Analysis
-
max time kernel
148s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18/01/2025, 23:08
General
-
Target
3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe
-
Size
371KB
-
MD5
76b0182e3dc2f368facd1446a78d2ae0
-
SHA1
6e6f6df8ef1a845e335995fbfa48dab3526cea29
-
SHA256
3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f
-
SHA512
e301da3a0a9d211c239675c78f727ccc73e633fcd223b3cd26ba486f1fd3ffb8e2acb021b6596460a4660c2eac647f213212b989d33687cb45fcdfef2648d03a
-
SSDEEP
6144:QtttRvGxiRcePUSrcTQ+Yd6v6AlYhZ+ddp5GuZEE86Yrp0eWIxQO6kUUecBlzJbu:EttRveivPrcqd26A+hcdp5GYEE8D3WIe
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\_RECoVERY_+uangc.txt
teslacrypt
http://yyre45dbvn2nhbefbmh.begumvelic.at/FEBFC37BC65753C3
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/FEBFC37BC65753C3
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/FEBFC37BC65753C3
http://xlowfznrg4wf7dli.ONION/FEBFC37BC65753C3
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Teslacrypt family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (869) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"C:\Users\Admin\AppData\Local\Temp\3aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\mqfqclwegnom.exeC:\Windows\mqfqclwegnom.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\mqfqclwegnom.exeC:\Windows\mqfqclwegnom.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb9b146f8,0x7ffeb9b14708,0x7ffeb9b147186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16445084501642346230,6882706656221184063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MQFQCL~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3AA3EE~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD505d77e54a1571b42539ef97cda213742
SHA199766833dda1220f4aa1789cfad4b976fc5de97f
SHA2565cd1e34379331f9c32ae13ab3ac71851ecbbe4227de8687003c8be1224b5eca3
SHA512984d87ebd6a605df11e0b0ca52cc9ab3d1106976d64c52c0a7d8fd6e1a2b3e4320534fbf0e4e163d2d45290458421bd1fb1193cd09cafaee8ca52e5b5a4e684a
-
Filesize
63KB
MD5d949ebe0b29eaf708c9d938cc822a493
SHA18b7459054658c63bff7fa0c6b0a49f37b25b9d85
SHA256fc11cdda1070e43cc05582ce14013412b12944f781afe408f73e8a9c6e21ec54
SHA512b82eff9ce00b4795fb41b229520b8e6f3251c1d3b6f61246f42ac2f1191d74f3334183c3bdeeda0605e2753d7089381a9150c47d636494543df9b7c472d227c1
-
Filesize
1KB
MD5af824c96f3a52fb28202b68e4f188eba
SHA169fae9d9ffe0541c58a13b06396a98fe981676ac
SHA2564e57543bb1f63e9a6b61745aaba8abd193025db28747753b62dc1b337d87d36d
SHA51270a8ac1697158125361a42c0c137b19aed239ba9c5620ec2854727285d7dbe5faa4ec1ccb0a966a6259b3be8175ae80c81015cdcddf3999a26456888ae6096de
-
Filesize
560B
MD55e907d2993f30ce9abdf6494edaa13cf
SHA19c5bf1c091135e0e849b437944e9aa9f5ac5c414
SHA2565a61ff2a33758e5d395be953dacb7724314051c56ab7d1eb013b5a6e955a1864
SHA512c203f9fc9e64e1c89f08cdf116584aba10e45e7762de8264b94675bd752feb5005ff02f8531cb13c538886d25d3bcc0e1574f1f6433a9a8386631696136fe3d6
-
Filesize
560B
MD510385de3d57b197f50fd8a56b7f453c8
SHA1a43566044f688c25daba10fd729b466b5ea42fd0
SHA2561ea42b3029dff87370f6264c1faa746bf0f6a8c400f05a82acdb8f757a58608d
SHA512183c7c15fc5d29ca343cc0286b70a92915a6033ab7efee177537741b53b607aebaa50c68111d7fa2acd296291dd891b2f9e83914b83a30d25799eac095fd5b15
-
Filesize
416B
MD5e580f1808aa099371e50bf6270f054cb
SHA136185fd3b24477bf7cde529a0b764993a442f161
SHA2566ddf6199f67a73932f676116e637e22ee36ab22d0c057979c0f9784ccf2fdbfc
SHA512470ca0536bef4920dbf4b88b1b7c8fb53e6736e724f59d0fc6689cd59cb2d4597e8a4e0023cc3f615145de7d14fde6579bd088d70891ef8bbb2a364f312809d8
-
Filesize
152B
MD536988ca14952e1848e81a959880ea217
SHA1a0482ef725657760502c2d1a5abe0bb37aebaadb
SHA256d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6
SHA512d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173
-
Filesize
152B
MD5fab8d8d865e33fe195732aa7dcb91c30
SHA12637e832f38acc70af3e511f5eba80fbd7461f2c
SHA2561b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea
SHA51239a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43
-
Filesize
5KB
MD5331ea3189495200d7dfdbc4450fc60ce
SHA1b7483ecfd9fcc8ad4150328fe327d948a669099b
SHA25636ca6869219c5026748f7a454c9c7ad5345978f9d2b92a402c91dbacbd831aed
SHA5127b85c13e97821c85a8680718103fae8d3d1a45b1df56a546ac7247d4674efc4c3628ebf89a8a46bba0f7effa32697b747e45ae6a7e7af389943f0e5eb42e0475
-
Filesize
6KB
MD5e2ada8b54849a4a145689ce206ce63be
SHA12540c7895e5c92ed8cf2e67aacd0ff0cbdfb7c98
SHA25656d294d00e91c93e0c2bbf96d837933dfbff0a1b017b519d0a813791e5a30e54
SHA512eef1c8346d121f0be94d8807bebc69a3315e089a4d598d17c08a5cbeaccae1488e696b7a0e94c7881317fdff834865c2e03906d3917652476ead30a63f76a9f6
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD5ff71b5c2e4a1c4acb7d61ae0e795fa47
SHA1d2ae4befb022f7a852e822850489112f6ddc0ee7
SHA2563ea8fcfd12bedfad13dd5ec207168de355323f6af444ae6283c2c15c475536cd
SHA512268f308d450c28ff8bebfdce01e991ad58eb88623f5f2038ebcefc143527981d19b09fea3a02f7bd987501dbf364b20f1d2e87b816666c1a47c5074ae0391d67
-
Filesize
77KB
MD51ae6736ed2671b317f27bd7dcd75bd7c
SHA184310fc1120bfbfe0e508689e7f2c48075c2a572
SHA2566e0ad91ad26a92af5d2ba1b1087ab7c7a443a27c818f6d5c2b25b84c02b7be28
SHA512f268a0c564332c80ce8e85d2aff1f1f9309c1f7933087144a7f17da3e6be1f28f123cd7a43342b0f8f9bbec010c23cb0126b8dcbcbc960ba38da59b488eabc45
-
Filesize
47KB
MD546f0cd9796d51f6f9f735b8e53826922
SHA1450331631cbec7aacf329facc0af7edbffb95f09
SHA25679d2aaf69e8f2be4360b2b7cf9300e124fe71fde43cd6201574808cfce56ce28
SHA512d5f46d57f29951add194105af0942ab87fb9dfa821e829957872da8173ebe41214f3a1f7dae4e8ceaa22266f1134d767c7ecd5a67a75fb303d0210815355c29e
-
Filesize
74KB
MD578c90621b8dfb530fc3bf2a3601599bb
SHA175658829e52320fd11860dbd54a39395ffe4857f
SHA2560e83d529c3dba1aff5c51d43e6e0e5a580b93e753f4b54e6e605d8abafe48959
SHA512fc01731cf288dec3e52a31b60d1b588afc2a6a87a2c75d6eccb78a677394fd055a2e6fbdb94dbe62f00c5fc23ee12a8e3e14fe9b550f8d535fa5992b9937614e
-
Filesize
371KB
MD576b0182e3dc2f368facd1446a78d2ae0
SHA16e6f6df8ef1a845e335995fbfa48dab3526cea29
SHA2563aa3ee4e65a05b7fbc0141f0d509328090bc8080449183b4ee48d79ee3e6fa3f
SHA512e301da3a0a9d211c239675c78f727ccc73e633fcd223b3cd26ba486f1fd3ffb8e2acb021b6596460a4660c2eac647f213212b989d33687cb45fcdfef2648d03a
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
1.4MB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
