Malware Analysis Report

2025-01-19 04:33

Sample ID 240810-qlcsjs1ckp
Target lolhahahackerwowohnoo.zip
SHA256 0dd46341ec484a9634677c19ce94f04287f2f288c7bf4b751e0ca28a569986a2
Tags
execution ransomware
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

0dd46341ec484a9634677c19ce94f04287f2f288c7bf4b751e0ca28a569986a2

Threat Level: Likely malicious

The file lolhahahackerwowohnoo.zip was found to be: Likely malicious. Note that the ransomware tag is driven solely by the "Sets desktop wallpaper using registry" signature in behavioral2; none of the three runs records file encryption, a ransom note or shadow-copy deletion. The observed actions are a batch file (hello.bat) that changes the wallpaper to wowcoolfile.png, shows five msg.exe pop-ups separated by timeout.exe delays, and downloads a Linux Mint ISO from mirrors.cicku.me with PowerShell.

Malicious Activity Summary

execution ransomware

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Sets desktop wallpaper using registry

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-10 13:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-10 13:20

Reported

2024-08-10 13:50

Platform

win10v2004-20240802-en

Max time kernel

1358s

Max time network

1151s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\lolhahahackerwowohnoo.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\lolhahahackerwowohnoo.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-10 13:20

Reported

2024-08-10 13:50

Platform

win10v2004-20240802-en

Max time kernel

1359s

Max time network

1801s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lolhahahackerwowohnoo\hello.bat"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lolhahahackerwowohnoo\\wowcoolfile.png" C:\Windows\system32\reg.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 380 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 380 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 4968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3036 wrote to memory of 4968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3036 wrote to memory of 220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3036 wrote to memory of 220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3036 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 3036 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 3036 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3036 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3036 wrote to memory of 3608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 3036 wrote to memory of 3608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 3036 wrote to memory of 3680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3036 wrote to memory of 3680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3036 wrote to memory of 4740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 3036 wrote to memory of 4740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 3036 wrote to memory of 2888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3036 wrote to memory of 2888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3036 wrote to memory of 5080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 3036 wrote to memory of 5080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 3036 wrote to memory of 4008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3036 wrote to memory of 4008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3036 wrote to memory of 1468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 3036 wrote to memory of 1468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 3036 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3036 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3036 wrote to memory of 4292 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 4292 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lolhahahackerwowohnoo\hello.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Add-Type -TypeDefinition @'

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\lolhahahackerwowohnoo\wowcoolfile.png" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\msg.exe

msg * "Error 404: Productivity not found. Did you try turning it off and on again?"

C:\Windows\system32\timeout.exe

timeout /t 4 /nobreak

C:\Windows\system32\msg.exe

msg * "Error 500: Coffee is empty. Time to panic"

C:\Windows\system32\timeout.exe

timeout /t 4 /nobreak

C:\Windows\system32\msg.exe

msg * "Error 403: Access to Netflix denied. Go outside for a change"

C:\Windows\system32\timeout.exe

timeout /t 4 /nobreak

C:\Windows\system32\msg.exe

msg * "Error 301: Memes not loading. Did you check your WiFi connection?"

C:\Windows\system32\timeout.exe

timeout /t 4 /nobreak

C:\Windows\system32\msg.exe

msg * "Error 999: The 'Enter' key is broken. Please perform a ritual dance to fix it."

C:\Windows\system32\timeout.exe

timeout /t 4 /nobreak

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Invoke-WebRequest -Uri 'https://mirrors.cicku.me/linuxmint/iso/stable/22/linuxmint-22-cinnamon-64bit.iso' -OutFile 'C:\Users\Admin\AppData\Local\Temp\lolhahahackerwowohnoo\linuxmint-22-cinnamon-64bit.iso'"
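The process list above is the whole story of the sample: cmd.exe (PID 3036) runs hello.bat, which spawns reg.exe, rundll32.exe, msg.exe, timeout.exe and powershell.exe in sequence. The script below is an added example, not part of the sandbox report, that reconstructs that tree from process-creation events and applies the checks behind the report's signatures (wallpaper write plus the UpdatePerUserSystemParameters refresh, a PowerShell download with -OutFile, a timeout.exe delay loop, and msg.exe broadcasts). The events are constructed from the report's Processes and WriteProcessMemory tables; the PIDs are the report's, while cmd.exe's own parent PID (1000) is an assumption.

```python
"""Reconstruct the behavioral2 process tree and flag the steps behind the
report's signatures.  Added example, not part of the sandbox report.  Events
are constructed from the Processes / WriteProcessMemory tables; PIDs are the
report's, cmd.exe's parent PID 1000 is assumed."""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYS = r"C:\Windows\system32"
TMP = r"C:\Users\Admin\AppData\Local\Temp\lolhahahackerwowohnoo"
URL = "https://mirrors.cicku.me/linuxmint/iso/stable/22/linuxmint-22-cinnamon-64bit.iso"

# Constructed process-creation events: (pid, parent pid, image, command line).
EVENTS = [
    (3036, 1000, SYS + r"\cmd.exe", SYS + r'\cmd.exe /c "' + TMP + r'\hello.bat"'),
    (380, 3036, PS, """powershell -command "Add-Type -TypeDefinition @'"""),
    (4968, 3036, SYS + r"\reg.exe",
     r'reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "' + TMP + r'\wowcoolfile.png" /f'),
    (220, 3036, SYS + r"\rundll32.exe", "RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters"),
    (2516, 3036, SYS + r"\msg.exe", 'msg * "Error 404: Productivity not found. Did you try turning it off and on again?"'),
    (2084, 3036, SYS + r"\timeout.exe", "timeout /t 4 /nobreak"),
    (3608, 3036, SYS + r"\msg.exe", 'msg * "Error 500: Coffee is empty. Time to panic"'),
    (3680, 3036, SYS + r"\timeout.exe", "timeout /t 4 /nobreak"),
    (4740, 3036, SYS + r"\msg.exe", 'msg * "Error 403: Access to Netflix denied. Go outside for a change"'),
    (2888, 3036, SYS + r"\timeout.exe", "timeout /t 4 /nobreak"),
    (5080, 3036, SYS + r"\msg.exe", 'msg * "Error 301: Memes not loading. Did you check your WiFi connection?"'),
    (4008, 3036, SYS + r"\timeout.exe", "timeout /t 4 /nobreak"),
    (1468, 3036, SYS + r"\msg.exe", 'msg * "Error 999: The \'Enter\' key is broken. Please perform a ritual dance to fix it."'),
    (1916, 3036, SYS + r"\timeout.exe", "timeout /t 4 /nobreak"),
    (4292, 3036, PS, 'powershell -command "Invoke-WebRequest -Uri \'' + URL + '\' -OutFile \''
     + TMP + '\\linuxmint-22-cinnamon-64bit.iso\'"'),
]

# Detection rules, mirroring the report's signatures.
WALLPAPER_RE = re.compile(r"control panel\\desktop.*\bwallpaper\b", re.I)   # reg write of the wallpaper value
REFRESH_RE = re.compile(r"user32(\.dll)?\s*,\s*updateperusersystemparameters", re.I)  # forces the new wallpaper
DOWNLOAD_RE = re.compile(r"\b(invoke-webrequest|iwr|start-bitstransfer|curl|wget)\b.*?(-outfile|-destination)", re.I)
TIMEOUT_RE = re.compile(r"^timeout(\.exe)?\s+/t\s+\d+", re.I)
POPUP_RE = re.compile(r"^msg(\.exe)?\s+\*", re.I)                           # msg * broadcasts to every session
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)


def children_of(events, root_pid):
    """Direct children of root_pid, in the order the sandbox recorded them."""
    return [e for e in events if e[1] == root_pid]


def triage(events, root_pid=3036):
    """Return (finding, pid, detail) tuples for the children of root_pid."""
    findings, wallpaper, delays, popups = [], None, [], []
    for pid, _ppid, image, cmd in children_of(events, root_pid):
        name = image.rsplit("\\", 1)[-1].lower()
        if name == "reg.exe" and WALLPAPER_RE.search(cmd):
            m = re.search(r'/d\s+"([^"]+)"', cmd)
            wallpaper = m.group(1) if m else cmd
            findings.append(("wallpaper_set", pid, wallpaper))
        elif name == "rundll32.exe" and REFRESH_RE.search(cmd) and wallpaper:
            findings.append(("wallpaper_applied", pid, wallpaper))
        elif name == "powershell.exe" and DOWNLOAD_RE.search(cmd):
            m = URL_RE.search(cmd)
            findings.append(("download", pid, m.group(0) if m else None))
        elif name == "timeout.exe" and TIMEOUT_RE.match(cmd):
            delays.append(pid)
        elif name == "msg.exe" and POPUP_RE.match(cmd):
            popups.append(pid)
    if len(delays) >= 3:          # repeated sleeps: the "Delays execution with timeout.exe" signature
        findings.append(("delay_loop", delays[0], len(delays)))
    if popups:
        findings.append(("popups", popups[0], len(popups)))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in triage(EVENTS):
        print(f"{kind:18} pid={pid:<5} {detail}")
```

The rules key on command-line content rather than image name alone, so a renamed reg.exe or a different downloader cmdlet still trips the wallpaper and download checks; the truncated Add-Type invocation (PID 380) is deliberately not flagged, because the report does not show what it compiled.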

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 mirrors.cicku.me udp
US 104.18.129.116:443 mirrors.cicku.me tcp
US 8.8.8.8:53 116.129.18.104.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp
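Most rows in this table are sandbox background rather than sample activity: the in-addr.arpa entries are reverse lookups the sandbox performs on every address it sees, and g.bing.com / tse1.mm.bing.net appear in behavioral1 as well, where Explorer merely opened the zip and nothing ran. The only connection introduced by hello.bat is the one to mirrors.cicku.me, which matches the Invoke-WebRequest URL in the process list. The script below is an added example, not part of the report, that automates that reasoning by baselining against the control run and cross-referencing the survivors with URLs from the command lines. The rows are copied from the report's Network tables (a representative subset, as constructed input).

```python
"""Separate sample-driven network activity from sandbox noise.  Added example,
not part of the report.  Rows are a subset copied from the report's Network
tables; behavioral1 (Explorer opened the zip, nothing executed) serves as the
baseline for behavioral2 (hello.bat executed)."""
import re

# (country, destination, domain, proto) rows copied from the report.
BEHAVIORAL1 = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
]
BEHAVIORAL2 = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "13.107.21.237:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "237.21.107.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "mirrors.cicku.me", "udp"),
    ("US", "104.18.129.116:443", "mirrors.cicku.me", "tcp"),
    ("US", "8.8.8.8:53", "116.129.18.104.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp"),
]
# Command lines from the behavioral2 Processes list that carry a URL.
COMMAND_LINES = [
    "powershell -command \"Invoke-WebRequest -Uri "
    "'https://mirrors.cicku.me/linuxmint/iso/stable/22/linuxmint-22-cinnamon-64bit.iso' "
    "-OutFile 'C:\\Users\\Admin\\AppData\\Local\\Temp\\lolhahahackerwowohnoo\\linuxmint-22-cinnamon-64bit.iso'\"",
]

PTR_RE = re.compile(r"\.(in-addr|ip6)\.arpa$", re.I)
URL_HOST_RE = re.compile(r"https?://([^/\s'\"]+)", re.I)


def is_ptr(domain):
    """Reverse-DNS lookups are sandbox instrumentation, never sample intent."""
    return bool(PTR_RE.search(domain))


def baseline_domains(rows):
    """Forward-lookup domains seen in a run where the sample did not execute."""
    return {d.lower() for _, _, d, _ in rows if not is_ptr(d)}


def sample_rows(rows, baseline):
    """Rows that are neither PTR noise nor present in the baseline run."""
    return [r for r in rows if not is_ptr(r[2]) and r[2].lower() not in baseline]


def hosts_in_commands(cmds):
    """Hostnames embedded in URLs on the recorded command lines."""
    return {m.group(1).lower() for c in cmds for m in URL_HOST_RE.finditer(c)}


def attribute(rows, baseline_rows, cmds):
    """Surviving rows, each marked with whether a command line names its host."""
    hosts = hosts_in_commands(cmds)
    return [
        {"destination": dst, "domain": dom, "proto": proto,
         "attributed_to_command": dom.lower() in hosts}
        for _c, dst, dom, proto in sample_rows(rows, baseline_domains(baseline_rows))
    ]


if __name__ == "__main__":
    for r in attribute(BEHAVIORAL2, BEHAVIORAL1, COMMAND_LINES):
        flag = "command-line match" if r["attributed_to_command"] else "unexplained"
        print(f'{r["destination"]:22} {r["domain"]:20} {r["proto"]}  {flag}')
```

Baselining on the control run is only as good as that run's coverage; a domain the sample happens to share with Windows telemetry would be suppressed, so keep the suppressed list visible rather than discarding it.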

Files

memory/380-0-0x00007FFF8B313000-0x00007FFF8B315000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cofxcg5t.nb4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/380-10-0x0000024C2D760000-0x0000024C2D782000-memory.dmp

memory/380-11-0x00007FFF8B310000-0x00007FFF8BDD1000-memory.dmp

memory/380-12-0x00007FFF8B310000-0x00007FFF8BDD1000-memory.dmp

memory/380-15-0x0000024C2D410000-0x0000024C2D62C000-memory.dmp

memory/380-16-0x00007FFF8B310000-0x00007FFF8BDD1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-10 13:20

Reported

2024-08-10 13:50

Platform

win10v2004-20240802-en

Max time kernel

1755s

Max time network

1148s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\lolhahahackerwowohnoo\wowcoolfile.png

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\lolhahahackerwowohnoo\wowcoolfile.png

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

N/A