Overview

overview

10

Static

static

43c4d8f694...7b.exe

windows7_x64

10

43c4d8f694...7b.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    154s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    07-07-2022 21:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43c4d8f6942c51587508802dc4a3336de1ae902abb8380a7aeb9b8945ee65c7b.exe

  • Size

    410KB

  • MD5

    56815047f7f330dcb598899915d6606e

  • SHA1

    8f20faecf7448606c2601bc03f94a6ed4d7c960b

  • SHA256

    43c4d8f6942c51587508802dc4a3336de1ae902abb8380a7aeb9b8945ee65c7b

  • SHA512

    fbc69c4cb808840209bec0ac52cf29e0442fc80c72dea460ced3dc0ef6e035fef7da9dbd21b8fd1ebebfdf43b02184c65ee73995473fc075bb6ad2de113fba03

Score
10/10
ransomwaresuricata

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1809750270-3141839489-3074374771-1000\RECOVERgmtxs.txt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What's the matter with your files? Your data was secured using a strong encryption with RSA4096. Use the link down below to find additional information on the encryption keys using RSA4096:https://en.wikipedia.org/wiki/RSA_(cryptosystem) What exactly that means? It means that on a structural level your files have been transformed. You won't be able to use, read, see or work with them anymore. In other words they are useless, however, there is a possibility to restore them with our help. What exactly happened to your files? *** Two personal RSA4096 keys were generated for your PC/Laptop; one key is public, another key is private. *** All your data and files were encrypted by the means of the public key, which you received over the web. *** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers. What should you do next? There are several options for you to consider: 1. You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or 2. You can start getting BitCoins right now and get access to your data quite fast. In case you have valuable files, we advise you to act fast as there is no other option rather than paying in order to get back your data. In order to obtain specific instructions, please access your personal homepage by choosing one of the few addresses down below: http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/C438AF99CDA8E12A http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/C438AF99CDA8E12A http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/C438AF99CDA8E12A If you can't access your personal homepage or the addresses are not working, complete the following steps: 1. Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en 2. Install TOR Browser 3. Open TOR Browser 4. Insert the following link in the address bar: k7tlx3ghr3m4n2tu.onion/C438AF99CDA8E12A 5. Follow the steps on your screen IMPORTANT INFORMATION Your personal homepages: http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/C438AF99CDA8E12A http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/C438AF99CDA8E12A http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/C438AF99CDA8E12A Your personal page Tor-Browser k7tlx3ghr3m4n2tu.onion/C438AF99CDA8E12A Your personal identification ID: C438AF99CDA8E12A
URLs

http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/C438AF99CDA8E12A

http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/C438AF99CDA8E12A

http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/C438AF99CDA8E12A

http://k7tlx3ghr3m4n2tu.onion/C438AF99CDA8E12A

Signatures

  • suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon

    suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon

    suricata
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43c4d8f6942c51587508802dc4a3336de1ae902abb8380a7aeb9b8945ee65c7b.exe
    "C:\Users\Admin\AppData\Local\Temp\43c4d8f6942c51587508802dc4a3336de1ae902abb8380a7aeb9b8945ee65c7b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:988
    • C:\Users\Admin\AppData\Local\Temp\43c4d8f6942c51587508802dc4a3336de1ae902abb8380a7aeb9b8945ee65c7b.exe
      "C:\Users\Admin\AppData\Local\Temp\43c4d8f6942c51587508802dc4a3336de1ae902abb8380a7aeb9b8945ee65c7b.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:812
      • C:\Users\Admin\Documents\esbsqx.exe
        C:\Users\Admin\Documents\esbsqx.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3880
        • C:\Users\Admin\Documents\esbsqx.exe
          C:\Users\Admin\Documents\esbsqx.exe
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Drops file in Program Files directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:940
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
            5⤵
            • Interacts with shadow copies
            PID:2548
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sgmxb.bat
            5⤵
              PID:1720
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\43C4D8~1.EXE >> NUL
          3⤵
            PID:3696
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3700

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\Documents\esbsqx.exe
        Filesize

        410KB

        MD5

        56815047f7f330dcb598899915d6606e

        SHA1

        8f20faecf7448606c2601bc03f94a6ed4d7c960b

        SHA256

        43c4d8f6942c51587508802dc4a3336de1ae902abb8380a7aeb9b8945ee65c7b

        SHA512

        fbc69c4cb808840209bec0ac52cf29e0442fc80c72dea460ced3dc0ef6e035fef7da9dbd21b8fd1ebebfdf43b02184c65ee73995473fc075bb6ad2de113fba03

        Download Submit

      • C:\Users\Admin\Documents\esbsqx.exe
        Filesize

        410KB

        MD5

        56815047f7f330dcb598899915d6606e

        SHA1

        8f20faecf7448606c2601bc03f94a6ed4d7c960b

        SHA256

        43c4d8f6942c51587508802dc4a3336de1ae902abb8380a7aeb9b8945ee65c7b

        SHA512

        fbc69c4cb808840209bec0ac52cf29e0442fc80c72dea460ced3dc0ef6e035fef7da9dbd21b8fd1ebebfdf43b02184c65ee73995473fc075bb6ad2de113fba03

        Download Submit

      • C:\Users\Admin\Documents\esbsqx.exe
        Filesize

        410KB

        MD5

        56815047f7f330dcb598899915d6606e

        SHA1

        8f20faecf7448606c2601bc03f94a6ed4d7c960b

        SHA256

        43c4d8f6942c51587508802dc4a3336de1ae902abb8380a7aeb9b8945ee65c7b

        SHA512

        fbc69c4cb808840209bec0ac52cf29e0442fc80c72dea460ced3dc0ef6e035fef7da9dbd21b8fd1ebebfdf43b02184c65ee73995473fc075bb6ad2de113fba03

        Download Submit

      • memory/812-133-0x0000000000400000-0x000000000047E000-memory.dmp

        Filesize

        504KB

        Download

      • memory/812-135-0x0000000000400000-0x000000000047E000-memory.dmp

        Filesize

        504KB

        Download

      • memory/812-143-0x0000000000400000-0x000000000047E000-memory.dmp

        Filesize

        504KB

        Download

      • memory/812-136-0x0000000000400000-0x000000000047E000-memory.dmp

        Filesize

        504KB

        Download

      • memory/812-137-0x0000000000400000-0x000000000047E000-memory.dmp

        Filesize

        504KB

        Download

      • memory/812-142-0x0000000074240000-0x0000000074279000-memory.dmp

        Filesize

        228KB

        Download

      • memory/940-147-0x0000000000400000-0x000000000047E000-memory.dmp

        Filesize

        504KB

        Download

      • memory/940-148-0x0000000000400000-0x000000000047E000-memory.dmp

        Filesize

        504KB

        Download

      • memory/940-151-0x0000000000400000-0x000000000047E000-memory.dmp

        Filesize

        504KB

        Download

      • memory/940-152-0x0000000074270000-0x00000000742A9000-memory.dmp

        Filesize

        228KB

        Download

      • memory/940-153-0x0000000000400000-0x000000000047E000-memory.dmp

        Filesize

        504KB

        Download

      • memory/988-134-0x0000000000610000-0x0000000000616000-memory.dmp

        Filesize

        24KB

        Download

      • memory/988-130-0x0000000000610000-0x0000000000616000-memory.dmp

        Filesize

        24KB

        Download

      • memory/988-131-0x0000000000610000-0x0000000000616000-memory.dmp

        Filesize

        24KB

        Download