3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76

General

Target

3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
Size

1.1MB
MD5

d6cf5f8289eac27c551334578e6e4d9f
SHA1

25f581c79b08f85ffe729bfec35fdc1ba6ef0add
SHA256

3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76
SHA512

258c276fe07b76e1dd1fea7ad1edef73fe95942ed912b91ef1bae70a8a600f5cdce28ced0d4e124f29068ec51adc2c92dad8455481ce9f55b138e3a8d96d13f9
SSDEEP

24576:CDmzI+4jJk5xYsx+1itfzYpjJU1P2UjStlezy:COIfaxLx+EEC2UVz

Score

10^/10

evasion ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\readme.txt

Ransom Note

~You have been infected with Alphaware~ >>>> Your data has been stolen and encrypted You have 24 hours to send us $300 worth of bitcoin. If you do not pay the Ransom all your files, data, and personal information will released on the dark web. Failure to pay your ransom will also result with ALL of your files being deleted and your pc being wiped. We will also leak your Personal information to multiple discord servers and dox bin. All your information will forever be on the internet for people to download and exploit. >>>> Where do I pay you? Send us 0.01767966 BTC To the bitcoin address: bc1qycxc367zcm5fpw9l9wtktufm38nlcnaumjfqcj >>>> What happens when I pay? When we receive payment we will send you your own personal decrypter to free your files and data. It is impossible to decrypt your files without our help. >>>> You will need to contact us to receive your decrypter Send us an email with proof of payment and we will respond with your decrypter. You can email us @grwxzbny42fnyku4s@proton.me >>>> Who are we? We are Alpha, a group of skilled hackers whos purpose is to take control and power over people.

Emails

@grwxzbny42fnyku4s@proton.me

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3820 bcdedit.exe
1276 bcdedit.exe
Renames multiple (173) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

5000 wbadmin.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

svchost.exe

description ioc process

File renamed C:\Users\Admin\Pictures\GetDisable.png => C:\Users\Admin\Pictures\GetDisable.png.Alphaware svchost.exe

pid	process
3820	bcdedit.exe
1276	bcdedit.exe

pid	process
5000	wbadmin.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\GetDisable.png => C:\Users\Admin\Pictures\GetDisable.png.Alphaware	svchost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 3 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1520 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1520	svchost.exe

Drops desktop.ini file(s) 33 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\imloygvti.jpg"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4976 vssadmin.exe
Modifies registry class 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings svchost.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3520 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

svchost.exe

pid process

1520 svchost.exe

pid	process
4976	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	svchost.exe

pid	process
3520	NOTEPAD.EXE

pid	process
1520	svchost.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

Processes:

3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exesvchost.exe

pid	process
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exesvchost.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
Token: SeDebugPrivilege	1520	svchost.exe
Token: SeBackupPrivilege	1060	vssvc.exe
Token: SeRestorePrivilege	1060	vssvc.exe
Token: SeAuditPrivilege	1060	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4052	WMIC.exe
Token: SeSecurityPrivilege	4052	WMIC.exe
Token: SeTakeOwnershipPrivilege	4052	WMIC.exe
Token: SeLoadDriverPrivilege	4052	WMIC.exe
Token: SeSystemProfilePrivilege	4052	WMIC.exe
Token: SeSystemtimePrivilege	4052	WMIC.exe
Token: SeProfSingleProcessPrivilege	4052	WMIC.exe
Token: SeIncBasePriorityPrivilege	4052	WMIC.exe
Token: SeCreatePagefilePrivilege	4052	WMIC.exe
Token: SeBackupPrivilege	4052	WMIC.exe
Token: SeRestorePrivilege	4052	WMIC.exe
Token: SeShutdownPrivilege	4052	WMIC.exe
Token: SeDebugPrivilege	4052	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4052	WMIC.exe
Token: SeRemoteShutdownPrivilege	4052	WMIC.exe
Token: SeUndockPrivilege	4052	WMIC.exe
Token: SeManageVolumePrivilege	4052	WMIC.exe
Token: 33	4052	WMIC.exe
Token: 34	4052	WMIC.exe
Token: 35	4052	WMIC.exe
Token: 36	4052	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4052	WMIC.exe
Token: SeSecurityPrivilege	4052	WMIC.exe
Token: SeTakeOwnershipPrivilege	4052	WMIC.exe
Token: SeLoadDriverPrivilege	4052	WMIC.exe
Token: SeSystemProfilePrivilege	4052	WMIC.exe
Token: SeSystemtimePrivilege	4052	WMIC.exe
Token: SeProfSingleProcessPrivilege	4052	WMIC.exe
Token: SeIncBasePriorityPrivilege	4052	WMIC.exe
Token: SeCreatePagefilePrivilege	4052	WMIC.exe
Token: SeBackupPrivilege	4052	WMIC.exe
Token: SeRestorePrivilege	4052	WMIC.exe
Token: SeShutdownPrivilege	4052	WMIC.exe
Token: SeDebugPrivilege	4052	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4052	WMIC.exe
Token: SeRemoteShutdownPrivilege	4052	WMIC.exe
Token: SeUndockPrivilege	4052	WMIC.exe
Token: SeManageVolumePrivilege	4052	WMIC.exe
Token: 33	4052	WMIC.exe
Token: 34	4052	WMIC.exe
Token: 35	4052	WMIC.exe
Token: 36	4052	WMIC.exe
Token: SeBackupPrivilege	2712	wbengine.exe
Token: SeRestorePrivilege	2712	wbengine.exe
Token: SeSecurityPrivilege	2712	wbengine.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exesvchost.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4292 wrote to memory of 1520	4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe	svchost.exe
PID 4292 wrote to memory of 1520	4292	3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe	svchost.exe
PID 1520 wrote to memory of 3564	1520	svchost.exe	cmd.exe
PID 1520 wrote to memory of 3564	1520	svchost.exe	cmd.exe
PID 3564 wrote to memory of 4976	3564	cmd.exe	vssadmin.exe
PID 3564 wrote to memory of 4976	3564	cmd.exe	vssadmin.exe
PID 3564 wrote to memory of 4052	3564	cmd.exe	WMIC.exe
PID 3564 wrote to memory of 4052	3564	cmd.exe	WMIC.exe
PID 1520 wrote to memory of 916	1520	svchost.exe	cmd.exe
PID 1520 wrote to memory of 916	1520	svchost.exe	cmd.exe
PID 916 wrote to memory of 3820	916	cmd.exe	bcdedit.exe
PID 916 wrote to memory of 3820	916	cmd.exe	bcdedit.exe
PID 916 wrote to memory of 1276	916	cmd.exe	bcdedit.exe
PID 916 wrote to memory of 1276	916	cmd.exe	bcdedit.exe
PID 1520 wrote to memory of 3300	1520	svchost.exe	cmd.exe
PID 1520 wrote to memory of 3300	1520	svchost.exe	cmd.exe
PID 3300 wrote to memory of 5000	3300	cmd.exe	wbadmin.exe
PID 3300 wrote to memory of 5000	3300	cmd.exe	wbadmin.exe
PID 1520 wrote to memory of 3520	1520	svchost.exe	NOTEPAD.EXE
PID 1520 wrote to memory of 3520	1520	svchost.exe	NOTEPAD.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
"C:\Users\Admin\AppData\Local\Temp\3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4292

