General
-
Target
ad5efdc0944721558138fff89226d5d196943e9fea82fb8c46317eca7826540b
-
Size
344KB
-
Sample
221128-dkz58sae62
-
MD5
65578198c7650a31d2786eee5d56a3a5
-
SHA1
c528bb0d3eabe054928f08606a2de3113f4e23bb
-
SHA256
ad5efdc0944721558138fff89226d5d196943e9fea82fb8c46317eca7826540b
-
SHA512
fd2660e75d33d7c67c3f6124c48b540b8f95c27acb0bc892274f3388f60d9827c6b601ab9229094be244f185b8f084c24abda3cab8e93e50aa54c99adfa6cadd
-
SSDEEP
6144:bWYMMr+8TAO1tgMfekvcIAM+Zpdk0C6+r47ywV8V0CHqqR9:bWOAO1tZ/vcpM+ZLk0itOiqqf
Static task
static1
Behavioral task
behavioral1
Sample
ad5efdc0944721558138fff89226d5d196943e9fea82fb8c46317eca7826540b.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
ad5efdc0944721558138fff89226d5d196943e9fea82fb8c46317eca7826540b.exe
Resource
win10v2004-20220901-en
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-3385717845-2518323428-350143044-1000\how_recover+kyb.txt
http://alcov44uvcwkrend.paybtc798.com/8F866EB1CB7C607D
http://alcov44uvcwkrend.btcpay435.com/8F866EB1CB7C607D
https://alcov44uvcwkrend.onion.to/8F866EB1CB7C607D
http://alcov44uvcwkrend.onion/8F866EB1CB7C607D
Extracted
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\how_recover+beu.txt
http://alcov44uvcwkrend.paybtc798.com/CD23C08221B4814
http://alcov44uvcwkrend.btcpay435.com/CD23C08221B4814
https://alcov44uvcwkrend.onion.to/CD23C08221B4814
http://alcov44uvcwkrend.onion/CD23C08221B4814
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\how_recover+beu.html
http://alcov44uvcwkrend.onion/CD23C08221B4814
http://alcov44uvcwkrend.paybtc798.com/CD23C08221B4814
http://alcov44uvcwkrend.btcpay435.com/CD23C08221B4814
https://alcov44uvcwkrend.onion.to/CD23C08221B4814
Targets
-
-
Target
ad5efdc0944721558138fff89226d5d196943e9fea82fb8c46317eca7826540b
-
Size
344KB
-
MD5
65578198c7650a31d2786eee5d56a3a5
-
SHA1
c528bb0d3eabe054928f08606a2de3113f4e23bb
-
SHA256
ad5efdc0944721558138fff89226d5d196943e9fea82fb8c46317eca7826540b
-
SHA512
fd2660e75d33d7c67c3f6124c48b540b8f95c27acb0bc892274f3388f60d9827c6b601ab9229094be244f185b8f084c24abda3cab8e93e50aa54c99adfa6cadd
-
SSDEEP
6144:bWYMMr+8TAO1tgMfekvcIAM+Zpdk0C6+r47ywV8V0CHqqR9:bWOAO1tZ/vcpM+ZLk0itOiqqf
Score10/10-
Modifies boot configuration data using bcdedit
-
Executes dropped EXE
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-