Analysis Overview
SHA256
5683ca1c57b180b87add6f7b901f29f53e39d012c13085ee0e5f0a50e8b612a0
Threat Level: Likely malicious
The file 241113-3wefca1h8m_pw_infected.zip was found to be: Likely malicious.
Malicious Activity Summary
Deletes shadow copies
Renames multiple (198) files with added filename extension
Renames multiple (163) files with added filename extension
Sets desktop wallpaper using registry
System Location Discovery: System Language Discovery
Unsigned PE
Interacts with shadow copies
Modifies Control Panel
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 00:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 00:35
Reported
2024-11-14 00:42
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Deletes shadow copies
Renames multiple (198) files with added filename extension
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\z.png" | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\WallpaperStyle = "\n" | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\TileWallpaper | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.DARKSET | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.DARKSET\DefaultIcon\ = "C:\\ProgramData\\z.png" | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.DARKSET\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2100 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | C:\Windows\SysWOW64\vssadmin.exe |
Uses Volume Shadow Copy service COM API
Processes
| Path | Command Line |
| C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | "C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe" |
| C:\Windows\SysWOW64\vssadmin.exe | vssadmin.exe delete shadows /all /quiet |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
Network
Files
C:\Recovery\ReadMe.txt
| MD5 | 5bc30cda2b587e1bef4a038c4a3dd28a |
| SHA1 | 19b974c3f1868c287ac1b2bcb585dd8b87ea9147 |
| SHA256 | 0d123b405d094620fdf2f9f4a9c18b6776a4cefd391e4a183dc8d7fc4b4d9cf3 |
| SHA512 | 1e1401f6c9bcee4635e0ea816c91e80aaad49454e60d7ca08f9e7ac738782534b681e1eb7d44be5750ef353439d3fe09e4a5253ca76c380bbac50fd8d84e233e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 00:35
Reported
2024-11-14 00:42
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Renames multiple (163) files with added filename extension
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\z.png" | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\WallpaperStyle = "\n" | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\TileWallpaper | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.DARKSET\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.DARKSET | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.DARKSET\DefaultIcon\ = "C:\\ProgramData\\z.png" | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Processes
| Path | Command Line |
| C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | "C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe" |
Network
Files
C:\Users\ReadMe.txt
| MD5 | 65cb50035da49a040f4f5e090bc6eacb |
| SHA1 | 871ff1f10b33e61adbe617a9cca5a4c8faaa7640 |
| SHA256 | a4935c44cd602fa2337af74b1dca24e284126d0526d93a35427d1b04ff119516 |
| SHA512 | 47415b00eb2935fa11e237e1de28d589d7279ff3303348ad1e627a66d39ca9d561ea6405cffbe0580cedde08fda09dadd519890195d8c2c9535043f52a75eb59 |