General
Target: c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample
Size: 252KB
Sample: 210726-795cpmnzbn
MD5: 056fa68a3a2b65e4677f685746283209
SHA1: 991f7fa89b13f94a5de106950c14a2f0321069f6
SHA256: c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71
SHA512: cca455cacc8bedb3766762327b3b7e640386d16470a538335f119dda3369a7e1963561ea7a9fd112327a0a5ccbeb464ac2f7ab274fbc968dec159a6270ac2061
Static task: static1
Behavioral task: behavioral1
- Sample: c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe
- Resource: win10v20210410
Malware Config
The configuration below was extracted from the ransom notes the sample dropped. Two note files were recovered per run: a how_recover+<xxx>.txt in the user's $Recycle.Bin folder and a Howto_RESTORE_FILES.html on the desktop. Each note lists the same five payment URLs (three clearnet hosts, the .onion address, and the same hidden service reached through the onion.to Tor2web gateway). The hex path component is the same across all URLs of one run but differs between the two runs (AD7D2BC4DB652761 versus AC80C2916097D79), as do the Recycle.Bin SIDs, so it appears to be a per-infection identifier rather than a fixed part of the configuration.

Extracted from C:\$Recycle.Bin\S-1-5-21-2513283230-931923277-594887482-1000\how_recover+gap.txt
- http://vr6g2curb2kcidou.encpayment23.com/AD7D2BC4DB652761
- http://vr6g2curb2kcidou.expay34.com/AD7D2BC4DB652761
- http://psbc532jm8c.hsh73cu37n1.net/AD7D2BC4DB652761
- https://vr6g2curb2kcidou.onion.to/AD7D2BC4DB652761
- http://vr6g2curb2kcidou.onion/AD7D2BC4DB652761

Extracted from C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html
- http://vr6g2curb2kcidou.onion/AD7D2BC4DB652761
- http://vr6g2curb2kcidou.encpayment23.com/AD7D2BC4DB652761
- http://vr6g2curb2kcidou.expay34.com/AD7D2BC4DB652761
- http://psbc532jm8c.hsh73cu37n1.net/AD7D2BC4DB652761
- https://vr6g2curb2kcidou.onion.to/AD7D2BC4DB652761

Extracted from C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\how_recover+fch.txt
- http://vr6g2curb2kcidou.encpayment23.com/AC80C2916097D79
- http://vr6g2curb2kcidou.expay34.com/AC80C2916097D79
- http://psbc532jm8c.hsh73cu37n1.net/AC80C2916097D79
- https://vr6g2curb2kcidou.onion.to/AC80C2916097D79
- http://vr6g2curb2kcidou.onion/AC80C2916097D79

Extracted from C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html
- http://vr6g2curb2kcidou.onion/AC80C2916097D79
- http://vr6g2curb2kcidou.encpayment23.com/AC80C2916097D79
- http://vr6g2curb2kcidou.expay34.com/AC80C2916097D79
- http://psbc532jm8c.hsh73cu37n1.net/AC80C2916097D79
- https://vr6g2curb2kcidou.onion.to/AC80C2916097D79
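The extracted configuration above is what an incident responder would want to pull from any ransom note found on other hosts: the payment hosts, the per-victim path component, and whether a note points at infrastructure not yet seen in this report. The following Python is an added example written for this page, not code from the sandbox or from the malware; the host names and IDs are copied from the report, while the note wording, the assumption that the how_recover+ suffix is three random letters, and all function names are assumptions made for the example.

```python
"""Extract TeslaCrypt/AlphaCrypt-style IOCs from ransom-note files.

Added example, not part of the sandbox report. Host names and victim-ID
paths are copied from the report; note text, file-name pattern details and
function names are assumptions for this example.
"""
import os
import re
from typing import Dict, Iterable, List, Tuple

# Payment hosts that appeared in the extracted configuration.
KNOWN_PAYMENT_HOSTS = frozenset({
    "vr6g2curb2kcidou.encpayment23.com",
    "vr6g2curb2kcidou.expay34.com",
    "psbc532jm8c.hsh73cu37n1.net",
    "vr6g2curb2kcidou.onion.to",
    "vr6g2curb2kcidou.onion",
})

# Note names seen in the report: how_recover+<xxx>.txt in $Recycle.Bin and
# Howto_RESTORE_FILES.html on the desktop. That the suffix is three random
# letters is an assumption based on the two values seen (gap, fch).
NOTE_NAME_RE = re.compile(
    r"^(?:how_recover\+[a-z]{3}\.txt|Howto_RESTORE_FILES\.html)$", re.IGNORECASE)

# Payment URL: scheme, host, then a single hex path component (the victim ID).
# Both IDs in the report are 15-16 hex digits; the 12-20 range is an assumption.
PAYMENT_URL_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)/([0-9A-Fa-f]{12,20})\b")


def is_ransom_note_name(path: str) -> bool:
    """True if the final path component matches a dropped note name.
    Splits on both separators so Windows paths work on a Linux analysis box."""
    name = re.split(r"[\\/]", path)[-1]
    return NOTE_NAME_RE.match(name) is not None


def find_note_paths(paths: Iterable[str]) -> List[str]:
    """Filter a file listing (e.g. from a disk image) down to note files."""
    return [p for p in paths if is_ransom_note_name(p)]


def find_notes_on_disk(root: str) -> List[str]:
    """Walk a mounted image or live filesystem and return note file paths."""
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if is_ransom_note_name(f))
    return hits


def extract_payment_urls(text: str) -> List[Tuple[str, str, str]]:
    """Return (url, host, victim_id) for each payment URL, in order, deduplicated."""
    seen = set()
    out: List[Tuple[str, str, str]] = []
    for m in PAYMENT_URL_RE.finditer(text):
        url = m.group(0)
        if url in seen:
            continue
        seen.add(url)
        out.append((url, m.group(1).lower(), m.group(2).upper()))
    return out


def summarise_note(text: str) -> Dict[str, object]:
    """Collapse a note into the fields an analyst records."""
    urls = extract_payment_urls(text)
    hosts = sorted({h for _, h, _ in urls})
    ids = sorted({v for _, _, v in urls})
    return {
        "urls": [u for u, _, _ in urls],
        "hosts": hosts,
        "victim_ids": ids,
        "known_hosts": [h for h in hosts if h in KNOWN_PAYMENT_HOSTS],
        # Hosts not in the report: new infrastructure worth adding to blocklists.
        "new_hosts": [h for h in hosts if h not in KNOWN_PAYMENT_HOSTS],
        # More than one ID inside a single note would be unusual; flag it.
        "multiple_ids": len(ids) > 1,
    }


# Constructed note body for demonstration. The URLs are from the report; the
# surrounding sentences are invented and are not the real note text.
CONSTRUCTED_NOTE = """Your personal files have been encrypted.
To recover them, open one of these addresses:
http://vr6g2curb2kcidou.encpayment23.com/AD7D2BC4DB652761
http://vr6g2curb2kcidou.expay34.com/AD7D2BC4DB652761
http://psbc532jm8c.hsh73cu37n1.net/AD7D2BC4DB652761
https://vr6g2curb2kcidou.onion.to/AD7D2BC4DB652761
http://vr6g2curb2kcidou.onion/AD7D2BC4DB652761
"""

if __name__ == "__main__":
    for key, value in summarise_note(CONSTRUCTED_NOTE).items():
        print(f"{key}: {value}")
```

Run it against every note recovered from a fleet (find_notes_on_disk on each mounted image, summarise_note on each file) and compare the victim_ids and new_hosts fields across hosts: one ID per machine confirms the per-infection identifier pattern seen in this report, and any host in new_hosts is infrastructure the report did not capture.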
Targets
Target: c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample (252KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Signatures:
- suricata: ET MALWARE AlphaCrypt CnC Beacon 5
- suricata: ET MALWARE AlphaCrypt CnC Beacon 6
  Both network signatures fired during the sandbox runs, so the sample reached its command-and-control infrastructure from the analysis VMs; the alerts identify the family as AlphaCrypt (TeslaCrypt).
- Modifies boot configuration data using bcdedit
  Ransomware commonly runs bcdedit to turn off Windows recovery options so the system cannot be rolled back after encryption; the exact command line this sample used is not recorded in this report.
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence that decides whether to proceed on this system.
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP. The lookup service itself is benign, so the request is only an indicator in combination with the other behaviours listed here.