Analysis
-
max time kernel
149s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
28/01/2025, 23:52
General
-
Target
MSUpdate.exe
-
Size
360KB
-
MD5
9ce01dfbf25dfea778e57d8274675d6f
-
SHA1
1bd767beb5bc36b396ca6405748042640ad57526
-
SHA256
5343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d
-
SHA512
d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b
-
SSDEEP
6144:4qZbqZToxIizLBZ6R56VkGM4ceLJ5vs5JGJceO/QCErIiuNAvwu:4qZb8oR3D6R5QHXZJy/Q50imAvB
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\_RECOVERY_+xysfh.txt
teslacrypt
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/69FF1965B85F437F
http://tes543berda73i48fsdfsd.keratadze.at/69FF1965B85F437F
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/69FF1965B85F437F
http://xlowfznrg4wf7dli.ONION/69FF1965B85F437F
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Teslacrypt family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (863) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\MSUpdate.exe"C:\Users\Admin\AppData\Local\Temp\MSUpdate.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\yxywcdlvmcpe.exeC:\Windows\yxywcdlvmcpe.exe2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT3⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e20846f8,0x7ff9e2084708,0x7ff9e20847184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:34⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7097220982305163754,8886798758126816751,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:14⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\YXYWCD~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\MSUpdate.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5d6377730ed5a65068541a72b23dc5e6d
SHA1c2ae903ec50cada472020647bf14bd1c932e1715
SHA256ee27410f69176d1eabe0b5da6951d532c7951ee0a2417b7348c61fb4b335e9e0
SHA5120e9fcc38e8116d530b5f14150a7b16fdc01ad154f660ae17ab67575f7e907f6006755651eac4f32b1988968ab5081a66409a43dd1e903134fb3c701921458bfe
-
Filesize
62KB
MD51495b337229bf13492b99797b474bf52
SHA1d441770d650b056d06cab821fe01fc6d8a32b172
SHA256bc7ab9f466acebd6a7b15b8793c48777095bf5173ff3b4d516631401e76d103b
SHA5124c3a2624dfd7df002b278d579de38b09ee1250d018484f0f1247f0d43958aa06812094aadd7ecfd39e16b87069880752ac6cd0951c36cb379bba25a542d56f06
-
Filesize
1KB
MD5fde04aa3d3b08764684c5741d40feaee
SHA1108c44870e8887a6ed2671610c26aba4addfb9a0
SHA256f9332da4c2072589becdc864e90e25d10b4ef7e2680099c0bdf9faaccee6644b
SHA512689a78f81d015763b62f2469a622ce6500ad3e84a2772c69b9ac78799004401f8846dc868fd2489497820f71231fc92ecf3f2c0ff4b290b90aee7c436f839a53
-
Filesize
560B
MD513bdd3ac91a12f38eadf02a2224c4e05
SHA1795a19675f1efbe1f75d27af0fded03bd64153aa
SHA256998dbd2bd47bef16bb2929514de1efa0d08830764808e89acf28f46b23876ed5
SHA512c71f2d3a76d6caa554231287f1a02d86fd05f31e04a11b694d7917f09573be2bb9c799ce1b59edb7c59d4d917d0ce2d447e518764500e45a531bdd5e64cc132d
-
Filesize
560B
MD553f7088551c8cafaef02389e040d9974
SHA1cabe490b4e97789583f56f8027f2cf49bf8f650d
SHA2564d51b3289740ec260d92fcb72fe31813da09b98ae3e4bcdfa590a57b0ba34d35
SHA5125fa83b98965def059c2902c22e31180b701b71e572526e2fd6a18f811b6b0a6d1378c5f9be82dbec1bb27afe3ddb631e9f6b2febd2f07652411af12c26bb11fa
-
Filesize
416B
MD54f04e5c85660889480ca0d1303a207ae
SHA11cd060c430badd3e391671caf035b4da6b0737cf
SHA2565c456d2481e90336588d9f7dc81041a71a95ff99b1572c94cb4dad9b86350c19
SHA512b7bb6e473ca19ca22177a8fb45606e43393b4cb94039714b39a681bed64cfba7745d6e5394da2306328285f83b6df72f92aed636b719e5be9bc9da336975efc5
-
Filesize
152B
MD537f660dd4b6ddf23bc37f5c823d1c33a
SHA11c35538aa307a3e09d15519df6ace99674ae428b
SHA2564e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
SHA512807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d
-
Filesize
152B
MD5d7cb450b1315c63b1d5d89d98ba22da5
SHA1694005cd9e1a4c54e0b83d0598a8a0c089df1556
SHA25638355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
SHA512df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8
-
Filesize
5KB
MD5f5bf74137cf460620c72d0655b94115d
SHA118f0bac2d4ee54ea8f8cc1d734fcd7bfd0531ba4
SHA2568d8c4d86220f8a0eeeabd6c01d8c605935a201af4c7739af64a0036d992143bb
SHA512e49936d444f797afdfb56b9e37c9ce9b49c569cf257daf8a29d2e0c48f2e58f465e06e5a6a3b030cc26608d33e7a139cf820dba6c6fd98d22db5d660e7e59731
-
Filesize
6KB
MD5a4d44f1ee9e5aa7ef9be5b6cc7e1c997
SHA159faf2c94899bd52fb255268abafc8eb04ad0241
SHA256a39417e0c664e137000a09f7407be2bf3fd16d0e8b79e2e6affc03cabfaaf568
SHA5124a0cbe81c3d94162f9d2c2f7a972e7c622b98d38ffba86fc451d518da99c8a7a12e1ffc6ff918f46a428a72544c02948717927496f5b917a2e5a6caf3f20a48a
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD5b322d455cfd14acbf6915c549f702cca
SHA1ade99d6c9765890352d8f7c97ee5cef73c1772f1
SHA2561087d058766a6aef60a9f02c782f6bd8963c79e05e3bce7d54935ddd5ed2d311
SHA512b530f41a61666a01d5eccdfdd45119d303aa01816fe45e9835ec06ca7ce610b445d3b4a7a84e079a8432eeeb26c5f4f9581bb83cb0f4d9cb1f6d2a75516b6cb7
-
Filesize
77KB
MD5d706e56d1c0fc90e7c34bb227727009f
SHA182bada2e63da5723b13abc229a6696a81b37327a
SHA2565259f8e03d5a6563104e620999c7f6e246ab852d50b364dbec4fa790d0ddbadd
SHA512f61c7934043985131fa4b3561ba6a3ca17762f1e7e2a2bfd5a64b07ce1e8a943d7dd2005afcc210d39a86729b2adb54f83142645726c633c1e7f01bc6d2cc2c7
-
Filesize
47KB
MD53cab405fdf57d96e02310bf3f4ef390f
SHA1142af4b729aa05ecd22b9ab58343baf3655fb55b
SHA256066964166d65c57eea65076e3dcb64013542751f731544dc25b38d20183f9ad9
SHA51269329ad549ce975be905eadd634e873bd24cd1c5355f3b1d543fe6873b1517cf25eb4fffb345316d09a681a6318d30f996efecd7647342afcccc1608a88d6c4e
-
Filesize
74KB
MD5ad9d0729e9505b4a924c53ec24a0f6f8
SHA14e6c554a7f86e78a534b54c6e1f9af88b0490e5a
SHA256c1fee6b2ec9ad41fc691d1fd942351a937e2fdf6ebf6418bd74258b1b1d448de
SHA5124bf20a969ddbdcad03c7b56c4aa468f8141c40f7cb621166c55e3ba3913a9539dea5e9fe09206c9bbe28915ce823c2a044587f9516011c01f4df152822024ab9
-
Filesize
360KB
MD59ce01dfbf25dfea778e57d8274675d6f
SHA11bd767beb5bc36b396ca6405748042640ad57526
SHA2565343947829609f69e84fe7e8172c38ee018ede3c9898d4895275f596ac54320d
SHA512d6ba89c1f221a94e3061bc4da896760d99935a7c766b8e4e30146266cf3356acd883835e75dbb86574bc869c83d381c8f63f23392101f6062bba4343af49978b
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
532KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
532KB
