General
Target: 56be13d8c1180b19cf050f76b6c58fa148d73d8cc0de9bb924f52248ed7ebf3e
Size: 604KB
Sample: 220725-b9xejaaacq
MD5: 4b3972256cca6a6a124ef3b246b5783a
SHA1: a2d6ae5829004b08f7b31b91ea74538de8bc51cd
SHA256: 56be13d8c1180b19cf050f76b6c58fa148d73d8cc0de9bb924f52248ed7ebf3e
SHA512: 6cee5f0c521c9391fffefeebae6dce9b6a782d8f512ced3f07f4d076e75012c8e33a19be608bb02fba038175d7c7c79b4ed62b409a7591c47891b7902c96d15f
Static task: static1
Behavioral task: behavioral1
  Sample: 56be13d8c1180b19cf050f76b6c58fa148d73d8cc0de9bb924f52248ed7ebf3e.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 56be13d8c1180b19cf050f76b6c58fa148d73d8cc0de9bb924f52248ed7ebf3e.exe
  Resource: win10v2004-20220721-en
Malware Config
Extracted from: C:\$Recycle.Bin\S-1-5-21-3762437355-3468409815-1164039494-1000\RECOVER+gankh.TXT
  http://akdfrefdkm45tf33fsdfsdf.yamenswash.com/498512E771D348F2
  http://p4fhmjnsdfbm4w4fdsc.avowvoice.com/498512E771D348F2
  http://nn54djhfnrnm4dnjnerfsd.replylaten.at/498512E771D348F2
  http://fwgrhsao3aoml7ej.onion/498512E771D348F2
Extracted from: C:\$Recycle.Bin\S-1-5-21-2660308776-3705150086-26593515-1000\RECOVER+kjybu.TXT
  http://akdfrefdkm45tf33fsdfsdf.yamenswash.com/A0E9F531FFFD7231
  http://p4fhmjnsdfbm4w4fdsc.avowvoice.com/A0E9F531FFFD7231
  http://nn54djhfnrnm4dnjnerfsd.replylaten.at/A0E9F531FFFD7231
  http://fwgrhsao3aoml7ej.onion/A0E9F531FFFD7231
Targets
Target: 56be13d8c1180b19cf050f76b6c58fa148d73d8cc0de9bb924f52248ed7ebf3e
Score: 10/10
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
Executes dropped EXE
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Deletes itself
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext