General
- Target: 5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8
- Size: 368KB
- Sample: 220725-a3sbkafhgm
- MD5: 65440340932ca8194b58ab27a078d4b5
- SHA1: 3c8690d9c4b8de49ba2ed4ceae26468a3b4220fe
- SHA256: 5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8
- SHA512: 23934b41dadc45710bf8c598923c481af643416c0f3cc9e71f7314204fa80bd1a90afe58933911ec03b5cd9cbef93b4328404564a40793de2e75f34c02451410
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe
  - Resource: win7-20220718-en
Behavioral task
- behavioral2
  - Sample: 5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe
  - Resource: win10v2004-20220721-en
Malware Config
Extracted: C:\$Recycle.Bin\S-1-5-21-4084403625-2215941253-1760665084-1000\Recovery+fvssi.txt
- http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/24226F9885EA5C9
- http://b4youfred5485jgsa3453f.italazudda.com/24226F9885EA5C9
- http://5rport45vcdef345adfkksawe.bematvocal.at/24226F9885EA5C9
- http://fwgrhsao3aoml7ej.onion/24226F9885EA5C9
- http://fwgrhsao3aoml7ej.ONION/24226F9885EA5C9
Extracted: C:\$Recycle.Bin\S-1-5-21-2660308776-3705150086-26593515-1000\Recovery+jicfx.txt
- http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/44816F917716EEE
- http://b4youfred5485jgsa3453f.italazudda.com/44816F917716EEE
- http://5rport45vcdef345adfkksawe.bematvocal.at/44816F917716EEE
- http://fwgrhsao3aoml7ej.onion/44816F917716EEE
- http://fwgrhsao3aoml7ej.ONION/44816F917716EEE
Targets
Score: 10/10
- suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext