3085acbb2aec38a32493265f42c6da9b06c18f82db23ec21a546e8cd268a0885429f2fbf754e8bfe168

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      5b34958c6541107bc032e011a6f7995d

      SHA1

      a52862502814f28eb9f5a18cf66c54baef5cd296

      SHA256

      9cf1e25e660b62ad1eb55d703dbd3e6da36be1846b80ad1e93b605895811665a

      SHA512

      77c31934639773189c9127448e2cc98125f43951415f4d1370032723544ef7cc2dbe487da1c302753b4328cc90c8ae3deadf225d56628e6f4caea275ffad6a97

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      fdaaa8ea2495b2532903dcc04c5ec149

      SHA1

      17121fcf59a49c824aa93c7cdfe518937ca2faad

      SHA256

      f480883ae929806001a2c595b9254c64761abddd5e3384d4e30a85775fe6d7f7

      SHA512

      27cc7dd6e61e4c4453746ac0e1e3e5a6c9e03d82ab571269da879281ab2e9acfa175f413641dccf9d6f3b0ea032111f3d96bc2f53714fc2b06ca37b20fc888f6

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      11565d59a997a73d0379441be6dd8765

      SHA1

      3d26f7fe409be6c232e0dbdc4c620d839461a3b5

      SHA256

      412feef5112c8b242e2211fc3cf9ed4fc4d425941cea04a0c54b5d1623f65e7f

      SHA512

      f0a45edfeb7ce9570f74725da7eb7b1fb1a687ad5139b46eb3199e314220d9816ef1fa071f62247bb6bd1dc9f1f54dc6f03ebc37cadeadbfc67c08f6f5c9f70a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      0460a867ac10439af7b4036e6b8c6f48

      SHA1

      19f17c55a8c5d05a0e53ebcfcc1b6bf429f9b3e5

      SHA256

      c37cba5cddd86839a95fe4ce81a20a917b174e69a10620102c74b2ece4f72988

      SHA512

      75b6b314a0c601599a054dee6c6646f213140b5cbbc0b40d493d265237f573ce27689beedf30af76e23561c3451178415d51db26f1c8b9795875f43a2be2ea24

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab84EC.tmp
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar856F.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Windows\pnxiwcsktuxo.exe
      Filesize

      336KB

      MD5

      a5eb9cf3b138e8466071ec20a6722b5c

      SHA1

      5b8db28fdc2e40fd67b3de164eb9d904122e5cef

      SHA256

      ea7be43ae12bab3a5c3e00a568f3b3564c9225a056960048eda72f9f8f9f690e

      SHA512

      499af2dfd9997cd737ebdd758d7c84e36084d5db5cf1f2eb032fd496b549e808303eb73275e9ddf378e966972c1ddbab03174ba5b9b97fd4c75c2ba1e5d14a24

      Download Submit

    • memory/1660-0-0x0000000000260000-0x0000000000263000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1660-15-0x0000000000260000-0x0000000000263000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1664-13-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1664-1-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1664-5-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1664-17-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1664-7-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1664-28-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1664-16-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1664-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1664-9-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1664-3-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1740-45-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1740-5254-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1740-6434-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1740-46-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1740-520-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1740-6062-0x00000000044B0000-0x00000000044B2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1740-6056-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1740-6065-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1740-2213-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1740-51-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1740-47-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1740-50-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1740-6437-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1740-6066-0x0000000000400000-0x0000000000485000-memory.dmp

      Filesize

      532KB

      Download

    • memory/2016-6063-0x00000000001A0000-0x00000000001A2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2680-26-0x0000000000400000-0x0000000000748000-memory.dmp

      Filesize

      3.3MB

      Download