a9c4d78cd5e550155bf8cc080f30d632a15155a6dd55b1d5991b7d40809ce336

General

Target

UnluckyWare.exe
Size

228KB
MD5

d7924023e6cb8826e6db9c1bb917ee4e
SHA1

d3727664988db585b9d632d2888963019b5e6e11
SHA256

a9c4d78cd5e550155bf8cc080f30d632a15155a6dd55b1d5991b7d40809ce336
SHA512

249102437da4a1a361b082b1683f4a69f7ee48ec7e423d2e0551440b61cbbd9f86ce2bd9b93507f7ffa4d268fb0f8d898870162eeb5eea458db67b50b3091519

Score

6^/10

persistence ransomware

Malware Config

Signatures

Modifies control panel 2 IoCs

evasion

Processes:

UnluckyWare.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Desktop\WallpaperStyle = "0"	UnluckyWare.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Desktop\TileWallpaper = "0"	UnluckyWare.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

UnluckyWare.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\000000051470.jpg"	UnluckyWare.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

UnluckyWare.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3812	UnluckyWare.exe
Token: SeRestorePrivilege	3916	WerFault.exe
Token: SeBackupPrivilege	3916	WerFault.exe
Token: SeDebugPrivilege	3916	WerFault.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3916 3812 WerFault.exe UnluckyWare.exe

pid	pid_target	process	target process
3916	3812	WerFault.exe	UnluckyWare.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe
3916	WerFault.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

UnluckyWare.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\HWID = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7ed61d16-823d-46a4-b281-6496d4589840}.exe\""	UnluckyWare.exe

Drops file in Windows directory 1 IoCs

Processes:

UnluckyWare.exe

description ioc process

File created C:\Windows\000000051470.jpg UnluckyWare.exe

description	ioc	process
File created	C:\Windows\000000051470.jpg	UnluckyWare.exe

Drops desktop.ini file(s) 45 IoCs

Processes:

UnluckyWare.exe

description	ioc	process
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Public\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu Places\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	UnluckyWare.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1231583446-2617009595-2137880041-1000\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	UnluckyWare.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	UnluckyWare.exe

C:\Users\Admin\AppData\Local\Temp\UnluckyWare.exe
"C:\Users\Admin\AppData\Local\Temp\UnluckyWare.exe"
1⤵
- Modifies control panel
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
- Drops file in Windows directory
- Drops desktop.ini file(s)
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 8524
2⤵
- Suspicious use of AdjustPrivilegeToken
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:3916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3916-0-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/3916-1-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/3916-2-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads