Analysis Overview
SHA256
5683ca1c57b180b87add6f7b901f29f53e39d012c13085ee0e5f0a50e8b612a0
Threat Level: Likely malicious
The file 241113-3wefca1h8m_pw_infected.zip was found to be: Likely malicious.
Malicious Activity Summary
Deletes shadow copies
Renames multiple (169) files with added filename extension
Renames multiple (196) files with added filename extension
Sets desktop wallpaper using registry
Unsigned PE
System Location Discovery: System Language Discovery
Interacts with shadow copies
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 00:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 00:44
Reported
2024-11-14 00:47
Platform
win7-20240903-en
Max time kernel
117s
Max time network
117s
Command Line
Signatures
Deletes shadow copies
Renames multiple (196) files with added filename extension
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\z.png" | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\WallpaperStyle = "\n" | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\TileWallpaper | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.DARKSET\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.DARKSET | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.DARKSET\DefaultIcon\ = "C:\\ProgramData\\z.png" | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2224 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | C:\Windows\SysWOW64\vssadmin.exe |
| PID 2224 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | C:\Windows\SysWOW64\vssadmin.exe |
| PID 2224 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | C:\Windows\SysWOW64\vssadmin.exe |
| PID 2224 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | C:\Windows\SysWOW64\vssadmin.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe
"C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe"
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
C:\Recovery\ReadMe.txt
| MD5 | 9ac988884ad711401686a658c209e768 |
| SHA1 | 731563bc3a2f5a316302c875e8373c42f352f26c |
| SHA256 | 0ff0b9f61cc696926b9d003e936cbf3fd7bf575706dd935cbdf0c4cd34ef861d |
| SHA512 | 65fae02e2462c14b973a810f1714658df200b05943ecb2a154c0bf1e8b92e9530eab31bffc2e0c449fc6987f96ac3907dcbbd7584b551fb25461edc69abc217e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 00:44
Reported
2024-11-14 00:47
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
143s
Command Line
Signatures
Renames multiple (169) files with added filename extension
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\z.png" | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\TileWallpaper | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\WallpaperStyle = "\n" | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.DARKSET\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.DARKSET | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.DARKSET\DefaultIcon\ = "C:\\ProgramData\\z.png" | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe
"C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
Files
C:\Users\ReadMe.txt
| MD5 | 391f25c43670125158de193aa6d31bc9 |
| SHA1 | 59e3d055126bea398e303384219d022944e50220 |
| SHA256 | cebdb6495ac99d33c5da8100fb581d4e84a43e6f2bf48c3095c7dc48f9a32040 |
| SHA512 | 1d434fdc87605055739560de18924ef8733816710291adda4304fff241e2314f009ca1457ab930adf82939f752684db147a198f151e26e4cf038e2656a9045f2 |