teslacrypt | 49e7123bc10323f2d784f09586174e3fa9fd1a5e078f35d916165602ef34f2b0

Analysis

max time kernel
138s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-16_d338855d06c451c8357f4fbf61790f43_teslacrypt.exe
Size

251KB
MD5

d338855d06c451c8357f4fbf61790f43
SHA1

41a3c753fc279c41814f758d34d99f3caabb40b1
SHA256

49e7123bc10323f2d784f09586174e3fa9fd1a5e078f35d916165602ef34f2b0
SHA512

fb41c9cde3ca237a8ca755ce895fccf704b7e8c2fcf1151fd24391494c0c8fb44a9018d1499085ca4ca399c3bcd9c87f7dc0b7e39a892dcab59137d4c0af5203
SSDEEP

3072:q346YQgDABWbDF5LizpJo7VQjI+XOCGdYQchceAMbZadZh6qO/1yL1qTC1TRpA:O+KTjIRdYQuAQGh6qO/iXA

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+gvbir.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/CECA1BBCA894D45 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/CECA1BBCA894D45 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/CECA1BBCA894D45 If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/CECA1BBCA894D45 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/CECA1BBCA894D45 http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/CECA1BBCA894D45 http://yyre45dbvn2nhbefbmh.begumvelic.at/CECA1BBCA894D45 Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/CECA1BBCA894D45

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/CECA1BBCA894D45

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/CECA1BBCA894D45

http://yyre45dbvn2nhbefbmh.begumvelic.at/CECA1BBCA894D45

http://xlowfznrg4wf7dli.ONION/CECA1BBCA894D45

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (899) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-09-16_d338855d06c451c8357f4fbf61790f43_teslacrypt.exewxsxnedxfidy.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	2024-09-16_d338855d06c451c8357f4fbf61790f43_teslacrypt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	wxsxnedxfidy.exe

Drops startup file 6 IoCs

Processes:

wxsxnedxfidy.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+gvbir.txt	wxsxnedxfidy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+gvbir.html	wxsxnedxfidy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+gvbir.png	wxsxnedxfidy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+gvbir.txt	wxsxnedxfidy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+gvbir.html	wxsxnedxfidy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+gvbir.png	wxsxnedxfidy.exe

Executes dropped EXE 1 IoCs

Processes:

wxsxnedxfidy.exe

pid process

3312 wxsxnedxfidy.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wxsxnedxfidy.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dbavrudlydhf = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\wxsxnedxfidy.exe\""	wxsxnedxfidy.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

Processes:

wxsxnedxfidy.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\_RECoVERY_+gvbir.txt	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\TagAlbumDefinitions\_RECoVERY_+gvbir.html	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-48_altform-unplated.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\_RECoVERY_+gvbir.txt	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\WideTile.scale-125.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-200_contrast-black.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-200.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\_RECoVERY_+gvbir.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\_RECoVERY_+gvbir.txt	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\_RECoVERY_+gvbir.txt	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail-Dark.scale-125.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\_RECoVERY_+gvbir.txt	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-black_scale-100.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\_RECoVERY_+gvbir.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\_RECoVERY_+gvbir.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\_RECoVERY_+gvbir.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.scale-150.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\JumpListNotesList.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\offlineUtilities.js	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-400.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+gvbir.html	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-16_contrast-white.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ro-RO\View3d\_RECoVERY_+gvbir.html	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-200.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\_RECoVERY_+gvbir.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_RECoVERY_+gvbir.txt	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\_RECoVERY_+gvbir.html	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_RECoVERY_+gvbir.txt	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-96_altform-unplated_contrast-black.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-64.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-200.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\MicrosoftSolitaireLargeTile.scale-200.jpg	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalSplashScreen.scale-125_contrast-black.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleWideTile.scale-100.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_contrast-white.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\_RECoVERY_+gvbir.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_altform-unplated.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\snooze.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\_RECoVERY_+gvbir.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-36_altform-unplated.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSmallTile.scale-125.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\_RECoVERY_+gvbir.txt	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\_RECoVERY_+gvbir.html	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\mk-MK\_RECoVERY_+gvbir.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-32_altform-lightunplated.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\_RECoVERY_+gvbir.txt	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\BadgeLogo.scale-100_contrast-white.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\THMBNAIL.PNG	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\_RECoVERY_+gvbir.txt	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\155.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\164.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-16.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\_RECoVERY_+gvbir.html	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-100.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp2.scale-200.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-256.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\_RECoVERY_+gvbir.txt	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-24_contrast-black.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\StartScreen\Tips_Image.png	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionEditor\_RECoVERY_+gvbir.txt	wxsxnedxfidy.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-100.png	wxsxnedxfidy.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-09-16_d338855d06c451c8357f4fbf61790f43_teslacrypt.exe

description	ioc	process
File created	C:\Windows\wxsxnedxfidy.exe	2024-09-16_d338855d06c451c8357f4fbf61790f43_teslacrypt.exe
File opened for modification	C:\Windows\wxsxnedxfidy.exe	2024-09-16_d338855d06c451c8357f4fbf61790f43_teslacrypt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-09-16_d338855d06c451c8357f4fbf61790f43_teslacrypt.exewxsxnedxfidy.execmd.exeNOTEPAD.EXEcmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-16_d338855d06c451c8357f4fbf61790f43_teslacrypt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxsxnedxfidy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

Processes:

wxsxnedxfidy.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings wxsxnedxfidy.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

512 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	wxsxnedxfidy.exe

pid	process
512	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wxsxnedxfidy.exe

pid	process
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe
3312	wxsxnedxfidy.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-09-16_d338855d06c451c8357f4fbf61790f43_teslacrypt.exewxsxnedxfidy.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2060	2024-09-16_d338855d06c451c8357f4fbf61790f43_teslacrypt.exe
Token: SeDebugPrivilege	3312	wxsxnedxfidy.exe
Token: SeIncreaseQuotaPrivilege	5072	WMIC.exe
Token: SeSecurityPrivilege	5072	WMIC.exe
Token: SeTakeOwnershipPrivilege	5072	WMIC.exe
Token: SeLoadDriverPrivilege	5072	WMIC.exe
Token: SeSystemProfilePrivilege	5072	WMIC.exe
Token: SeSystemtimePrivilege	5072	WMIC.exe
Token: SeProfSingleProcessPrivilege	5072	WMIC.exe
Token: SeIncBasePriorityPrivilege	5072	WMIC.exe
Token: SeCreatePagefilePrivilege	5072	WMIC.exe
Token: SeBackupPrivilege	5072	WMIC.exe
Token: SeRestorePrivilege	5072	WMIC.exe
Token: SeShutdownPrivilege	5072	WMIC.exe
Token: SeDebugPrivilege	5072	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5072	WMIC.exe
Token: SeRemoteShutdownPrivilege	5072	WMIC.exe
Token: SeUndockPrivilege	5072	WMIC.exe
Token: SeManageVolumePrivilege	5072	WMIC.exe
Token: 33	5072	WMIC.exe
Token: 34	5072	WMIC.exe
Token: 35	5072	WMIC.exe
Token: 36	5072	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5072	WMIC.exe
Token: SeSecurityPrivilege	5072	WMIC.exe
Token: SeTakeOwnershipPrivilege	5072	WMIC.exe
Token: SeLoadDriverPrivilege	5072	WMIC.exe
Token: SeSystemProfilePrivilege	5072	WMIC.exe
Token: SeSystemtimePrivilege	5072	WMIC.exe
Token: SeProfSingleProcessPrivilege	5072	WMIC.exe
Token: SeIncBasePriorityPrivilege	5072	WMIC.exe
Token: SeCreatePagefilePrivilege	5072	WMIC.exe
Token: SeBackupPrivilege	5072	WMIC.exe
Token: SeRestorePrivilege	5072	WMIC.exe
Token: SeShutdownPrivilege	5072	WMIC.exe
Token: SeDebugPrivilege	5072	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5072	WMIC.exe
Token: SeRemoteShutdownPrivilege	5072	WMIC.exe
Token: SeUndockPrivilege	5072	WMIC.exe
Token: SeManageVolumePrivilege	5072	WMIC.exe
Token: 33	5072	WMIC.exe
Token: 34	5072	WMIC.exe
Token: 35	5072	WMIC.exe
Token: 36	5072	WMIC.exe
Token: SeBackupPrivilege	3352	vssvc.exe
Token: SeRestorePrivilege	3352	vssvc.exe
Token: SeAuditPrivilege	3352	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2728	WMIC.exe
Token: SeSecurityPrivilege	2728	WMIC.exe
Token: SeTakeOwnershipPrivilege	2728	WMIC.exe
Token: SeLoadDriverPrivilege	2728	WMIC.exe
Token: SeSystemProfilePrivilege	2728	WMIC.exe
Token: SeSystemtimePrivilege	2728	WMIC.exe
Token: SeProfSingleProcessPrivilege	2728	WMIC.exe
Token: SeIncBasePriorityPrivilege	2728	WMIC.exe
Token: SeCreatePagefilePrivilege	2728	WMIC.exe
Token: SeBackupPrivilege	2728	WMIC.exe
Token: SeRestorePrivilege	2728	WMIC.exe
Token: SeShutdownPrivilege	2728	WMIC.exe
Token: SeDebugPrivilege	2728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2728	WMIC.exe
Token: SeRemoteShutdownPrivilege	2728	WMIC.exe
Token: SeUndockPrivilege	2728	WMIC.exe
Token: SeManageVolumePrivilege	2728	WMIC.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

