Malware Analysis Report

2024-12-07 14:53

Sample ID 241010-yfw81atbjb
Target Wallpaperskibidi.exe
SHA256 6ae94bfc81dfe7bd664592c67ff224eec1c6e0a9bd47ba23a766260e86bf1095
Tags
discovery exploit ransomware
score
8/10

Analysis Overview

score
8/10

SHA256

6ae94bfc81dfe7bd664592c67ff224eec1c6e0a9bd47ba23a766260e86bf1095

Threat Level: Likely malicious

The file Wallpaperskibidi.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit ransomware

Possible privilege escalation attempt

Checks computer location settings

Modifies file permissions

Sets desktop wallpaper using registry

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-10 19:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-10 19:44

Reported

2024-10-10 19:47

Platform

win7-20240903-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Wallpaperskibidi.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" C:\Users\Admin\AppData\Local\Temp\Wallpaperskibidi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\wallpaper.jpg" C:\Users\Admin\AppData\Local\Temp\Wallpaperskibidi.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\boot\resources\bootres.dll C:\Users\Admin\AppData\Local\Temp\Wallpaperskibidi.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Wallpaperskibidi.exe

"C:\Users\Admin\AppData\Local\Temp\Wallpaperskibidi.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /c takeown /f "C:\Windows\boot\resources\bootres.dll" /a

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\boot\resources\bootres.dll" /a

C:\Windows\system32\cmd.exe

"cmd.exe" /c icacls "C:\Windows\boot\resources\bootres.dll" /grant administrators:F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\boot\resources\bootres.dll" /grant administrators:F

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.waifu.pics udp
US 104.21.71.83:443 api.waifu.pics tcp
US 8.8.8.8:53 i.waifu.pics udp
US 172.67.143.250:443 i.waifu.pics tcp

Files

C:\Users\Admin\AppData\Local\Temp\newbootimage.bmp

MD5 631d99fe2b71fd05318d20215b4ff736
SHA1 b12b8ec19cfedbd678665bf229b29ecb1d880ea0
SHA256 baf9bba9dff173f0793ea113eb4dd425d6ba84dd8325f9d7a1871a06173b2d37
SHA512 1f86cb5f32a1f35850dd69294fe187b5e69d82d641ed1397fe0dab7ef951a0be60e8bd0d2c294db2df43ec4ca780f067c2a8d7a79c634b73bd73e942c9ae21b7

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-10 19:44

Reported

2024-10-10 19:47

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Wallpaperskibidi.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Wallpaperskibidi.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\wallpaper.jpg" C:\Users\Admin\AppData\Local\Temp\Wallpaperskibidi.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\boot\resources\bootres.dll C:\Users\Admin\AppData\Local\Temp\Wallpaperskibidi.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Wallpaperskibidi.exe

"C:\Users\Admin\AppData\Local\Temp\Wallpaperskibidi.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c takeown /f "C:\Windows\boot\resources\bootres.dll" /a

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\boot\resources\bootres.dll" /a

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c icacls "C:\Windows\boot\resources\bootres.dll" /grant administrators:F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\boot\resources\bootres.dll" /grant administrators:F

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.waifu.pics udp
US 104.21.71.83:443 api.waifu.pics tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 83.71.21.104.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 i.waifu.pics udp
US 172.67.143.250:443 i.waifu.pics tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 250.143.67.172.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Windows\Boot\Resources\bootres.dll

MD5 aff506b9137a95e6a5e42217af8f3847
SHA1 4bdbb4c9d3c240a29f53bfdbc277912a185b13d9
SHA256 fc233d90fbc9d52567d94ac0752dbdac02aabcadc33ad957750e1755c29ad68a
SHA512 34fc48753a48c88d2c226721c0bd8143f870e5405c270fade48ceb2bf43cc7126b28090b02bb8d5dc4131cfd6d7a819810803e2f226ec25a8586bd0ca6c70a04

C:\Users\Admin\Desktop\Skibidi160.png

MD5 650d26d12db909f48966da80911abffb
SHA1 1f982db181250bd39414ff1e98e3751503a269d4
SHA256 25ac1304b11d605a1438016f5cc66b3964faf3450a6d81f533ceb0060612be18
SHA512 f6310e8fd763f7eced41b67947230e80b16f01ea3dbce5b611ff542f3d46734ae84431ed196b6e657819d97b71d160b7e48e25c979a14a10695311ebab6c2cbf