Analysis
-
max time kernel
141s -
max time network
190s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
26-07-2021 13:00
General
-
Target
e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe
-
Size
348KB
-
MD5
d0d3086cd72eb31385bf6406042cc404
-
SHA1
11f9bb5c17fe32b48d44575a29e94dd082d38483
-
SHA256
e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37
-
SHA512
153dce24258abfc3440208b100c26a847c2396fe7893844ba8d8e66659e4cd567d2ab8ac9d9d19e7cdc80b6dc89080b1966bf5f2d82ef76bfc814902beae071e
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-2513283230-931923277-594887482-1000\how_recover+ndo.txt
http://vr6g2curb2kcidou.encpayment23.com/1B6F7FE222C32030
http://vr6g2curb2kcidou.expay34.com/1B6F7FE222C32030
http://psbc532jm8c.hsh73cu37n1.net/1B6F7FE222C32030
https://vr6g2curb2kcidou.onion.to/1B6F7FE222C32030
http://vr6g2curb2kcidou.onion/1B6F7FE222C32030
Extracted
C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html
http://vr6g2curb2kcidou.onion/1B6F7FE222C32030
http://vr6g2curb2kcidou.encpayment23.com/1B6F7FE222C32030
http://vr6g2curb2kcidou.expay34.com/1B6F7FE222C32030
http://psbc532jm8c.hsh73cu37n1.net/1B6F7FE222C32030
https://vr6g2curb2kcidou.onion.to/1B6F7FE222C32030
Signatures
-
suricata: ET MALWARE AlphaCrypt CnC Beacon 5
-
suricata: ET MALWARE AlphaCrypt CnC Beacon 6
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs
-
Executes dropped EXE 2 IoCs
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
-
Deletes itself 1 IoCs
-
Drops startup file 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe"C:\Users\Admin\AppData\Local\Temp\e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe"C:\Users\Admin\AppData\Local\Temp\e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe"2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\daixqacroic.exeC:\Users\Admin\AppData\Roaming\daixqacroic.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\daixqacroic.exeC:\Users\Admin\AppData\Roaming\daixqacroic.exe4⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {current} bootems off5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet5⤵
- Interacts with shadow copies
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {current} advancedoptions off5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {current} optionsedit off5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {current} recoveryenabled off5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt5⤵
- Opens file in notepad (likely ransom note)
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:744 CREDAT:275457 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet5⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\DAIXQA~1.EXE5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E272F3~1.EXE3⤵
- Deletes itself
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015MD5
2902de11e30dcc620b184e3bb0f0c1cb
SHA15d11d14a2558801a2688dc2d6dfad39ac294f222
SHA256e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544
SHA512efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357MD5
a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015MD5
d30330823d44aab84b5be0230da445f7
SHA1c37dae721f260a30cca6d1c1c1b8b7818283bc62
SHA2563c749684734a2243786c0963b4ed815e828d67cfdbe0285744a5b39ddc15a553
SHA512801ba071cf5a59ed76af2d7250db9f9ba4ef4de6a40bfa8885efd2e7d0801f2f16970b2529a78372dc0082f008e1d396d370c947fd82dca93393534c5d8498a6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357MD5
9ac36b50cf31c43c90275c13ec71dfe7
SHA155399deb7a7a9991b1ab7f016c01447b8226739b
SHA25663237685a49ced73f6d1008db1f801317d9756b9568e7df8022a652166919357
SHA5127de1a30cf4fdce8b7e6b422833831f3804dd23cd4e15acf17ab08b803fbed72821a067346e25e02f24269618ea42fa32cb4ca6848fb57aa6712a1c2d0f09c546
-
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\how_recover+ndo.htmlMD5
9a2dce2db3da74baccffca3c963a0e3f
SHA1a12c03535ecfb8b0857cb000711f789b238b61f6
SHA2565a555c2413b4c2b9304f22e3569d089caf04ab58e6268439f48a88ff865662c1
SHA512b6371e8a5ad95b88aa2ba4360d248c7250199959f203748833b46b6ea39d8f5c2bc9fb7fa3fbe3c31eb970ca8b079b0759d6886b5c191ad9b1b6d4ca49416812
-
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\how_recover+ndo.txtMD5
0e9ec414f0f038bc74a2cc0e524ce151
SHA166992fdf0229e7d6dc879c252c829c4bae6f59d5
SHA2567d47e0da4de3ba8b0c2177e9d2935149fb56afbc5b7525633f89530ce4486b68
SHA512d5587fed0bf908eb88f73b3e00b2d58d153e19cad25e8043e98cb2f016f7bc90e28597fc9a3fac338cfe580e36a3653800ae6366b8483c90ab75a67825e34fd9
-
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\how_recover+ndo.htmlMD5
9a2dce2db3da74baccffca3c963a0e3f
SHA1a12c03535ecfb8b0857cb000711f789b238b61f6
SHA2565a555c2413b4c2b9304f22e3569d089caf04ab58e6268439f48a88ff865662c1
SHA512b6371e8a5ad95b88aa2ba4360d248c7250199959f203748833b46b6ea39d8f5c2bc9fb7fa3fbe3c31eb970ca8b079b0759d6886b5c191ad9b1b6d4ca49416812
-
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\how_recover+ndo.txtMD5
0e9ec414f0f038bc74a2cc0e524ce151
SHA166992fdf0229e7d6dc879c252c829c4bae6f59d5
SHA2567d47e0da4de3ba8b0c2177e9d2935149fb56afbc5b7525633f89530ce4486b68
SHA512d5587fed0bf908eb88f73b3e00b2d58d153e19cad25e8043e98cb2f016f7bc90e28597fc9a3fac338cfe580e36a3653800ae6366b8483c90ab75a67825e34fd9
-
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\how_recover+ndo.htmlMD5
9a2dce2db3da74baccffca3c963a0e3f
SHA1a12c03535ecfb8b0857cb000711f789b238b61f6
SHA2565a555c2413b4c2b9304f22e3569d089caf04ab58e6268439f48a88ff865662c1
SHA512b6371e8a5ad95b88aa2ba4360d248c7250199959f203748833b46b6ea39d8f5c2bc9fb7fa3fbe3c31eb970ca8b079b0759d6886b5c191ad9b1b6d4ca49416812
-
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\how_recover+ndo.txtMD5
0e9ec414f0f038bc74a2cc0e524ce151
SHA166992fdf0229e7d6dc879c252c829c4bae6f59d5
SHA2567d47e0da4de3ba8b0c2177e9d2935149fb56afbc5b7525633f89530ce4486b68
SHA512d5587fed0bf908eb88f73b3e00b2d58d153e19cad25e8043e98cb2f016f7bc90e28597fc9a3fac338cfe580e36a3653800ae6366b8483c90ab75a67825e34fd9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\F1PJG6WB.txtMD5
2480235b2e897c0478817789ae86540b
SHA1a39b748db846cdf9349171a1a8a7de4f47b5e419
SHA2567fcbd7b2935089400cb7526ae35b8118b5e263371de1fa13256546dd972201e7
SHA51296e817db44eed9a137cff0a1ba99ab013e3f20d967ec1b580b689abafb879efd402e431a141de9fe7f227b4894fb3b77ab7eb1a95e4bf18ee1cfea4de8b45c96
-
C:\Users\Admin\AppData\Roaming\daixqacroic.exeMD5
d0d3086cd72eb31385bf6406042cc404
SHA111f9bb5c17fe32b48d44575a29e94dd082d38483
SHA256e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37
SHA512153dce24258abfc3440208b100c26a847c2396fe7893844ba8d8e66659e4cd567d2ab8ac9d9d19e7cdc80b6dc89080b1966bf5f2d82ef76bfc814902beae071e
-
C:\Users\Admin\AppData\Roaming\daixqacroic.exeMD5
d0d3086cd72eb31385bf6406042cc404
SHA111f9bb5c17fe32b48d44575a29e94dd082d38483
SHA256e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37
SHA512153dce24258abfc3440208b100c26a847c2396fe7893844ba8d8e66659e4cd567d2ab8ac9d9d19e7cdc80b6dc89080b1966bf5f2d82ef76bfc814902beae071e
-
C:\Users\Admin\AppData\Roaming\daixqacroic.exeMD5
d0d3086cd72eb31385bf6406042cc404
SHA111f9bb5c17fe32b48d44575a29e94dd082d38483
SHA256e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37
SHA512153dce24258abfc3440208b100c26a847c2396fe7893844ba8d8e66659e4cd567d2ab8ac9d9d19e7cdc80b6dc89080b1966bf5f2d82ef76bfc814902beae071e
-
C:\Users\Admin\Desktop\Howto_RESTORE_FILES.bmpMD5
2fa01c9d90881df6193e15b28c4656fc
SHA1d69fc28400175ce679f0f8704fe4256863d6fea8
SHA25628e7f0465a3d05b42bc33b5fb4da53ef338b46b33d14a3098ef4249d6e28690f
SHA51286de590bc87c99e62ca1ed75c923c2de39d9356346f5f9626fa9c6648920753b551c272143183fe62824a8019fa1e6bf72983399a0cd5a6d0ca4ee1777771b0c
-
C:\Users\Admin\Desktop\Howto_RESTORE_FILES.htmlMD5
9a2dce2db3da74baccffca3c963a0e3f
SHA1a12c03535ecfb8b0857cb000711f789b238b61f6
SHA2565a555c2413b4c2b9304f22e3569d089caf04ab58e6268439f48a88ff865662c1
SHA512b6371e8a5ad95b88aa2ba4360d248c7250199959f203748833b46b6ea39d8f5c2bc9fb7fa3fbe3c31eb970ca8b079b0759d6886b5c191ad9b1b6d4ca49416812
-
C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txtMD5
0e9ec414f0f038bc74a2cc0e524ce151
SHA166992fdf0229e7d6dc879c252c829c4bae6f59d5
SHA2567d47e0da4de3ba8b0c2177e9d2935149fb56afbc5b7525633f89530ce4486b68
SHA512d5587fed0bf908eb88f73b3e00b2d58d153e19cad25e8043e98cb2f016f7bc90e28597fc9a3fac338cfe580e36a3653800ae6366b8483c90ab75a67825e34fd9
-
\Users\Admin\AppData\Roaming\daixqacroic.exeMD5
d0d3086cd72eb31385bf6406042cc404
SHA111f9bb5c17fe32b48d44575a29e94dd082d38483
SHA256e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37
SHA512153dce24258abfc3440208b100c26a847c2396fe7893844ba8d8e66659e4cd567d2ab8ac9d9d19e7cdc80b6dc89080b1966bf5f2d82ef76bfc814902beae071e
-
\Users\Admin\AppData\Roaming\daixqacroic.exeMD5
d0d3086cd72eb31385bf6406042cc404
SHA111f9bb5c17fe32b48d44575a29e94dd082d38483
SHA256e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37
SHA512153dce24258abfc3440208b100c26a847c2396fe7893844ba8d8e66659e4cd567d2ab8ac9d9d19e7cdc80b6dc89080b1966bf5f2d82ef76bfc814902beae071e
-
memory/212-82-0x0000000000000000-mapping.dmp
-
memory/268-67-0x0000000000000000-mapping.dmp
-
memory/336-77-0x0000000000000000-mapping.dmp
-
memory/552-76-0x0000000000000000-mapping.dmp
-
memory/744-84-0x0000000000000000-mapping.dmp
-
memory/864-81-0x0000000000000000-mapping.dmp
-
memory/1076-78-0x0000000000000000-mapping.dmp
-
memory/1156-69-0x0000000000000000-mapping.dmp
-
memory/1196-89-0x0000000000000000-mapping.dmp
-
memory/1228-87-0x0000000000000000-mapping.dmp
-
memory/1256-93-0x0000000000000000-mapping.dmp
-
memory/1532-63-0x00000000752B1000-0x00000000752B3000-memory.dmpFilesize
8KB
-
memory/1532-64-0x0000000000400000-0x0000000000485000-memory.dmpFilesize
532KB
-
memory/1532-62-0x0000000000409350-mapping.dmp
-
memory/1532-61-0x0000000000400000-0x0000000000485000-memory.dmpFilesize
532KB
-
memory/1640-88-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/1640-90-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/1840-75-0x0000000000400000-0x0000000000485000-memory.dmpFilesize
532KB
-
memory/1840-72-0x0000000000409350-mapping.dmp
-
memory/1856-60-0x00000000003C0000-0x00000000003C3000-memory.dmpFilesize
12KB
-
memory/1856-80-0x0000000000000000-mapping.dmp
-
memory/1956-79-0x0000000000000000-mapping.dmp
