Overview

overview

10

Static

static

3

3a2b0d7aa2...76.exe

windows7-x64

10

3a2b0d7aa2...76.exe

windows10-2004-x64

10

Resubmissions

23/05/2023, 08:29

230523-kdl4csfd51 10

22/05/2023, 02:20

230522-csp5kade76 10

22/05/2023, 01:46

230522-b6968agc4z 10

Analysis

  • max time kernel
    368s
  • max time network
    334s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    22/05/2023, 02:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe

  • Size

    1.1MB

  • MD5

    d6cf5f8289eac27c551334578e6e4d9f

  • SHA1

    25f581c79b08f85ffe729bfec35fdc1ba6ef0add

  • SHA256

    3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76

  • SHA512

    258c276fe07b76e1dd1fea7ad1edef73fe95942ed912b91ef1bae70a8a600f5cdce28ced0d4e124f29068ec51adc2c92dad8455481ce9f55b138e3a8d96d13f9

  • SSDEEP

    24576:CDmzI+4jJk5xYsx+1itfzYpjJU1P2UjStlezy:COIfaxLx+EEC2UVz

Score
10/10
evasionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\readme.txt

Ransom Note
~You have been infected with Alphaware~ >>>> Your data has been stolen and encrypted You have 24 hours to send us $300 worth of bitcoin. If you do not pay the Ransom all your files, data, and personal information will released on the dark web. Failure to pay your ransom will also result with ALL of your files being deleted and your pc being wiped. We will also leak your Personal information to multiple discord servers and dox bin. All your information will forever be on the internet for people to download and exploit. >>>> Where do I pay you? Send us 0.01767966 BTC To the bitcoin address: bc1qycxc367zcm5fpw9l9wtktufm38nlcnaumjfqcj >>>> What happens when I pay? When we receive payment we will send you your own personal decrypter to free your files and data. It is impossible to decrypt your files without our help. >>>> You will need to contact us to receive your decrypter Send us an email with proof of payment and we will respond with your decrypter. You can email us @[email protected] >>>> Who are we? We are Alpha, a group of skilled hackers whos purpose is to take control and power over people.

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (197) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 33 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe
    "C:\Users\Admin\AppData\Local\Temp\3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Modifies extensions of user files
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1936
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:968
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:544
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1000
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1988
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1488
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1196
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:1372
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        • Suspicious use of FindShellTrayWindow
        PID:1840
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:428
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:800
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:1668
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:1404
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x304
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:564
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1308

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\readme.txt
        Filesize

        1KB

        MD5

        ec607b3314664a69da75c6c3578480d5

        SHA1

        71051888da2de56b1014c900fec172c5a4f80ee0

        SHA256

        1f07fbece71d67c140a10aa9993f1d5bba5250f21b7cfafcc39e4ea60689223c

        SHA512

        343075967c4dec8acf245a606b9c8af151f64928a28ca50a525743d5daccf7b6b51b61da56506962a94afb9f6e22bed8ed48aefe7bcc484b8b4f6b86655e0d58

        Download Submit

      • C:\Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        1.1MB

        MD5

        d6cf5f8289eac27c551334578e6e4d9f

        SHA1

        25f581c79b08f85ffe729bfec35fdc1ba6ef0add

        SHA256

        3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76

        SHA512

        258c276fe07b76e1dd1fea7ad1edef73fe95942ed912b91ef1bae70a8a600f5cdce28ced0d4e124f29068ec51adc2c92dad8455481ce9f55b138e3a8d96d13f9

        Download Submit

      • C:\Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        1.1MB

        MD5

        d6cf5f8289eac27c551334578e6e4d9f

        SHA1

        25f581c79b08f85ffe729bfec35fdc1ba6ef0add

        SHA256

        3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76

        SHA512

        258c276fe07b76e1dd1fea7ad1edef73fe95942ed912b91ef1bae70a8a600f5cdce28ced0d4e124f29068ec51adc2c92dad8455481ce9f55b138e3a8d96d13f9

        Download Submit

      • C:\Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        1.1MB

        MD5

        d6cf5f8289eac27c551334578e6e4d9f

        SHA1

        25f581c79b08f85ffe729bfec35fdc1ba6ef0add

        SHA256

        3a2b0d7aa2a94d6d537838a2a18fa25890c2df97c7708e895f7c566f7a65ab76

        SHA512

        258c276fe07b76e1dd1fea7ad1edef73fe95942ed912b91ef1bae70a8a600f5cdce28ced0d4e124f29068ec51adc2c92dad8455481ce9f55b138e3a8d96d13f9

        Download Submit

      • C:\Users\Admin\Downloads\readme.txt
        Filesize

        1KB

        MD5

        ec607b3314664a69da75c6c3578480d5

        SHA1

        71051888da2de56b1014c900fec172c5a4f80ee0

        SHA256

        1f07fbece71d67c140a10aa9993f1d5bba5250f21b7cfafcc39e4ea60689223c

        SHA512

        343075967c4dec8acf245a606b9c8af151f64928a28ca50a525743d5daccf7b6b51b61da56506962a94afb9f6e22bed8ed48aefe7bcc484b8b4f6b86655e0d58

        Download Submit

      • memory/744-54-0x0000000000BB0000-0x0000000000CC6000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/744-55-0x00000000002D0000-0x00000000002D6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/744-56-0x000000001B1C0000-0x000000001B240000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1648-62-0x00000000012D0000-0x00000000013E6000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1648-77-0x000000001AF40000-0x000000001AFC0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1648-510-0x000000001AF40000-0x000000001AFC0000-memory.dmp

        Filesize

        512KB

        Download