Analysis
-
max time kernel
153s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
12-06-2022 13:27
General
-
Target
202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe
-
Size
604KB
-
MD5
0eff9e6701cb10ddc66f3d619dae7a36
-
SHA1
20a506351b97caef312b7f808638623512435c23
-
SHA256
202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685
-
SHA512
41bc0934a29ae6f18804006ac9ff264ec1b41edc0bc2b312db4e24f14acd64a3c6f0838406c9d0d1d70ebc8aad7fb0b9a9882401e7e807aec95c999be9923c01
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-2632097139-1792035885-811742494-1000\_H_e_l_p_RECOVER_INSTRUCTIONS+aiq.txt
http://jj4dhbg4d86sdgrsdfzcadc.ziraimshi.com/EAFE5591E4426EFA
http://uu5dbnmsedf4s3jdnfbh34fsdf.parsesun.at/EAFE5591E4426EFA
http://perc54hg47fhnkjnfvcdgvdc.clinkjuno.com/EAFE5591E4426EFA
http://fwgrhsao3aoml7ej.onion/EAFE5591E4426EFA
Signatures
-
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe"C:\Users\Admin\AppData\Local\Temp\202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe"C:\Users\Admin\AppData\Local\Temp\202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685.exe"2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\jopqoqn.exeC:\Users\Admin\AppData\Roaming\jopqoqn.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\jopqoqn.exeC:\Users\Admin\AppData\Roaming\jopqoqn.exe4⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {current} bootems off5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet5⤵
- Interacts with shadow copies
-
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {current} advancedoptions off5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {current} optionsedit off5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {current} recoveryenabled off5⤵
- Modifies boot configuration data using bcdedit
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\202AB1~1.EXE3⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
604KB
MD50eff9e6701cb10ddc66f3d619dae7a36
SHA120a506351b97caef312b7f808638623512435c23
SHA256202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685
SHA51241bc0934a29ae6f18804006ac9ff264ec1b41edc0bc2b312db4e24f14acd64a3c6f0838406c9d0d1d70ebc8aad7fb0b9a9882401e7e807aec95c999be9923c01
-
Filesize
604KB
MD50eff9e6701cb10ddc66f3d619dae7a36
SHA120a506351b97caef312b7f808638623512435c23
SHA256202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685
SHA51241bc0934a29ae6f18804006ac9ff264ec1b41edc0bc2b312db4e24f14acd64a3c6f0838406c9d0d1d70ebc8aad7fb0b9a9882401e7e807aec95c999be9923c01
-
Filesize
604KB
MD50eff9e6701cb10ddc66f3d619dae7a36
SHA120a506351b97caef312b7f808638623512435c23
SHA256202ab1a5c4d7809c216ff364842923ed5b133f652159147396e02c1f7fd06685
SHA51241bc0934a29ae6f18804006ac9ff264ec1b41edc0bc2b312db4e24f14acd64a3c6f0838406c9d0d1d70ebc8aad7fb0b9a9882401e7e807aec95c999be9923c01
-
-
-
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
-
-
Filesize
12KB
-
Filesize
12KB
-
-
-
-
-