Overview

overview

10

Static

static

3

3a2b0d7aa2...76.exe

windows7-x64

10

3a2b0d7aa2...76.exe

windows10-2004-x64

10

Resubmissions

23/05/2023, 08:29

230523-kdl4csfd51 10

22/05/2023, 02:20

230522-csp5kade76 10

22/05/2023, 01:46

230522-b6968agc4z 10

Analysis

  • max time kernel
    503s
  • max time network
    506s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/05/2023, 01:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe

  • Size

    1.1MB

  • MD5

    d6cf5f8289eac27c551334578e6e4d9f

  • SHA1

    25f581c79b08f85ffe729bfec35fdc1ba6ef0add

  • SHA256

    3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76

  • SHA512

    258c276fe07b76e1dd1fea7ad1edef73fe95942ed912b91ef1bae70a8a600f5cdce28ced0d4e124f29068ec51adc2c92dad8455481ce9f55b138e3a8d96d13f9

  • SSDEEP

    24576:CDmzI+4jJk5xYsx+1itfzYpjJU1P2UjStlezy:COIfaxLx+EEC2UVz

Score
10/10
evasionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\readme.txt

Ransom Note
~You have been infected with Alphaware~ >>>> Your data has been stolen and encrypted You have 24 hours to send us $300 worth of bitcoin. If you do not pay the Ransom all your files, data, and personal information will released on the dark web. Failure to pay your ransom will also result with ALL of your files being deleted and your pc being wiped. We will also leak your Personal information to multiple discord servers and dox bin. All your information will forever be on the internet for people to download and exploit. >>>> Where do I pay you? Send us 0.01767966 BTC To the bitcoin address: bc1qycxc367zcm5fpw9l9wtktufm38nlcnaumjfqcj >>>> What happens when I pay? When we receive payment we will send you your own personal decrypter to free your files and data. It is impossible to decrypt your files without our help. >>>> You will need to contact us to receive your decrypter Send us an email with proof of payment and we will respond with your decrypter. You can email us @[email protected] >>>> Who are we? We are Alpha, a group of skilled hackers whos purpose is to take control and power over people.

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (173) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 33 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
    "C:\Users\Admin\AppData\Local\Temp\3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4292
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Modifies extensions of user files
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3564
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:4976
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4052
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:916
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3820
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1276
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3300
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:5000
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:3520
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1060
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2712
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:4968
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:4892

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\readme.txt
      Filesize

      1KB

      MD5

      ec607b3314664a69da75c6c3578480d5

      SHA1

      71051888da2de56b1014c900fec172c5a4f80ee0

      SHA256

      1f07fbece71d67c140a10aa9993f1d5bba5250f21b7cfafcc39e4ea60689223c

      SHA512

      343075967c4dec8acf245a606b9c8af151f64928a28ca50a525743d5daccf7b6b51b61da56506962a94afb9f6e22bed8ed48aefe7bcc484b8b4f6b86655e0d58

      Download Submit

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      1.1MB

      MD5

      d6cf5f8289eac27c551334578e6e4d9f

      SHA1

      25f581c79b08f85ffe729bfec35fdc1ba6ef0add

      SHA256

      3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76

      SHA512

      258c276fe07b76e1dd1fea7ad1edef73fe95942ed912b91ef1bae70a8a600f5cdce28ced0d4e124f29068ec51adc2c92dad8455481ce9f55b138e3a8d96d13f9

      Download Submit

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      1.1MB

      MD5

      d6cf5f8289eac27c551334578e6e4d9f

      SHA1

      25f581c79b08f85ffe729bfec35fdc1ba6ef0add

      SHA256

      3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76

      SHA512

      258c276fe07b76e1dd1fea7ad1edef73fe95942ed912b91ef1bae70a8a600f5cdce28ced0d4e124f29068ec51adc2c92dad8455481ce9f55b138e3a8d96d13f9

      Download Submit

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      1.1MB

      MD5

      d6cf5f8289eac27c551334578e6e4d9f

      SHA1

      25f581c79b08f85ffe729bfec35fdc1ba6ef0add

      SHA256

      3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76

      SHA512

      258c276fe07b76e1dd1fea7ad1edef73fe95942ed912b91ef1bae70a8a600f5cdce28ced0d4e124f29068ec51adc2c92dad8455481ce9f55b138e3a8d96d13f9

      Download Submit

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\readme.txt
      Filesize

      1KB

      MD5

      ec607b3314664a69da75c6c3578480d5

      SHA1

      71051888da2de56b1014c900fec172c5a4f80ee0

      SHA256

      1f07fbece71d67c140a10aa9993f1d5bba5250f21b7cfafcc39e4ea60689223c

      SHA512

      343075967c4dec8acf245a606b9c8af151f64928a28ca50a525743d5daccf7b6b51b61da56506962a94afb9f6e22bed8ed48aefe7bcc484b8b4f6b86655e0d58

      Download Submit

    • memory/4292-133-0x0000000000BE0000-0x0000000000CF6000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4292-134-0x000000001B820000-0x000000001B830000-memory.dmp

      Filesize

      64KB

      Download