General

  • Target

    5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8

  • Size

    368KB

  • Sample

    220725-a3sbkafhgm

  • MD5

    65440340932ca8194b58ab27a078d4b5

  • SHA1

    3c8690d9c4b8de49ba2ed4ceae26468a3b4220fe

  • SHA256

    5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8

  • SHA512

    23934b41dadc45710bf8c598923c481af643416c0f3cc9e71f7314204fa80bd1a90afe58933911ec03b5cd9cbef93b4328404564a40793de2e75f34c02451410

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-4084403625-2215941253-1760665084-1000\Recovery+fvssi.txt

Ransom Note
__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/24226F9885EA5C9 2. http://b4youfred5485jgsa3453f.italazudda.com/24226F9885EA5C9 3. http://5rport45vcdef345adfkksawe.bematvocal.at/24226F9885EA5C9 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/24226F9885EA5C9 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/24226F9885EA5C9 http://b4youfred5485jgsa3453f.italazudda.com/24226F9885EA5C9 http://5rport45vcdef345adfkksawe.bematvocal.at/24226F9885EA5C9 *-*-* Your personal page Tor-Browser: fwgrhsao3aoml7ej.ONION/24226F9885EA5C9 *-*-* Your personal identification ID: 24226F9885EA5C9
URLs

http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/24226F9885EA5C9

http://b4youfred5485jgsa3453f.italazudda.com/24226F9885EA5C9

http://5rport45vcdef345adfkksawe.bematvocal.at/24226F9885EA5C9

http://fwgrhsao3aoml7ej.onion/24226F9885EA5C9

http://fwgrhsao3aoml7ej.ONION/24226F9885EA5C9

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2660308776-3705150086-26593515-1000\Recovery+jicfx.txt

Ransom Note
__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/44816F917716EEE 2. http://b4youfred5485jgsa3453f.italazudda.com/44816F917716EEE 3. http://5rport45vcdef345adfkksawe.bematvocal.at/44816F917716EEE If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/44816F917716EEE 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/44816F917716EEE http://b4youfred5485jgsa3453f.italazudda.com/44816F917716EEE http://5rport45vcdef345adfkksawe.bematvocal.at/44816F917716EEE *-*-* Your personal page Tor-Browser: fwgrhsao3aoml7ej.ONION/44816F917716EEE *-*-* Your personal identification ID: 44816F917716EEE
URLs

http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/44816F917716EEE

http://b4youfred5485jgsa3453f.italazudda.com/44816F917716EEE

http://5rport45vcdef345adfkksawe.bematvocal.at/44816F917716EEE

http://fwgrhsao3aoml7ej.onion/44816F917716EEE

http://fwgrhsao3aoml7ej.ONION/44816F917716EEE

Targets

    • Target

      5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8

    • Size

      368KB

    • MD5

      65440340932ca8194b58ab27a078d4b5

    • SHA1

      3c8690d9c4b8de49ba2ed4ceae26468a3b4220fe

    • SHA256

      5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8

    • SHA512

      23934b41dadc45710bf8c598923c481af643416c0f3cc9e71f7314204fa80bd1a90afe58933911ec03b5cd9cbef93b4328404564a40793de2e75f34c02451410

    • suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon

      suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

File Deletion

1
T1107

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Impact

Inhibit System Recovery

1
T1490

Tasks