Overview
overview
10Static
static
7bc41543926...18.zip
windows7-x64
1Documents/...er.exe
windows7-x64
10Documents/...ll.exe
windows7-x64
9Documents/...aw.exe
windows7-x64
10Documents/...ky.exe
windows7-x64
10Documents/...31.exe
windows7-x64
1Documents/...3 .exe
windows7-x64
7Documents/...d9.dll
windows7-x64
10Documents/...63b.gz
windows7-x64
3Documents/...bin.gz
windows7-x64
3Documents/...097.gz
windows7-x64
3fe2e5d0543...L9.rtf
windows7-x64
4Documents/...uy.hta
windows7-x64
10Documents/...st.exe
windows7-x64
7Documents/...39.exe
windows7-x64
6Documents/...5c.exe
windows7-x64
6Documents/...00.exe
windows7-x64
7out.exe
windows7-x64
3Documents/...16.zip
windows7-x64
1Supplement...16.scr
windows7-x64
3Documents/...ZSFwgb
windows7-x64
1Documents/...96.exe
windows7-x64
Documents/...ed.exe
windows7-x64
Documents/...70.exe
windows7-x64
9Documents/...67.exe
windows7-x64
10Documents/...56.exe
windows7-x64
10Documents/...ab.exe
windows7-x64
8Documents/...3a.exe
windows7-x64
8Documents/...73.exe
windows7-x64
8Documents/...ry.zip
windows7-x64
1ed01ebfbc9...aa.exe
windows7-x64
10Documents/...aa.exe
windows7-x64
10Resubmissions
22-08-2024 18:43
240822-xc563asamh 1021-08-2024 17:16
240821-vtjnaathnq 1030-06-2024 00:59
240630-bcjr6svbkk 1020-06-2024 02:02
240620-cf43ysxbnk 1020-06-2024 01:44
240620-b5v1xawemk 1019-06-2024 01:10
240619-bjmseavfmp 1018-06-2024 20:40
240618-zfwsxawdpa 1018-06-2024 13:45
240618-q2vcjawdle 10Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
18-06-2024 20:40
Behavioral task
behavioral1
Sample
bc41543926dda3762ae39e35aba7a813_JaffaCakes118.zip
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Documents/Ransomware.Cerber/cerber.exe
Resource
win7-20231129-en
Behavioral task
behavioral3
Sample
Documents/Ransomware.Cryptowall/cryptowall.exe
Resource
win7-20240611-en
Behavioral task
behavioral4
Sample
Documents/Ransomware.Jigsaw/jigsaw.exe
Resource
win7-20240221-en
Behavioral task
behavioral5
Sample
Documents/Ransomware.Locky/Locky.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
Documents/Ransomware.Mamba/131.exe
Resource
win7-20240419-en
Behavioral task
behavioral7
Sample
Documents/Ransomware.Matsnu/Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
Resource
win7-20240611-en
Behavioral task
behavioral8
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win7-20240508-en
Behavioral task
behavioral9
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b.gz
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6.bin.gz
Resource
win7-20240611-en
Behavioral task
behavioral11
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097.gz
Resource
win7-20231129-en
Behavioral task
behavioral12
Sample
fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.rtf
Resource
win7-20240221-en
Behavioral task
behavioral13
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/myguy.hta
Resource
win7-20240508-en
Behavioral task
behavioral14
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/svchost.exe
Resource
win7-20240611-en
Behavioral task
behavioral15
Sample
Documents/Ransomware.Petya/Ransomware.Petya/26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
Documents/Ransomware.Petya/Ransomware.Petya/4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe
Resource
win7-20240220-en
Behavioral task
behavioral17
Sample
Documents/Ransomware.Radamant/Ransomware.Radamant/DUMP_00A10000-00A1D000.exe
Resource
win7-20240419-en
Behavioral task
behavioral18
Sample
out.exe
Resource
win7-20240611-en
Behavioral task
behavioral19
Sample
Documents/Ransomware.Radamant/Ransomware.Radamant/Supplementary Agreement 26_01_2016.zip
Resource
win7-20240508-en
Behavioral task
behavioral20
Sample
Supplementary Agreement 26_01_2016.scr
Resource
win7-20240611-en
Behavioral task
behavioral21
Sample
Documents/Ransomware.Rex/WTEpZSFwgb
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
Documents/Ransomware.Satana/Ransomware.Satana/683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
Resource
win7-20240508-en
Behavioral task
behavioral23
Sample
Documents/Ransomware.Satana/Ransomware.Satana/unpacked.exe
Resource
win7-20240611-en
Behavioral task
behavioral24
Sample
Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe
Resource
win7-20240508-en
Behavioral task
behavioral25
Sample
Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
Resource
win7-20231129-en
Behavioral task
behavioral27
Sample
Documents/Ransomware.Vipasana/Ransomware.Vipasana/0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
Resource
win7-20240220-en
Behavioral task
behavioral28
Sample
Documents/Ransomware.Vipasana/Ransomware.Vipasana/c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a.exe
Resource
win7-20240419-en
Behavioral task
behavioral29
Sample
Documents/Ransomware.Vipasana/Ransomware.Vipasana/e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe
Resource
win7-20240611-en
Behavioral task
behavioral30
Sample
Documents/Ransomware.WannaCry/Ransomware.WannaCry.zip
Resource
win7-20240508-en
Behavioral task
behavioral31
Sample
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource
win7-20240611-en
Behavioral task
behavioral32
Sample
Documents/Ransomware.WannaCry/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource
win7-20240508-en
General
-
Target
Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
-
Size
261KB
-
MD5
6d3d62a4cff19b4f2cc7ce9027c33be8
-
SHA1
e906fa3d51e86a61741b3499145a114e9bfb7c56
-
SHA256
afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18
-
SHA512
973643639cb02491b86d5b264ee8118a67d8a83453307aea95de2f4c6aa55819d37730c41dc3338116ebe86f9a4f2bba7d9537ea744ae08b9755f05c15153fad
-
SSDEEP
6144:93g0BQG+aZiycigV5bbEo6dZbBODPIsjQ/UFsYWo:93g0OGjZiycigVRbObBODTMUdj
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RESTORE_FILES.txt
1EJDnpvVn8EYET3S9AFgvtEZPHwi9zh17c
http://3kxwjihmkgibht2s.wh47f2as19.com
http://34r6hq26q2h4jkzj.7hwr34n18.com
https://3kxwjihmkgibht2s.s5.tor-gateways.de/
http://34r6hq26q2h4jkzj.onion/
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (381) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process 3048 cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 3000 dimuynl.exe 2160 dimuynl.exe -
Loads dropped DLL 3 IoCs
pid Process 2132 E906FA3D51E86A61741B3499145A114E9BFB7C56.exe 3000 dimuynl.exe 2160 dimuynl.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Users\\Admin\\AppData\\Roaming\\dimuynl.exe" dimuynl.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 ipinfo.io -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\HELP_RESTORE_FILES.bmp" dimuynl.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2212 set thread context of 2132 2212 E906FA3D51E86A61741B3499145A114E9BFB7C56.exe 28 PID 3000 set thread context of 2160 3000 dimuynl.exe 31 -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\HELP_RESTORE_FILES.txt dimuynl.exe File created C:\Program Files\VideoLAN\VLC\plugins\stream_filter\HELP_RESTORE_FILES.txt dimuynl.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\40.png dimuynl.exe File created C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\HELP_RESTORE_FILES.txt dimuynl.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sw.pak dimuynl.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\HELP_RESTORE_FILES.txt dimuynl.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\HELP_RESTORE_FILES.txt dimuynl.exe File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\HELP_RESTORE_FILES.txt dimuynl.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\flyout.css dimuynl.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png dimuynl.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ru.pak dimuynl.exe File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\HELP_RESTORE_FILES.txt dimuynl.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider.png dimuynl.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\init.js dimuynl.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\alertIcon.png dimuynl.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-highlight.png dimuynl.exe File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\HELP_RESTORE_FILES.txt dimuynl.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-US.pak dimuynl.exe File created C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\HELP_RESTORE_FILES.txt dimuynl.exe File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\HELP_RESTORE_FILES.txt dimuynl.exe File created C:\Program Files\VideoLAN\VLC\locale\hu\HELP_RESTORE_FILES.txt dimuynl.exe File created C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\HELP_RESTORE_FILES.txt dimuynl.exe File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\HELP_RESTORE_FILES.txt dimuynl.exe File created C:\Program Files\VideoLAN\VLC\locale\zu\HELP_RESTORE_FILES.txt dimuynl.exe File created C:\Program Files\VideoLAN\VLC\locale\HELP_RESTORE_FILES.txt dimuynl.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png dimuynl.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sl.pak dimuynl.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\HELP_RESTORE_FILES.txt dimuynl.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\HELP_RESTORE_FILES.txt dimuynl.exe File created C:\Program Files\Microsoft Games\Chess\en-US\HELP_RESTORE_FILES.txt dimuynl.exe File created C:\Program Files\Java\HELP_RESTORE_FILES.txt dimuynl.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png dimuynl.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\settings.css dimuynl.exe File created C:\Program Files\7-Zip\HELP_RESTORE_FILES.txt dimuynl.exe File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\HELP_RESTORE_FILES.txt dimuynl.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg dimuynl.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\gu.pak dimuynl.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\HELP_RESTORE_FILES.txt dimuynl.exe File opened for modification C:\Program Files\Mozilla Firefox\installation_telemetry.json dimuynl.exe File created C:\Program Files\Windows Photo Viewer\it-IT\HELP_RESTORE_FILES.txt dimuynl.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_hov.png dimuynl.exe File created C:\Program Files\Microsoft Games\Mahjong\de-DE\HELP_RESTORE_FILES.txt dimuynl.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\HELP_RESTORE_FILES.txt dimuynl.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\HELP_RESTORE_FILES.txt dimuynl.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\settings.js dimuynl.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up.png dimuynl.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_up.png dimuynl.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png dimuynl.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\logo.png dimuynl.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_sun.png dimuynl.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576_91n92.png dimuynl.exe File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\HELP_RESTORE_FILES.txt dimuynl.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\flyout_background.png dimuynl.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\HELP_RESTORE_FILES.txt dimuynl.exe File created C:\Program Files\Java\jre7\bin\plugin2\HELP_RESTORE_FILES.txt dimuynl.exe File created C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\HELP_RESTORE_FILES.txt dimuynl.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\HELP_RESTORE_FILES.txt dimuynl.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_preferencestyle.css dimuynl.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png dimuynl.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_down.png dimuynl.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png dimuynl.exe File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\HELP_RESTORE_FILES.txt dimuynl.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrome.7z dimuynl.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\settings.js dimuynl.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1152 vssadmin.exe -
