3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76

Resubmissions

23/05/2023, 08:29

230523-kdl4csfd51 10

22/05/2023, 02:20

230522-csp5kade76 10

22/05/2023, 01:46

230522-b6968agc4z 10

Analysis

max time kernel
415s
max time network
417s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22/05/2023, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
Size

1.1MB
MD5

d6cf5f8289eac27c551334578e6e4d9f
SHA1

25f581c79b08f85ffe729bfec35fdc1ba6ef0add
SHA256

3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76
SHA512

258c276fe07b76e1dd1fea7ad1edef73fe95942ed912b91ef1bae70a8a600f5cdce28ced0d4e124f29068ec51adc2c92dad8455481ce9f55b138e3a8d96d13f9
SSDEEP

24576:CDmzI+4jJk5xYsx+1itfzYpjJU1P2UjStlezy:COIfaxLx+EEC2UVz

Score

10^/10

evasion ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\readme.txt

Ransom Note

~You have been infected with Alphaware~ >>>> Your data has been stolen and encrypted You have 24 hours to send us $300 worth of bitcoin. If you do not pay the Ransom all your files, data, and personal information will released on the dark web. Failure to pay your ransom will also result with ALL of your files being deleted and your pc being wiped. We will also leak your Personal information to multiple discord servers and dox bin. All your information will forever be on the internet for people to download and exploit. >>>> Where do I pay you? Send us 0.01767966 BTC To the bitcoin address: bc1qycxc367zcm5fpw9l9wtktufm38nlcnaumjfqcj >>>> What happens when I pay? When we receive payment we will send you your own personal decrypter to free your files and data. It is impossible to decrypt your files without our help. >>>> You will need to contact us to receive your decrypter Send us an email with proof of payment and we will respond with your decrypter. You can email us @[email protected] >>>> Who are we? We are Alpha, a group of skilled hackers whos purpose is to take control and power over people.

Emails

@[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1084	bcdedit.exe
316	bcdedit.exe

Renames multiple (202) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
824	wbadmin.exe

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\CheckpointShow.raw => C:\Users\Admin\Pictures\CheckpointShow.raw.Alphaware	svchost.exe
File renamed	C:\Users\Admin\Pictures\CheckpointWait.png => C:\Users\Admin\Pictures\CheckpointWait.png.Alphaware	svchost.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromRename.png => C:\Users\Admin\Pictures\ConvertFromRename.png.Alphaware	svchost.exe
File renamed	C:\Users\Admin\Pictures\GrantComplete.raw => C:\Users\Admin\Pictures\GrantComplete.raw.Alphaware	svchost.exe
File renamed	C:\Users\Admin\Pictures\InstallEdit.raw => C:\Users\Admin\Pictures\InstallEdit.raw.Alphaware	svchost.exe
File renamed	C:\Users\Admin\Pictures\PublishGrant.tif => C:\Users\Admin\Pictures\PublishGrant.tif.Alphaware	svchost.exe
File renamed	C:\Users\Admin\Pictures\SplitEdit.raw => C:\Users\Admin\Pictures\SplitEdit.raw.Alphaware	svchost.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1152	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 33 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fjsnk6mcy.jpg"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1344	vssadmin.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_Classes\Local Settings	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
896	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1152	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1560	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
1152	svchost.exe
1152	svchost.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
Token: SeDebugPrivilege	1152	svchost.exe
Token: SeBackupPrivilege	1576	vssvc.exe
Token: SeRestorePrivilege	1576	vssvc.exe
Token: SeAuditPrivilege	1576	vssvc.exe
Token: SeIncreaseQuotaPrivilege	736	WMIC.exe
Token: SeSecurityPrivilege	736	WMIC.exe
Token: SeTakeOwnershipPrivilege	736	WMIC.exe
Token: SeLoadDriverPrivilege	736	WMIC.exe
Token: SeSystemProfilePrivilege	736	WMIC.exe
Token: SeSystemtimePrivilege	736	WMIC.exe
Token: SeProfSingleProcessPrivilege	736	WMIC.exe
Token: SeIncBasePriorityPrivilege	736	WMIC.exe
Token: SeCreatePagefilePrivilege	736	WMIC.exe
Token: SeBackupPrivilege	736	WMIC.exe
Token: SeRestorePrivilege	736	WMIC.exe
Token: SeShutdownPrivilege	736	WMIC.exe
Token: SeDebugPrivilege	736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	736	WMIC.exe
Token: SeRemoteShutdownPrivilege	736	WMIC.exe
Token: SeUndockPrivilege	736	WMIC.exe
Token: SeManageVolumePrivilege	736	WMIC.exe
Token: 33	736	WMIC.exe
Token: 34	736	WMIC.exe
Token: 35	736	WMIC.exe
Token: SeIncreaseQuotaPrivilege	736	WMIC.exe
Token: SeSecurityPrivilege	736	WMIC.exe
Token: SeTakeOwnershipPrivilege	736	WMIC.exe
Token: SeLoadDriverPrivilege	736	WMIC.exe
Token: SeSystemProfilePrivilege	736	WMIC.exe
Token: SeSystemtimePrivilege	736	WMIC.exe
Token: SeProfSingleProcessPrivilege	736	WMIC.exe
Token: SeIncBasePriorityPrivilege	736	WMIC.exe
Token: SeCreatePagefilePrivilege	736	WMIC.exe
Token: SeBackupPrivilege	736	WMIC.exe
Token: SeRestorePrivilege	736	WMIC.exe
Token: SeShutdownPrivilege	736	WMIC.exe
Token: SeDebugPrivilege	736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	736	WMIC.exe
Token: SeRemoteShutdownPrivilege	736	WMIC.exe
Token: SeUndockPrivilege	736	WMIC.exe
Token: SeManageVolumePrivilege	736	WMIC.exe
Token: 33	736	WMIC.exe
Token: 34	736	WMIC.exe
Token: 35	736	WMIC.exe
Token: SeBackupPrivilege	1048	wbengine.exe
Token: SeRestorePrivilege	1048	wbengine.exe
Token: SeSecurityPrivilege	1048	wbengine.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
896	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 1152	1560	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe	28
PID 1560 wrote to memory of 1152	1560	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe	28
PID 1560 wrote to memory of 1152	1560	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe	28
PID 1152 wrote to memory of 1856	1152	svchost.exe	30
PID 1152 wrote to memory of 1856	1152	svchost.exe	30
PID 1152 wrote to memory of 1856	1152	svchost.exe	30
PID 1856 wrote to memory of 1344	1856	cmd.exe	32
PID 1856 wrote to memory of 1344	1856	cmd.exe	32
PID 1856 wrote to memory of 1344	1856	cmd.exe	32
PID 1856 wrote to memory of 736	1856	cmd.exe	36
PID 1856 wrote to memory of 736	1856	cmd.exe	36
PID 1856 wrote to memory of 736	1856	cmd.exe	36
PID 1152 wrote to memory of 656	1152	svchost.exe	38
PID 1152 wrote to memory of 656	1152	svchost.exe	38
PID 1152 wrote to memory of 656	1152	svchost.exe	38
PID 656 wrote to memory of 1084	656	cmd.exe	40
PID 656 wrote to memory of 1084	656	cmd.exe	40
PID 656 wrote to memory of 1084	656	cmd.exe	40
PID 656 wrote to memory of 316	656	cmd.exe	41
PID 656 wrote to memory of 316	656	cmd.exe	41
PID 656 wrote to memory of 316	656	cmd.exe	41
PID 1152 wrote to memory of 396	1152	svchost.exe	42
PID 1152 wrote to memory of 396	1152	svchost.exe	42
PID 1152 wrote to memory of 396	1152	svchost.exe	42
PID 396 wrote to memory of 824	396	cmd.exe	44
PID 396 wrote to memory of 824	396	cmd.exe	44
PID 396 wrote to memory of 824	396	cmd.exe	44
PID 1152 wrote to memory of 896	1152	svchost.exe	48
PID 1152 wrote to memory of 896	1152	svchost.exe	48
PID 1152 wrote to memory of 896	1152	svchost.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
"C:\Users\Admin\AppData\Local\Temp\3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Modifies extensions of user files
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1344
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:736
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:656
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1084
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:316
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:824
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    - Suspicious use of FindShellTrayWindow
    PID:896

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:572

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2044

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SplitPublish.pptx.Alphaware
1⤵
- Modifies registry class
PID:736

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Public\Desktop\Firefox.lnk.Alphaware
1⤵
- Modifies registry class
PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\readme.txt

Filesize
1KB

MD5
ec607b3314664a69da75c6c3578480d5

SHA1
71051888da2de56b1014c900fec172c5a4f80ee0

SHA256
1f07fbece71d67c140a10aa9993f1d5bba5250f21b7cfafcc39e4ea60689223c

SHA512
343075967c4dec8acf245a606b9c8af151f64928a28ca50a525743d5daccf7b6b51b61da56506962a94afb9f6e22bed8ed48aefe7bcc484b8b4f6b86655e0d58

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1.1MB

MD5
d6cf5f8289eac27c551334578e6e4d9f

SHA1
25f581c79b08f85ffe729bfec35fdc1ba6ef0add

SHA256
3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76

SHA512
258c276fe07b76e1dd1fea7ad1edef73fe95942ed912b91ef1bae70a8a600f5cdce28ced0d4e124f29068ec51adc2c92dad8455481ce9f55b138e3a8d96d13f9

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1.1MB

MD5
d6cf5f8289eac27c551334578e6e4d9f

SHA1
25f581c79b08f85ffe729bfec35fdc1ba6ef0add

SHA256
3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76

SHA512
258c276fe07b76e1dd1fea7ad1edef73fe95942ed912b91ef1bae70a8a600f5cdce28ced0d4e124f29068ec51adc2c92dad8455481ce9f55b138e3a8d96d13f9

Download Submit
C:\Users\Admin\Downloads\readme.txt

Filesize
1KB

MD5
ec607b3314664a69da75c6c3578480d5

SHA1
71051888da2de56b1014c900fec172c5a4f80ee0

SHA256
1f07fbece71d67c140a10aa9993f1d5bba5250f21b7cfafcc39e4ea60689223c

SHA512
343075967c4dec8acf245a606b9c8af151f64928a28ca50a525743d5daccf7b6b51b61da56506962a94afb9f6e22bed8ed48aefe7bcc484b8b4f6b86655e0d58

Download Submit
memory/1152-62-0x0000000000EA0000-0x0000000000FB6000-memory.dmp

Filesize
1.1MB

Download
memory/1152-114-0x000000001AE50000-0x000000001AED0000-memory.dmp

Filesize
512KB

Download
memory/1152-518-0x000000001AE50000-0x000000001AED0000-memory.dmp

Filesize
512KB

Download
memory/1560-54-0x0000000000A00000-0x0000000000B16000-memory.dmp

Filesize
1.1MB

Download
memory/1560-55-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/1560-57-0x000000001AD90000-0x000000001AE10000-memory.dmp

Filesize
512KB

Download