Analysis
max time kernel: 1776s
max time network: 1441s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 20/11/2024, 12:56
Static task: static1
Behavioral task behavioral1: Sample BSOD/BSOD/bin/Debug/BSOD.exe, Resource win7-20240903-en
Behavioral task behavioral2: Sample BSOD/BSOD/bin/Debug/BSOD.exe, Resource win10v2004-20241007-en
Behavioral task behavioral3: Sample BSOD/BSOD/bin/Debug/BSOD.exe, Resource win10ltsc2021-20241023-en
Behavioral task behavioral4: Sample BSOD/BSOD/bin/Debug/BSOD.exe, Resource win11-20241007-en
Behavioral task behavioral5: Sample RANSOMWARE3.0/RANSOMWARE3.0/obj/Debug/RANSOMWARE3.0.exe, Resource win7-20240903-en
Behavioral task behavioral6: Sample RANSOMWARE3.0/RANSOMWARE3.0/obj/Debug/RANSOMWARE3.0.exe, Resource win10v2004-20241007-en
Behavioral task behavioral7: Sample RANSOMWARE3.0/RANSOMWARE3.0/obj/Debug/RANSOMWARE3.0.exe, Resource win10ltsc2021-20241023-en
Behavioral task behavioral8: Sample RANSOMWARE3.0/RANSOMWARE3.0/obj/Debug/RANSOMWARE3.0.exe, Resource win11-20241007-en
General
Target: RANSOMWARE3.0/RANSOMWARE3.0/obj/Debug/RANSOMWARE3.0.exe
Size: 206KB
MD5: d82aef6e33a9bb4bbbec1e38547b1a47
SHA1: bb74e90eab11ecc0a2e3702882489a2523949315
SHA256: 9cff1ba17b83e537751fe1cd414690c3aa9627f06899afd906efaa114575d42d
SHA512: 88e61e2a6ce3fe80f4ce77493254fcd56476ffc1e6a36a7f4f063757c6fd2cd1332f2a1d71222cbae244b294dcc5b56b8a83e53e15138a4ef1c3fbd56690f804
SSDEEP: 3072:qRkbWhQAqY5+I00000000000000cGh4u3J+QGAqYVZmXMZhGq4ziqY:qSbsqgP4QbqS1ZhGq4Gq
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "BSOD.exe" | RANSOMWARE3.0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\BSOD.exe" | RANSOMWARE3.0.exe

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RANSOMWARE3.0.exe
Renames multiple (300) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | RANSOMWARE3.0.exe

Disables Task Manager via registry modification

Manipulates Digital Signatures 1 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wintrust.dll | RANSOMWARE3.0.exe

Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BSOD.exe | RANSOMWARE3.0.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BSOD.exe | RANSOMWARE3.0.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RANSOMWARE3.0.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RANSOMWARE3.0.exe

