General

  • Target

    1ad471585dfd2b3c05b3926e211b18b6e64d8ff1f753025c0d70ae213289ac8c.sample

  • Size

    392KB

  • Sample

    210726-f5pslcp1wa

  • MD5

    280d48953880c4a27df69957916f718f

  • SHA1

    0c4696c6094b0d1ae5ef08d054c1cf3f09d059be

  • SHA256

    1ad471585dfd2b3c05b3926e211b18b6e64d8ff1f753025c0d70ae213289ac8c

  • SHA512

    2eb5596ef8d5c6f1e345903bf3188432f42dcc26d0d520b0a501d6125bb638f638de20dd0f0fd341a5127a460381c0e2a3252792eb7da8357b7280d3f1578e27

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\RECOVERnymxm.txt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What's the matter with your files? Your data was secured using a strong encryption with RSA4096. Use the link down below to find additional information on the encryption keys using RSA4096:https://en.wikipedia.org/wiki/RSA_(cryptosystem) What exactly that means? It means that on a structural level your files have been transformed. You won't be able to use, read, see or work with them anymore. In other words they are useless, however, there is a possibility to restore them with our help. What exactly happened to your files? *** Two personal RSA4096 keys were generated for your PC/Laptop; one key is public, another key is private. *** All your data and files were encrypted by the means of the public key, which you received over the web. *** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers. What should you do next? There are several options for you to consider: 1. You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or 2. You can start getting BitCoins right now and get access to your data quite fast. In case you have valuable files, we advise you to act fast as there is no other option rather than paying in order to get back your data. In order to obtain specific instructions, please access your personal homepage by choosing one of the few addresses down below: http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/52BCE19BBC9CCDA4 http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/52BCE19BBC9CCDA4 http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/52BCE19BBC9CCDA4 If you can't access your personal homepage or the addresses are not working, complete the following steps: 1. Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en 2. Install TOR Browser 3. Open TOR Browser 4. Insert the following link in the address bar: k7tlx3ghr3m4n2tu.onion/52BCE19BBC9CCDA4 5. Follow the steps on your screen IMPORTANT INFORMATION Your personal homepages: http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/52BCE19BBC9CCDA4 http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/52BCE19BBC9CCDA4 http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/52BCE19BBC9CCDA4 Your personal page Tor-Browser k7tlx3ghr3m4n2tu.onion/52BCE19BBC9CCDA4 Your personal identification ID: 52BCE19BBC9CCDA4
URLs

http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/52BCE19BBC9CCDA4

http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/52BCE19BBC9CCDA4

http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/52BCE19BBC9CCDA4

http://k7tlx3ghr3m4n2tu.onion/52BCE19BBC9CCDA4

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\RECOVERcrmnn.txt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What's the matter with your files? Your data was secured using a strong encryption with RSA4096. Use the link down below to find additional information on the encryption keys using RSA4096:https://en.wikipedia.org/wiki/RSA_(cryptosystem) What exactly that means? It means that on a structural level your files have been transformed. You won't be able to use, read, see or work with them anymore. In other words they are useless, however, there is a possibility to restore them with our help. What exactly happened to your files? *** Two personal RSA4096 keys were generated for your PC/Laptop; one key is public, another key is private. *** All your data and files were encrypted by the means of the public key, which you received over the web. *** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers. What should you do next? There are several options for you to consider: 1. You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or 2. You can start getting BitCoins right now and get access to your data quite fast. In case you have valuable files, we advise you to act fast as there is no other option rather than paying in order to get back your data. In order to obtain specific instructions, please access your personal homepage by choosing one of the few addresses down below: http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/645FC398B211489F http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/645FC398B211489F http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/645FC398B211489F If you can't access your personal homepage or the addresses are not working, complete the following steps: 1. Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en 2. Install TOR Browser 3. Open TOR Browser 4. Insert the following link in the address bar: k7tlx3ghr3m4n2tu.onion/645FC398B211489F 5. Follow the steps on your screen IMPORTANT INFORMATION Your personal homepages: http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/645FC398B211489F http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/645FC398B211489F http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/645FC398B211489F Your personal page Tor-Browser k7tlx3ghr3m4n2tu.onion/645FC398B211489F Your personal identification ID: 645FC398B211489F
URLs

http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/645FC398B211489F

http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/645FC398B211489F

http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/645FC398B211489F

http://k7tlx3ghr3m4n2tu.onion/645FC398B211489F

Targets

    • Target

      1ad471585dfd2b3c05b3926e211b18b6e64d8ff1f753025c0d70ae213289ac8c.sample

    • Size

      392KB

    • MD5

      280d48953880c4a27df69957916f718f

    • SHA1

      0c4696c6094b0d1ae5ef08d054c1cf3f09d059be

    • SHA256

      1ad471585dfd2b3c05b3926e211b18b6e64d8ff1f753025c0d70ae213289ac8c

    • SHA512

      2eb5596ef8d5c6f1e345903bf3188432f42dcc26d0d520b0a501d6125bb638f638de20dd0f0fd341a5127a460381c0e2a3252792eb7da8357b7280d3f1578e27

    • suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

File Deletion

2
T1107

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Impact

Inhibit System Recovery

2
T1490

Tasks