Modifies Control Panel 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallpaperStyle = "0" dimuynl.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\TileWallpaper = "0" dimuynl.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe 2160 dimuynl.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 2132 E906FA3D51E86A61741B3499145A114E9BFB7C56.exe Token: SeDebugPrivilege 2160 dimuynl.exe Token: SeBackupPrivilege 1880 vssvc.exe Token: SeRestorePrivilege 1880 vssvc.exe Token: SeAuditPrivilege 1880 vssvc.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2160 dimuynl.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 2212 wrote to memory of 2132 2212 E906FA3D51E86A61741B3499145A114E9BFB7C56.exe 28 PID 2212 wrote to memory of 2132 2212 E906FA3D51E86A61741B3499145A114E9BFB7C56.exe 28 PID 2212 wrote to memory of 2132 2212 E906FA3D51E86A61741B3499145A114E9BFB7C56.exe 28 PID 2212 wrote to memory of 2132 2212 E906FA3D51E86A61741B3499145A114E9BFB7C56.exe 28 PID 2212 wrote to memory of 2132 2212 E906FA3D51E86A61741B3499145A114E9BFB7C56.exe 28 PID 2212 wrote to memory of 2132 2212 E906FA3D51E86A61741B3499145A114E9BFB7C56.exe 28 PID 2212 wrote to memory of 2132 2212 E906FA3D51E86A61741B3499145A114E9BFB7C56.exe 28 PID 2212 wrote to memory of 2132 2212 E906FA3D51E86A61741B3499145A114E9BFB7C56.exe 28 PID 2212 wrote to memory of 2132 2212 E906FA3D51E86A61741B3499145A114E9BFB7C56.exe 28 PID 2212 wrote to memory of 2132 2212 E906FA3D51E86A61741B3499145A114E9BFB7C56.exe 28 PID 2132 wrote to memory of 3000 2132 E906FA3D51E86A61741B3499145A114E9BFB7C56.exe 29 PID 2132 wrote to memory of 3000 2132 E906FA3D51E86A61741B3499145A114E9BFB7C56.exe 29 PID 2132 wrote to memory of 3000 2132 E906FA3D51E86A61741B3499145A114E9BFB7C56.exe 29 PID 2132 wrote to memory of 3000 2132 E906FA3D51E86A61741B3499145A114E9BFB7C56.exe 29 PID 2132 wrote to memory of 3048 2132 E906FA3D51E86A61741B3499145A114E9BFB7C56.exe 30 PID 2132 wrote to memory of 3048 2132 E906FA3D51E86A61741B3499145A114E9BFB7C56.exe 30 PID 2132 wrote to memory of 3048 2132 E906FA3D51E86A61741B3499145A114E9BFB7C56.exe 30 PID 2132 wrote to memory of 3048 2132 E906FA3D51E86A61741B3499145A114E9BFB7C56.exe 30 PID 3000 wrote to memory of 2160 3000 dimuynl.exe 31 PID 3000 wrote to memory of 2160 3000 dimuynl.exe 31 PID 3000 wrote to memory of 2160 3000 dimuynl.exe 31 PID 3000 wrote to memory of 2160 3000 dimuynl.exe 31 PID 3000 wrote to memory of 2160 3000 dimuynl.exe 31 PID 3000 wrote to memory of 2160 3000 dimuynl.exe 31 PID 3000 wrote to memory of 2160 3000 dimuynl.exe 31 PID 3000 wrote to memory of 2160 3000 dimuynl.exe 31 PID 3000 wrote to memory of 2160 3000 dimuynl.exe 31 PID 3000 wrote to memory of 2160 3000 dimuynl.exe 31 PID 2160 wrote to memory of 1152 2160 dimuynl.exe 33 PID 2160 wrote to memory of 1152 2160 dimuynl.exe 33 PID 2160 wrote to memory of 1152 2160 dimuynl.exe 33 PID 2160 wrote to memory of 1152 2160 dimuynl.exe 33 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.TeslaCrypt\Ransomware.TeslaCrypt\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.TeslaCrypt\Ransomware.TeslaCrypt\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.TeslaCrypt\Ransomware.TeslaCrypt\E906FA3D51E86A61741B3499145A114E9BFB7C56.exeC:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.TeslaCrypt\Ransomware.TeslaCrypt\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Users\Admin\AppData\Roaming\dimuynl.exeC:\Users\Admin\AppData\Roaming\dimuynl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Users\Admin\AppData\Roaming\dimuynl.exeC:\Users\Admin\AppData\Roaming\dimuynl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet5⤵
- Interacts with shadow copies
PID:1152
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DOCUME~1\RANSOM~1.TES\RANSOM~1.TES\E906FA~1.EXE >> NUL3⤵
- Deletes itself
PID:3048
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD54b7238424e6df455ec3187d702d3dcf9
SHA10fd7b20026591148d088f590f605b70e7c5f9a8d
SHA25654396bdb4acf1226a9257e6a51ced61547a85a7257b024a91b7e4bad4dfd8497
SHA512016ddf27f7e39629868be3fef624f62f065be9ba3a24085edd2c510e762cb0c2b2ef17fda06efa13f838a6cdd2d5c786699e9665ad8f25425468d3bc67150e4f
-
Filesize
261KB
MD56d3d62a4cff19b4f2cc7ce9027c33be8
SHA1e906fa3d51e86a61741b3499145a114e9bfb7c56
SHA256afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18
SHA512973643639cb02491b86d5b264ee8118a67d8a83453307aea95de2f4c6aa55819d37730c41dc3338116ebe86f9a4f2bba7d9537ea744ae08b9755f05c15153fad