Analysis
-
max time kernel
119s -
max time network
114s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
02-12-2024 10:33
General
-
Target
d9279ba3dbcbeefbba19f47f801c114edfd7a4532959b519cc00b24dc54a5ee8N.exe
-
Size
352KB
-
MD5
b0c00390c9aebb41cfce74f7415bf210
-
SHA1
62f3f37691303aed6a645631439dcc5c51c6e38d
-
SHA256
d9279ba3dbcbeefbba19f47f801c114edfd7a4532959b519cc00b24dc54a5ee8
-
SHA512
0c199aec76be1fc318214c4fee5ef38773cd11d469c9221ddcd86c61c53d176b3a8b2d1cbbdd0c86f482be7c8d250bf9fd8e544c3995f96cc8472eb67aff6ee7
-
SSDEEP
6144:QMeb/EDtpBx1aRXJub19pf3gOURaJmf+ubexB3wLaYZSzvF:QTb/wtN1aRXJg1f3gO9Jm+u2BgeYkzv
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+upaue.txt
teslacrypt
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/C9EE3066B43A890
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/C9EE3066B43A890
http://yyre45dbvn2nhbefbmh.begumvelic.at/C9EE3066B43A890
http://xlowfznrg4wf7dli.ONION/C9EE3066B43A890
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Teslacrypt family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (870) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d9279ba3dbcbeefbba19f47f801c114edfd7a4532959b519cc00b24dc54a5ee8N.exe"C:\Users\Admin\AppData\Local\Temp\d9279ba3dbcbeefbba19f47f801c114edfd7a4532959b519cc00b24dc54a5ee8N.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\wrhsmclstyyv.exeC:\Windows\wrhsmclstyyv.exe2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT3⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc7edb46f8,0x7ffc7edb4708,0x7ffc7edb47184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,16213424124615799820,982853436084760238,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,16213424124615799820,982853436084760238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:34⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,16213424124615799820,982853436084760238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16213424124615799820,982853436084760238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16213424124615799820,982853436084760238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,16213424124615799820,982853436084760238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,16213424124615799820,982853436084760238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16213424124615799820,982853436084760238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16213424124615799820,982853436084760238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16213424124615799820,982853436084760238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,16213424124615799820,982853436084760238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:14⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\WRHSMC~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\D9279B~1.EXE2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5558ff476c85efbfba24efbfb45d5cd59
SHA13d5ace5bd2415122d95bb2c59682c8251b895c0b
SHA256dbbf9c868b1d182a3cbf5d18011c100a2a42545024d6d743fc48cb287fdc1ff3
SHA512f1565a5811c97a2f1822051a0214306e2ccd3687ee72dad289b6c68c1c227943bd80cd3528ff8c74ba9208c40013b89d1408f66170ec9fe16f95d295581e4b7e
-
Filesize
65KB
MD51ca1ca0f302519b37932b71f3674a15b
SHA1cb3b22583ced2e0a6bad0557a92f90993a4fe452
SHA25645a3f835cdc0ca6346b8e78bedad50da35fc7c897a5a6ee853459e0fc84382a4
SHA5126ed4a3e9239b0c31247e4a227ba1bf157261d8da4678a4bcf003637b5f64cf97814042dd8c4270c9972f0d0ba05c7264c2604aa5b4eb8fef7d78c472240e54ab
-
Filesize
1KB
MD52aa7f88409c820271bcab6bb88ea0a4a
SHA1e95f49265c9fd0296ec695bcd4c3bbe49bf4c8d0
SHA2564cc41494585d455acfbf252d452a1d2a0c41fa3c22a6beaceb9858ee08dd63e9
SHA512dc3015603e28527b7b7ae5bd7efaf494c1cf5d917e517ea1d4eb43766f04cd4ea6df124313db04c941720742a23612456d7637c7aaea22797a979394b47d34ef
-
Filesize
560B
MD5e54bf8487eb3d48d7eb698130e576ff6
SHA13cdfc9451c6b92c2ce72d6012dfde231acc1eef2
SHA256f9b377ae33eda64f6d3f3cf34df1c846ab5c7a3217e75aaf0223bb72e00b0621
SHA512d4e23928ca51522b592b0a12548f97696f0640e2eca0184fa978c462a3478c56b21d88fac6cdf9d668c0b8fadc5654467dcc2c910ad4a2ca71fb94e177568439
-
Filesize
560B
MD5c01317ea90708d83d5a38b7e7d764fdf
SHA176a84234ed60ceea44865b93ad24c35547bbb3eb
SHA256dd3aafa17c2d0454d609d23194d16378d83510420059800de907070966323c6a
SHA512d7af3aa9d5c3fb4366d7c8483a52c942e6925a14b173ee1735bedbeb0eb979a479e135b418b878d0a3b91f1592312080f0eb607f6e85cf2495c99fffbcefe568
-
Filesize
416B
MD5313510889d18cc5c5a2556b8c454575c
SHA14f637531c4fb54a2c12bce638ef330fa873934b0
SHA25647c06d532faca282d8de09f63285d8d17ec45d9c74bfd59f41871943b6fa1895
SHA512f8f92aafea3f7dbb46b7deb5e93c0765ae90d9465fdfc1f5068168c1c2d453eeb0515411ea2c2fac8f0144ca20fc0ba40e1976bcca5e49d48731e48016ca2a22
-
Filesize
152B
MD537f660dd4b6ddf23bc37f5c823d1c33a
SHA11c35538aa307a3e09d15519df6ace99674ae428b
SHA2564e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
SHA512807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d
-
Filesize
152B
MD5d7cb450b1315c63b1d5d89d98ba22da5
SHA1694005cd9e1a4c54e0b83d0598a8a0c089df1556
SHA25638355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
SHA512df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8
-
Filesize
6KB
MD5305364c405591cb7ce5d0e8a541988c8
SHA1ff52ea6c9f4513141334cfaa6202c87c83a1b016
SHA256560626d559ae20d5ca90429fbd45c75ab9eb4fe15451e0bd470e958337c73fbb
SHA51279f48704bc049783d30a374306c28c69fc46e3e9b082d8dfbd9079212530f91b313fb3a632590dbefbf5737d9b7bdd01201d27f98634d5bd24f41dec78c03c74
-
Filesize
5KB
MD5ebde656077ae87d764fbf6b5fc719846
SHA1d6c3c9169e9b155083646cb5717304a24b113625
SHA256b72a55eaef59c0a84dc1d99188f25d7e80dbb91113ef4b1aa466f59a9e3cdc73
SHA512800f44360562b975354638e733010aaad52368a1d26845dbd0b871eb473f3aef9a5aef188d7da81c34e4a859530e4ce4360442ee56e58482687dd45ea6faf6a8
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD51863bb637bbdf0ab88d58a0d16e908a2
SHA18d41cd1cbb0652b1b38b8fdcce0c1f71de370531
SHA256e3f73dffd6f83551182a5bbce6ef90243945eccc5fd0c3660c95b8430ee5e78e
SHA512428c8a33f03d5ce4f299a64d2500e58d297b15b8a35eee004f837b36b5ce780ec7e2ab3c639bacc734b7c5f2d869e5627c95d3cf5cdfab7228e0c98c000830cd
-
Filesize
77KB
MD53b86bd59d28c709392595aea67e612f7
SHA1c22ae8d911edf131993791e0c174d630d2656489
SHA25682f969017001e484cc674984deab046b5e134456c422b60bb9dc9e91d34c40da
SHA5128b5bbdb9c118bd1256795e31ae245726bf1ba632dd6a68f4359114d757fc89c1bc4ba37fc09943e6c12ad95dbb52ea5a8e94c6d7876e945c170f0b77efff07f3
-
Filesize
47KB
MD57a959955d1c0280a20e5cee46258684c
SHA12a6d14b409ef51b7530f68eb745cf55aaa724d43
SHA256488d02417ffcb12ba8f950ac2ef00fb2c3f5ef8dd37f7e872ec3eed39ef9f783
SHA512a394629373d8e1cec2ada34db6d16aaa3d55449076716ae4dff9fb9ac55784c07e72081da07e6de17af8709a27cfa92599759dc1751c20985a70e5936901e258
-
Filesize
74KB
MD5c8b26642aab68b9dcb38f2c745d9ca84
SHA1d5758ba3dc2cb6aa568475b984f4737439584f57
SHA2565c2b8d36af873829f3f9ae7fdb3ce7fa2a904703c8787d2b53138ea3d32a3f3d
SHA512895532b87b58f590313afafb286f7b57eb74a127f2ef7747feffe77e59043f78ba9c0b54e41a5e48f8741bd1b1050a334aac510e4473ab5c273790464f60e1c0
-
Filesize
352KB
MD5b0c00390c9aebb41cfce74f7415bf210
SHA162f3f37691303aed6a645631439dcc5c51c6e38d
SHA256d9279ba3dbcbeefbba19f47f801c114edfd7a4532959b519cc00b24dc54a5ee8
SHA5120c199aec76be1fc318214c4fee5ef38773cd11d469c9221ddcd86c61c53d176b3a8b2d1cbbdd0c86f482be7c8d250bf9fd8e544c3995f96cc8472eb67aff6ee7
-
Filesize
624KB
-
Filesize
536KB
-
Filesize
624KB
-
Filesize
536KB
-
Filesize
624KB
-
Filesize
624KB
-
Filesize
624KB
-
Filesize
624KB
-
Filesize
624KB
-
Filesize
624KB
-
Filesize
536KB
-
Filesize
536KB
