teslacrypt | 69155f404a1482e4188726cb0f88b6c6fd6ca94d834b31e05f36e88662281e22

General

Target

VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe
Size

418KB
MD5

1a9ab9e924a6856d642bbe88064e4236
SHA1

d9d445e9dcb8694398c7acb33f38d7261c95321c
SHA256

69155f404a1482e4188726cb0f88b6c6fd6ca94d834b31e05f36e88662281e22
SHA512

f41e93d25fe32248f55dbf5c1c721e4af5d2c28531816955094585a00afa94ea2dab0a6e25191abe8896a2185cdbc535d9dcf3beac14b683d05e1c8c7c6f80b2
SSDEEP

6144:/lhEMsxe34/JTpHIOdX2JOVM8aSC4Zl7rOfT+yIaIWk3HtlE0/Ce+Mx62q2jQ1+d:7ssoJhf8JOqQC4/7CfTk/rsh2jQ1T0jv

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\_RECoVERY_+hjcmb.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/FAA6A892722F429A 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/FAA6A892722F429A 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/FAA6A892722F429A If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/FAA6A892722F429A 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/FAA6A892722F429A http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/FAA6A892722F429A http://yyre45dbvn2nhbefbmh.begumvelic.at/FAA6A892722F429A Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/FAA6A892722F429A

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/FAA6A892722F429A

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/FAA6A892722F429A

http://yyre45dbvn2nhbefbmh.begumvelic.at/FAA6A892722F429A

http://xlowfznrg4wf7dli.ONION/FAA6A892722F429A

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (577) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 2 IoCs

Processes:

wrlxfgovuevc.exewrlxfgovuevc.exe

pid process

4492 wrlxfgovuevc.exe
4544 wrlxfgovuevc.exe

pid	process
4492	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wrlxfgovuevc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\ckthanixywyy = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\wrlxfgovuevc.exe\""	wrlxfgovuevc.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

VirusShare_1a9ab9e924a6856d642bbe88064e4236.exewrlxfgovuevc.exe

description	pid	process	target process
PID 1628 set thread context of 1536	1628	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe
PID 4492 set thread context of 4544	4492	wrlxfgovuevc.exe	wrlxfgovuevc.exe

Drops file in Program Files directory 64 IoCs

Processes:

wrlxfgovuevc.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\System\en-US\_RECoVERY_+hjcmb.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-180.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\_RECoVERY_+hjcmb.txt	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\_RECoVERY_+hjcmb.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\_RECoVERY_+hjcmb.html	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\_RECoVERY_+hjcmb.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\_RECoVERY_+hjcmb.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\_RECoVERY_+hjcmb.txt	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\_RECoVERY_+hjcmb.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchSmallTile.scale-125.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\resources.pak	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\_RECoVERY_+hjcmb.txt	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\_RECoVERY_+hjcmb.html	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_RECoVERY_+hjcmb.txt	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\_RECoVERY_+hjcmb.txt	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+hjcmb.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-125.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\_RECoVERY_+hjcmb.html	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\_RECoVERY_+hjcmb.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\_RECoVERY_+hjcmb.html	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\_RECoVERY_+hjcmb.html	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\_RECoVERY_+hjcmb.txt	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\_RECoVERY_+hjcmb.html	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\_RECoVERY_+hjcmb.html	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\_RECoVERY_+hjcmb.html	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\_RECoVERY_+hjcmb.html	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleSmallTile.scale-125.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-140.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\_RECoVERY_+hjcmb.html	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\_RECoVERY_+hjcmb.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+hjcmb.txt	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\_RECoVERY_+hjcmb.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_RECoVERY_+hjcmb.html	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorAppList.scale-125.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\_RECoVERY_+hjcmb.txt	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\_RECoVERY_+hjcmb.txt	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\_RECoVERY_+hjcmb.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\_RECoVERY_+hjcmb.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\_RECoVERY_+hjcmb.txt	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\_RECoVERY_+hjcmb.html	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\OneConnectLargeTile.scale-125.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\_RECoVERY_+hjcmb.html	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\amd64\_RECoVERY_+hjcmb.txt	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppStoreLogo.scale-125.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\_RECoVERY_+hjcmb.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\_RECoVERY_+hjcmb.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\_RECoVERY_+hjcmb.txt	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\_RECoVERY_+hjcmb.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\_RECoVERY_+hjcmb.html	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\130\_RECoVERY_+hjcmb.html	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\_RECoVERY_+hjcmb.txt	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\_RECoVERY_+hjcmb.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconEditRichCapture.scale-125.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\applet\_RECoVERY_+hjcmb.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\_RECoVERY_+hjcmb.txt	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\_RECoVERY_+hjcmb.html	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECoVERY_+hjcmb.txt	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\_RECoVERY_+hjcmb.png	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\_RECoVERY_+hjcmb.txt	wrlxfgovuevc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\_RECoVERY_+hjcmb.png	wrlxfgovuevc.exe

Drops file in Windows directory 2 IoCs

Processes:

VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe

description	ioc	process
File created	C:\Windows\wrlxfgovuevc.exe	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe
File opened for modification	C:\Windows\wrlxfgovuevc.exe	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

VirusShare_1a9ab9e924a6856d642bbe88064e4236.exewrlxfgovuevc.execmd.exewrlxfgovuevc.exeVirusShare_1a9ab9e924a6856d642bbe88064e4236.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrlxfgovuevc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrlxfgovuevc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wrlxfgovuevc.exe

pid	process
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe
4544	wrlxfgovuevc.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

VirusShare_1a9ab9e924a6856d642bbe88064e4236.exewrlxfgovuevc.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1536	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe
Token: SeDebugPrivilege	4544	wrlxfgovuevc.exe
Token: SeIncreaseQuotaPrivilege	4936	WMIC.exe
Token: SeSecurityPrivilege	4936	WMIC.exe
Token: SeTakeOwnershipPrivilege	4936	WMIC.exe
Token: SeLoadDriverPrivilege	4936	WMIC.exe
Token: SeSystemProfilePrivilege	4936	WMIC.exe
Token: SeSystemtimePrivilege	4936	WMIC.exe
Token: SeProfSingleProcessPrivilege	4936	WMIC.exe
Token: SeIncBasePriorityPrivilege	4936	WMIC.exe
Token: SeCreatePagefilePrivilege	4936	WMIC.exe
Token: SeBackupPrivilege	4936	WMIC.exe
Token: SeRestorePrivilege	4936	WMIC.exe
Token: SeShutdownPrivilege	4936	WMIC.exe
Token: SeDebugPrivilege	4936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4936	WMIC.exe
Token: SeRemoteShutdownPrivilege	4936	WMIC.exe
Token: SeUndockPrivilege	4936	WMIC.exe
Token: SeManageVolumePrivilege	4936	WMIC.exe
Token: 33	4936	WMIC.exe
Token: 34	4936	WMIC.exe
Token: 35	4936	WMIC.exe
Token: 36	4936	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4936	WMIC.exe
Token: SeSecurityPrivilege	4936	WMIC.exe
Token: SeTakeOwnershipPrivilege	4936	WMIC.exe
Token: SeLoadDriverPrivilege	4936	WMIC.exe
Token: SeSystemProfilePrivilege	4936	WMIC.exe
Token: SeSystemtimePrivilege	4936	WMIC.exe
Token: SeProfSingleProcessPrivilege	4936	WMIC.exe
Token: SeIncBasePriorityPrivilege	4936	WMIC.exe
Token: SeCreatePagefilePrivilege	4936	WMIC.exe
Token: SeBackupPrivilege	4936	WMIC.exe
Token: SeRestorePrivilege	4936	WMIC.exe
Token: SeShutdownPrivilege	4936	WMIC.exe
Token: SeDebugPrivilege	4936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4936	WMIC.exe
Token: SeRemoteShutdownPrivilege	4936	WMIC.exe
Token: SeUndockPrivilege	4936	WMIC.exe
Token: SeManageVolumePrivilege	4936	WMIC.exe
Token: 33	4936	WMIC.exe
Token: 34	4936	WMIC.exe
Token: 35	4936	WMIC.exe
Token: 36	4936	WMIC.exe
Token: SeBackupPrivilege	3488	vssvc.exe
Token: SeRestorePrivilege	3488	vssvc.exe
Token: SeAuditPrivilege	3488	vssvc.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

VirusShare_1a9ab9e924a6856d642bbe88064e4236.exeVirusShare_1a9ab9e924a6856d642bbe88064e4236.exewrlxfgovuevc.exewrlxfgovuevc.exe

description	pid	process	target process
PID 1628 wrote to memory of 1536	1628	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe
PID 1628 wrote to memory of 1536	1628	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe
PID 1628 wrote to memory of 1536	1628	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe
PID 1628 wrote to memory of 1536	1628	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe
PID 1628 wrote to memory of 1536	1628	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe
PID 1628 wrote to memory of 1536	1628	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe
PID 1628 wrote to memory of 1536	1628	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe
PID 1628 wrote to memory of 1536	1628	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe
PID 1628 wrote to memory of 1536	1628	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe
PID 1536 wrote to memory of 4492	1536	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe	wrlxfgovuevc.exe
PID 1536 wrote to memory of 4492	1536	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe	wrlxfgovuevc.exe
PID 1536 wrote to memory of 4492	1536	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe	wrlxfgovuevc.exe
PID 1536 wrote to memory of 2060	1536	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe	cmd.exe
PID 1536 wrote to memory of 2060	1536	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe	cmd.exe
PID 1536 wrote to memory of 2060	1536	VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe	cmd.exe
PID 4492 wrote to memory of 4544	4492	wrlxfgovuevc.exe	wrlxfgovuevc.exe
PID 4492 wrote to memory of 4544	4492	wrlxfgovuevc.exe	wrlxfgovuevc.exe
PID 4492 wrote to memory of 4544	4492	wrlxfgovuevc.exe	wrlxfgovuevc.exe
PID 4492 wrote to memory of 4544	4492	wrlxfgovuevc.exe	wrlxfgovuevc.exe
PID 4492 wrote to memory of 4544	4492	wrlxfgovuevc.exe	wrlxfgovuevc.exe
PID 4492 wrote to memory of 4544	4492	wrlxfgovuevc.exe	wrlxfgovuevc.exe
PID 4492 wrote to memory of 4544	4492	wrlxfgovuevc.exe	wrlxfgovuevc.exe
PID 4492 wrote to memory of 4544	4492	wrlxfgovuevc.exe	wrlxfgovuevc.exe
PID 4492 wrote to memory of 4544	4492	wrlxfgovuevc.exe	wrlxfgovuevc.exe
PID 4544 wrote to memory of 4936	4544	wrlxfgovuevc.exe	WMIC.exe
PID 4544 wrote to memory of 4936	4544	wrlxfgovuevc.exe	WMIC.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

wrlxfgovuevc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wrlxfgovuevc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	wrlxfgovuevc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_1a9ab9e924a6856d642bbe88064e4236.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\wrlxfgovuevc.exe
    C:\Windows\wrlxfgovuevc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\wrlxfgovuevc.exe
      C:\Windows\wrlxfgovuevc.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4544
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\_RECoVERY_+hjcmb.html

Filesize
12KB

MD5
3b8d097c3942e8b6c24455fab3e2830f

SHA1
dec7b1646e71c2b3bd4aa9b69503bf6dc8d2079d

SHA256
d4929abec94a5231a03b276e827a01c2c52c188128b73be4a8562fcff2db0150

SHA512
bc0451990d69ce69e57a4c29228723cfe7b39b9ed2fa62b8f43c168a0da30981501f4264bb4a9fbb690b78931b441e173242ccaf65223354d03353c24fdcc830

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+hjcmb.png

Filesize
64KB

MD5
f1e41f6dcb3a176a9f1ade0db6b5e545

SHA1
8c32350b8d6ed2354c83bb1b9b5abafe166039a6

SHA256
6640b5415f482ecde1124730c5d81d954dafe5f6b3d605721f38230a9fe12611

SHA512
825ace4d7d59573a6e7424d000ab6c423db3c77870ce5ce229cc516ff079e05de6b1ee7083be45ea82d6b80f694ccc2e22eabf9f99c093d16faf42fc7cdac6ff

Download Submit
C:\Program Files\7-Zip\Lang\_RECoVERY_+hjcmb.txt

Filesize
1KB

MD5
5374a61d9891790d9986c292adae6c9d

SHA1
002fb33f7ef0f484508276227ca2cec7e0a19046

SHA256
dc872b2bff87af735ef28007e923db47c9b4e7840a23823a2ffb6037c6c87bb9

SHA512
1a4d1bf378769494f41310413fa776faac98eb4bd3d85143b330e9bd1214d777d3799df2a5c5124153f47406a8ba0ef685c89bc61a851f591cbb3814c046134a

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
48d461611b9312014c7753b8f79f2d8b

SHA1
3bef7a85366f55a9ad9e767748533d4a06ad9e34

SHA256
4874df208b33eddbe9967625cc75ff9961419e357a8619f2f41b75f86ab3d1ed

SHA512
f2b06cc51e1d0272674c5178f574cf2d266d4eb7906dc01afb35bb04fbd52f756674db299bda0dda017b2245a6bbaa68e8cdbce8b7ff6e801f4e0b8c2f8485b8

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
00ddb6ce3c85b3c46b65515f7544e5b1

SHA1
42d3239df856e3d335e91480b6f28edf278244a7

SHA256
b65fe2d1a5f49e27d202aeff36c915c95e6b70a93936d4728247128d66a594d6

SHA512
d76efa589dee41e7ff0f8676a64efc9403ea3f20547ea2d61a310b54d12f803a02df051847ddd058ca846519237fe0a59e93fcde0dd84e392b91b35279c30124

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
563f13fa4eb5cad91c7c011b37727361

SHA1
ddcb4cb2ba109c65731d376a3af889abc1e6f9bd

SHA256
d5f8ccc3271616579b3dd19511301e86b45f01f1f00d56dc536af4df54f492ed

SHA512
03ab4360f6702d4cb220618173107dd4ef0364bcd05d6402d4c09e264dd8715f72f70aac8e0664c96d6d5f7c6215e4725fa21cfffa5d457b6eaab9566c61c482

Download Submit
C:\Windows\wrlxfgovuevc.exe

Filesize
418KB

MD5
1a9ab9e924a6856d642bbe88064e4236

SHA1
d9d445e9dcb8694398c7acb33f38d7261c95321c

SHA256
69155f404a1482e4188726cb0f88b6c6fd6ca94d834b31e05f36e88662281e22

SHA512
f41e93d25fe32248f55dbf5c1c721e4af5d2c28531816955094585a00afa94ea2dab0a6e25191abe8896a2185cdbc535d9dcf3beac14b683d05e1c8c7c6f80b2

Download Submit
memory/1536-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1536-15-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1536-6-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1536-3-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1536-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1628-5-0x00000000001E0000-0x00000000001E4000-memory.dmp

Filesize
16KB

Download
memory/1628-0-0x00000000001E0000-0x00000000001E4000-memory.dmp

Filesize
16KB

Download
memory/1628-1-0x00000000001E0000-0x00000000001E4000-memory.dmp

Filesize
16KB

Download
memory/4492-12-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4544-23-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4544-105-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4544-25-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4544-21-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4544-585-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4544-586-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4544-668-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4544-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4544-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4544-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4544-1362-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4544-2466-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4544-3343-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads