Malware Analysis Report

2025-06-16 05:32

Sample ID: 250507-mf5platkz7
Target: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe
SHA256: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204
Tags: raworld defense_evasion execution impact ransomware
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204

Threat Level: Known bad

The file 10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe was found to be: Known bad.

Malicious Activity Summary

raworld defense_evasion execution impact ransomware

RA World

Raworld family

Deletes shadow copies

Renames multiple (160) files with added filename extension

Renames multiple (199) files with added filename extension

Checks computer location settings

Enumerates connected drives

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-05-07 10:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-05-07 10:25
Reported: 2025-05-07 10:27
Platform: win10v2004-20250502-en
Max time kernel: 106s
Max time network: 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe"

Signatures

RA World

ransomware raworld

Raworld family

raworld

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (160) files with added filename extension

ransomware

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Help\Finish.exe | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe

"C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

Country | Destination | Domain | Proto
GB | 95.101.143.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
DE | 142.250.184.195:80 | c.pki.goog | tcp

Files

C:\Recovery\WindowsRE\Data breach warning.txt

MD5 e7264a4c331eac851fa75438919e0531
SHA1 38f6dc2b0c5e86d38c2a9bd7f5aaf4447be97a61
SHA256 07ab218d5c865cb4fe78353340ab923e24a1f2881ec7206520651c5246b1a492
SHA512 f8aca867b199f5494dbc6919423788533b4b55f249ac1ab2707c38788212b585eb39234be74d1f2b039d00ee096b5d2036c1066e19e4fa304b048ffb61ca1edb

Analysis: behavioral2

Detonation Overview

Submitted: 2025-05-07 10:25
Reported: 2025-05-07 10:27
Platform: win11-20250502-en
Max time kernel: 102s
Max time network: 104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe"

Signatures

RA World

ransomware raworld

Raworld family

raworld

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (199) files with added filename extension

ransomware

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Help\Finish.exe | C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe | N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe

"C:\Users\Admin\AppData\Local\Temp\10bb96e0680971c11b16dab51f905804f09f3605eb8d157b791abb5ad21af204.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

Files

C:\Data breach warning.txt

MD5 e7264a4c331eac851fa75438919e0531
SHA1 38f6dc2b0c5e86d38c2a9bd7f5aaf4447be97a61
SHA256 07ab218d5c865cb4fe78353340ab923e24a1f2881ec7206520651c5246b1a492
SHA512 f8aca867b199f5494dbc6919423788533b4b55f249ac1ab2707c38788212b585eb39234be74d1f2b039d00ee096b5d2036c1066e19e4fa304b048ffb61ca1edb