teslacrypt | 24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea

Analysis

max time kernel
120s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe
Size

376KB
MD5

058acf9829eff85a0f5ede3d9e12add0
SHA1

58a3463d7059b578a54c90f7919e27d9caaba9b1
SHA256

24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea
SHA512

1a8f25d02333debc3ec85b11ed089642581fb519d8cf73931a78f392e30b67c678492e1606b33d9e28aafad14c2e12a4ed3c8f16329ad21de0f6fedf946636d7
SSDEEP

6144:J+lMnaN9yLmfyoZjcbxstF8cIxnTYI4LVmKJ7t2AQeRiX:8TN9xyomFstF8conTCLVzTZRiX

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+hwoqq.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/4CD17DEE62C27F2D 2. http://tes543berda73i48fsdfsd.keratadze.at/4CD17DEE62C27F2D 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/4CD17DEE62C27F2D If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/4CD17DEE62C27F2D 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/4CD17DEE62C27F2D http://tes543berda73i48fsdfsd.keratadze.at/4CD17DEE62C27F2D http://tt54rfdjhb34rfbnknaerg.milerteddy.com/4CD17DEE62C27F2D *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/4CD17DEE62C27F2D

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/4CD17DEE62C27F2D

http://tes543berda73i48fsdfsd.keratadze.at/4CD17DEE62C27F2D

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/4CD17DEE62C27F2D

http://xlowfznrg4wf7dli.ONION/4CD17DEE62C27F2D

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Teslacrypt family
teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (866) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	enomeroabynk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+hwoqq.html	enomeroabynk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+hwoqq.png	enomeroabynk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+hwoqq.txt	enomeroabynk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+hwoqq.html	enomeroabynk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+hwoqq.png	enomeroabynk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+hwoqq.txt	enomeroabynk.exe

Executes dropped EXE 2 IoCs

pid	Process
544	enomeroabynk.exe
1168	enomeroabynk.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\erexlxxgkgrn = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\enomeroabynk.exe\""	enomeroabynk.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3124 set thread context of 916	3124	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe	90
PID 544 set thread context of 1168	544	enomeroabynk.exe	95

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailSmallTile.scale-125.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_altform-unplated_contrast-black.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Recovery+hwoqq.html	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-32_contrast-black.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-100_contrast-white.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Recovery+hwoqq.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-32.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookWideTile.scale-400.png	enomeroabynk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\Recovery+hwoqq.html	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\MedTile.scale-125_contrast-white.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-125_contrast-white.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\MarkAsReadToastQuickAction.scale-80.png	enomeroabynk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\Recovery+hwoqq.html	enomeroabynk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-140.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Controls\Recovery+hwoqq.html	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_contrast-black.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-30_altform-unplated.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSmallTile.scale-200.png	enomeroabynk.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\Recovery+hwoqq.txt	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-standard\Recovery+hwoqq.html	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\Default.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\LargeTile.scale-100.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_8.m4a	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+hwoqq.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-48.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Recovery+hwoqq.html	enomeroabynk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\Recovery+hwoqq.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.targetsize-24_altform-unplated.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCacheMini.scale-200.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailWideTile.scale-125.png	enomeroabynk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\Recovery+hwoqq.html	enomeroabynk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\Recovery+hwoqq.html	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Recovery+hwoqq.html	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-48_altform-lightunplated.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+hwoqq.txt	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-30_altform-lightunplated.png	enomeroabynk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\Recovery+hwoqq.png	enomeroabynk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\Recovery+hwoqq.html	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\Videos\people_fre_motionAsset_p1.mp4	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-16.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\subscription_intro\multiple-plans.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsWideTile.contrast-black_scale-100.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Recovery+hwoqq.txt	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\SmallTile.scale-200.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+hwoqq.txt	enomeroabynk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-200_contrast-black.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_In_App_Notification.m4a	enomeroabynk.exe
File opened for modification	C:\Program Files\Google\Recovery+hwoqq.png	enomeroabynk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\Recovery+hwoqq.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\Recovery+hwoqq.txt	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg1a_thumb.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeLargeTile.scale-150.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-60.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\Recovery+hwoqq.html	enomeroabynk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\Recovery+hwoqq.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.scale-400.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-125_contrast-black.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+hwoqq.png	enomeroabynk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\microsoft.system.package.metadata\Recovery+hwoqq.png	enomeroabynk.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\Recovery+hwoqq.png	enomeroabynk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\enomeroabynk.exe	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe
File opened for modification	C:\Windows\enomeroabynk.exe	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	enomeroabynk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	enomeroabynk.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4188	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe
1168	enomeroabynk.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	916	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe
Token: SeDebugPrivilege	1168	enomeroabynk.exe
Token: SeIncreaseQuotaPrivilege	2560	WMIC.exe
Token: SeSecurityPrivilege	2560	WMIC.exe
Token: SeTakeOwnershipPrivilege	2560	WMIC.exe
Token: SeLoadDriverPrivilege	2560	WMIC.exe
Token: SeSystemProfilePrivilege	2560	WMIC.exe
Token: SeSystemtimePrivilege	2560	WMIC.exe
Token: SeProfSingleProcessPrivilege	2560	WMIC.exe
Token: SeIncBasePriorityPrivilege	2560	WMIC.exe
Token: SeCreatePagefilePrivilege	2560	WMIC.exe
Token: SeBackupPrivilege	2560	WMIC.exe
Token: SeRestorePrivilege	2560	WMIC.exe
Token: SeShutdownPrivilege	2560	WMIC.exe
Token: SeDebugPrivilege	2560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2560	WMIC.exe
Token: SeRemoteShutdownPrivilege	2560	WMIC.exe
Token: SeUndockPrivilege	2560	WMIC.exe
Token: SeManageVolumePrivilege	2560	WMIC.exe
Token: 33	2560	WMIC.exe
Token: 34	2560	WMIC.exe
Token: 35	2560	WMIC.exe
Token: 36	2560	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2560	WMIC.exe
Token: SeSecurityPrivilege	2560	WMIC.exe
Token: SeTakeOwnershipPrivilege	2560	WMIC.exe
Token: SeLoadDriverPrivilege	2560	WMIC.exe
Token: SeSystemProfilePrivilege	2560	WMIC.exe
Token: SeSystemtimePrivilege	2560	WMIC.exe
Token: SeProfSingleProcessPrivilege	2560	WMIC.exe
Token: SeIncBasePriorityPrivilege	2560	WMIC.exe
Token: SeCreatePagefilePrivilege	2560	WMIC.exe
Token: SeBackupPrivilege	2560	WMIC.exe
Token: SeRestorePrivilege	2560	WMIC.exe
Token: SeShutdownPrivilege	2560	WMIC.exe
Token: SeDebugPrivilege	2560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2560	WMIC.exe
Token: SeRemoteShutdownPrivilege	2560	WMIC.exe
Token: SeUndockPrivilege	2560	WMIC.exe
Token: SeManageVolumePrivilege	2560	WMIC.exe
Token: 33	2560	WMIC.exe
Token: 34	2560	WMIC.exe
Token: 35	2560	WMIC.exe
Token: 36	2560	WMIC.exe
Token: SeBackupPrivilege	3268	vssvc.exe
Token: SeRestorePrivilege	3268	vssvc.exe
Token: SeAuditPrivilege	3268	vssvc.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 916	3124	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe	90
PID 3124 wrote to memory of 916	3124	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe	90
PID 3124 wrote to memory of 916	3124	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe	90
PID 3124 wrote to memory of 916	3124	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe	90
PID 3124 wrote to memory of 916	3124	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe	90
PID 3124 wrote to memory of 916	3124	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe	90
PID 3124 wrote to memory of 916	3124	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe	90
PID 3124 wrote to memory of 916	3124	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe	90
PID 3124 wrote to memory of 916	3124	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe	90
PID 3124 wrote to memory of 916	3124	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe	90
PID 916 wrote to memory of 544	916	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe	91
PID 916 wrote to memory of 544	916	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe	91
PID 916 wrote to memory of 544	916	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe	91
PID 916 wrote to memory of 1844	916	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe	92
PID 916 wrote to memory of 1844	916	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe	92
PID 916 wrote to memory of 1844	916	24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe	92
PID 544 wrote to memory of 1168	544	enomeroabynk.exe	95
PID 544 wrote to memory of 1168	544	enomeroabynk.exe	95
PID 544 wrote to memory of 1168	544	enomeroabynk.exe	95
PID 544 wrote to memory of 1168	544	enomeroabynk.exe	95
PID 544 wrote to memory of 1168	544	enomeroabynk.exe	95
PID 544 wrote to memory of 1168	544	enomeroabynk.exe	95
PID 544 wrote to memory of 1168	544	enomeroabynk.exe	95
PID 544 wrote to memory of 1168	544	enomeroabynk.exe	95
PID 544 wrote to memory of 1168	544	enomeroabynk.exe	95
PID 544 wrote to memory of 1168	544	enomeroabynk.exe	95
PID 1168 wrote to memory of 2560	1168	enomeroabynk.exe	96
PID 1168 wrote to memory of 2560	1168	enomeroabynk.exe	96

