Analysis
- max time kernel: 1796s
- max time network: 1156s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/11/2024, 12:56
- Static task static1
- Behavioral task behavioral1: Sample BSOD/BSOD/bin/Debug/BSOD.exe, Resource win7-20240903-en
- Behavioral task behavioral2: Sample BSOD/BSOD/bin/Debug/BSOD.exe, Resource win10v2004-20241007-en
- Behavioral task behavioral3: Sample BSOD/BSOD/bin/Debug/BSOD.exe, Resource win10ltsc2021-20241023-en
- Behavioral task behavioral4: Sample BSOD/BSOD/bin/Debug/BSOD.exe, Resource win11-20241007-en
- Behavioral task behavioral5: Sample RANSOMWARE3.0/RANSOMWARE3.0/obj/Debug/RANSOMWARE3.0.exe, Resource win7-20240903-en
- Behavioral task behavioral6: Sample RANSOMWARE3.0/RANSOMWARE3.0/obj/Debug/RANSOMWARE3.0.exe, Resource win10v2004-20241007-en
- Behavioral task behavioral7: Sample RANSOMWARE3.0/RANSOMWARE3.0/obj/Debug/RANSOMWARE3.0.exe, Resource win10ltsc2021-20241023-en
- Behavioral task behavioral8: Sample RANSOMWARE3.0/RANSOMWARE3.0/obj/Debug/RANSOMWARE3.0.exe, Resource win11-20241007-en
General
- Target: RANSOMWARE3.0/RANSOMWARE3.0/obj/Debug/RANSOMWARE3.0.exe
- Size: 206KB
- MD5: d82aef6e33a9bb4bbbec1e38547b1a47
- SHA1: bb74e90eab11ecc0a2e3702882489a2523949315
- SHA256: 9cff1ba17b83e537751fe1cd414690c3aa9627f06899afd906efaa114575d42d
- SHA512: 88e61e2a6ce3fe80f4ce77493254fcd56476ffc1e6a36a7f4f063757c6fd2cd1332f2a1d71222cbae244b294dcc5b56b8a83e53e15138a4ef1c3fbd56690f804
- SSDEEP: 3072:qRkbWhQAqY5+I00000000000000cGh4u3J+QGAqYVZmXMZhGq4ziqY:qSbsqgP4QbqS1ZhGq4Gq
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 2 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\BSOD.exe" (RANSOMWARE3.0.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "BSOD.exe" (RANSOMWARE3.0.exe)
UAC bypass 1 IoCs
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (RANSOMWARE3.0.exe)
Renames multiple (271) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Disables RegEdit via registry modification 1 IoCs
- Set value (int): \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (RANSOMWARE3.0.exe)
Disables Task Manager via registry modification
Manipulates Digital Signatures 1 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
- File opened for modification: C:\Windows\SysWOW64\wintrust.dll (RANSOMWARE3.0.exe)
Drops startup file 2 IoCs
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BSOD.exe (RANSOMWARE3.0.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BSOD.exe (RANSOMWARE3.0.exe)
Checks whether UAC is enabled 2 IoCs
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (RANSOMWARE3.0.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (RANSOMWARE3.0.exe)
Drops desktop.ini file(s) 7 IoCs
- File opened for modification: C:\Users\Admin\Videos\desktop.ini (RANSOMWARE3.0.exe)
- File opened for modification: C:\Users\Admin\Desktop\desktop.ini (RANSOMWARE3.0.exe)
- File opened for modification: C:\Program Files\desktop.ini (RANSOMWARE3.0.exe)
- File opened for modification: C:\Program Files (x86)\desktop.ini (RANSOMWARE3.0.exe)
- File opened for modification: C:\Users\Admin\Documents\desktop.ini (RANSOMWARE3.0.exe)
- File opened for modification: C:\Users\Admin\Music\desktop.ini (RANSOMWARE3.0.exe)
- File opened for modification: C:\Users\Admin\Pictures\desktop.ini (RANSOMWARE3.0.exe)
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 32 IoCs
Drops file in Windows directory 46 IoCs
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RANSOMWARE3.0.exe)
Suspicious use of AdjustPrivilegeToken 1 IoCs
- Token: SeDebugPrivilege, PID 228 (RANSOMWARE3.0.exe)
System policy modification 1 TTPs 2 IoCs
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1" (RANSOMWARE3.0.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (RANSOMWARE3.0.exe)
Processes
Process: C:\Users\Admin\AppData\Local\Temp\RANSOMWARE3.0\RANSOMWARE3.0\obj\Debug\RANSOMWARE3.0.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\RANSOMWARE3.0\RANSOMWARE3.0\obj\Debug\RANSOMWARE3.0.exe"
Signatures triggered:
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Manipulates Digital Signatures
- Drops startup file
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 228
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (3)
Downloads
- Filesize: 6KB
- MD5: 4ec85cec090259e2ad98bc922a70cc5c
- SHA1: 7fbc4d3a11395f373d6bb40ad7f8bdf9088853e4
- SHA256: dc0e9cae1e53b8f74c9bda8fc5c76c9f8a925e29275bbca0b4e35204af6c3fa3
- SHA512: df72554135d7dd06e60b8bb4b98617b16693127b91889a188cedc80a3e85ac3fb578ed9261bd54de465387f0cc755916dc5eb15b24e0350c91f188bc4b703cfb