Analysis
-
max time kernel
102s -
max time network
104s -
platform
windows11-21h2_x64 -
resource
win11-20250502-en -
resource tags
arch:x64arch:x86image:win11-20250502-enlocale:en-usos:windows11-21h2-x64system -
submitted
07/05/2025, 10:25
Static task
static1
Behavioral task
behavioral1
Sample
10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe
Resource
win11-20250502-en
General
-
Target
10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe
-
Size
270KB
-
MD5
da0c807e2a9c933c46502eccf349fc01
-
SHA1
b7ddd6ac3b12e4034f2b5f0a2a3ca5683cd1dd2f
-
SHA256
10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204
-
SHA512
8a645d7a5390f49e78f47a79cc92141a2974c313af80d107d49305643a0395d3226067fb883987122bc0cae392af67319b241d21df81e35e7e3783e77e164b62
-
SSDEEP
6144:XqohGFel4VQg/U+Dgx3bMAVVzddi6jWGPxF:XqoplK53DgZMSVFjW0x
Malware Config
Extracted
C:\Data breach warning.txt
https://qtox.github.io
http://raworldw32b2qxevn3gp63pvibgixr4v75z62etlptg3u3pmajwra4ad.onion
http://161.35.200.18
https://gofile.io/d/ufuFye
Signatures
-
RA World
RA World ransomware, also known as RA Group, is a crypto-ransomware variant that has evolved from the earlier Babuk ransomware. It emerged in April 2023.
-
Raworld family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (199) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\S: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe File opened (read-only) \??\Y: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe File opened (read-only) \??\A: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe File opened (read-only) \??\V: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe File opened (read-only) \??\W: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe File opened (read-only) \??\R: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe File opened (read-only) \??\O: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe File opened (read-only) \??\G: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe File opened (read-only) \??\L: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe File opened (read-only) \??\X: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe File opened (read-only) \??\B: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe File opened (read-only) \??\H: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe File opened (read-only) \??\Q: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe File opened (read-only) \??\E: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe File opened (read-only) \??\T: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe File opened (read-only) \??\U: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe File opened (read-only) \??\I: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe File opened (read-only) \??\P: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe File opened (read-only) \??\K: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe File opened (read-only) \??\J: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe File opened (read-only) \??\Z: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe File opened (read-only) \??\N: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe File opened (read-only) \??\M: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Help\Finish.exe 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3612 vssadmin.exe 808 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2692 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe 2692 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 4352 vssvc.exe Token: SeRestorePrivilege 4352 vssvc.exe Token: SeAuditPrivilege 4352 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2692 wrote to memory of 5820 2692 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe 79 PID 2692 wrote to memory of 5820 2692 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe 79 PID 5820 wrote to memory of 3612 5820 cmd.exe 82 PID 5820 wrote to memory of 3612 5820 cmd.exe 82 PID 2692 wrote to memory of 3296 2692 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe 86 PID 2692 wrote to memory of 3296 2692 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe 86 PID 3296 wrote to memory of 808 3296 cmd.exe 88 PID 3296 wrote to memory of 808 3296 cmd.exe 88 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe"C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe"1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:5820 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3612
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:3296 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:808
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4352
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5e7264a4c331eac851fa75438919e0531
SHA138f6dc2b0c5e86d38c2a9bd7f5aaf4447be97a61
SHA25607ab218d5c865cb4fe78353340ab923e24a1f2881ec7206520651c5246b1a492
SHA512f8aca867b199f5494dbc6919423788533b4b55f249ac1ab2707c38788212b585eb39234be74d1f2b039d00ee096b5d2036c1066e19e4fa304b048ffb61ca1edb