Malware Analysis Report

2024-09-23 05:03

Sample ID 240613-fet35svcqf
Target 023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f
SHA256 023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f
Tags ransomware
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f

Threat Level: Known bad

The file 023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f was found to be: Known bad.

Malicious Activity Summary

ransomware

Renames multiple (153) files with added filename extension

Renames multiple (142) files with added filename extension

Loads dropped DLL

Deletes itself

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Enumerates physical storage devices

Unsigned PE

Program crash

Modifies Control Panel

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 04:47

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 04:47

Reported

2024-06-13 04:50

Platform

win7-20240611-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe"

Signatures

Renames multiple (153) files with added filename extension

ransomware

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\9E52.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\9E52.tmp | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-39690363-730359138-1046745555-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-39690363-730359138-1046745555-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\B4WORB8uq.bmp" | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\B4WORB8uq.bmp" | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\B4WORB8uq\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\B4WORB8uq | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\B4WORB8uq\DefaultIcon\ = "C:\\ProgramData\\B4WORB8uq.ico" | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.B4WORB8uq | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.B4WORB8uq\ = "B4WORB8uq" | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe

"C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\ProgramData\9E52.tmp

"C:\ProgramData\9E52.tmp"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x150

Network

N/A

Files

memory/2436-3-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2436-2-0x0000000000220000-0x0000000000249000-memory.dmp

memory/2436-1-0x0000000001C90000-0x0000000001D90000-memory.dmp

memory/2436-5-0x0000000000400000-0x0000000001BD5000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-39690363-730359138-1046745555-1000\desktop.ini

MD5 946c346dd66f378d167acf9979d2d110
SHA1 d8928d40899b51ab7b2f7059180061ad6695e264
SHA256 e038279915665f41c095602757a277e83248b1bc113ba9b7d11ec1e171c5531e
SHA512 3840a9167c83c6cb84f0ef37608d09b5fcd0afec982bbeee8e8d613f1c52babcbe9477102bfabe85281e7e13e0f6f0e3a17f71b4afb374f914e82d9be0e8095c

F:\$RECYCLE.BIN\S-1-5-21-39690363-730359138-1046745555-1000\DDDDDDDDDDD

MD5 9a9f428151edf273ad044445078da19b
SHA1 bafc43c84c18b95cc32d09b937ad8ca820054a8b
SHA256 509da34a85e4e5e3ec199559ff9faa9b2ec15a3a2e85a4fc9e97859a4b59d7c9
SHA512 13909be8d7138cdde7424492e29001ae657ce93b5b1c0ee7d5a7b980b33df2c52a334b81ed5d1e561651fef661889b1c66556ca5b184c33ddc7e52686cb3ef33

memory/2436-65-0x0000000000400000-0x0000000001BD5000-memory.dmp

C:\B4WORB8uq.README.txt

MD5 7f57737c3f0eee4e563b8d606b7ec0c7
SHA1 a6b97230bc0d9f3c53d58f47c435cfafc9cb9053
SHA256 54bfd21c3afca896238e8380f85624d2fb9bdd05ede229da83552853ffb6db80
SHA512 8413bec5783e562202c67511735c5ecf15c7ee038147a8e048293f2e33ee698b6603a169c3f9d0aaf24eab23d5630237df78328f19679154e1753e42b2e16cdb

memory/2436-282-0x0000000000400000-0x0000000001BD5000-memory.dmp

\ProgramData\9E52.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2436-292-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2996-294-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2436-295-0x0000000000400000-0x0000000001BD5000-memory.dmp

memory/2436-293-0x0000000001C90000-0x0000000001D90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 6b80ab69d250fbf199158ed75191bc0a
SHA1 50c9925600a45cd7da5ce14c233e8d716a5b6080
SHA256 988b3eccba89b7e0db7786792a154aff59f28f3253afe65545078030e4801bff
SHA512 22091619371a1ca041a09f157068f5f7e0cfd4d5fc1f664610e0aa6627ea0478415ea63780d3a546903f476a0c8731f52757da838a057b2cf270f2afbfb3165b

memory/2996-324-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2996-325-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 04:47

Reported

2024-06-13 04:50

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe"

Signatures

Renames multiple (142) files with added filename extension

ransomware

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\ProgramData\6273.tmp | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\6273.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\6273.tmp | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\B4WORB8uq.bmp" | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\B4WORB8uq.bmp" | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.B4WORB8uq | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.B4WORB8uq\ = "B4WORB8uq" | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\B4WORB8uq\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\B4WORB8uq | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\B4WORB8uq\DefaultIcon\ = "C:\\ProgramData\\B4WORB8uq.ico" | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe | N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe

"C:\Users\Admin\AppData\Local\Temp\023d28cc44088b151ce1bf8cd2295087162174efa0bd5feaef7f9aaeb61e2b0f.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\ProgramData\6273.tmp

"C:\ProgramData\6273.tmp"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2980 -ip 2980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 1228

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6273.tmp >> NUL

Network

Files

memory/2980-1-0x0000000001F80000-0x0000000002080000-memory.dmp

memory/2980-3-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2980-2-0x0000000001D30000-0x0000000001D59000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\EEEEEEEEEEE

MD5 335c1551429f4f2a42550a0accfcfdbd
SHA1 ac08b3425e755828b4afa062c0bd3b47def6fc3d
SHA256 0f7d3183e5f5cd1735c8749b4698e41a5a39ce477dc6e95c9dad005923fda414
SHA512 20fd9974bb906bd06865cad1bbdc13f002a5ca2b488d4ef9d20e806242a7147bd69b9211d78fa1fb90319a453333c9e185a365ec5ed3ed0023d138166c790bd1

F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\DDDDDDDDDDD

MD5 03dec7b7de3c91c48ec337ad42d02ada
SHA1 27de1a92345154c2d7f160e10c5ad2f21dee5c4b
SHA256 603fcd0c9f2a35ea84c422d134a3a3b26dc7d15687dfa4ac45d9e98eac635d41
SHA512 b1aa25479f0a580b6bce3b162bc033875a656f87fe390d8be14123125b7a75b569c60ce000954a18fbff38d6fbb2af9442f5684b15b11e668a5a494413022379

memory/2980-87-0x0000000000400000-0x0000000001BD5000-memory.dmp

memory/2980-88-0x0000000000400000-0x0000000001BD5000-memory.dmp

C:\Users\B4WORB8uq.README.txt

MD5 69910a075267b6991993a9c7fa46ca9d
SHA1 d27701986d32a86e32b2e93e16136e41554adfa5
SHA256 1c201cb33c6ac9a4004e24cce90fad69175612df15a4b6a0505336cb3f1531b7
SHA512 e24fc5c7aa9b889337e63688bfeefd4993e452b9541d675d93d5a79a4d733e0ac1d16d412f5ccde6fb7fda1cc77ddcfd2805b69b408957f5257f00c51d091369

C:\ProgramData\6273.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/4368-299-0x0000000000400000-0x0000000000407000-memory.dmp

memory/4368-300-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2980-301-0x0000000000400000-0x0000000001BD5000-memory.dmp

memory/2980-302-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 1cf67c9b4850635d30ac5a4e5250d0b9
SHA1 e1380d83e77858962c51d65118457df549dddabe
SHA256 7abfbcad4eab6a4ed707f882dc4c7a89622e2b8da56a79ceed31dac345f152a1
SHA512 b8578f55d52f2a119a05e13de417a37a7e8a6a9454a9540b25b0ea1c9cb75eb3dda9ccfe6110fd200e44704c79029f55f43b9fb4e5d73974bc42b54f7bf358ea

memory/4368-331-0x0000000000400000-0x0000000000407000-memory.dmp

memory/4368-334-0x0000000000400000-0x0000000000407000-memory.dmp