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:4976

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
3⤵
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:3820

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:1276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:3300

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:5000

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:3520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4968

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

3

T1107

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

4

T1490

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\readme.txt
Filesize
1KB

MD5
ec607b3314664a69da75c6c3578480d5

SHA1
71051888da2de56b1014c900fec172c5a4f80ee0

SHA256
1f07fbece71d67c140a10aa9993f1d5bba5250f21b7cfafcc39e4ea60689223c

SHA512
343075967c4dec8acf245a606b9c8af151f64928a28ca50a525743d5daccf7b6b51b61da56506962a94afb9f6e22bed8ed48aefe7bcc484b8b4f6b86655e0d58

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
1.1MB

MD5
d6cf5f8289eac27c551334578e6e4d9f

SHA1
25f581c79b08f85ffe729bfec35fdc1ba6ef0add

SHA256
3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76

SHA512
258c276fe07b76e1dd1fea7ad1edef73fe95942ed912b91ef1bae70a8a600f5cdce28ced0d4e124f29068ec51adc2c92dad8455481ce9f55b138e3a8d96d13f9

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
1.1MB

MD5
d6cf5f8289eac27c551334578e6e4d9f

SHA1
25f581c79b08f85ffe729bfec35fdc1ba6ef0add

SHA256
3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76

SHA512
258c276fe07b76e1dd1fea7ad1edef73fe95942ed912b91ef1bae70a8a600f5cdce28ced0d4e124f29068ec51adc2c92dad8455481ce9f55b138e3a8d96d13f9

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
1.1MB

MD5
d6cf5f8289eac27c551334578e6e4d9f

SHA1
25f581c79b08f85ffe729bfec35fdc1ba6ef0add

SHA256
3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76

SHA512
258c276fe07b76e1dd1fea7ad1edef73fe95942ed912b91ef1bae70a8a600f5cdce28ced0d4e124f29068ec51adc2c92dad8455481ce9f55b138e3a8d96d13f9

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\readme.txt
Filesize
1KB

MD5
ec607b3314664a69da75c6c3578480d5

SHA1
71051888da2de56b1014c900fec172c5a4f80ee0

SHA256
1f07fbece71d67c140a10aa9993f1d5bba5250f21b7cfafcc39e4ea60689223c

SHA512
343075967c4dec8acf245a606b9c8af151f64928a28ca50a525743d5daccf7b6b51b61da56506962a94afb9f6e22bed8ed48aefe7bcc484b8b4f6b86655e0d58

Download Submit
memory/4292-133-0x0000000000BE0000-0x0000000000CF6000-memory.dmp

Filesize
1.1MB

Download
memory/4292-134-0x000000001B820000-0x000000001B830000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads