Malware Analysis Report

2025-01-03 08:34

Sample ID 240611-bd377sycpj
Target 9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e
SHA256 9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e
Tags ransomware
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e

Threat Level: Known bad

The file 9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e was found to be: Known bad.

Malicious Activity Summary

ransomware

Detects executables built or packed with MPress PE compressor

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-11 01:02

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-11 01:02
Reported 2024-06-11 01:05
Platform win7-20240221-en
Max time kernel 140s
Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe"

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX13E6.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\DVD Maker\DVDMaker.exe C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX1419.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX1367.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX141B.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX1441.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX1343.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mip.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX141C.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\readme.1xt C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX142F.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX142E.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome_proxy.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\7-Zip\7zFM.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX13D5.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\DVD Maker\DVDMaker.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX1455.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX1342.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX1366.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX1453.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX1418.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX141A.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX1442.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX1364.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX1417.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX1430.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX1431.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX1365.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX1454.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\7-Zip\7z.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\windows\readme.1xt C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\windows\WallPapers.jpg C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Desktop\General C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperSource = "C:\\windows\\WallPapers.jpg" C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe

"C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 964

Network

N/A

Files

memory/860-0-0x0000000000400000-0x0000000000474000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

MD5 0d472c9720e55e9c249207de6c69722c
SHA1 7244426a440a268cb37b49005812b8f20f052776
SHA256 bc1d3cfb69f97bc930af3af7be8601e60eb1cc78516aa844e41c65e51c316de3
SHA512 f77bf33604691e0f21f1f3548187153495aad5cd5beb80b409ff50c71502e5303ddb7d64b652edc5b4177bf88e8cee0df914f91b9532b9b1116af32050291cca

C:\Program Files\7-Zip\7z.exe

MD5 737a4f0ffbc57f06a0c2a141893f35bb
SHA1 8b914286c7b89cf54bc8be600aa3d95b85d77716
SHA256 6a891e292008c96b42a3a9ef58e44bac3237a7f27b928871f70f901c3a0f550f
SHA512 2e0c81188da4b38bc2fb048932103ab8410c7c48cf86a2fce07daf871ae4724d42fc86a823a2873c52f9404c58859b65c7058bd9fe3ef2ed024846d13a9830de

C:\Program Files\7-Zip\7z.cab

MD5 9a1dd1d96481d61934dcc2d568971d06
SHA1 f136ef9bf8bd2fc753292fb5b7cf173a22675fb3
SHA256 8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525
SHA512 7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

C:\Program Files\7-Zip\7zFM.cab

MD5 30ac0b832d75598fb3ec37b6f2a8c86a
SHA1 6f47dbfd6ff36df7ba581a4cef024da527dc3046
SHA256 1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74
SHA512 505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX13D5.tmp

MD5 32e2cae7e76918b070f8c32616ab6bd5
SHA1 0aa207dea9e3cf5669b6f486cf9c660825b4f4b9
SHA256 58f07057ad332b7ce92d297fccb1636e5c6a1bd5b7b770adaee6b5a09a0b2e79
SHA512 7d2f860072871e603d389bb81222168050819d25c5de1176beb8520159aae0a40526aec7c40cf9f26e09a85bfa3f72e6426887bd9f927c1756261a52acc09845

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.cab

MD5 f45a7db6aec433fd579774dfdb3eaa89
SHA1 2f8773cc2b720143776a0909d19b98c4954b39cc
SHA256 2bc2372cfabd26933bc4012046e66a5d2efc9554c0835d1a0aa012d3bd1a6f9a
SHA512 03a4b7c53373ff6308a0292bb84981dc1566923e93669bbb11cb03d9f58a8d477a1a2399aac5059f477bbf1cf14b17817d208bc7c496b8675ece83cdabec5662

C:\Program Files\Google\Chrome\Application\chrome.cab

MD5 095092f4e746810c5829038d48afd55a
SHA1 246eb3d41194dddc826049bbafeb6fc522ec044a
SHA256 2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588
SHA512 7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

C:\Program Files\Google\Chrome\Application\chrome.exe

MD5 98df0a4866678a453d77ab781e087ab8
SHA1 94849175dc50d38c79a7cc8d6e0f37a05e00003c
SHA256 4b40ae07443a6fccaf8aef78dc91b9b17b1b6f497e205856a842c252bf6540d0
SHA512 1bc2704092f1800b9a9d1d72ee81d1a2d0ded5216364f528d7d3bef4c7bd6eda006e46f5a106cefd56b6ee8966f46931ac4c383e4f923c9276779c412a009504

C:\Program Files\Google\Chrome\Application\chrome_proxy.cab

MD5 b65d7344b0a7faa207d2e1a7adaafb60
SHA1 755ad15b1745b0e730d658d4a92e2b754425b7db
SHA256 f4b91fbbcba8a46eefe4965e4a24c6ede3decbd1fec96e141a1953173efd1c92
SHA512 f17ac73c2df7c73a31b11ce0f533d6db91bdb0cdeea653dcd52ac72c3cf28da0c236b79586ddc7a6c825fdd171290722f888465e776f12ac2cae75be82726b22

C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.cab

MD5 527e039ba9add8a7fac3a6bc30a6d476
SHA1 729a329265eda72cada039c1941e7c672addfc19
SHA256 4b8a72fc81b733ed2e6e70d4c5401f954002783dbf14927849ad579860780b94
SHA512 9e73e14e33a5f07a87e9c1fecfdaee09d1408471052aacfde3d1e877dad4d253b525ebefca6bddabc23cf81d8dcce0785aedcc2f135d171ecbb1feaeb922c449

memory/860-219-0x0000000000400000-0x0000000000474000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-11 01:02
Reported 2024-06-11 01:05
Platform win10v2004-20240508-en
Max time kernel 147s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe"

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\windows\\WallPapers.jpg" C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\RCX4732.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX4720.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX470C.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX471E.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX46FC.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX471F.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\RCX4731.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\7-Zip\7z.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\7-Zip\7zFM.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.cab C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX470D.tmp C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\Program Files\readme.1xt C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\windows\readme.1xt C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
File created C:\windows\WallPapers.jpg C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Desktop\General C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\WallpaperSource = "C:\\windows\\WallPapers.jpg" C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe

"C:\Users\Admin\AppData\Local\Temp\9aca8535911d5dd9010f11360ac3b6e8df1d86fe4fc67b17930c5ea8b1d96d0e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1988 -ip 1988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 728

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp

Files

memory/1988-0-0x0000000000400000-0x0000000000474000-memory.dmp

C:\Program Files\7-Zip\7zFM.exe

MD5 32acb9d3929e3d6683c5d0c310cd9eba
SHA1 70b5afd144758cee639263bdcaa4acb6161d6665
SHA256 65cc7c2004e961f47b0f04f15194882b73d583c9e6d411f03d712dfc41dd04a5
SHA512 ae93cb345f64d31e2b2828559d373405292e62a6082de7ced6287d83d86167c7c204bafe651255852525ddbecf7c4d3db0d85fff9f678a066e3ea8b89065a81a

C:\Program Files\7-Zip\7z.cab

MD5 9a1dd1d96481d61934dcc2d568971d06
SHA1 f136ef9bf8bd2fc753292fb5b7cf173a22675fb3
SHA256 8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525
SHA512 7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

C:\Program Files\7-Zip\7z.exe

MD5 76c977787097a5e35566186a2f15ec6d
SHA1 71e5cc0ce1e35ccebf6d7e3185b6a7c3c27746ff
SHA256 03c7994fa1e54ad12ad88404bfb26670430dbb8fe90a99bf8ee4af62f5385bb9
SHA512 80b4f1ad2f705238d102272f68d00d8c344e3203b310bf3849f8073a8578120438a4ec251b59838bf916929b697da9461c63baa8cf8a3cd62e9c24e69f6c217d

C:\Program Files\7-Zip\7zFM.cab

MD5 30ac0b832d75598fb3ec37b6f2a8c86a
SHA1 6f47dbfd6ff36df7ba581a4cef024da527dc3046
SHA256 1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74
SHA512 505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.cab

MD5 b8d69fa2755c3ab1f12f8866a8e2a4f7
SHA1 8e3cdfb20e158c2906323ba0094a18c7dd2aaf2d
SHA256 7e0976036431640ae1d9f1c0b52bcea5dd37ef86cd3f5304dc8a96459d9483cd
SHA512 5acac46068b331216978500f67a7fa5257bc5b05133fab6d88280b670ae4885ef2d5d1f531169b66bf1952e082f56b1ad2bc3901479b740f96c53ea405adda18

memory/1988-68-0x0000000000400000-0x0000000000474000-memory.dmp