Analysis Overview
SHA256
b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7
Threat Level: Known bad
The file 01.exe was found to be: Known bad.
Malicious Activity Summary
Blackmatter family
BlackMatter Ransomware
Modifies extensions of user files
Enumerates connected drives
Suspicious use of NtSetInformationThreadHideFromDebugger
Sets desktop wallpaper using registry
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Opens file in notepad (likely ransom note)
Modifies Control Panel
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-10-22 06:42
Signatures
Blackmatter family
Analysis: behavioral1
Detonation Overview
Submitted
2021-10-22 06:42
Reported
2021-10-22 06:44
Platform
win7-en-20210920
Max time kernel
70s
Max time network
92s
Command Line
Signatures
BlackMatter Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\ReadMount.tif => C:\Users\Admin\Pictures\ReadMount.tif.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UnregisterMount.crw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CompressRestart.tif.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DenyUnregister.raw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DisconnectPop.tif => C:\Users\Admin\Pictures\DisconnectPop.tif.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DisconnectPop.tif.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\EnableSuspend.png.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InitializeRepair.tiff => C:\Users\Admin\Pictures\InitializeRepair.tiff.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\AssertInstall.tif => C:\Users\Admin\Pictures\AssertInstall.tif.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DenyUnregister.raw => C:\Users\Admin\Pictures\DenyUnregister.raw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DismountSubmit.tiff => C:\Users\Admin\Pictures\DismountSubmit.tiff.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DismountSubmit.tiff.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MeasureSelect.raw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\EnableSuspend.png => C:\Users\Admin\Pictures\EnableSuspend.png.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ExpandRegister.png => C:\Users\Admin\Pictures\ExpandRegister.png.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ExpandRegister.png.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\InitializeRepair.tiff | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\InitializeRepair.tiff.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnregisterMount.crw => C:\Users\Admin\Pictures\UnregisterMount.crw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ReadMount.tif.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\AssertInstall.tif.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CompressRestart.tif => C:\Users\Admin\Pictures\CompressRestart.tif.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DismountSubmit.tiff | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MeasureSelect.raw => C:\Users\Admin\Pictures\MeasureSelect.raw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MountRegister.tif => C:\Users\Admin\Pictures\MountRegister.tif.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MountRegister.tif.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\chkvc3MvG.bmp" | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\chkvc3MvG.bmp" | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | C:\Windows\splwow64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\splwow64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\splwow64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16" | C:\Windows\splwow64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\splwow64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" | C:\Windows\splwow64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4" | C:\Windows\splwow64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} | C:\Windows\splwow64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\splwow64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Windows\splwow64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" | C:\Windows\splwow64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\splwow64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Windows\splwow64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\splwow64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_Classes\Local Settings | C:\Windows\splwow64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\splwow64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\splwow64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257" | C:\Windows\splwow64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\splwow64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" | C:\Windows\splwow64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg | C:\Windows\splwow64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\splwow64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | C:\Windows\splwow64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 | C:\Windows\splwow64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\splwow64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Windows\splwow64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\splwow64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1" | C:\Windows\splwow64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 | C:\Windows\splwow64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9} | C:\Windows\splwow64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1" | C:\Windows\splwow64.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\splwow64.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1200 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
| PID 1200 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
| PID 1200 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
| PID 1200 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
| PID 1676 wrote to memory of 1660 | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | C:\Windows\splwow64.exe |
| PID 1676 wrote to memory of 1660 | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | C:\Windows\splwow64.exe |
| PID 1676 wrote to memory of 1660 | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | C:\Windows\splwow64.exe |
| PID 1676 wrote to memory of 1660 | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\01.exe
"C:\Users\Admin\AppData\Local\Temp\01.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" /p C:\chkvc3MvG.README.txt
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
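Each "PID a wrote to memory of b" row above pairs with a parent/child relationship in the Processes list, which is what a process-creation write looks like on this sandbox, and every row is repeated four times. The chain in this run is 01.exe, then NOTEPAD.EXE launched with /p (print the note rather than display it), then splwow64.exe, the host Windows uses for 32-bit print drivers; that print path is what produces the ComDlg/BagMRU registry rows and the SetWindowsHookEx row attributed to splwow64.exe. In the win10 run notepad is the 64-bit binary, is launched without /p, and no splwow64.exe appears. The Python script below is an added example, not part of the report or of the sample: it collapses the repeated rows into unique edges, maps PIDs to images, renders the tree, and parses the child command lines to flag the /p case. The rows and command lines are a constructed subset of the win7 data above.

```python
import re
from collections import defaultdict

# Constructed sample: the WriteProcessMemory rows (description, process, target)
# and the command lines from the win7 run above. The report repeats each row.
MEM_WRITES = [
    ("PID 1200 wrote to memory of 1676",
     r"C:\Users\Admin\AppData\Local\Temp\01.exe", r"C:\Windows\SysWOW64\NOTEPAD.EXE"),
] * 4 + [
    ("PID 1676 wrote to memory of 1660",
     r"C:\Windows\SysWOW64\NOTEPAD.EXE", r"C:\Windows\splwow64.exe"),
] * 4

COMMAND_LINES = {
    r"C:\Users\Admin\AppData\Local\Temp\01.exe": r'"C:\Users\Admin\AppData\Local\Temp\01.exe"',
    r"C:\Windows\SysWOW64\NOTEPAD.EXE": r'"C:\Windows\system32\NOTEPAD.EXE" /p C:\chkvc3MvG.README.txt',
    r"C:\Windows\splwow64.exe": r"C:\Windows\splwow64.exe 12288",
}

SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\01.exe"
WRITE_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)$")


def process_edges(rows):
    """Collapse repeated memory-write rows into unique (parent, child) edges,
    in first-seen order, plus a pid -> image path map."""
    edges, images, seen = [], {}, set()
    for desc, proc, target in rows:
        m = WRITE_RE.match(desc)
        if not m:
            continue
        src, dst = int(m.group("src")), int(m.group("dst"))
        images[src], images[dst] = proc, target
        if (src, dst) not in seen:
            seen.add((src, dst))
            edges.append((src, dst))
    return edges, images


def render_tree(edges, images, root):
    """Indented text tree rooted at `root`, one process per line."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for child in children[pid]:
            walk(child, depth + 1)

    walk(root, 0)
    return "\n".join(lines)


def split_cmdline(cmd):
    """Split a Windows command line into argv, honouring double-quoted tokens."""
    return [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', cmd)]


def sample_children(edges, images, cmdlines, sample_image=SAMPLE_IMAGE):
    """For each process the sample spawned, return its switches and arguments
    and whether notepad was told to print (/p) instead of showing the file."""
    out = []
    for src, dst in edges:
        if images[src] != sample_image:
            continue
        argv = split_cmdline(cmdlines.get(images[dst], images[dst]))
        flags = [a.lower() for a in argv[1:] if a.startswith("/")]
        args = [a for a in argv[1:] if not a.startswith("/")]
        out.append({"child": images[dst], "flags": flags, "args": args,
                    "prints": "/p" in flags})
    return out


if __name__ == "__main__":
    edges, images = process_edges(MEM_WRITES)
    print(render_tree(edges, images, 1200))
    for entry in sample_children(edges, images, COMMAND_LINES):
        print(entry)
```

vssvc.exe (the Volume Shadow Copy service) is listed in both runs with no parent edge, and the report records no explicit shadow-copy deletion event, so treat it as a lead to verify on a real host rather than a confirmed action.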
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mojobiden.com | udp |
| US | 8.8.8.8:53 | nowautomation.com | udp |
Files
memory/1200-53-0x00000000751A1000-0x00000000751A3000-memory.dmp
memory/1200-54-0x00000000009E5000-0x00000000009F6000-memory.dmp
memory/1200-56-0x00000000009F6000-0x00000000009F7000-memory.dmp
memory/1200-55-0x00000000009E0000-0x00000000009E1000-memory.dmp
memory/1676-57-0x0000000000000000-mapping.dmp
C:\chkvc3MvG.README.txt
| MD5 | 2a2ac841d6b7515f4b1021b92cc5f072 |
| SHA1 | e48a7a2be20b978f71a92f12ada328bcfd0b89c6 |
| SHA256 | 9a59566d9ef3bab7faf9abc23f25aa19218d5afa2a910144acd011a78521377e |
| SHA512 | a7944a10f2721db3dbdf5c36e80aae057c5fc8e2aab22a8d50c4d4e6436a7e22313257dd934961db1fa5e506c39ca23600c9d3e96a463221c13b54651bd47579 |
memory/1660-60-0x0000000000000000-mapping.dmp
memory/1660-61-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp
memory/1660-62-0x00000000041E0000-0x00000000041E1000-memory.dmp
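One per-victim token ties the artifacts of this run together: the appended extension (.chkvc3MvG), the ransom note (chkvc3MvG.README.txt) and the wallpaper bitmap (C:\ProgramData\chkvc3MvG.bmp); the win10 run shows the same pattern with WRLMMTHME, with the note written to the Desktop instead of the drive root. The Python script below is an added example, not part of the sandbox report or of the sample. It derives the token from the "File renamed" rows, reads the wallpaper path from the registry row, checks that the note and bitmap names agree with the token, and emits hunt strings for other hosts. The event rows are a constructed subset copied from the tables above; because table order in the report is not guaranteed to be chronological, the script only checks that each renamed file was also opened for modification under its new name, not in which order that happened.

```python
import re
from collections import Counter

# Constructed sample: (description, indicator) rows copied from the win7 run above.
FILE_EVENTS = [
    ("File renamed", r"C:\Users\Admin\Pictures\ReadMount.tif => C:\Users\Admin\Pictures\ReadMount.tif.chkvc3MvG"),
    ("File opened for modification", r"C:\Users\Admin\Pictures\ReadMount.tif.chkvc3MvG"),
    ("File renamed", r"C:\Users\Admin\Pictures\InitializeRepair.tiff => C:\Users\Admin\Pictures\InitializeRepair.tiff.chkvc3MvG"),
    ("File opened for modification", r"C:\Users\Admin\Pictures\InitializeRepair.tiff"),
    ("File opened for modification", r"C:\Users\Admin\Pictures\InitializeRepair.tiff.chkvc3MvG"),
    ("File renamed", r"C:\Users\Admin\Pictures\EnableSuspend.png => C:\Users\Admin\Pictures\EnableSuspend.png.chkvc3MvG"),
    ("File opened for modification", r"C:\Users\Admin\Pictures\EnableSuspend.png.chkvc3MvG"),
]

# Constructed sample: the registry rows, with the doubled backslashes as printed in the report.
REG_EVENTS = [
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\chkvc3MvG.bmp"'),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop\WallpaperStyle = "10"'),
]

NOTE_PATHS = [r"C:\chkvc3MvG.README.txt"]

RENAME_RE = re.compile(r"^(?P<old>.+?) => (?P<new>.+)$")
WALLPAPER_RE = re.compile(r'\\Control Panel\\Desktop\\WallPaper = "(?P<path>.*)"$', re.IGNORECASE)


def appended_extension(events):
    """Token the sample appends, derived from 'File renamed' rows: the new name
    must be the old name plus '.<token>'; the most common token wins."""
    tokens = Counter()
    for desc, ind in events:
        if desc != "File renamed":
            continue
        m = RENAME_RE.match(ind)
        if m and m.group("new").startswith(m.group("old") + "."):
            tokens[m.group("new")[len(m.group("old")) + 1:]] += 1
    return tokens.most_common(1)[0][0] if tokens else None


def wallpaper_path(events):
    """Path written to HKCU\\Control Panel\\Desktop\\WallPaper, with the
    report's doubled backslashes collapsed to single ones."""
    for _desc, ind in events:
        m = WALLPAPER_RE.search(ind)
        if m:
            return m.group("path").replace("\\\\", "\\")
    return None


def renamed_and_written(events):
    """Map each original file to whether its renamed copy was also opened for
    modification (co-occurrence only; the report's row order is not a timeline)."""
    renamed, opened = {}, set()
    for desc, ind in events:
        if desc == "File renamed":
            m = RENAME_RE.match(ind)
            if m:
                renamed[m.group("old")] = m.group("new")
        elif desc == "File opened for modification":
            opened.add(ind)
    return {old: new in opened for old, new in renamed.items()}


def artifact_consistency(ext, wallpaper, notes):
    """Check the naming seen in both runs: extension, note prefix and wallpaper
    bitmap share one token."""
    basename = lambda p: p.rsplit("\\", 1)[-1]
    return {
        "wallpaper_matches": wallpaper is not None and basename(wallpaper) == f"{ext}.bmp",
        "note_matches": any(basename(p) == f"{ext}.README.txt" for p in notes),
    }


def hunt_terms(ext):
    """Strings to search for on other hosts once the token is known; these
    follow only the naming observed in the report."""
    return [f"*.{ext}", f"{ext}.README.txt", f"{ext}.bmp"]


if __name__ == "__main__":
    ext = appended_extension(FILE_EVENTS)
    wp = wallpaper_path(REG_EVENTS)
    print("token:", ext)
    print("wallpaper:", wp)
    print("renamed and written:", renamed_and_written(FILE_EVENTS))
    print("consistency:", artifact_consistency(ext, wp, NOTE_PATHS))
    print("hunt terms:", hunt_terms(ext))
```

Both observed tokens (chkvc3MvG and WRLMMTHME) are nine alphanumeric characters, so any one of the three artifacts found on a host yields the other two names to search for.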
Analysis: behavioral2
Detonation Overview
Submitted
2021-10-22 06:42
Reported
2021-10-22 06:45
Platform
win10-en-20211014
Max time kernel
109s
Max time network
126s
Command Line
Signatures
BlackMatter Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\LimitImport.tif => C:\Users\Admin\Pictures\LimitImport.tif.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RegisterLock.tiff => C:\Users\Admin\Pictures\RegisterLock.tiff.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SplitStop.png.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\StepRequest.tiff => C:\Users\Admin\Pictures\StepRequest.tiff.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ApproveEnter.png.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SelectReset.tiff | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SelectReset.tiff.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SplitWrite.raw => C:\Users\Admin\Pictures\SplitWrite.raw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SplitWrite.raw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RegisterLock.tiff.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ClearEnable.tiff.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\InstallTest.raw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ResolveTrace.crw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\StepRequest.tiff.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SubmitInstall.crw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ApproveEnter.png => C:\Users\Admin\Pictures\ApproveEnter.png.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RegisterLock.tiff | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\GroupBackup.raw => C:\Users\Admin\Pictures\GroupBackup.raw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InstallTest.raw => C:\Users\Admin\Pictures\InstallTest.raw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\LimitImport.tif.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResolveTrace.crw => C:\Users\Admin\Pictures\ResolveTrace.crw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SelectReset.tiff => C:\Users\Admin\Pictures\SelectReset.tiff.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SplitStop.png => C:\Users\Admin\Pictures\SplitStop.png.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\StepRequest.tiff | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\GroupBackup.raw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SubmitInstall.crw => C:\Users\Admin\Pictures\SubmitInstall.crw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WriteExit.raw => C:\Users\Admin\Pictures\WriteExit.raw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CloseUnpublish.tif => C:\Users\Admin\Pictures\CloseUnpublish.tif.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ClearEnable.tiff => C:\Users\Admin\Pictures\ClearEnable.tiff.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CloseUnpublish.tif.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\WriteExit.raw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ClearEnable.tiff | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\WRLMMTHME.bmp" | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\WRLMMTHME.bmp" | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\01.exe
"C:\Users\Admin\AppData\Local\Temp\01.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WRLMMTHME.README.txt
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| IE | 52.109.76.32:443 | | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
| US | 8.8.8.8:53 | mojobiden.com | udp |
| US | 8.8.8.8:53 | nowautomation.com | udp |
| US | 8.8.8.8:53 | mojobiden.com | udp |
| US | 8.8.8.8:53 | nowautomation.com | udp |
| US | 8.8.8.8:53 | sv.symcb.com | udp |
| US | 93.184.220.29:80 | sv.symcb.com | tcp |
The DNS queries for mojobiden.com and nowautomation.com are the only network activity present in both runs. The time.windows.com lookups and the 123/udp connection are NTP, sv.symcb.com is a certificate revocation (CRL) host, and the 52.109.76.32:443 connection has no domain recorded in the report.
Files
memory/3380-115-0x0000000002553000-0x0000000002555000-memory.dmp
memory/3380-116-0x0000000002550000-0x0000000002551000-memory.dmp
C:\Users\Admin\Desktop\WRLMMTHME.README.txt
| MD5 | 2a2ac841d6b7515f4b1021b92cc5f072 |
| SHA1 | e48a7a2be20b978f71a92f12ada328bcfd0b89c6 |
| SHA256 | 9a59566d9ef3bab7faf9abc23f25aa19218d5afa2a910144acd011a78521377e |
| SHA512 | a7944a10f2721db3dbdf5c36e80aae057c5fc8e2aab22a8d50c4d4e6436a7e22313257dd934961db1fa5e506c39ca23600c9d3e96a463221c13b54651bd47579 |