3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217

Analysis

max time kernel
102s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-12-2024 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
Size

603KB
MD5

eb13533a89da9762d93de5d54966df5f
SHA1

c0d2cef9149395218eb3a91afe6cbbdbf0181c65
SHA256

3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217
SHA512

30c2bab2b0729bdc54797421c5e1611a2ff842a29815d3cf4da320efcc61c50a266f78a97df53a0f0a7c297393ab460b9795e9bc63f5c80cc2f31d75e6cda5fa
SSDEEP

12288:GBgmEvHIqBTQtTdfYBgfS/fIPgA3EFIpGXfQcytS2nF6hBq:GBgmEvHIq1J03EFEG9H2nEq

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\#HowToRecover.txt

Ransom Note

Your Files Have Been Encrypted! Attention! All your important files have been stolen and encrypted by our advanced attack. Without our special decryption software, theres no way to recover your data! Your ID: [ 35AEE360 ] To restore your files, reach out to us at: [email protected] You can also contact us via Telegram: @adm_helproot Failing to act may result in sensitive company data being leaked or sold. Do NOT use third-party tools, as they may permanently damage your files. Why Trust Us? Before making any payment, you can send us few files for free decryption test. Our business relies on fulfilling our promises. How to Buy Bitcoin? You can purchase Bitcoin to pay the ransom using these trusted platforms: https://www.kraken.com/learn/buy-bitcoin-btc https://www.coinbase.com/en-gb/how-to-buy/bitcoin https://paxful.com

Emails

[email protected]

URLs

https://paxful.com

Signatures

Renames multiple (6372) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\Desktop\Wallpaper = "C:\\background.bmp"	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\file_icons.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-black\FeedbackHubSplashScreen.scale-200_altform-colorful.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\StoreLogo.scale-150_contrast-black.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\js\plugin.js	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion Boardroom.thmx	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Xbox_LargeTile.scale-125_contrast-white.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\#HowToRecover.txt	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\main.css	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\GetHelpAppList.targetsize-30_altform-unplated.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\LockScreenLogo.scale-125_contrast-black.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\eu-es\ui-strings.js	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\dotnet\ThirdPartyNotices.txt	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-60_altform-unplated.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\#HowToRecover.txt	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\#HowToRecover.txt	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-exit-hover.svg	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.winmd	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_agreement_filetype.svg	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\tr-tr\ui-strings.js	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateAppIcon.altform-lightunplated_targetsize-24.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_altform-unplated_contrast-black.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\bg5_thumb.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\IComponentAs.js	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\#HowToRecover.txt	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\CAPSULES.INF	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-125.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsAppList.scale-100_contrast-white.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-96.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderStoreLogo.scale-125.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Shimmer.js	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\warn.js	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.21012.10511.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\en-US.pak	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\NewsMedTile.scale-100.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-32_altform-unplated.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib\types\IEffects.js	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\rtl.js	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview_selected.svg	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-40_altform-unplated_contrast-black.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-150.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-24.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Microsoft.Terminal.TerminalControl\#HowToRecover.txt	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Fonts\#HowToRecover.txt	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\ui-strings.js	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherAppList.targetsize-30_altform-unplated.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-150.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_contrast-white.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\DetailsList\DetailsColumn.styles.js	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotMatch.snippets.ps1xml	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\ui-strings.js	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-100_contrast-black.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsMedTile.scale-200_contrast-white.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-white\NotepadAppList.targetsize-16_altform-unplated.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-96.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_neutral_split.scale-100_8wekyb3d8bbwe\Images\PowerAutomateSquare71x71Logo.scale-100.png	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Theme_Illustration_Seasons_Fall_Right.svg	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\background.bmp"	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Control Panel\Desktop\Wallpaper = "C:\\background.bmp"	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Control Panel\Desktop\Wallpaper = "C:\\background.bmp"	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3904	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
3904	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 2516	3904	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe	77
PID 3904 wrote to memory of 2516	3904	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe	77
PID 2516 wrote to memory of 2784	2516	cmd.exe	79
PID 2516 wrote to memory of 2784	2516	cmd.exe	79
PID 3904 wrote to memory of 4080	3904	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe	86
PID 3904 wrote to memory of 4080	3904	3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe	86
PID 4080 wrote to memory of 2108	4080	cmd.exe	88
PID 4080 wrote to memory of 2108	4080	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe
"C:\Users\Admin\AppData\Local\Temp\3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe"
1⤵
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\Admin\AppData\Local\Temp\3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe" /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\system32\schtasks.exe
    SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\Admin\AppData\Local\Temp\3dc6902dc87d976787bdf0878e7174ec526df613645d3f275e0216d05cf2d217.exe" /F
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update ALPHV" /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\system32\schtasks.exe
    SCHTASKS.exe /Delete /TN "Windows Update ALPHV" /F
    3⤵
    PID:2108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3016

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\#HowToRecover.txt
1⤵
PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\#HowToRecover.txt

Filesize
870B

MD5
5db88e0b5a239631c21cf936cf51b127

SHA1
f006536e9403e5e68b98133e345486f58899817c

SHA256
d288f1700505cebbeb365ba1a16fea79c44ab9822c7d814b1b35214c0f76c219

SHA512
661e7979d0c866175474d40fe6e3c1469976e0f588dad46a2aa574425e5f23cb67e9c3e204984da7a5827f08e19e7195534204d2d6b46df0416cf576190deb86

Download Submit