Analysis Overview
SHA256
5683ca1c57b180b87add6f7b901f29f53e39d012c13085ee0e5f0a50e8b612a0
Threat Level: Likely malicious
The file 241113-3wefca1h8m_pw_infected.zip was found to be: Likely malicious.
Malicious Activity Summary
Renames multiple (208) files with added filename extension
Renames multiple (167) files with added filename extension
Deletes shadow copies
Sets desktop wallpaper using registry
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
Opens file in notepad (likely ransom note)
Modifies Control Panel
Suspicious use of AdjustPrivilegeToken
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 01:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 01:55
Reported
2024-11-14 01:58
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Deletes shadow copies
Renames multiple (208) files with added filename extension
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\z.png" | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\WallpaperStyle = "\n" | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\TileWallpaper | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.DARKSET\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.DARKSET | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.DARKSET\DefaultIcon\ = "C:\\ProgramData\\z.png" | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
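The two registry tables above (wallpaper under Control Panel\Desktop, and the new .DARKSET class whose DefaultIcon points at C:\ProgramData\z.png) are the part of this run that tells an analyst "encrypted files get a custom icon and the desktop gets a ransom image". The Python below is an added example, not the sandbox's own signature logic and not code from the sample: it parses rows in the report's own "| Description | Indicator | Process | Target |" layout into events and applies two rules, a DefaultIcon for a freshly registered extension that points into a user-writable directory (or is not an .ico/.exe/.dll resource at all), and a wallpaper value pulled from ProgramData, Temp or AppData. The rows are copied from this report with the sample's path shortened to sample.exe; the rules and the sample.exe name are assumptions.

```python
"""Parse the report's registry rows and flag ransomware-style changes.

Added example for this report, not code from the sample or the sandbox.
Rows below are copied from the report with the sample's path shortened to
sample.exe; the two rules (icon for a new extension in a user-writable
path, wallpaper pulled from ProgramData/Temp/AppData) are assumptions about
what an analyst wants surfaced, not the sandbox's own signature logic.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ROW_RE = re.compile(r"^\|\s*(?P<desc>[^|]+?)\s*\|\s*(?P<indicator>[^|]+?)\s*\|\s*(?P<process>[^|]+?)\s*\|")
CLASSES_EXT_RE = re.compile(r"\\registry\\machine\\software\\classes\\(\.[a-z0-9_-]+)", re.I)
USER_WRITABLE = ("\\programdata\\", "\\temp\\", "\\appdata\\")
ICON_SOURCES = (".ico", ".exe", ".dll")   # file types DefaultIcon normally points at


@dataclass(frozen=True)
class RegEvent:
    action: str            # "Set value (str)", "Key created", ...
    key: str               # registry path; for a set-value row it ends in the value name
    value: Optional[str]   # data for set-value rows, None otherwise
    process: str


def parse_row(line: str) -> Optional[RegEvent]:
    """Turn one '| desc | indicator | process | target |' row into a RegEvent."""
    m = ROW_RE.match(line)
    if not m or m["desc"] in ("Description", "N/A"):
        return None
    indicator, value = m["indicator"], None
    if " = " in indicator:
        # The report keeps doubled backslashes inside the quoted data; undo that.
        indicator, raw = indicator.split(" = ", 1)
        value = raw.strip().strip('"').replace("\\\\", "\\")
    return RegEvent(m["desc"], indicator, value, m["process"])


def analyse(events: List[RegEvent]) -> List[Tuple[str, Optional[str], str, str]]:
    """Return (rule, extension, data, process) findings in event order."""
    findings = []
    for e in events:
        if e.value is None:
            continue
        key_l, val_l = e.key.lower(), e.value.lower()
        ext = CLASSES_EXT_RE.match(e.key)
        if ext and key_l.endswith("\\defaulticon\\"):
            # A brand-new extension whose icon lives in a user-writable directory,
            # or is not an icon resource at all, is the classic "make encrypted
            # files show our icon" registration.
            if any(p in val_l for p in USER_WRITABLE) or not val_l.endswith(ICON_SOURCES):
                findings.append(("new-extension-icon", ext.group(1), e.value, e.process))
        elif key_l.endswith("\\control panel\\desktop\\wallpaper"):
            # Wallpaper swapped for an image dropped outside the user's own pictures.
            if any(p in val_l for p in USER_WRITABLE):
                findings.append(("wallpaper-from-programdata", None, e.value, e.process))
    return findings


# Rows copied from the report's behavioral1 tables; process path shortened (assumption).
SID = r"\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000"
PROC = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
SAMPLE_ROWS = [
    "| Description | Indicator | Process | Target |",
    rf'| Set value (str) | {SID}\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\z.png" | {PROC} | N/A |',
    rf'| Set value (str) | {SID}\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | {PROC} | N/A |',
    rf'| Set value (str) | {SID}\Control Panel\Desktop\WallpaperStyle = "\n" | {PROC} | N/A |',
    rf'| Set value (str) | {SID}\Control Panel\Desktop\TileWallpaper | {PROC} | N/A |',
    rf'| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.DARKSET\DefaultIcon | {PROC} | N/A |',
    rf'| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.DARKSET | {PROC} | N/A |',
    rf'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.DARKSET\DefaultIcon\ = "C:\\ProgramData\\z.png" | {PROC} | N/A |',
]

if __name__ == "__main__":
    parsed = [e for e in map(parse_row, SAMPLE_ROWS) if e is not None]
    for rule, ext, data, proc in analyse(parsed):
        print(f"[{rule}] {ext or ''} -> {data} (by {proc})")
```

The second Wallpaper row (My Wallpaper.jpg under the user's Pictures folder) is deliberately not flagged: the rule keys on where the image comes from, not on the fact that the wallpaper changed, which is what separates this run from a user picking a new background.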
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2356 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | C:\Windows\SysWOW64\vssadmin.exe |
| PID 2356 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | C:\Windows\SysWOW64\vssadmin.exe |
| PID 2356 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | C:\Windows\SysWOW64\vssadmin.exe |
| PID 2356 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | C:\Windows\SysWOW64\vssadmin.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe
"C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe"
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
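The process tree above shows the sample (PID 2356 in the WriteProcessMemory rows) launching vssadmin.exe delete shadows /all /quiet, which in turn wakes the VSS service (vssvc.exe); that is the standard pre-encryption step that removes restore points. The Python below is an added example, not part of this report or of the sample: it runs a command-line detection over constructed process-creation records modelled on that tree (the PIDs, paths and the vssadmin command line are taken from the report; the parent PID 1234, the benign vssadmin list shadows entry and the wmic shadowcopy delete / vssadmin resize shadowstorage / Win32_ShadowCopy patterns are generalisations the report itself does not show) and resolves each hit's parent so the alert names the process that spawned the LOLBin rather than vssadmin itself.

```python
"""Detect shadow-copy deletion in process-creation telemetry.

Added example for this report, not code from the sample or the sandbox.
The events below are constructed to mirror the report's process tree; the
wmic/resize/WMI patterns go beyond what the report shows.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Patterns are tested against the lower-cased, whitespace-collapsed command
# line. Only the first one is observed in this report; the others are common
# equivalents used for the same effect (generalisation).
SHADOW_DELETE_PATTERNS = [
    (r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", "vssadmin delete shadows"),
    (r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", "vssadmin resize shadowstorage"),
    (r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", "wmic shadowcopy delete"),
    (r"\bwin32_shadowcopy\b.*\bdelete\b", "Win32_ShadowCopy delete via WMI"),
]


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def normalise(cmdline: str) -> str:
    """Lower-case and collapse whitespace so case and padding tricks do not matter."""
    return " ".join(cmdline.lower().split())


def classify(event: ProcEvent) -> Optional[str]:
    """Return a label if the event's command line deletes or shrinks shadow copies."""
    text = normalise(event.cmdline)
    for pattern, label in SHADOW_DELETE_PATTERNS:
        if re.search(pattern, text):
            return label
    return None


def find_shadow_deletion(events: List[ProcEvent]) -> List[Tuple[ProcEvent, Optional[ProcEvent], str]]:
    """Return (child, parent, label) for every matching event.

    The parent is resolved through the PPID so the alert names the process
    that spawned vssadmin/wmic, which is the actual malware."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        label = classify(e)
        if label:
            hits.append((e, by_pid.get(e.ppid), label))
    return hits


# Constructed events: PIDs 2356/2156, the sample path and the vssadmin command
# line come from the report; PID 1234, 2400 and 2512 are invented.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe"
SAMPLE_EVENTS = [
    ProcEvent(2356, 1234, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2156, 2356, r"C:\Windows\SysWOW64\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(2400, 600, r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe List Shadows"),  # benign: enumeration only, must not fire
    ProcEvent(2512, 2356, r"C:\Windows\System32\wbem\WMIC.exe",
              r'"C:\Windows\System32\wbem\WMIC.exe"   shadowcopy   delete'),  # generalisation
]

if __name__ == "__main__":
    for child, parent, label in find_shadow_deletion(SAMPLE_EVENTS):
        who = parent.image if parent else "<unknown parent>"
        print(f"[{label}] pid {child.pid} <- {who} (pid {child.ppid}): {child.cmdline}")
```

Matching on the normalised command line rather than on the image name alone is what keeps the benign vssadmin list shadows entry quiet while still catching a quoted, mixed-case or over-spaced invocation.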
Network
Files
C:\Recovery\ReadMe.txt
| MD5 | 938961e4fbeb2fa0943872977c3d906f |
| SHA1 | 8362d19300dc94f99ae4ef8c9848e4de0ce0ce6c |
| SHA256 | b15b603127917c9ec9381fdbd6ebb715f5216d8266042b7b925d9a8444ea7a4e |
| SHA512 | a2fd5917e8d7fccd6eebb6ae104d4bffc7367ba9eb5ea5b33f1ffe5004e2ca6f6a2841dab4ac0674f15b599297b7f0500a963028e189ba33ffa6a110542f1c00 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 01:55
Reported
2024-11-14 01:58
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
149s
Command Line
Signatures
Renames multiple (167) files with added filename extension
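The rename count in this signature (167 here, 208 on the Windows 7 run) is the sandbox's own tally; the report does not list the individual rename events. The Python below is an added example, not the sandbox's signature and not the sample's code: it shows the logic such a signature needs, run over constructed file events (25 documents renamed by PID 2356, the sample's PID in the behavioral1 run, plus a note drop and two ordinary renames by an invented second process). The .DARKSET suffix is taken from the Classes key the sample creates; that the sample appends it to each original filename, the threshold of 20 and all paths are assumptions.

```python
"""Flag a process that appends the same extension to many files.

Added example for this report, not the sandbox's signature or the sample's
code. The file events are constructed; the .DARKSET suffix comes from the
registry key the sample creates, the threshold of 20 is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FileEvent:
    pid: int
    op: str          # "rename", "create", "write", "delete"
    src: str
    dst: str = ""    # new path for renames


def appended_extension(src: str, dst: str) -> Optional[str]:
    """Return the single extension appended to src to make dst, else None.

    'a.docx' -> 'a.docx.DARKSET' yields '.DARKSET'. A rename that changes the
    base name, moves directories, or appends more than one dot does not count,
    so ordinary user renames are not mistaken for encryption."""
    if not dst.lower().startswith(src.lower() + "."):
        return None
    ext = dst[len(src):]
    if len(ext) < 2 or "." in ext[1:] or "\\" in ext or "/" in ext:
        return None
    return ext


def find_mass_rename(events: List[FileEvent], threshold: int = 20) -> List[Tuple[int, str, int]]:
    """Return (pid, extension, count) for each process that appended the same
    extension to at least `threshold` files."""
    counts: Dict[Tuple[int, str], int] = defaultdict(int)
    for e in events:
        if e.op != "rename":
            continue
        ext = appended_extension(e.src, e.dst)
        if ext is not None:
            counts[(e.pid, ext)] += 1
    return [(pid, ext, n) for (pid, ext), n in counts.items() if n >= threshold]


def build_sample_events() -> List[FileEvent]:
    """Constructed telemetry: the sample (PID 2356) renaming 25 documents, then
    dropping its note, alongside benign renames by an invented PID 1800."""
    events = []
    for i in range(25):
        path = rf"C:\Users\Admin\Documents\doc{i}.docx"
        events.append(FileEvent(2356, "rename", path, path + ".DARKSET"))
    events.append(FileEvent(2356, "create", r"C:\Users\Admin\Desktop\ReadMe.txt"))
    events.append(FileEvent(1800, "rename", r"C:\Users\Admin\report.docx",
                            r"C:\Users\Admin\report-final.docx"))     # base name changed
    events.append(FileEvent(1800, "rename", r"C:\Users\Admin\notes.txt",
                            r"C:\Users\Admin\notes.txt.bak"))         # one file, below threshold
    return events


SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    for pid, ext, n in find_mass_rename(SAMPLE_EVENTS):
        print(f"pid {pid} appended {ext} to {n} files")
```

Keying the count on (pid, extension) rather than on pid alone is what separates a backup tool that appends .bak to a handful of files from a process that stamps one new suffix on everything it touches; the threshold is the knob that trades early warning against noise from legitimate bulk renames.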
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\z.png" | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\WallpaperStyle = "\n" | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\TileWallpaper | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.DARKSET\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.DARKSET | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.DARKSET\DefaultIcon\ = "C:\\ProgramData\\z.png" | C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe
"C:\Users\Admin\AppData\Local\Temp\314c52fc3ef69ee952e54c38157ea7451068a5361deb8782a54d03f59f722f65.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ReadMe.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
Files
C:\Users\ReadMe.txt
| MD5 | 85340bd19cfa5baea16d08fc6e80ae15 |
| SHA1 | b66db47a9ac34e865b59a4f47825fc9b2c003f1b |
| SHA256 | ff3d090168dcfce1cfc375e67699d2a68a60d8dcc7c9d1b8ba708b9e4cb00cbd |
| SHA512 | f5bf6da3f248ffe70f16ae79df341f68968b4a6a265fc5e532b01618b39041da8eb25fc707bf5a430e3c3aa7ab73106a6b067d48654900ac6cefa30f4c10ec97 |