Resubmissions

23-05-2023 08:29

230523-kdl4csfd51 10

22-05-2023 02:20

230522-csp5kade76 10

22-05-2023 01:46

230522-b6968agc4z 10

Analysis

  • max time kernel
    415s
  • max time network
    417s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-05-2023 01:46

General

  • Target: 3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
  • Size: 1.1MB
  • MD5: d6cf5f8289eac27c551334578e6e4d9f
  • SHA1: 25f581c79b08f85ffe729bfec35fdc1ba6ef0add
  • SHA256: 3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76
  • SHA512: 258c276fe07b76e1dd1fea7ad1edef73fe95942ed912b91ef1bae70a8a600f5cdce28ced0d4e124f29068ec51adc2c92dad8455481ce9f55b138e3a8d96d13f9
  • SSDEEP: 24576:CDmzI+4jJk5xYsx+1itfzYpjJU1P2UjStlezy:COIfaxLx+EEC2UVz

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\readme.txt

Ransom Note
~You have been infected with Alphaware~

>>>> Your data has been stolen and encrypted
You have 24 hours to send us $300 worth of bitcoin. If you do not pay the Ransom all your files, data, and personal information will released on the dark web. Failure to pay your ransom will also result with ALL of your files being deleted and your pc being wiped. We will also leak your Personal information to multiple discord servers and dox bin. All your information will forever be on the internet for people to download and exploit.

>>>> Where do I pay you?
Send us 0.01767966 BTC To the bitcoin address: bc1qycxc367zcm5fpw9l9wtktufm38nlcnaumjfqcj

>>>> What happens when I pay?
When we receive payment we will send you your own personal decrypter to free your files and data. It is impossible to decrypt your files without our help.

>>>> You will need to contact us to receive your decrypter
Send us an email with proof of payment and we will respond with your decrypter. You can email us @grwxzbny42fnyku4s@proton.me

>>>> Who are we?
We are Alpha, a group of skilled hackers whos purpose is to take control and power over people.
Emails

@grwxzbny42fnyku4s@proton.me

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (202) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 33 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
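The file-system signatures above (202 files renamed with an added extension, user-file extensions modified, readme.txt dropped as the ransom note) translate directly into indicators a responder can sweep a host for. The script below is an added example, not part of this report and not the sample's own code. It walks a directory tree for files carrying the ".Alphaware" extension seen in the process tree (SplitPublish.pptx.Alphaware, Firefox.lnk.Alphaware), recovers each file's original extension, and locates readme.txt copies, comparing their SHA256 with the value listed under Downloads for the dropped note. The directory layout built by build_sample_tree() is constructed for the demo; its note text is a placeholder, so it will not match the known hash.

```python
"""Scope an Alphaware infection from the file-system indicators in this report.

Added example, not part of the sandbox report. The sample tree built by
build_sample_tree() is constructed; the extension, note name and note hash
come from the report itself.
"""
import hashlib
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".Alphaware"
NOTE_NAME = "readme.txt"
# SHA256 of readme.txt as listed under Downloads in this report.
KNOWN_NOTE_SHA256 = "1f07fbece71d67c140a10aa9993f1d5bba5250f21b7cfafcc39e4ea60689223c"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def original_extension(name):
    """'SplitPublish.pptx.Alphaware' -> '.pptx'; 'Firefox.lnk.Alphaware' -> '.lnk'."""
    stem = name[:-len(ENCRYPTED_EXT)]
    return os.path.splitext(stem)[1].lower()


def scope(root):
    """Inventory encrypted files and ransom notes under root."""
    encrypted, notes = [], []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if fn.endswith(ENCRYPTED_EXT):
                encrypted.append(full)
            elif fn.lower() == NOTE_NAME:
                # readme.txt is a generic name; only the hash ties it to this family.
                digest = sha256_file(full)
                notes.append({"path": full, "sha256": digest,
                              "known": digest == KNOWN_NOTE_SHA256})
    return {
        "encrypted": sorted(encrypted),
        "encrypted_count": len(encrypted),
        "by_original_ext": Counter(original_extension(os.path.basename(p)) for p in encrypted),
        "notes": notes,
        "note_count": len(notes),
        "known_note_count": sum(1 for n in notes if n["known"]),
    }


def build_sample_tree(root):
    """Constructed directory layout mirroring the paths in this report."""
    files = {
        os.path.join("Admin", "Desktop", "SplitPublish.pptx.Alphaware"): b"\x00" * 64,
        os.path.join("Public", "Desktop", "Firefox.lnk.Alphaware"): b"\x00" * 16,
        os.path.join("Admin", "Downloads", NOTE_NAME): b"placeholder note\n",
        os.path.join("Admin", "AppData", "Roaming", NOTE_NAME): b"placeholder note\n",
        os.path.join("Admin", "Documents", "untouched.docx"): b"fine",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo():
    """Build the constructed tree in a temp dir and return its scope summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scope(tmp)


if __name__ == "__main__":
    summary = demo()
    print(f"{summary['encrypted_count']} encrypted files, by original type: "
          f"{dict(summary['by_original_ext'])}")
    print(f"{summary['note_count']} ransom notes, "
          f"{summary['known_note_count']} matching the reported hash")
```

On a live host, call scope() on the user-profile root (or a mounted image) rather than demo(); the per-extension breakdown is what tells you whether encryption reached documents and shortcuts only or also hit data that matters for recovery decisions.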

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
    "C:\Users\Admin\AppData\Local\Temp\3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1560
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Modifies extensions of user files
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1152
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1856
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1344
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:736
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:656
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1084
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:316
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:396
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:824
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        • Suspicious use of FindShellTrayWindow
        PID:896
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1576
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1048
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:572
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:2044
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SplitPublish.pptx.Alphaware
    1⤵
    • Modifies registry class
    PID:736
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Public\Desktop\Firefox.lnk.Alphaware
    1⤵
    • Modifies registry class
    PID:820
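The process tree records the exact recovery-inhibition commands (vssadmin delete shadows, wmic shadowcopy delete, two bcdedit changes, wbadmin delete catalog) and a copy of the sample running as C:\Users\Admin\AppData\Roaming\svchost.exe. The code below is an added example of detection logic over process-creation telemetry, not part of this report and not the sample's own code. The event records are constructed to resemble Sysmon Event ID 1 / Windows 4688 data; PIDs, images and command lines are taken from the tree above, parent PIDs follow the tree with 1000 assumed for the top-level process, and the field names pid, ppid, image and cmd are assumptions rather than a real log schema.

```python
"""Detection logic for the recovery-inhibition commands and the masquerading
svchost.exe seen in this report's process tree.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed.
"""
import ntpath
import re

# Rule 1: command lines that inhibit system recovery (ATT&CK T1490).
# One pattern per command observed in this analysis.
RECOVERY_INHIBIT_PATTERNS = {
    "vssadmin_delete_shadows":
        re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete":
        re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "bcdedit_ignoreallfailures":
        re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "bcdedit_recoveryenabled_no":
        re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "wbadmin_delete_catalog":
        re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
}

# Rule 2: svchost.exe running from anywhere but the Windows system directories.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def match_recovery_inhibition(command_line):
    """Names of the T1490 patterns a command line matches, sorted for stable output."""
    return sorted(name for name, pat in RECOVERY_INHIBIT_PATTERNS.items()
                  if pat.search(command_line))


def is_masquerading_svchost(image_path):
    """True if the image is named svchost.exe but lives outside System32/SysWOW64."""
    directory, name = ntpath.split(image_path)
    return name.lower() == "svchost.exe" and directory.lower() not in LEGIT_SVCHOST_DIRS


def triage(events):
    """Emit one alert per (pid, rule), in event order."""
    alerts = []
    for ev in events:
        for rule in match_recovery_inhibition(ev["cmd"]):
            alerts.append({"pid": ev["pid"], "ppid": ev["ppid"], "rule": rule})
        if is_masquerading_svchost(ev["image"]):
            alerts.append({"pid": ev["pid"], "ppid": ev["ppid"],
                           "rule": "svchost_outside_system32"})
    return alerts


def t1490_rules_hit(alerts):
    """Distinct recovery-inhibition techniques seen. Several from one host within
    minutes is a far stronger ransomware signal than any single command, since
    admins do occasionally run one of these by hand."""
    return {a["rule"] for a in alerts if a["rule"] in RECOVERY_INHIBIT_PATTERNS}


# Constructed events. The last two are benign controls that must not alert.
SAMPLE_EVENTS = [
    {"pid": 1560, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe"'},
    {"pid": 1152, "ppid": 1560, "image": r"C:\Users\Admin\AppData\Roaming\svchost.exe",
     "cmd": r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'},
    {"pid": 1856, "ppid": 1152, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'},
    {"pid": 1344, "ppid": 1856, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"pid": 656, "ppid": 1152, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no'},
    {"pid": 824, "ppid": 396, "image": r"C:\Windows\system32\wbadmin.exe",
     "cmd": "wbadmin delete catalog -quiet"},
    {"pid": 2200, "ppid": 1000, "image": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"pid": 2300, "ppid": 1000, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmd": "vssadmin list shadows"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("distinct T1490 techniques:", sorted(t1490_rules_hit(found)))
```

The cmd.exe parent fires on both commands it chains, and each child fires once more; alerting on the parent command line is what catches the chain even when the children are short-lived and their events are dropped. The masquerading rule is worth keeping separate from any hash: the dropped copy here has the same hashes as the submitted sample, but a repacked build would not.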

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                      ID     Count
  Execution          Command-Line Interface         T1059  1
  Defense Evasion    File Deletion                  T1107  3
  Defense Evasion    Modify Registry                T1112  1
  Credential Access  Credentials in Files           T1081  1
  Discovery          System Information Discovery   T1082  1
  Discovery          Query Registry                 T1012  1
  Collection         Data from Local System         T1005  1
  Impact             Inhibit System Recovery        T1490  4
  Impact             Defacement                     T1491  1

The IDs are from ATT&CK v6. In current ATT&CK, File Deletion is T1070.004 (Indicator Removal), Credentials in Files is T1552.001 (Unsecured Credentials), and Command-Line Interface falls under the T1059 Command and Scripting Interpreter family; map them before importing into a current-version tracker.


Downloads

  • C:\Users\Admin\AppData\Roaming\readme.txt
    Filesize: 1KB
    MD5: ec607b3314664a69da75c6c3578480d5
    SHA1: 71051888da2de56b1014c900fec172c5a4f80ee0
    SHA256: 1f07fbece71d67c140a10aa9993f1d5bba5250f21b7cfafcc39e4ea60689223c
    SHA512: 343075967c4dec8acf245a606b9c8af151f64928a28ca50a525743d5daccf7b6b51b61da56506962a94afb9f6e22bed8ed48aefe7bcc484b8b4f6b86655e0d58

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize: 1.1MB
    MD5: d6cf5f8289eac27c551334578e6e4d9f
    SHA1: 25f581c79b08f85ffe729bfec35fdc1ba6ef0add
    SHA256: 3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76
    SHA512: 258c276fe07b76e1dd1fea7ad1edef73fe95942ed912b91ef1bae70a8a600f5cdce28ced0d4e124f29068ec51adc2c92dad8455481ce9f55b138e3a8d96d13f9
    (identical hashes to the submitted sample: a byte-for-byte self-copy dropped under a system-process name in the user's roaming profile)

  • C:\Users\Admin\Downloads\readme.txt
    Filesize: 1KB
    MD5: ec607b3314664a69da75c6c3578480d5
    SHA1: 71051888da2de56b1014c900fec172c5a4f80ee0
    SHA256: 1f07fbece71d67c140a10aa9993f1d5bba5250f21b7cfafcc39e4ea60689223c
    SHA512: 343075967c4dec8acf245a606b9c8af151f64928a28ca50a525743d5daccf7b6b51b61da56506962a94afb9f6e22bed8ed48aefe7bcc484b8b4f6b86655e0d58

  • \??\PIPE\srvsvc
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
    (these are the digests of zero-length input; the entry is a handle to the Server service named pipe, not a file artifact, and the hashes are not usable as indicators)

  • memory/1152-62-0x0000000000EA0000-0x0000000000FB6000-memory.dmp
    Filesize: 1.1MB
  • memory/1152-114-0x000000001AE50000-0x000000001AED0000-memory.dmp
    Filesize: 512KB
  • memory/1152-518-0x000000001AE50000-0x000000001AED0000-memory.dmp
    Filesize: 512KB
  • memory/1560-54-0x0000000000A00000-0x0000000000B16000-memory.dmp
    Filesize: 1.1MB
  • memory/1560-55-0x0000000000250000-0x0000000000256000-memory.dmp
    Filesize: 24KB
  • memory/1560-57-0x000000001AD90000-0x000000001AE10000-memory.dmp
    Filesize: 512KB