2024-09-16_d338855d06c451c8357f4fbf61790f43_teslacrypt.exewxsxnedxfidy.exe

description	pid	process	target process
PID 2060 wrote to memory of 3312	2060	2024-09-16_d338855d06c451c8357f4fbf61790f43_teslacrypt.exe	wxsxnedxfidy.exe
PID 2060 wrote to memory of 3312	2060	2024-09-16_d338855d06c451c8357f4fbf61790f43_teslacrypt.exe	wxsxnedxfidy.exe
PID 2060 wrote to memory of 3312	2060	2024-09-16_d338855d06c451c8357f4fbf61790f43_teslacrypt.exe	wxsxnedxfidy.exe
PID 2060 wrote to memory of 4036	2060	2024-09-16_d338855d06c451c8357f4fbf61790f43_teslacrypt.exe	cmd.exe
PID 2060 wrote to memory of 4036	2060	2024-09-16_d338855d06c451c8357f4fbf61790f43_teslacrypt.exe	cmd.exe
PID 2060 wrote to memory of 4036	2060	2024-09-16_d338855d06c451c8357f4fbf61790f43_teslacrypt.exe	cmd.exe
PID 3312 wrote to memory of 5072	3312	wxsxnedxfidy.exe	WMIC.exe
PID 3312 wrote to memory of 5072	3312	wxsxnedxfidy.exe	WMIC.exe
PID 3312 wrote to memory of 512	3312	wxsxnedxfidy.exe	NOTEPAD.EXE
PID 3312 wrote to memory of 512	3312	wxsxnedxfidy.exe	NOTEPAD.EXE
PID 3312 wrote to memory of 512	3312	wxsxnedxfidy.exe	NOTEPAD.EXE
PID 3312 wrote to memory of 1528	3312	wxsxnedxfidy.exe	msedge.exe
PID 3312 wrote to memory of 1528	3312	wxsxnedxfidy.exe	msedge.exe
PID 3312 wrote to memory of 2728	3312	wxsxnedxfidy.exe	WMIC.exe
PID 3312 wrote to memory of 2728	3312	wxsxnedxfidy.exe	WMIC.exe
PID 3312 wrote to memory of 1516	3312	wxsxnedxfidy.exe	cmd.exe
PID 3312 wrote to memory of 1516	3312	wxsxnedxfidy.exe	cmd.exe
PID 3312 wrote to memory of 1516	3312	wxsxnedxfidy.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

wxsxnedxfidy.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	wxsxnedxfidy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wxsxnedxfidy.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-09-16_d338855d06c451c8357f4fbf61790f43_teslacrypt.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-16_d338855d06c451c8357f4fbf61790f43_teslacrypt.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\wxsxnedxfidy.exe
  C:\Windows\wxsxnedxfidy.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3312
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5072
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    3⤵
    PID:1528
- - C:\Windows\System32\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\WXSXNE~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4328,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:8
1⤵
PID:1092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4104,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=3844 /prefetch:1
1⤵
PID:1424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4424,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:1
1⤵
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5448,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=5460 /prefetch:8
1⤵
PID:300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5428,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=5500 /prefetch:8
1⤵
PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5948,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=5836 /prefetch:8
1⤵
PID:3180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5908,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=5780 /prefetch:8
1⤵
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+gvbir.html

Filesize
12KB

MD5
7eee63f93054c51cf0767ce9585b7990

SHA1
c31b8db4993556d3d9f8e5bd412f697645fbff00

SHA256
d2c5f1ee4e8e4fa0c1478b5ea3f85980d62b53bff7a28bce16d2e0d73f307623

SHA512
5859fd392a4447eeea543382319c8432afe80eb09d294b89190620b787e8778848a48db5561d525e29dd65f24ae9f5fd9898d8edab12c0c79308e6c9c545af1d

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+gvbir.png

Filesize
64KB

MD5
955ef3628cacbff8cf51f2e3ca1385aa

SHA1
7a061dfec3fd52b0b2e63fb397987222434538e6

SHA256
ceb35aa43be796a4b93ac6b2115f87c79ca95824d8292b78c9d616da7178ae0b

SHA512
dfbcb94696403405cf5d729253fa3aa2b0b01b8a7d6579c4b5a2747ce92b021dd2b55586f8fef55cc93267e8891cbb4f1e529b453296ec2f7abb1f7d9127ae32

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+gvbir.txt

Filesize
1KB

MD5
1b0f813a627836084f29cb26854b80c7

SHA1
1ca2e4d75a7811ea08d8938eef3d459b9c7afedb

SHA256
4ca674208ad262e2c7e397f0365fe123dc6af79d17d702a1c4a50f67d6c798a8

SHA512
d079fc51f2f31c2485f51e6d2ae60fa453d49b889e1c349a75f151b8dfca590f311ffef8be199adf231808aff2ff23e0b027ab6967bcf683b7cc076d08fae97a

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
fa12e7d4c9854f1f2591a84fa357017f

SHA1
0c632bac78b3252dde724dfa24551e7f4dd8d09d

SHA256
2cdbaa660627f055855fd049502569bcff4ce1974c507e26f970cb2155dfe345

SHA512
c4cdb3139e9670ec7b5bf6eb9693a3dad717d3c9f95cc903c63289d2e605a3e72970089a7da4a7023a18dfcb56f278fa873a2e50348d46641761830890c5230d

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
e9b7affb47a1ce25ad27b8890b0e9981

SHA1
ead795cbd55b82be0b986714958d8d5ddf3d9aa8

SHA256
b8eb3648493a2c9cbc86e81990b57c0b986056a16077f6eb42d0f04e7f9a0588

SHA512
d366420d49d954731e22d94869d9372094f13f9d8ee94a40eed2f74c9b66aaf9e162ac7e723ec6f2d93781ef12cab9ec86bd13b553374fb4b3dbfde3d6a202e2

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
57465918d6c32ef2a9dcfb7258ea6052

SHA1
6ebe3fa61b0927a3e4bbe3d5617e5fd00512f2b2

SHA256
7b88b17fad16bd5730b6f8b3cb945f7554a62db05b1a97711c4a9c3b9d7eace4

SHA512
785c6300a52eccb4946994e2d08820f9361559c1910d5a3aa49ae66742c813e604599046ddfbeb1c79c07ad56a78df60ecfce6777310c9cc18d4170e7c305a91

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670754420482328.txt

Filesize
77KB

MD5
fe834e7beac3e2da053f382990902b4e

SHA1
4a983c962e2fdbc6872829425e994fb2af58021e

SHA256
95e939a766b5b4b209565ad97a231e32ac7a4874f8cccd373dd4c04cb111cacc

SHA512
6269718656692463e2c1cdfd32bfc3574c3c9a3a9f3d21695f6b49b525f073160c339df34587fbe55e2660a4963f4d0b73a0d9a5369c2421cc4d73126dfc335e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670756582511987.txt

Filesize
48KB

MD5
b1b141829133f23fdfbee36a6a3ffc5e

SHA1
05f1194573e4468efd95affa72eadf9a73ae78aa

SHA256
d1075d2ff4074362b7a61b0e9bf98e2f89c3196ec327fc8c960641e51a683cc4

SHA512
79620ed0f41bc362fdc31ce3d260693ec196a94bfe23be07f0925094fa9568da1f7e8e0aa3decf1a2e9fe4832edea065b5d656f212eb8ca5b49dcee5a3a7d3e0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670765474574461.txt

Filesize
75KB

MD5
1fb07f1d7670854892521224afafb3f2

SHA1
3e434eb9d6b59cd994d6f323c3c8859362d55eef

SHA256
6966afe44fc931b81ce76d832242ca4634a361c1e1f746568b36aa4aabe6ad65

SHA512
c6c53c6d919362f08a41611b7526b18ab214142d35a23ac1f10236ab16ffe102ceadbbe0c9c3df264f44da74e6706c72cda2528c7754a8da8637543942190514

Download Submit
C:\Windows\wxsxnedxfidy.exe

Filesize
251KB

MD5
d338855d06c451c8357f4fbf61790f43

SHA1
41a3c753fc279c41814f758d34d99f3caabb40b1

SHA256
49e7123bc10323f2d784f09586174e3fa9fd1a5e078f35d916165602ef34f2b0

SHA512
fb41c9cde3ca237a8ca755ce895fccf704b7e8c2fcf1151fd24391494c0c8fb44a9018d1499085ca4ca399c3bcd9c87f7dc0b7e39a892dcab59137d4c0af5203

Download Submit