Analysis

max time kernel: 149s
max time network: 154s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/01/2025, 09:59

Static task: static1
Behavioral task: behavioral1
  Sample: lighthouse_teslacrypt_ransomware.mp4
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: lighthouse_teslacrypt_ransomware.mp4
  Resource: win10v2004-20241007-en
General

Target: lighthouse_teslacrypt_ransomware.mp4
Size: 3.1MB
MD5: 577c4a77455c945bf638349a16aa9b47
SHA1: ff9139369ebf187e64c86348132dfb5f20bd4ac9
SHA256: c7503cdbc638d4886e9b06942b9afc345f041663734963b49fb25e1577287c46
SHA512: 64a5510ca8c19915c9a88a524ca12731d2cb7b672d84f9db58c0aac7e39e1d89cf50981078dbcb905fd75f259124b9aee055e2d6fc95387023345c770313283c
SSDEEP: 49152:pHZUdEm4AOcOgifdrIstug5mBdNUQIAfe3o7DDeh+HAjADJEsgBUEG5o5OpaRWC3:pHZA74A9UfOCmHIRoDeCJDGVBvG5o5O0

Malware Config

Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+kbhmr.txt
Family: teslacrypt
URLs:
- http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/2D153632C1DC9A15
- http://tes543berda73i48fsdfsd.keratadze.at/2D153632C1DC9A15
- http://tt54rfdjhb34rfbnknaerg.milerteddy.com/2D153632C1DC9A15
- http://xlowfznrg4wf7dli.ONION/2D153632C1DC9A15
Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.

Teslacrypt family

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (423) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Drops startup file (6 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+kbhmr.html (gkxrvniwwmhb.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+kbhmr.png (gkxrvniwwmhb.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+kbhmr.txt (gkxrvniwwmhb.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECOVERY_+kbhmr.html (gkxrvniwwmhb.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+kbhmr.png (gkxrvniwwmhb.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECOVERY_+kbhmr.txt (gkxrvniwwmhb.exe)

Executes dropped EXE (2 IoCs)
- PID 1636 ransomware.exe
- PID 1272 gkxrvniwwmhb.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ibqeatrlnidb = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\gkxrvniwwmhb.exe\"" (gkxrvniwwmhb.exe)
Deobfuscate/Decode Files or Information (1 IoCs)
- PID 1768 certutil.exe
Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory (2 IoCs)
- File created: C:\Windows\gkxrvniwwmhb.exe (ransomware.exe)
- File opened for modification: C:\Windows\gkxrvniwwmhb.exe (ransomware.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (DllHost.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (IEXPLORE.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ransomware.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (gkxrvniwwmhb.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (NOTEPAD.EXE)
Opens file in notepad (likely ransom note) (2 IoCs)
- PID 2628 NOTEPAD.EXE
- PID 908 NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
- PID 2112 vlc.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1272 gkxrvniwwmhb.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- PID 2112 vlc.exe

