Resubmissions

  • 22-08-2024 18:43  240822-xc563asamh  10
  • 21-08-2024 17:16  240821-vtjnaathnq  10
  • 30-06-2024 00:59  240630-bcjr6svbkk  10
  • 20-06-2024 02:02  240620-cf43ysxbnk  10
  • 20-06-2024 01:44  240620-b5v1xawemk  10
  • 19-06-2024 01:10  240619-bjmseavfmp  10
  • 18-06-2024 20:40  240618-zfwsxawdpa  10
  • 18-06-2024 13:45  240618-q2vcjawdle  10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-06-2024 20:40

General

  • Target

    Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/E906FA3D51E86A61741B3499145A114E9BFB7C56.exe

  • Size

    261KB

  • MD5

    6d3d62a4cff19b4f2cc7ce9027c33be8

  • SHA1

    e906fa3d51e86a61741b3499145a114e9bfb7c56

  • SHA256

    afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18

  • SHA512

    973643639cb02491b86d5b264ee8118a67d8a83453307aea95de2f4c6aa55819d37730c41dc3338116ebe86f9a4f2bba7d9537ea744ae08b9755f05c15153fad

  • SSDEEP

    6144:93g0BQG+aZiycigV5bbEo6dZbBODPIsjQ/UFsYWo:93g0OGjZiycigVRbObBODTMUdj

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RESTORE_FILES.txt

Ransom Note

All your documents, photos, databases and other important files have been encrypted with strongest encryption RSA-2048 key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main encryptor red window, examine it and follow the instructions. Otherwise, it seems that you or your antivirus deleted the encryptor program. Now you have the last chance to decrypt your files.

Open http://3kxwjihmkgibht2s.wh47f2as19.com or http://34r6hq26q2h4jkzj.7hwr34n18.com , https://3kxwjihmkgibht2s.s5.tor-gateways.de/ in your browser. They are public gates to the secret server.

Copy and paste the following Bitcoin address in the input form on server. Avoid missprints.
1EJDnpvVn8EYET3S9AFgvtEZPHwi9zh17c
Follow the instructions on the server.

If you have problems with gates, use direct connection:
1. Download Tor Browser from http://torproject.org
2. In the Tor Browser open the http://34r6hq26q2h4jkzj.onion/
Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable.

Copy and paste the following Bitcoin address in the input form on server. Avoid missprints.
1EJDnpvVn8EYET3S9AFgvtEZPHwi9zh17c
Follow the instructions on the server.

Wallets

1EJDnpvVn8EYET3S9AFgvtEZPHwi9zh17c

URLs

http://3kxwjihmkgibht2s.wh47f2as19.com

http://34r6hq26q2h4jkzj.7hwr34n18.com

https://3kxwjihmkgibht2s.s5.tor-gateways.de/

http://34r6hq26q2h4jkzj.onion/

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (381) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.TeslaCrypt\Ransomware.TeslaCrypt\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
    "C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.TeslaCrypt\Ransomware.TeslaCrypt\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.TeslaCrypt\Ransomware.TeslaCrypt\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
      C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.TeslaCrypt\Ransomware.TeslaCrypt\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Users\Admin\AppData\Roaming\dimuynl.exe
        C:\Users\Admin\AppData\Roaming\dimuynl.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3000
        • C:\Users\Admin\AppData\Roaming\dimuynl.exe
          C:\Users\Admin\AppData\Roaming\dimuynl.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Sets desktop wallpaper using registry
          • Drops file in Program Files directory
          • Modifies Control Panel
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2160
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
            5⤵
            • Interacts with shadow copies
            PID:1152
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DOCUME~1\RANSOM~1.TES\RANSOM~1.TES\E906FA~1.EXE >> NUL
        3⤵
        • Deletes itself
        PID:3048
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1880

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RESTORE_FILES.txt

    Filesize

    1KB

    MD5

    4b7238424e6df455ec3187d702d3dcf9

    SHA1

    0fd7b20026591148d088f590f605b70e7c5f9a8d

    SHA256

    54396bdb4acf1226a9257e6a51ced61547a85a7257b024a91b7e4bad4dfd8497

    SHA512

    016ddf27f7e39629868be3fef624f62f065be9ba3a24085edd2c510e762cb0c2b2ef17fda06efa13f838a6cdd2d5c786699e9665ad8f25425468d3bc67150e4f

  • \Users\Admin\AppData\Roaming\dimuynl.exe

    Filesize

    261KB

    MD5

    6d3d62a4cff19b4f2cc7ce9027c33be8

    SHA1

    e906fa3d51e86a61741b3499145a114e9bfb7c56

    SHA256

    afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18

    SHA512

    973643639cb02491b86d5b264ee8118a67d8a83453307aea95de2f4c6aa55819d37730c41dc3338116ebe86f9a4f2bba7d9537ea744ae08b9755f05c15153fad

  • memory/2132-23-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2132-15-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2132-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2132-8-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2132-6-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2132-4-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2132-2-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2132-14-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2132-0-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2132-11-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2160-42-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2160-43-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2160-45-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2160-47-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2160-66-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2160-195-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2160-2233-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2160-2240-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2212-12-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/3000-39-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB