Malware Analysis Report

2024-10-24 18:40

Sample ID 211005-pr17naaagq
Target 2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c
SHA256 2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c
Tags
28cc82fd466e0d0976a6359f264775a8 blackmatter ransomware suricata
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c

Threat Level: Known bad

The file 2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c was found to be: Known bad.

Malicious Activity Summary

28cc82fd466e0d0976a6359f264775a8 blackmatter ransomware suricata

BlackMatter Ransomware

Blackmatter family

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

Modifies extensions of user files

Enumerates connected drives

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

Modifies Control Panel

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-10-05 12:34

Signatures

Blackmatter family

blackmatter

Analysis: behavioral1

Detonation Overview

Submitted

2021-10-05 12:34

Reported

2021-10-05 12:37

Platform

win7-en-20210920

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

suricata

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\InvokeWrite.tif.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\SearchUndo.tiff | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\SearchUndo.tiff.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\TraceCopy.png.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\WaitRedo.tif => C:\Users\Admin\Pictures\WaitRedo.tif.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\InstallLock.crw => C:\Users\Admin\Pictures\InstallLock.crw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\InvokeWrite.tif => C:\Users\Admin\Pictures\InvokeWrite.tif.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\InstallLock.crw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\SearchUndo.tiff => C:\Users\Admin\Pictures\SearchUndo.tiff.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\TraceCopy.png => C:\Users\Admin\Pictures\TraceCopy.png.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\WaitRedo.tif.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\CheckpointUnpublish.tif => C:\Users\Admin\Pictures\CheckpointUnpublish.tif.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\CheckpointUnpublish.tif.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\chkvc3MvG.bmp" | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\chkvc3MvG.bmp" | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\splwow64.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\splwow64.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" | C:\Windows\splwow64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" | C:\Windows\splwow64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_Classes\Local Settings | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\splwow64.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\splwow64.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\splwow64.exe | N/A
N/A | N/A | C:\Windows\splwow64.exe | N/A
N/A | N/A | C:\Windows\splwow64.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe

"C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" /p C:\chkvc3MvG.README.txt

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | mojobiden.com | udp

Files

memory/2004-53-0x0000000076581000-0x0000000076583000-memory.dmp

memory/2004-55-0x00000000005C0000-0x00000000005C1000-memory.dmp

memory/2004-54-0x00000000005C5000-0x00000000005D6000-memory.dmp

memory/2004-56-0x00000000005D6000-0x00000000005D7000-memory.dmp

memory/1188-57-0x0000000000000000-mapping.dmp

C:\chkvc3MvG.README.txt

MD5 b920836834910a56ea82efc009b2d4ce
SHA1 a5d1b656b5ab0ab51357afe4c68619f706a9a7c2
SHA256 d6af899e20548251735c7a379d4d6067b16c4d8b42d8c5c2960576d1890058cc
SHA512 e914574fe9d28e0e90eb9ba49f085c39f8c65a458778251845ccd5b5a6a1e30d35b181a6e70c8844de0552a9e010a6b43c3f7b0472eb8e6db1a2507fc8cd01e7

memory/1712-60-0x0000000000000000-mapping.dmp

memory/1712-61-0x000007FEFBC91000-0x000007FEFBC93000-memory.dmp

C:\Users\Admin\Documents\SplitSave.xps.chkvc3MvG

MD5 0b6682ab186b136241588bcb4628b40d
SHA1 6c91c9ee01fe9b8b735716effa408c4059cda816
SHA256 11246f6ffd86336002da4367c9c583d888bdbdd3ed47df3f5ebef6f05e382859
SHA512 1de50e1b594933fdbb51475f61f94a784c2383b5d70f263f0febe934ffe2bdb4d2c6e97846d9d1d2b31c07145c54e2c1c8141bad443c59b854e85d16f52e550a

memory/1712-63-0x00000000042E0000-0x00000000042E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-10-05 12:34

Reported

2021-10-05 12:37

Platform

win10-en-20210920

Max time kernel

116s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

suricata

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\ConvertToWrite.raw.AVx2lZV2X | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\OpenExpand.raw => C:\Users\Admin\Pictures\OpenExpand.raw.AVx2lZV2X | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\OptimizeUninstall.raw => C:\Users\Admin\Pictures\OptimizeUninstall.raw.AVx2lZV2X | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\RevokeMove.raw.AVx2lZV2X | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnlockReceive.crw => C:\Users\Admin\Pictures\UnlockReceive.crw.AVx2lZV2X | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\UnlockReceive.crw.AVx2lZV2X | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\DenyRequest.tiff.AVx2lZV2X | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\OptimizeUninstall.raw.AVx2lZV2X | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\ConvertToWrite.raw => C:\Users\Admin\Pictures\ConvertToWrite.raw.AVx2lZV2X | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\DenyRequest.tiff => C:\Users\Admin\Pictures\DenyRequest.tiff.AVx2lZV2X | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\OpenExpand.raw.AVx2lZV2X | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\AddRename.raw => C:\Users\Admin\Pictures\AddRename.raw.AVx2lZV2X | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\AddRename.raw.AVx2lZV2X | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\ApproveFormat.raw => C:\Users\Admin\Pictures\ApproveFormat.raw.AVx2lZV2X | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\ApproveFormat.raw.AVx2lZV2X | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\DenyRequest.tiff | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\RevokeMove.raw => C:\Users\Admin\Pictures\RevokeMove.raw.AVx2lZV2X | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AVx2lZV2X.bmp" | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AVx2lZV2X.bmp" | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe

"C:\Users\Admin\AppData\Local\Temp\2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | mojobiden.com | udp

Files

memory/1840-116-0x0000000000690000-0x0000000000691000-memory.dmp

memory/1840-115-0x0000000000693000-0x0000000000695000-memory.dmp