Malware Analysis Report

2025-08-11 01:06

Sample ID 240302-tx4beseh3w
Target [email protected]
SHA256 4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966
Tags
evasion persistence ransomware
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

Threat Level: Likely malicious

The file [email protected] was found to be: Likely malicious.

Malicious Activity Summary

evasion persistence ransomware

Disables Task Manager via registry modification

Enumerates connected drives

Modifies WinLogon

Sets desktop wallpaper using registry

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 16:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 16:27

Reported

2024-03-02 16:27

Platform

win7-20240221-en

Max time kernel

4s

Max time network

5s

Command Line

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

Signatures

Disables Task Manager via registry modification

evasion

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2552 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2552 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2552 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2552 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2552 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2552 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2552 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2552 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2552 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2552 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2552 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2552 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2552 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2552 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2552 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2552 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 2552 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 2552 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 2552 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im taskmgr.exe

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic useraccount where name='Admin' set FullName='UR NEXT'

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic useraccount where name='Admin' rename 'UR NEXT'

C:\Windows\SysWOW64\shutdown.exe

shutdown /f /r /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

memory/2112-0-0x0000000074840000-0x0000000074F2E000-memory.dmp

memory/2112-1-0x0000000000DB0000-0x000000000145E000-memory.dmp

memory/2112-2-0x00000000054F0000-0x0000000005530000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\windl.bat

MD5 a9401e260d9856d1134692759d636e92
SHA1 4141d3c60173741e14f36dfe41588bb2716d2867
SHA256 b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7
SHA512 5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

memory/2112-16-0x0000000000590000-0x000000000059A000-memory.dmp

memory/2112-15-0x0000000000590000-0x000000000059A000-memory.dmp

memory/2112-17-0x00000000054F0000-0x0000000005530000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rniw.exe

MD5 9232120b6ff11d48a90069b25aa30abc
SHA1 97bb45f4076083fca037eee15d001fd284e53e47
SHA256 70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be
SHA512 b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

C:\Users\Admin\AppData\Local\Temp\v.mp4

MD5 d2774b188ab5dde3e2df5033a676a0b4
SHA1 6e8f668cba211f1c3303e4947676f2fc9e4a1bcc
SHA256 95374cf300097872a546d89306374e7cf2676f7a8b4c70274245d2dccfc79443
SHA512 3047a831ed9c8690b00763061807e98e15e9534ebc9499e3e5abb938199f9716c0e24a83a13291a8fd5b91a6598aeeef377d6793f6461fc0247ec4bbd901a131

memory/2112-31-0x0000000000B50000-0x0000000000B5A000-memory.dmp

memory/2112-30-0x0000000000B50000-0x0000000000B5A000-memory.dmp

memory/2112-29-0x0000000000B50000-0x0000000000B5A000-memory.dmp

memory/2112-28-0x0000000000B50000-0x0000000000B5A000-memory.dmp

memory/2112-27-0x0000000000B50000-0x0000000000B5A000-memory.dmp

memory/2112-26-0x000000006BA80000-0x000000006BD92000-memory.dmp

memory/2112-32-0x0000000000C10000-0x0000000000C1A000-memory.dmp

memory/2112-33-0x0000000000C20000-0x0000000000C2A000-memory.dmp

memory/2112-34-0x0000000000C20000-0x0000000000C2A000-memory.dmp

memory/2112-35-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt

MD5 9037ebf0a18a1c17537832bc73739109
SHA1 1d951dedfa4c172a1aa1aae096cfb576c1fb1d60
SHA256 38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48
SHA512 4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

C:\Users\Admin\AppData\Local\Temp\one.rtf

MD5 6fbd6ce25307749d6e0a66ebbc0264e7
SHA1 faee71e2eac4c03b96aabecde91336a6510fff60
SHA256 e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690
SHA512 35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

memory/2112-844-0x000000006BA80000-0x000000006BD92000-memory.dmp

memory/2112-846-0x0000000000C20000-0x0000000000C25000-memory.dmp

memory/2112-845-0x0000000000C10000-0x0000000000C1A000-memory.dmp

memory/2112-843-0x00000000054F0000-0x0000000005530000-memory.dmp

memory/2112-842-0x0000000074840000-0x0000000074F2E000-memory.dmp

memory/1048-841-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/2844-847-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-02 16:27

Reported

2024-03-02 16:27

Platform

win10-20240221-en

Max time kernel

2s

Max time network

12s

Command Line

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

Signatures

Disables Task Manager via registry modification

evasion

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Control Panel\Desktop\Wallpaper C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3452 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 3452 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 3452 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 3528 wrote to memory of 4380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3528 wrote to memory of 4380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3528 wrote to memory of 4380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3528 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3528 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3528 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3528 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3528 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3528 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3528 wrote to memory of 2424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3528 wrote to memory of 2424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3528 wrote to memory of 2424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im taskmgr.exe

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic useraccount where name='Admin' set FullName='UR NEXT'

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic useraccount where name='Admin' rename 'UR NEXT'

C:\Windows\SysWOW64\shutdown.exe

shutdown /f /r /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0 /state0:0xa3af5055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp

Files

memory/3452-1-0x00000000739B0000-0x000000007409E000-memory.dmp

memory/3452-0-0x0000000000590000-0x0000000000C3E000-memory.dmp

memory/3452-2-0x00000000055D0000-0x00000000055E0000-memory.dmp

memory/3452-3-0x0000000005BA0000-0x000000000609E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\windl.bat

MD5 a9401e260d9856d1134692759d636e92
SHA1 4141d3c60173741e14f36dfe41588bb2716d2867
SHA256 b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7
SHA512 5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

memory/3452-11-0x00000000055D0000-0x00000000055E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rniw.exe

MD5 9232120b6ff11d48a90069b25aa30abc
SHA1 97bb45f4076083fca037eee15d001fd284e53e47
SHA256 70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be
SHA512 b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

memory/3452-25-0x000000000C7D0000-0x000000000C808000-memory.dmp

memory/3452-28-0x000000000C7A0000-0x000000000C7B0000-memory.dmp

memory/3452-32-0x000000000C7A0000-0x000000000C7B0000-memory.dmp

memory/3452-33-0x000000000C7A0000-0x000000000C7B0000-memory.dmp

memory/3452-30-0x000000000C7A0000-0x000000000C7B0000-memory.dmp

memory/3452-34-0x000000000C7A0000-0x000000000C7B0000-memory.dmp

memory/3452-35-0x000000000CE80000-0x000000000CE90000-memory.dmp

memory/3452-36-0x000000000CE80000-0x000000000CE90000-memory.dmp

memory/3452-38-0x000000000CE80000-0x000000000CE90000-memory.dmp

memory/3452-65-0x000000000C7A0000-0x000000000C7B0000-memory.dmp

memory/3452-67-0x000000000C7A0000-0x000000000C7B0000-memory.dmp

memory/3452-66-0x000000000CE80000-0x000000000CE90000-memory.dmp

memory/3452-68-0x000000000CE80000-0x000000000CE90000-memory.dmp

C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt

MD5 9037ebf0a18a1c17537832bc73739109
SHA1 1d951dedfa4c172a1aa1aae096cfb576c1fb1d60
SHA256 38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48
SHA512 4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

memory/3452-37-0x000000000C7A0000-0x000000000C7B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 b4b0aa5dbb1a8d4a1659ddf177217734
SHA1 089e7800eddd81e178ac743b97dce407063d3b55
SHA256 a658afec3ffcdf1e0e7e9aa2aab98b9ed92f800f34dbef5f2cad0f028afa165b
SHA512 3bf2ad717b4554eb6ff29cfc88d90b3c39970dfcda7ac95802167fe64c3c36cc164e1eee16c2bafc4402c5424f4352173270960192c4b325c59416687031bab8

C:\Users\Admin\AppData\Local\Temp\one.rtf

MD5 6fbd6ce25307749d6e0a66ebbc0264e7
SHA1 faee71e2eac4c03b96aabecde91336a6510fff60
SHA256 e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690
SHA512 35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

memory/3452-862-0x00000000739B0000-0x000000007409E000-memory.dmp

memory/3452-863-0x00000000739B0000-0x000000007409E000-memory.dmp