017fc503201a751b0d56c1501195e0ce3b82231713215b5c18249692c095121c | Triage

Submit
Reports

Overview

overview

Static

static

017fc50320...1c.exe

windows7_x64

017fc50320...1c.exe

windows10-2004_x64

9

Sharing

General

Target

017fc503201a751b0d56c1501195e0ce3b82231713215b5c18249692c095121c
Size

440KB
Sample

220523-x5lccsgbdr
MD5

2eff5c3106eada77b48bd3a785355d99
SHA1

559dcd0897ae7575c18cba483d5c57062c071c5f
SHA256

017fc503201a751b0d56c1501195e0ce3b82231713215b5c18249692c095121c
SHA512

dc61ca7354f98a1c53c3dd47cf13579187c8a4e3d0172f657c612fbf2c25aaaf2570ff057a03a78be7222d72b8a2bfdc0f0e703696d9ce7dd010ff0b89a96f94

Score

10^/10

evasion persistence ransomware suricata

Static task

static1

Behavioral task

behavioral1

Sample

017fc503201a751b0d56c1501195e0ce3b82231713215b5c18249692c095121c.exe

Resource

win7-20220414-en

evasion persistence ransomware suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

017fc503201a751b0d56c1501195e0ce3b82231713215b5c18249692c095121c.exe

Resource

win10v2004-20220414-en

evasion persistence ransomware

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  017fc503201a751b0d56c1501195e0ce3b82231713215b5c18249692c095121c
- Size
  
  440KB
- MD5
  
  2eff5c3106eada77b48bd3a785355d99
- SHA1
  
  559dcd0897ae7575c18cba483d5c57062c071c5f
- SHA256
  
  017fc503201a751b0d56c1501195e0ce3b82231713215b5c18249692c095121c
- SHA512
  
  dc61ca7354f98a1c53c3dd47cf13579187c8a4e3d0172f657c612fbf2c25aaaf2570ff057a03a78be7222d72b8a2bfdc0f0e703696d9ce7dd010ff0b89a96f94
Score

10^/10

evasion persistence ransomware suricata
- suricata: ET MALWARE AlphaCrypt CnC Beacon 5
  suricata: ET MALWARE AlphaCrypt CnC Beacon 5
  suricata
- suricata: ET MALWARE AlphaCrypt CnC Beacon 6
  suricata: ET MALWARE AlphaCrypt CnC Beacon 6
  suricata
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

evasionpersistenceransomwaresuricata

behavioral2

evasionpersistenceransomware

© 2018-2024

Terms | Privacy