Drops desktop.ini file(s) 7 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\desktop.ini | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | RANSOMWARE3.0.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | RANSOMWARE3.0.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | RANSOMWARE3.0.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | RANSOMWARE3.0.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | RANSOMWARE3.0.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | RANSOMWARE3.0.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\fsutilext.dll.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\KBDBLR.DLL | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\KBDINTEL.DLL.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\provthrd.dll.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\wfapigp.dll.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\win32u.dll.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\azroles.dll.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\cryptxml.dll.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\Windows.UI.Core.TextInput.dll | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\cmutil.dll | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\Windows.Devices.Printers.Extensions.dll | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\winrshost.exe.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\WpcWebFilter.dll | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\AuthFWWizFwk.dll.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\BCP47Langs.dll.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\KBDHAU.DLL | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\netcenter.dll | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\scecli.dll | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\fontview.exe.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\KBDES.DLL.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\FXSCOMEX.dll.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\cldapi.dll.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\CoreMessaging.dll.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\intl.cpl | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\KBDTH3.DLL | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\mimefilt.dll | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\msdt.exe | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\RpcNs4.dll.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\tree.com | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\BrowserSettingSync.dll.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\dmime.dll.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\wiadss.dll.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\KBDMON.DLL.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\atl110.dll | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\iscsium.dll | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\mfc100rus.dll.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\MosHostClient.dll | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\ntdsapi.dll | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\chkdsk.exe | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\ir32_32original.dll.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\oleprn.dll.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\Windows.Devices.Custom.ps.dll.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\kbdnec95.DLL | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\mfc110cht.dll.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\KBDSORST.DLL | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\MsRdpWebAccess.dll.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\raschapext.dll.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\sqlsrv32.dll | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\VAN.dll.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\efswrt.dll | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\ir50_32original.dll | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\iaspolcy.dll | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\msvcrt.dll.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\TapiUnattend.exe | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\werui.dll | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\XInput9_1_0.dll | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\AcLayers.dll.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\expand.exe | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\msrepl40.dll | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\Windows.Devices.Scanners.dll | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\fdBth.dll | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\TempSignedLicenseExchangeTask.dll.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\SysWOW64\bdaplgin.ax.CLUTTER | RANSOMWARE3.0.exe
Drops file in Program Files directory 46 IoCs
description | ioc | Process
File created | C:\Program Files\LimitBlock.vst.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Program Files\MergeNew.ocx.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Program Files\ResolveJoin.MOD.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Program Files\ShowReceive.mpeg3.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files\ConvertToCompare.mp2v | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files\GroupLock.xsl | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files\ImportRestart.mp4v | RANSOMWARE3.0.exe
File created | C:\Program Files\ImportRestart.mp4v.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files\SendCompress.doc | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files\UpdateClear.wmx | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files\CompleteMerge.mht | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files\ConvertToInstall.dib | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files\GrantFormat.WTV | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files\ConfirmSelect.zip | RANSOMWARE3.0.exe
File created | C:\Program Files\ConvertToInstall.dib.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files\LimitBlock.vst | RANSOMWARE3.0.exe
File created | C:\Program Files\ResetWatch.M2T.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Program Files\UpdateClear.wmx.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files\BackupDebug.ods | RANSOMWARE3.0.exe
File created | C:\Program Files\CompleteMerge.mht.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Program Files\ConfirmSelect.zip.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Program Files (x86)\desktop.ini.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | RANSOMWARE3.0.exe
File created | C:\Program Files\desktop.ini.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files\desktop.ini | RANSOMWARE3.0.exe
File created | C:\Program Files\EnablePing.mov.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Program Files\GrantFormat.WTV.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Program Files\PublishUse.au3.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Program Files\AddConnect.wma.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Program Files\BackupClose.tiff.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Program Files\ConvertToCompare.mp2v.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files\PublishUse.au3 | RANSOMWARE3.0.exe
File created | C:\Program Files\SendCompress.doc.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Program Files\TraceRevoke.xls.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files\AddConnect.wma | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files\MergeNew.ocx | RANSOMWARE3.0.exe
File created | C:\Program Files\BackupDebug.ods.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files\EnablePing.mov | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files\ResolveJoin.MOD | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files\ShowReceive.mpeg3 | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files\TraceRevoke.xls | RANSOMWARE3.0.exe
File created | C:\Program Files\UpdateRestart.mpe.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files\UpdateRestart.mpe | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files\BackupClose.tiff | RANSOMWARE3.0.exe
File created | C:\Program Files\GroupLock.xsl.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Program Files\ResetWatch.M2T | RANSOMWARE3.0.exe
Drops file in Windows directory 50 IoCs
description | ioc | Process
File opened for modification | C:\Windows\WindowsUpdate.log | RANSOMWARE3.0.exe
File created | C:\Windows\WMSysPr9.prx.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\write.exe.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\DtcInstall.log.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\HelpPane.exe.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\HelpPane.exe | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\lsasetup.log | RANSOMWARE3.0.exe
File created | C:\Windows\mib.bin.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\BSOD.exe | RANSOMWARE3.0.exe
File created | C:\Windows\lsasetup.log.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\system.ini.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\twain_32.dll | RANSOMWARE3.0.exe
File created | C:\Windows\WindowsUpdate.log.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\WindowsShell.Manifest.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\write.exe | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\bfsvc.exe | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\DtcInstall.log | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\mib.bin | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\notepad.exe | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\SysmonDrv.sys | RANSOMWARE3.0.exe
File created | C:\Windows\winhlp32.exe.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\WMSysPr9.prx | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\EnterpriseS.xml | RANSOMWARE3.0.exe
File created | C:\Windows\regedit.exe.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\splwow64.exe.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\sysmon.exe.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\win.ini.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\bfsvc.exe.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\explorer.exe | RANSOMWARE3.0.exe
File created | C:\Windows\PFRO.log.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\setupact.log | RANSOMWARE3.0.exe
File created | C:\Windows\SysmonDrv.sys.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\hh.exe.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\winhlp32.exe | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\splwow64.exe | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\sysmon.exe | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\system.ini | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\bootstat.dat | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\PFRO.log | RANSOMWARE3.0.exe
File created | C:\Windows\setupact.log.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\setuperr.log.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\setuperr.log | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\WindowsShell.Manifest | RANSOMWARE3.0.exe
File created | C:\Windows\twain_32.dll.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\win.ini | RANSOMWARE3.0.exe
File created | C:\Windows\bootstat.dat.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\EnterpriseS.xml.CLUTTER | RANSOMWARE3.0.exe
File created | C:\Windows\explorer.exe.CLUTTER | RANSOMWARE3.0.exe
File opened for modification | C:\Windows\hh.exe | RANSOMWARE3.0.exe
File created | C:\Windows\notepad.exe.CLUTTER | RANSOMWARE3.0.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RANSOMWARE3.0.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4008 | RANSOMWARE3.0.exe

System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1" | RANSOMWARE3.0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RANSOMWARE3.0.exe
Processes
C:\Users\Admin\AppData\Local\Temp\RANSOMWARE3.0\RANSOMWARE3.0\obj\Debug\RANSOMWARE3.0.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\RANSOMWARE3.0\RANSOMWARE3.0\obj\Debug\RANSOMWARE3.0.exe"
PID: 4008
Signatures:
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Manipulates Digital Signatures
- Drops startup file
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- System policy modification
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (3)