Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
18/01/2025, 23:08
General
-
Target
3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
-
Size
371KB
-
MD5
76b0182e3dc2f368facd1446a78d2ae0
-
SHA1
6e6f6df8ef1a845e335995fbfa48dab3526cea29
-
SHA256
3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f
-
SHA512
e301da3a0a9d211c239675c78f727ccc73e633fcd223b3cd26ba486f1fd3ffb8e2acb021b6596460a4660c2eac647f213212b989d33687cb45fcdfef2648d03a
-
SSDEEP
6144:QtttRvGxiRcePUSrcTQ+Yd6v6AlYhZ+ddp5GuZEE86Yrp0eWIxQO6kUUecBlzJbu:EttRveivPrcqd26A+hcdp5GYEE8D3WIe
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+gjvix.txt
teslacrypt
http://yyre45dbvn2nhbefbmh.begumvelic.at/F97D7F90599446A
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/F97D7F90599446A
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/F97D7F90599446A
http://xlowfznrg4wf7dli.ONION/F97D7F90599446A
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Teslacrypt family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (438) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\shtjtucrlkrj.exeC:\Windows\shtjtucrlkrj.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\shtjtucrlkrj.exeC:\Windows\shtjtucrlkrj.exe4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1312 CREDAT:275457 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\SHTJTU~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3AA3EE~1.EXE3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD52f35ec797f6345b3a1d8372d7fd1860d
SHA151b1ca7c6f4002a77013443b16b58fb95ad6ac9d
SHA2564d46dbfcf61de65aed9bfbc43a46bb801e7758bcf9abee46765c1b53e6db3204
SHA512eac71e4ed0fbc08d04618116aaea19f89bb55804f920e68687c35ed8825d08b1517e67f23ed88707639356be5b7caef51ec3d56fb78d5e8242587d7365b660e9
-
Filesize
63KB
MD5c3fae2129a3d48d937819bf4ac31237d
SHA1d7e780d0b5ff491215e78432eb85a8a783499762
SHA256d07cdddcb6870f1c2f466fb77f1bff7f340d8e267f99566c97eaf232be8c32c3
SHA51205eacffab8eb821267432e74db5d0d8f9e9e7d17dc966cba9b387dd5dfcbe45b855048b6dd848d3232c957aa4df1366ee87f3e58a14022008d6e23d18e2833de
-
Filesize
1KB
MD56cf443e8212057fa54289f7d6dcb65b5
SHA10d3db1460bad132b1220e52a252fbbd12487a4d1
SHA256fc856dd24ddf4fbf459c6da49dc92ccdf56362fde9d6af3eb66e82d440200548
SHA5126a590a95c21ab902a4f7b247885e6fc028b0eccc4e63524f3a44bcba38140ecbecc517325398bda43bc4ac0c5f744b02d8391d367628015d9fb33546046643de
-
Filesize
11KB
MD5eb267c05ec37eb9025c40062ccaedc68
SHA15f3db4418dca30ae74d21bec49d4e7fe74add63b
SHA256a87482eeda88919cf474ada9c45759de6a649cab6ab5ed0472fd587cbd181f45
SHA512b5853a53c0073cd830eef6347cc7f2f1e65ec9252acf1b77a66db79349a7ac6f3eb848d63e8186bfbad7a8922feffb15d46d71b8763d53213490fb66ef8f61df
-
Filesize
109KB
MD578c60438ccaa47501435eca11eb29ba7
SHA11223c0692a042b5031a214d362a2f77dfdf240e4
SHA256f9cb0b56d3c40dd9be0219142c88ffe90a0345fda23c4ed6d80f9a3d16cbf06f
SHA512f8691f83e46e4fcaae44e07915858a240505f948e793ca1d281eb610696c63ef2a134e96077e1b656ba023b0e64de7fb2196daab37a7e0439bbc3b009a8422cb
-
Filesize
173KB
MD50ebae12b0dcb6db99c42a62bba07ceae
SHA18e86f841e7e1108e74eb52150e408f8ee65e597d
SHA256894e65a590251cf3f193051a6c22e835491c851dda23630dc8b9a2232dcd9f5f
SHA512ae332a3c11c642e9804502403030aba1bfc5a28f1504d2904de73433c52a0c56bfde7a31c9b213d34eb9a277c20da53e73cfd18f7520db61218059c8044c33c4
-
Filesize
342B
MD5e48087a2737ad065ef8c342b977d6c6f
SHA16c020f3ea9044d10de09d386daace92667a0fece
SHA256cf37c85ea937c1a65178a88c7ea70687cb906d3a42592945e0f5b6c545d9ff5b
SHA5128c589f80fca0cb689bdbc14abc229fa406330875694baad4658545df2a1e17b4d64779b698cbf81ada063f2d4b2b65280677ec7afa597c7a1e97833481863fb6
-
Filesize
342B
MD52d64083a474ea0c4d169a0f2392c7a1b
SHA18fc8d326fd3465aab92df443c495ff889c06d983
SHA256671068e25ec1cc91339e928ec11728ee0673befacdbebf304d262f7caf6a5da1
SHA512805fcfc88dde8d90d5165763a60e5be5c841895090e907129b991b05587e672427af2158445c302d1dc151c8b05d6f48cb93d42765a098d919036ff7c00f0549
-
Filesize
342B
MD5e38a66e01b13c5568b1251846a36edd4
SHA134f0d671fa66ef8501218ec63bc557ceb13de281
SHA2560b9e5a2a0342c4c8ec4eb41f24f501bb96088bdc1e23e5823dae4d27a1cdbfe9
SHA512b1b152f11be7423092dfc7261fed11445423ee77ebdd6a2bc0b2e27e7692cdbcfbeab697372d5be4e54d1226f5bd2333889974434056051ccee51c1a09f3ade6
-
Filesize
342B
MD5c79eb57967ba356719cc0fc56bb04a72
SHA1c1db6698e45445c5b986cd87e10f8d6a538f1e19
SHA25609e50321c99524c2e3120514e06316662234737ce63740d4d7d99d943d774d11
SHA5126f8fb6657f7b5b267273edf21cc8740d53cf08daab722531534d2f0016acbe5c650e85d7fdf13aefb57964f955da19ee8cb6307f9a6d359f1cc8829b0134fc2f
-
Filesize
342B
MD5129e4f339d65f870eadac774a5a38b55
SHA152572f74e841d23376a0d91b11fb66a6b14b52e2
SHA2565cb473bf1389b81a54a2ce921a9435441f4c52d1fea9ad9f3e01fe70f57f5c2b
SHA512fc65c6c50483379113a5f559c2753b1ddd8f25ae0b9498b894566918e44fd8b8788efe9e24cad86d005e9be2e69f16adcd5b7c1f137875fd947b44f8b68b1bf6
-
Filesize
342B
MD5615577917b538f1e20f603a0232a0b40
SHA124f3f0927b949c9255f41bea2b6845d224f14869
SHA25636d831172b8c8ee86d0afc3dc6c4579cbd7427c9b0d38662a119dd13252e8f00
SHA5121628aa0d8e9388dcec01d0fc5c68a049ae4e91b6e6d0563f2fbbbd7ffde60f95b941f6fb24f2daa6aee762152fd88e7f3f8f120f81a70122975799531057e5f2
-
Filesize
342B
MD537cb0e44b0d3bc2e49565dabc378a73f
SHA1095ea0d9434ab15d27d66949ca3699bbed92e34a
SHA256571c02013b32f9c01e2c7865a1a54403aacf13ad481baafbc8e9feee3e0aed22
SHA512f9918b639c7fed383b66e42b1fe7c67d8fa2c7664d7595872d2ac80ab56f6ccd56f27754e43921c43f1583d79e7b38938b2216885b877578a3549dfc949be6ce
-
Filesize
342B
MD51fdd3f9338b0bf126a603fc790255b4d
SHA1d82eaf84323f3d2ed699702c7ce0ab62e4eeaf62
SHA2568579077c3f119866e00a5b05bd2efe5df0f3f58194b673e4809058d5a59b0b0f
SHA5128f3a492c19b6e1d1beaf98a6ecbc5824128056804180ebc68375295746cacaa8d201c976deb369f42490db8879b61d501d0c13adffe1b2cf57cd380cffbeb79a
-
Filesize
342B
MD5c0e8c2ceb172b48d3f4821b8cc7887a5
SHA1bb69b1332806c34cc51c08d3497492496b090996
SHA256e2d74bfd2c61b1dee14396e7077f7c8022befc1f584acb856b29ff73caf4eed9
SHA51280734fc177405563a1949af62119cbd8184360bd91ce8ef5cc37f21db86c8750bcb6edb5d7a2710ba3b3e401701e3867dcc685a11582e1c039ef27a442983d68
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
371KB
MD576b0182e3dc2f368facd1446a78d2ae0
SHA16e6f6df8ef1a845e335995fbfa48dab3526cea29
SHA2563aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f
SHA512e301da3a0a9d211c239675c78f727ccc73e633fcd223b3cd26ba486f1fd3ffb8e2acb021b6596460a4660c2eac647f213212b989d33687cb45fcdfef2648d03a
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
8KB
-
Filesize
532KB
-
Filesize
8KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
1.4MB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
4KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
