Analysis
-
max time kernel
614s -
max time network
614s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
05/01/2022, 22:16
Static task
static1
Behavioral task
behavioral1
Sample
Rasomware2.0.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
Rasomware2.0.exe
Resource
win10-en-20211208
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
Rasomware2.0.exe
Resource
win11
windows11_x64
0 signatures
0 seconds
General
-
Target
Rasomware2.0.exe
-
Size
824KB
-
MD5
7d17a868abac9de81fe79087eee31471
-
SHA1
2d3f58ea051db43964243b8aefb7279e45e7bda9
-
SHA256
1d871d84ee02630558411e47c81ef2aa8bef8f6cd8daaf594f133f545f772c26
-
SHA512
85ec6c3cf0908b306712041fc9d971d27349641245c29f126e01443dcc6ccd78530c789b15d345938c194009c890b42f7c95bc65deae1ef7372e5744651f9540
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" Rasomware2.0.exe -
Disables Task Manager via registry modification
-
Drops desktop.ini file(s) 1 IoCs
description ioc Process File created C:\Users\Admin\Downloads\desktop.ini Rasomware2.0.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper Rasomware2.0.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1992 960 WerFault.exe 26 -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe 960 Rasomware2.0.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1992 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 960 Rasomware2.0.exe Token: SeDebugPrivilege 1992 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 960 wrote to memory of 1992 960 Rasomware2.0.exe 28 PID 960 wrote to memory of 1992 960 Rasomware2.0.exe 28 PID 960 wrote to memory of 1992 960 Rasomware2.0.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\Rasomware2.0.exe"C:\Users\Admin\AppData\Local\Temp\Rasomware2.0.exe"1⤵
- Modifies WinLogon for persistence
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 960 -s 7082⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1992
-