Overview
overview
10Static
static
7bc41543926...18.zip
windows7-x64
1Documents/...er.exe
windows7-x64
10Documents/...ll.exe
windows7-x64
9Documents/...aw.exe
windows7-x64
10Documents/...ky.exe
windows7-x64
10Documents/...31.exe
windows7-x64
1Documents/...3 .exe
windows7-x64
7Documents/...d9.dll
windows7-x64
10Documents/...63b.gz
windows7-x64
3Documents/...bin.gz
windows7-x64
3Documents/...097.gz
windows7-x64
3fe2e5d0543...L9.rtf
windows7-x64
4Documents/...uy.hta
windows7-x64
10Documents/...st.exe
windows7-x64
7Documents/...39.exe
windows7-x64
6Documents/...5c.exe
windows7-x64
6Documents/...00.exe
windows7-x64
7out.exe
windows7-x64
3Documents/...16.zip
windows7-x64
1Supplement...16.scr
windows7-x64
3Documents/...ZSFwgb
windows7-x64
1Documents/...96.exe
windows7-x64
Documents/...ed.exe
windows7-x64
Documents/...70.exe
windows7-x64
9Documents/...67.exe
windows7-x64
10Documents/...56.exe
windows7-x64
10Documents/...ab.exe
windows7-x64
8Documents/...3a.exe
windows7-x64
8Documents/...73.exe
windows7-x64
8Documents/...ry.zip
windows7-x64
1ed01ebfbc9...aa.exe
windows7-x64
10Documents/...aa.exe
windows7-x64
10Resubmissions
22-08-2024 18:43
240822-xc563asamh 1021-08-2024 17:16
240821-vtjnaathnq 1030-06-2024 00:59
240630-bcjr6svbkk 1020-06-2024 02:02
240620-cf43ysxbnk 1020-06-2024 01:44
240620-b5v1xawemk 1019-06-2024 01:10
240619-bjmseavfmp 1018-06-2024 20:40
240618-zfwsxawdpa 1018-06-2024 13:45
240618-q2vcjawdle 10Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
18-06-2024 20:40
Behavioral task
behavioral1
Sample
bc41543926dda3762ae39e35aba7a813_JaffaCakes118.zip
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Documents/Ransomware.Cerber/cerber.exe
Resource
win7-20231129-en
Behavioral task
behavioral3
Sample
Documents/Ransomware.Cryptowall/cryptowall.exe
Resource
win7-20240611-en
Behavioral task
behavioral4
Sample
Documents/Ransomware.Jigsaw/jigsaw.exe
Resource
win7-20240221-en
Behavioral task
behavioral5
Sample
Documents/Ransomware.Locky/Locky.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
Documents/Ransomware.Mamba/131.exe
Resource
win7-20240419-en
Behavioral task
behavioral7
Sample
Documents/Ransomware.Matsnu/Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
Resource
win7-20240611-en
Behavioral task
behavioral8
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win7-20240508-en
Behavioral task
behavioral9
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b.gz
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6.bin.gz
Resource
win7-20240611-en
Behavioral task
behavioral11
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097.gz
Resource
win7-20231129-en
Behavioral task
behavioral12
Sample
fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.rtf
Resource
win7-20240221-en
Behavioral task
behavioral13
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/myguy.hta
Resource
win7-20240508-en
Behavioral task
behavioral14
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/svchost.exe
Resource
win7-20240611-en
Behavioral task
behavioral15
Sample
Documents/Ransomware.Petya/Ransomware.Petya/26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
Documents/Ransomware.Petya/Ransomware.Petya/4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe
Resource
win7-20240220-en
Behavioral task
behavioral17
Sample
Documents/Ransomware.Radamant/Ransomware.Radamant/DUMP_00A10000-00A1D000.exe
Resource
win7-20240419-en
Behavioral task
behavioral18
Sample
out.exe
Resource
win7-20240611-en
Behavioral task
behavioral19
Sample
Documents/Ransomware.Radamant/Ransomware.Radamant/Supplementary Agreement 26_01_2016.zip
Resource
win7-20240508-en
Behavioral task
behavioral20
Sample
Supplementary Agreement 26_01_2016.scr
Resource
win7-20240611-en
Behavioral task
behavioral21
Sample
Documents/Ransomware.Rex/WTEpZSFwgb
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
Documents/Ransomware.Satana/Ransomware.Satana/683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
Resource
win7-20240508-en
Behavioral task
behavioral23
Sample
Documents/Ransomware.Satana/Ransomware.Satana/unpacked.exe
Resource
win7-20240611-en
Behavioral task
behavioral24
Sample
Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe
Resource
win7-20240508-en
Behavioral task
behavioral25
Sample
Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
Resource
win7-20231129-en
Behavioral task
behavioral27
Sample
Documents/Ransomware.Vipasana/Ransomware.Vipasana/0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
Resource
win7-20240220-en
Behavioral task
behavioral28
Sample
Documents/Ransomware.Vipasana/Ransomware.Vipasana/c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe
Resource
win7-20240419-en
Behavioral task
behavioral29
Sample
Documents/Ransomware.Vipasana/Ransomware.Vipasana/e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe
Resource
win7-20240611-en
Behavioral task
behavioral30
Sample
Documents/Ransomware.WannaCry/Ransomware.WannaCry.zip
Resource
win7-20240508-en
Behavioral task
behavioral31
Sample
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource
win7-20240611-en
Behavioral task
behavioral32
Sample
Documents/Ransomware.WannaCry/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource
win7-20240508-en
General
-
Target
Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
-
Size
257KB
-
MD5
6e080aa085293bb9fbdcc9015337d309
-
SHA1
51b4ef5dc9d26b7a26e214cee90598631e2eaa67
-
SHA256
9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122
-
SHA512
4e173fb5287c7ea8ff116099ec1a0599b37f743f8b798368319b5960af38e742124223dfd209457665b701e9efc6e76071fa2513322b232ac50ddad21fcebe77
-
SSDEEP
6144:xy+als+0nIycigV5cbEo6dZbBODPIsjQ/UFsYW:xy+aCFnIycigVSbObBODTMUd
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RESTORE_FILES.txt
15WTmHwHg2SfSiBweYXVWtFvqf224Wtzay
http://3kxwjihmkgibht2s.wh47f2as19.com
http://34r6hq26q2h4jkzj.7hwr34n18.com
https://3kxwjihmkgibht2s.s5.tor-gateways.de/
http://34r6hq26q2h4jkzj.onion/
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (361) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process 2588 cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 2552 sdwfmie.exe 2676 sdwfmie.exe -
Loads dropped DLL 3 IoCs
pid Process 1804 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 2552 sdwfmie.exe 2676 sdwfmie.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Users\\Admin\\AppData\\Roaming\\sdwfmie.exe" sdwfmie.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 ipinfo.io -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\HELP_RESTORE_FILES.bmp" sdwfmie.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2224 set thread context of 1804 2224 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 28 PID 2552 set thread context of 2676 2552 sdwfmie.exe 32 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\he.pak sdwfmie.exe File created C:\Program Files\Windows Media Player\Network Sharing\HELP_RESTORE_FILES.txt sdwfmie.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single.png sdwfmie.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\cpu.js sdwfmie.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_down.png sdwfmie.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\settings.css sdwfmie.exe File created C:\Program Files\Windows NT\Accessories\fr-FR\HELP_RESTORE_FILES.txt sdwfmie.exe File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\HELP_RESTORE_FILES.txt sdwfmie.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_SelectionSubpicture.png sdwfmie.exe File opened for modification C:\Program Files\Windows Media Player\Media Renderer\DMR_120.png sdwfmie.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\19.png sdwfmie.exe File created C:\Program Files\Microsoft Games\More Games\ja-JP\HELP_RESTORE_FILES.txt sdwfmie.exe File created C:\Program Files\VideoLAN\VLC\locale\be\HELP_RESTORE_FILES.txt sdwfmie.exe File created C:\Program Files\Windows Journal\de-DE\HELP_RESTORE_FILES.txt sdwfmie.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\et.pak sdwfmie.exe File created C:\Program Files\Java\HELP_RESTORE_FILES.txt sdwfmie.exe File created C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\HELP_RESTORE_FILES.txt sdwfmie.exe File created C:\Program Files\VideoLAN\VLC\locale\cs\HELP_RESTORE_FILES.txt sdwfmie.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv sdwfmie.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png sdwfmie.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png sdwfmie.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv sdwfmie.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-highlight.png sdwfmie.exe File created C:\Program Files\VideoLAN\VLC\locale\ca\HELP_RESTORE_FILES.txt sdwfmie.exe File created C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\HELP_RESTORE_FILES.txt sdwfmie.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\flyout.css sdwfmie.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png sdwfmie.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv sdwfmie.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png sdwfmie.exe File created C:\Program Files\VideoLAN\VLC\locale\br\HELP_RESTORE_FILES.txt sdwfmie.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png sdwfmie.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_rainy.png sdwfmie.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png sdwfmie.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\weather.js sdwfmie.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nb.pak sdwfmie.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_down.png sdwfmie.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous_partly-cloudy.png sdwfmie.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png sdwfmie.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css sdwfmie.exe File created C:\Program Files\Microsoft Office\HELP_RESTORE_FILES.txt sdwfmie.exe File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\HELP_RESTORE_FILES.txt sdwfmie.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\localizedStrings.js sdwfmie.exe File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\HELP_RESTORE_FILES.txt sdwfmie.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv sdwfmie.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png sdwfmie.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png sdwfmie.exe File created C:\Program Files\Microsoft Games\Chess\de-DE\HELP_RESTORE_FILES.txt sdwfmie.exe File created C:\Program Files\Windows Journal\es-ES\HELP_RESTORE_FILES.txt sdwfmie.exe File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\HELP_RESTORE_FILES.txt sdwfmie.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\am.pak sdwfmie.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\HELP_RESTORE_FILES.txt sdwfmie.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\drag.png sdwfmie.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent.png sdwfmie.exe File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\HELP_RESTORE_FILES.txt sdwfmie.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\rollinghills.png sdwfmie.exe File created C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\HELP_RESTORE_FILES.txt sdwfmie.exe File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\HELP_RESTORE_FILES.txt sdwfmie.exe File created C:\Program Files\Common Files\System\Ole DB\fr-FR\HELP_RESTORE_FILES.txt sdwfmie.exe File created C:\Program Files\VideoLAN\VLC\locale\af\HELP_RESTORE_FILES.txt sdwfmie.exe File created C:\Program Files\VideoLAN\VLC\lua\http\js\HELP_RESTORE_FILES.txt sdwfmie.exe File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\HELP_RESTORE_FILES.txt sdwfmie.exe File created C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\HELP_RESTORE_FILES.txt sdwfmie.exe File created C:\Program Files\Java\jdk1.7.0_80\bin\HELP_RESTORE_FILES.txt sdwfmie.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\HELP_RESTORE_FILES.txt sdwfmie.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2480 vssadmin.exe -
Modifies Control Panel 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallpaperStyle = "0" sdwfmie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\TileWallpaper = "0" sdwfmie.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe 2676 sdwfmie.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 1804 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe Token: SeDebugPrivilege 2676 sdwfmie.exe Token: SeBackupPrivilege 2864 vssvc.exe Token: SeRestorePrivilege 2864 vssvc.exe Token: SeAuditPrivilege 2864 vssvc.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2676 sdwfmie.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 2224 wrote to memory of 1804 2224 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 28 PID 2224 wrote to memory of 1804 2224 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 28 PID 2224 wrote to memory of 1804 2224 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 28 PID 2224 wrote to memory of 1804 2224 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 28 PID 2224 wrote to memory of 1804 2224 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 28 PID 2224 wrote to memory of 1804 2224 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 28 PID 2224 wrote to memory of 1804 2224 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 28 PID 2224 wrote to memory of 1804 2224 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 28 PID 2224 wrote to memory of 1804 2224 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 28 PID 2224 wrote to memory of 1804 2224 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 28 PID 1804 wrote to memory of 2552 1804 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 29 PID 1804 wrote to memory of 2552 1804 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 29 PID 1804 wrote to memory of 2552 1804 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 29 PID 1804 wrote to memory of 2552 1804 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 29 PID 1804 wrote to memory of 2588 1804 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 30 PID 1804 wrote to memory of 2588 1804 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 30 PID 1804 wrote to memory of 2588 1804 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 30 PID 1804 wrote to memory of 2588 1804 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe 30 PID 2552 wrote to memory of 2676 2552 sdwfmie.exe 32 PID 2552 wrote to memory of 2676 2552 sdwfmie.exe 32 PID 2552 wrote to memory of 2676 2552 sdwfmie.exe 32 PID 2552 wrote to memory of 2676 2552 sdwfmie.exe 32 PID 2552 wrote to memory of 2676 2552 sdwfmie.exe 32 PID 2552 wrote to memory of 2676 2552 sdwfmie.exe 32 PID 2552 wrote to memory of 2676 2552 sdwfmie.exe 32 PID 2552 wrote to memory of 2676 2552 sdwfmie.exe 32 PID 2552 wrote to memory of 2676 2552 sdwfmie.exe 32 PID 2552 wrote to memory of 2676 2552 sdwfmie.exe 32 PID 2676 wrote to memory of 2480 2676 sdwfmie.exe 33 PID 2676 wrote to memory of 2480 2676 sdwfmie.exe 33 PID 2676 wrote to memory of 2480 2676 sdwfmie.exe 33 PID 2676 wrote to memory of 2480 2676 sdwfmie.exe 33 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.TeslaCrypt\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.TeslaCrypt\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.TeslaCrypt\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exeC:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.TeslaCrypt\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Users\Admin\AppData\Roaming\sdwfmie.exeC:\Users\Admin\AppData\Roaming\sdwfmie.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Users\Admin\AppData\Roaming\sdwfmie.exeC:\Users\Admin\AppData\Roaming\sdwfmie.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet5⤵
- Interacts with shadow copies
PID:2480
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DOCUME~1\RANSOM~1.TES\RANSOM~1.TES\51B4EF~1.EXE >> NUL3⤵
- Deletes itself
PID:2588
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2864
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5195c33430f947021750315e7f168725e
SHA1ca34c17445fd17ddca87e1f665f76f8e958ac767
SHA2569ae040538fb7553140f7ab9bd118e8f9d4e39d68a53107a14d9285008a1837cf
SHA512e4f8cade15505b90d80a7bc77f92b79a6465cabb3c158d832747a46e8be8b8c164e3a0ddb86150914190bead546ae4ee336c23e8967780dd51aa3c2a922cef0b
-
Filesize
257KB
MD56e080aa085293bb9fbdcc9015337d309
SHA151b4ef5dc9d26b7a26e214cee90598631e2eaa67
SHA2569b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122
SHA5124e173fb5287c7ea8ff116099ec1a0599b37f743f8b798368319b5960af38e742124223dfd209457665b701e9efc6e76071fa2513322b232ac50ddad21fcebe77