General
Target: 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b
Size: 416KB
Sample: 220725-fgnzxafecn
MD5: 121e0d2c092d76e599e925f0b96746a3
SHA1: 6b0311750c7e712b4de156dda496bb88705c8e1b
SHA256: 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b
SHA512: b9fd5ceb2b8ef2375dbd6698fa12e98e8ce184801dcbfa7bcf9196aaf91ac875b3b8972f686801c9988d543d423adbd46bd8a6dd616238db47aeb9a96ba324a4
Static task: static1
Behavioral task: behavioral1
Sample: 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
Resource: win7-20220718-en
Behavioral task: behavioral2
Sample: 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
Resource: win10v2004-20220721-en
Malware Config
Extracted from C:\$Recycle.Bin\S-1-5-21-4084403625-2215941253-1760665084-1000\Recovery+oetxw.txt
http://p57gest54celltraf743knjf.mottesapo.com/BF6A638F93F05150
http://k4restportgonst34d23r.oftpony.at/BF6A638F93F05150
http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/BF6A638F93F05150
http://fwgrhsao3aoml7ej.onion/BF6A638F93F05150
http://fwgrhsao3aoml7ej.ONION/BF6A638F93F05150
Extracted from C:\$Recycle.Bin\S-1-5-21-1101907861-274115917-2188613224-1000\Recovery+aqsdn.txt
http://p57gest54celltraf743knjf.mottesapo.com/9DBF1B10D7701699
http://k4restportgonst34d23r.oftpony.at/9DBF1B10D7701699
http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/9DBF1B10D7701699
http://fwgrhsao3aoml7ej.onion/9DBF1B10D7701699
http://fwgrhsao3aoml7ej.ONION/9DBF1B10D7701699
Two ransom notes were extracted, evidently one per behavioral run: the machine SID in the note path and the hexadecimal victim ID at the end of each URL differ between the two, while the gateway hosts are identical. The ID is therefore per-infection rather than per-sample, so the hosts (three clearnet Tor gateways and one hidden service, listed twice with different case) are the stable indicators, not the full URLs.
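As an added example (not part of the sandbox report and not the malware's own code), the following Python pulls the payment URLs, gateway hosts and victim ID out of a ransom note and then checks a proxy log for traffic to those hosts. The note body wrapping the URLs and the proxy log lines are constructed for this example; only the URLs themselves come from the report above. The assumed log layout is one request per line, "timestamp client method url status".

```python
"""Extract gateway hosts and the victim ID from a TeslaCrypt/AlphaCrypt-style
ransom note, then scan a proxy log for requests to those hosts.

Added example, not part of the sandbox report or the sample. The note
wording and the proxy log lines are constructed; only the URLs are taken
from the report's "Malware Config" section.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed note text wrapping the five URLs the report extracted from
# Recovery+oetxw.txt. The surrounding wording is an assumption.
SAMPLE_NOTE = """\
Your files have been encrypted.
Your personal pages:
http://p57gest54celltraf743knjf.mottesapo.com/BF6A638F93F05150
http://k4restportgonst34d23r.oftpony.at/BF6A638F93F05150
http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/BF6A638F93F05150
Your personal page (Tor Browser):
http://fwgrhsao3aoml7ej.onion/BF6A638F93F05150
http://fwgrhsao3aoml7ej.ONION/BF6A638F93F05150
"""

# Constructed proxy log: "<ts> <client-ip> <method> <url> <status>".
# 10.0.0.9 carries the second victim ID from the report's other run, and
# 10.0.0.11 reaches a gateway host without any ID in the path.
SAMPLE_PROXY_LOG = """\
2022-07-25T14:02:11Z 10.0.0.7 GET http://p57gest54celltraf743knjf.mottesapo.com/BF6A638F93F05150 200
2022-07-25T14:02:12Z 10.0.0.7 GET http://www.example.com/index.html 200
2022-07-25T14:02:13Z 10.0.0.9 GET http://k4restportgonst34d23r.oftpony.at/9DBF1B10D7701699 200
2022-07-25T14:02:14Z 10.0.0.11 GET http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/ 404
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def victim_id_from_path(path):
    """Last path segment, or '<no-id>' when the URL carries no victim ID."""
    segments = [s for s in path.split("/") if s]
    return segments[-1] if segments else "<no-id>"


def extract_iocs(note_text):
    """Return (victim_ids, clearnet_hosts, onion_hosts, urls) from a note.

    Hosts are lower-cased so the .onion/.ONION pair collapses to one entry.
    A note yielding more than one victim ID deserves a second look, since a
    single infection should carry the same ID on every URL.
    """
    urls = URL_RE.findall(note_text)
    victim_ids, clearnet, onion = set(), set(), set()
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not host:
            continue
        victim_ids.add(victim_id_from_path(parts.path))
        (onion if host.endswith(".onion") else clearnet).add(host)
    return victim_ids, clearnet, onion, urls


def scan_proxy_log(log_text, hosts):
    """Map client IP -> set of victim IDs seen on requests to known gateway hosts.

    Matching is on the host rather than the full URL so a different victim
    ID (another infected machine) is still caught; the ID is kept so each
    client can be tied back to its own ransom note.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, client, _method, url, _status = fields[:5]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in hosts:
            hits[client].add(victim_id_from_path(parts.path))
    return dict(hits)


if __name__ == "__main__":
    ids, clearnet, onion, urls = extract_iocs(SAMPLE_NOTE)
    print("victim IDs:", sorted(ids))
    print("clearnet gateways:", sorted(clearnet))
    print("onion gateways:", sorted(onion))
    for client, seen in scan_proxy_log(SAMPLE_PROXY_LOG, clearnet | onion).items():
        print(f"{client}: contacted a gateway host, IDs {sorted(seen)}")
```

Feeding the note from the second run through the same function yields the same hosts with victim ID 9DBF1B10D7701699, which is why the scanner keys on hosts and reports the ID separately.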
Targets
Target: 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b
Size: 416KB
MD5: 121e0d2c092d76e599e925f0b96746a3
SHA1: 6b0311750c7e712b4de156dda496bb88705c8e1b
SHA256: 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b
SHA512: b9fd5ceb2b8ef2375dbd6698fa12e98e8ce184801dcbfa7bcf9196aaf91ac875b3b8972f686801c9988d543d423adbd46bd8a6dd616238db47aeb9a96ba324a4
Score: 10/10
- suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
- suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware typically changes the extension of the files it encrypts.
- Checks computer location settings
  Looks up the country code configured in the registry, likely used as a geofence.
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
  Commonly associated with process injection, where a thread's context is rewritten to redirect execution.
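The two file-system behaviours in the list above, mass extension changes on user files and the drop of a Recovery+*.txt note, can be turned into a host-side heuristic. The following Python is an added example (not part of the sandbox report and not the sample's code) run over a constructed file-event log. The event tuple layout (timestamp, pid, op, path, new_path), the ".locked" extension given to the renamed files, and the burst threshold and window are assumptions made for this example; only the note name and its $Recycle.Bin path are taken from the report.

```python
"""Heuristic for the "modifies extensions of user files" and ransom-note
drop behaviours, applied to a constructed file-event log.

Added example, not part of the sandbox report or the sample. The event
layout (timestamp, pid, op, path, new_path), the ".locked" extension and
the thresholds are assumptions; only the note name and path come from
the report.
"""
import ntpath  # Windows paths are parsed explicitly so this also runs on Linux
import re
from collections import defaultdict

RENAME_BURST = 10      # extension-changing renames inside one window
WINDOW_SECONDS = 5.0
# Matches the "Recovery+<random>.txt" note names the report extracted.
NOTE_NAME_RE = re.compile(r"^Recovery\+[A-Za-z0-9]+\.txt$", re.IGNORECASE)

DOCS = "C:\\Users\\victim\\Documents\\"
RECYCLE = "C:\\$Recycle.Bin\\S-1-5-21-4084403625-2215941253-1760665084-1000\\"

# Constructed events: (timestamp, pid, op, path, new_path). PID 4321 renames
# 12 documents to a new extension within about 2.2 s and drops a note;
# PID 777 is a benign process doing a few unrelated renames.
SAMPLE_EVENTS = (
    [(1000.0 + i * 0.2, 4321, "rename", f"{DOCS}report{i}.docx",
      f"{DOCS}report{i}.docx.locked") for i in range(12)]
    + [(1002.5, 4321, "create", f"{RECYCLE}Recovery+oetxw.txt", None)]
    + [
        (1001.0, 777, "rename", f"{DOCS}draft.tmp", f"{DOCS}draft.docx"),
        (1001.5, 777, "rename", f"{DOCS}notes.txt", f"{DOCS}notes.md"),
        (1002.0, 777, "rename", f"{DOCS}old.txt", f"{DOCS}new.txt"),  # same ext
    ]
)


def extension_changed(src, dst):
    """True when a rename changes the file's final extension."""
    return ntpath.splitext(src)[1].lower() != ntpath.splitext(dst)[1].lower()


def peak_in_window(times, window):
    """Largest number of timestamps that fall inside any `window`-second span."""
    times = sorted(times)
    peak = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return peak


def detect(events):
    """Return per-PID verdicts combining the rename-burst and note-drop signals."""
    rename_times = defaultdict(list)
    notes = defaultdict(set)
    for ts, pid, op, path, new_path in events:
        if op == "rename" and new_path and extension_changed(path, new_path):
            rename_times[pid].append(ts)
        elif op == "create" and NOTE_NAME_RE.match(ntpath.basename(path)):
            notes[pid].add(path)
    verdicts = {}
    for pid in set(rename_times) | set(notes):
        peak = peak_in_window(rename_times[pid], WINDOW_SECONDS)
        burst = peak >= RENAME_BURST
        verdicts[pid] = {
            "peak_renames": peak,
            "burst": burst,
            "notes": sorted(notes[pid]),
            # Either signal alone is enough: a note drop is rare in benign
            # activity, and the burst catches variants that name their
            # note differently.
            "ransomware_suspected": burst or bool(notes[pid]),
        }
    return verdicts


if __name__ == "__main__":
    for pid, verdict in sorted(detect(SAMPLE_EVENTS).items()):
        print(pid, verdict)
```

The burst window is the part to tune: too short and a slow encryptor slips under it, too long and bulk user operations (unzipping, batch conversion) start to trip it, which is why the note drop is kept as an independent signal.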