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	enomeroabynk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	enomeroabynk.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe
"C:\Users\Admin\AppData\Local\Temp\24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Users\Admin\AppData\Local\Temp\24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe
  "C:\Users\Admin\AppData\Local\Temp\24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\enomeroabynk.exe
    C:\Windows\enomeroabynk.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\enomeroabynk.exe
      C:\Windows\enomeroabynk.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1168
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:4188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        
        PID:5104
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc7f5e46f8,0x7ffc7f5e4708,0x7ffc7f5e4718
        6⤵
        
        PID:936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\24DA2B~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1844

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+hwoqq.html

Filesize
11KB

MD5
fa83d17e04a9fdee1616cfa39192cc40

SHA1
413db78bf4db207d002eaf130406f9df2a22e901

SHA256
9051aaa3c1cd97d9405d3f83f870f46d867c8fbc484b3c640943e15fa68a0899

SHA512
7074ba5b2eca0e6995273670cf35cd690fccfd7cb7d9a5dd499eff9c813a073626c952e7768c43a824e2bb4cf6b1e286acb39f04f191322f68d42c46bbb01d10

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+hwoqq.png

Filesize
63KB

MD5
995085ebe074bffc6e583be503305395

SHA1
9b0af807bcff86a724564666177eabd94de8435f

SHA256
b51d5b195ecb75f47752c383c87212dd15b76765c8cc5311f1f72dae2f87820b

SHA512
4b9cae8aaf1a6e289e54c6a87acf1251820c5ae7cbe3e35120ccbed3aab924eec1bfd4eb11cb5f51573fcb9ccb0c0266aeb39956ad66925ec1b452b5a8962aad

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+hwoqq.txt

Filesize
1KB

MD5
4910d902e762955ba710b778749bcead

SHA1
40f3077ac70188a451225ecf5525ae92a715272f

SHA256
b84b5b5e9aa49d4b87ca593c6308c1ea8b2c2e6dcfc697b93eaeaaa7566d9392

SHA512
2b478f8e6f238288d3d5715020fdb85071f91eba5e6c690905ddc845d20c6bdf9a3bf79f70b525b1aacdb67103f906f8167dd43cd4dc48064f8a84fddb2ca4b2

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
870966237162ee4495f415b747f9ef7a

SHA1
549a897fb4b4140913af58941ac7a1ea5cab64d6

SHA256
2e448310c8f7082f08d9ed2914b888911bc545147a36e73f0956ef64528a9c14

SHA512
c93b992c51e93c00e2398ce2449505ed89d390761056a7e4e73cb1b4405540143671e5417b91621de27591111364699cdbba8dfec3a3c4a69d064c7cfba56e95

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
ecaefeadae4aa15757c9f4a24b1ef606

SHA1
eaaf7f0c1bc8305d770c459fefa8cf5a241632cc

SHA256
9266330b9d7a913ada9157fe78ad828df2340ef409f1d2090003da8e9b496241

SHA512
91b99f35fcc57340f840684880f049dcd946ca342058c8c086aa00ceb37f141ed01c30bbdf86f4963aa5a38c401b64f827a00ec10cce57a2c57e481bded1cfc2

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
6b2bc9bc77ef597d1489e4a9f0e14dfa

SHA1
7172766f3e2ec9db771ec47286eced61c08c5c11

SHA256
92403ff3bb612dd569b59128e33d5cd8bba593cbde7b61854f3f7e243a04ef8b

SHA512
08915a86c19d1578f3af825eaf19a6bb613bdb4146d248635514606e72a886a5d51baa7af17a205cc147bcbca326ca5ae9de346167a197005388b45f7b5a3826

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662717143618.txt

Filesize
77KB

MD5
4ffa43700849ae9c258f3e1e5e953fc6

SHA1
db3efeb9972a0699a6c97b4ccf062a8816d8bb7e

SHA256
59c3b70a6ebda769a3ad2c7065e4acb850342fb8b6e724808959640e997691af

SHA512
cb60792f4152c2aadbcddfa5aec2093e389af128c476a898e5dbd8f61fa0a22146685579d037c5c861df1f77fa8836379f9e0e7ab0cda78904835ac8ac4ad50b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663983438946.txt

Filesize
47KB

MD5
5b9fe8df55cad2c1d2ed600361ed8797

SHA1
299bc1045ac726ac727ae57853cc3c34c46099b8

SHA256
545ce2171988ae479d99bee9f9457b313d46fd63fbca625ddca6fbe5af48df80

SHA512
6a539f1adbd2b8f65dd7b0a6465144623eb2adde1cc9514416d74d88459b803aa98c2fb98bd9d817b4141ff90ea53f5c960405c1b0db87d67b2f11646e756c8a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727671578469739.txt

Filesize
74KB

MD5
58ff4cd30a4a34a8e5bcf4d69a80e6af

SHA1
38f28844e1b96ef6154c56a544c2d7993aaa4442

SHA256
1ee8bfbaf573843b20813f4078b04e0ced0fb161735748a7f86ac5b2317f724b

SHA512
ae189207f3bd6889d924b1e0ef0d856fd01984da4d68563ae4730bae0228219465dcdbc70720442260293e5bf10c109962dd5a141583a4d2b4902c9bf1ebc62a

Download Submit
C:\Windows\enomeroabynk.exe

Filesize
376KB

MD5
058acf9829eff85a0f5ede3d9e12add0

SHA1
58a3463d7059b578a54c90f7919e27d9caaba9b1

SHA256
24da2b7c562c96e5774cb08b6b9017e08d0e5c7032dedb32046153efccba46ea

SHA512
1a8f25d02333debc3ec85b11ed089642581fb519d8cf73931a78f392e30b67c678492e1606b33d9e28aafad14c2e12a4ed3c8f16329ad21de0f6fedf946636d7

Download Submit
memory/544-12-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/916-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/916-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/916-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/916-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/916-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1168-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1168-3895-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1168-10521-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1168-428-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1168-24-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1168-23-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1168-10513-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1168-1993-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1168-1994-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1168-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1168-6715-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1168-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1168-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1168-10512-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1168-9412-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3124-1-0x0000000002690000-0x0000000002693000-memory.dmp

Filesize
12KB

Download
memory/3124-4-0x0000000002690000-0x0000000002693000-memory.dmp

Filesize
12KB

Download
memory/3124-0-0x0000000002690000-0x0000000002693000-memory.dmp

Filesize
12KB

Download