General
- Target: e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample
- Size: 348KB
- Sample: 210726-pl51whz5gn
- MD5: d0d3086cd72eb31385bf6406042cc404
- SHA1: 11f9bb5c17fe32b48d44575a29e94dd082d38483
- SHA256: e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37
- SHA512: 153dce24258abfc3440208b100c26a847c2396fe7893844ba8d8e66659e4cd567d2ab8ac9d9d19e7cdc80b6dc89080b1966bf5f2d82ef76bfc814902beae071e
Static task: static1
Behavioral task: behavioral1
- Sample: e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe
- Resource: win10v20210410
Malware Config
Extracted from: C:\$Recycle.Bin\S-1-5-21-2513283230-931923277-594887482-1000\how_recover+ndo.txt
Extracted from: C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html
Extracted from: C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\how_recover+lhf.txt
Extracted from: C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html
Targets
- Target: e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample
- Size: 348KB
- MD5: d0d3086cd72eb31385bf6406042cc404
- SHA1: 11f9bb5c17fe32b48d44575a29e94dd082d38483
- SHA256: e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37
- SHA512: 153dce24258abfc3440208b100c26a847c2396fe7893844ba8d8e66659e4cd567d2ab8ac9d9d19e7cdc80b6dc89080b1966bf5f2d82ef76bfc814902beae071e
Signatures
- suricata: ET MALWARE AlphaCrypt CnC Beacon 5
- suricata: ET MALWARE AlphaCrypt CnC Beacon 6
- Modifies boot configuration data using bcdedit
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext