General
Target: ac6f4894fd8fa229c83018fb7959ed9f10f17bc758e2807656524d0fa5060a40.sample
Size: 300KB
Sample: 210726-an625yxyvn
MD5: beb272ed6ca4bb3559758c8c6426eade
SHA1: 836654dee6d0d60b6e0e1483d05e0bf29c0f97a7
SHA256: ac6f4894fd8fa229c83018fb7959ed9f10f17bc758e2807656524d0fa5060a40
SHA512: 960bb6d3352bd7ce68f0963829a0df136ba6f94f1b9881e76ed7f21a9dd79f4b508ced38980ecaeddf5b9fae08b0b5ac2318ddda82f9abf3c9c96b77a06a4a0f
Static task: static1
Behavioral task: behavioral1
Sample: ac6f4894fd8fa229c83018fb7959ed9f10f17bc758e2807656524d0fa5060a40.sample.exe
Resource: win7v20210410
Behavioral task: behavioral2
Sample: ac6f4894fd8fa229c83018fb7959ed9f10f17bc758e2807656524d0fa5060a40.sample.exe
Resource: win10v20210408
Malware Config
Extracted: C:\$Recycle.Bin\S-1-5-21-2513283230-931923277-594887482-1000\how_recover+jus.txt
Extracted: C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\how_recover+jus.html
Extracted: C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\how_recover+ksk.txt
Targets
Target: ac6f4894fd8fa229c83018fb7959ed9f10f17bc758e2807656524d0fa5060a40.sample
Score: 10/10
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata: ET MALWARE HTTP POST to WP Theme Directory Without Referer
Executes dropped EXE
Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
Deletes itself
Drops startup file
Loads dropped DLL
Adds Run key to start application