Suspicious behavior: RenamesItself (1 IoCs)
- PID 1272 gkxrvniwwmhb.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
- Token: 33 (PID 2112 vlc.exe)
- Token: SeIncBasePriorityPrivilege (PID 2112 vlc.exe)
- Token: SeDebugPrivilege (PID 1636 ransomware.exe)
- Token: SeDebugPrivilege (PID 1272 gkxrvniwwmhb.exe)
- Token: SeIncreaseQuotaPrivilege (PID 2964 WMIC.exe)
- Token: SeSecurityPrivilege (PID 2964 WMIC.exe)
- Token: SeTakeOwnershipPrivilege (PID 2964 WMIC.exe)
- Token: SeLoadDriverPrivilege (PID 2964 WMIC.exe)
- Token: SeSystemProfilePrivilege (PID 2964 WMIC.exe)
- Token: SeSystemtimePrivilege (PID 2964 WMIC.exe)
- Token: SeProfSingleProcessPrivilege (PID 2964 WMIC.exe)
- Token: SeIncBasePriorityPrivilege (PID 2964 WMIC.exe)
- Token: SeCreatePagefilePrivilege (PID 2964 WMIC.exe)
- Token: SeBackupPrivilege (PID 2964 WMIC.exe)
- Token: SeRestorePrivilege (PID 2964 WMIC.exe)
- Token: SeShutdownPrivilege (PID 2964 WMIC.exe)
- Token: SeDebugPrivilege (PID 2964 WMIC.exe)
- Token: SeSystemEnvironmentPrivilege (PID 2964 WMIC.exe)
- Token: SeRemoteShutdownPrivilege (PID 2964 WMIC.exe)
- Token: SeUndockPrivilege (PID 2964 WMIC.exe)
- Token: SeManageVolumePrivilege (PID 2964 WMIC.exe)
- Token: 33 (PID 2964 WMIC.exe)
- Token: 34 (PID 2964 WMIC.exe)
- Token: 35 (PID 2964 WMIC.exe)
- Token: SeBackupPrivilege (PID 2760 vssvc.exe)
- Token: SeRestorePrivilege (PID 2760 vssvc.exe)
- Token: SeAuditPrivilege (PID 2760 vssvc.exe)
- Token: SeShutdownPrivilege (PID 1332 chrome.exe)
Suspicious use of FindShellTrayWindow (30 IoCs)
- PID 2112 vlc.exe

Suspicious use of SendNotifyMessage (10 IoCs)
- PID 2112 vlc.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 2112 vlc.exe
- PID 1744 iexplore.exe
Suspicious use of WriteProcessMemory (34 IoCs)
- PID 1544 (cmd.exe) wrote to memory of 1768 (procid_target 34)
- PID 1636 (ransomware.exe) wrote to memory of 1272 (procid_target 37)
- PID 1636 (ransomware.exe) wrote to memory of 884 (procid_target 38)
- PID 1272 (gkxrvniwwmhb.exe) wrote to memory of 2964 (procid_target 40)
- PID 1204 (chrome.exe) wrote to memory of 1332 (procid_target 50)
- PID 1272 (gkxrvniwwmhb.exe) wrote to memory of 2628 (procid_target 54)
- PID 1272 (gkxrvniwwmhb.exe) wrote to memory of 1744 (procid_target 55)
- PID 1744 (iexplore.exe) wrote to memory of 1408 (procid_target 57)
- PID 1272 (gkxrvniwwmhb.exe) wrote to memory of 1568 (procid_target 58)
System policy modification (1 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (gkxrvniwwmhb.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (gkxrvniwwmhb.exe)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Program Files\VideoLAN\VLC\vlc.exe
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\lighthouse_teslacrypt_ransomware.mp4"
  PID: 2112
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

- C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe"
  PID: 1544
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\certutil.exe
    Command line: certutil -decode lighthouse_teslacrypt_ransomware.mp4 ransomware.exe
    PID: 1768
    - Deobfuscate/Decode Files or Information

- C:\Users\Admin\AppData\Local\Temp\ransomware.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ransomware.exe"
  PID: 1636
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\gkxrvniwwmhb.exe
    Command line: C:\Windows\gkxrvniwwmhb.exe
    PID: 1272
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    - C:\Windows\System32\wbem\WMIC.exe
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      PID: 2964
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
      PID: 2628
      - System Location Discovery: System Language Discovery
      - Opens file in notepad (likely ransom note)

    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
      PID: 1744
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1744 CREDAT:275457 /prefetch:2
        PID: 1408
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings

    - C:\Windows\System32\wbem\WMIC.exe
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      PID: 1568

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\RANSOM~1.EXE
    PID: 884
    - System Location Discovery: System Language Discovery

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2760
  - Suspicious use of AdjustPrivilegeToken

- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID: 1204
  - Suspicious use of WriteProcessMemory

  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4c39758,0x7fef4c39768,0x7fef4c39778
    PID: 1332
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\jusched.log
  PID: 908
  - Opens file in notepad (likely ransom note)

- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 1608
  - System Location Discovery: System Language Discovery
Network

MITRE ATT&CK Enterprise v15

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)

Defense Evasion
- Deobfuscate/Decode Files or Information (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (3)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads