Resubmissions

22-08-2024 18:43

240822-xc563asamh 10

21-08-2024 17:16

240821-vtjnaathnq 10

30-06-2024 00:59

240630-bcjr6svbkk 10

20-06-2024 02:02

240620-cf43ysxbnk 10

20-06-2024 01:44

240620-b5v1xawemk 10

19-06-2024 01:10

240619-bjmseavfmp 10

18-06-2024 20:40

240618-zfwsxawdpa 10

18-06-2024 13:45

240618-q2vcjawdle 10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-06-2024 20:40

General

  • Target

    Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe

  • Size

    257KB

  • MD5

    6e080aa085293bb9fbdcc9015337d309

  • SHA1

    51b4ef5dc9d26b7a26e214cee90598631e2eaa67

  • SHA256

    9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122

  • SHA512

    4e173fb5287c7ea8ff116099ec1a0599b37f743f8b798368319b5960af38e742124223dfd209457665b701e9efc6e76071fa2513322b232ac50ddad21fcebe77

  • SSDEEP

    6144:xy+als+0nIycigV5cbEo6dZbBODPIsjQ/UFsYW:xy+aCFnIycigVSbObBODTMUd

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RESTORE_FILES.txt

Ransom Note
All your documents, photos, databases and other important files have been encrypted with strongest encryption RSA-2048 key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main encryptor red window, examine it and follow the instructions. Otherwise, it seems that you or your antivirus deleted the encryptor program. Now you have the last chance to decrypt your files. Open http://3kxwjihmkgibht2s.wh47f2as19.com or http://34r6hq26q2h4jkzj.7hwr34n18.com , https://3kxwjihmkgibht2s.s5.tor-gateways.de/ in your browser. They are public gates to the secret server. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 15WTmHwHg2SfSiBweYXVWtFvqf224Wtzay Follow the instructions on the server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://34r6hq26q2h4jkzj.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. 15WTmHwHg2SfSiBweYXVWtFvqf224Wtzay Follow the instructions on the server.
Wallets

15WTmHwHg2SfSiBweYXVWtFvqf224Wtzay

URLs

http://3kxwjihmkgibht2s.wh47f2as19.com

http://34r6hq26q2h4jkzj.7hwr34n18.com

https://3kxwjihmkgibht2s.s5.tor-gateways.de/

http://34r6hq26q2h4jkzj.onion/

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (361) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.TeslaCrypt\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
    "C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.TeslaCrypt\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.TeslaCrypt\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
      C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.TeslaCrypt\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1804
      • C:\Users\Admin\AppData\Roaming\sdwfmie.exe
        C:\Users\Admin\AppData\Roaming\sdwfmie.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2552
        • C:\Users\Admin\AppData\Roaming\sdwfmie.exe
          C:\Users\Admin\AppData\Roaming\sdwfmie.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Sets desktop wallpaper using registry
          • Drops file in Program Files directory
          • Modifies Control Panel
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2676
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
            5⤵
            • Interacts with shadow copies
            PID:2480
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DOCUME~1\RANSOM~1.TES\RANSOM~1.TES\51B4EF~1.EXE >> NUL
        3⤵
        • Deletes itself
        PID:2588
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2864

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RESTORE_FILES.txt

    Filesize

    1KB

    MD5

    195c33430f947021750315e7f168725e

    SHA1

    ca34c17445fd17ddca87e1f665f76f8e958ac767

    SHA256

    9ae040538fb7553140f7ab9bd118e8f9d4e39d68a53107a14d9285008a1837cf

    SHA512

    e4f8cade15505b90d80a7bc77f92b79a6465cabb3c158d832747a46e8be8b8c164e3a0ddb86150914190bead546ae4ee336c23e8967780dd51aa3c2a922cef0b

  • \Users\Admin\AppData\Roaming\sdwfmie.exe

    Filesize

    257KB

    MD5

    6e080aa085293bb9fbdcc9015337d309

    SHA1

    51b4ef5dc9d26b7a26e214cee90598631e2eaa67

    SHA256

    9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122

    SHA512

    4e173fb5287c7ea8ff116099ec1a0599b37f743f8b798368319b5960af38e742124223dfd209457665b701e9efc6e76071fa2513322b232ac50ddad21fcebe77

  • memory/1804-4-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/1804-21-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/1804-8-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/1804-0-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/1804-2-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/1804-13-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/1804-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1804-15-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/1804-14-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/1804-6-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2224-12-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

  • memory/2552-40-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

  • memory/2676-41-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2676-39-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2676-44-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2676-45-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2676-58-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2676-183-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2676-2191-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2676-2198-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB