Analysis
-
max time kernel
105s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system -
submitted
07/05/2025, 10:27
Static task
static1
Behavioral task
behavioral1
Sample
0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe
Resource
win10v2004-20250502-en
General
-
Target
0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe
-
Size
270KB
-
MD5
2c29f8ca69cd2cf27629edf0c77d7d71
-
SHA1
f2edacceefbab686632b95ab320f1c934091d247
-
SHA256
0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d
-
SHA512
8d768f8e29e277b1b8a6864138a9899cc085040cdc3295226ef8a1da34b53eb631a0f9db7ced7260df57bc7e34385236bdd0ac43abf27f0a90ed4b2da100ad86
-
SSDEEP
6144:XxohG1el4VQg/U+Dgx3bMAVVzddi6jWGPxF:Xxo5lK53DgZMSVFjW0x
Malware Config
Extracted
C:\Recovery\WindowsRE\Data breach warning.txt
https://qtox.github.io
http://raworldw32b2qxevn3gp63pvibgixr4v75z62etlptg3u3pmajwra4ad.onion
http://161.35.200.18
https://gofile.io/d/ufuFye
Signatures
-
RA World
RA World ransomware, also known as RA Group, is a crypto-ransomware variant that has evolved from the earlier Babuk ransomware. It emerged in April 2023.
-
Raworld family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (154) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\International\Geo\Nation 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe File opened (read-only) \??\T: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe File opened (read-only) \??\I: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe File opened (read-only) \??\H: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe File opened (read-only) \??\K: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe File opened (read-only) \??\L: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe File opened (read-only) \??\Z: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe File opened (read-only) \??\V: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe File opened (read-only) \??\R: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe File opened (read-only) \??\U: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe File opened (read-only) \??\G: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe File opened (read-only) \??\B: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe File opened (read-only) \??\M: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe File opened (read-only) \??\E: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe File opened (read-only) \??\Y: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe File opened (read-only) \??\P: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe File opened (read-only) \??\A: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe File opened (read-only) \??\J: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe File opened (read-only) \??\W: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe File opened (read-only) \??\O: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe File opened (read-only) \??\S: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe File opened (read-only) \??\X: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe File opened (read-only) \??\N: 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Help\Finish.exe 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4452 vssadmin.exe 4440 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3468 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe 3468 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 2820 vssvc.exe Token: SeRestorePrivilege 2820 vssvc.exe Token: SeAuditPrivilege 2820 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3468 wrote to memory of 1696 3468 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe 85 PID 3468 wrote to memory of 1696 3468 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe 85 PID 1696 wrote to memory of 4452 1696 cmd.exe 89 PID 1696 wrote to memory of 4452 1696 cmd.exe 89 PID 3468 wrote to memory of 1788 3468 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe 91 PID 3468 wrote to memory of 1788 3468 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe 91 PID 1788 wrote to memory of 4440 1788 cmd.exe 94 PID 1788 wrote to memory of 4440 1788 cmd.exe 94 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe"C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4452
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4440
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2820
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5e7264a4c331eac851fa75438919e0531
SHA138f6dc2b0c5e86d38c2a9bd7f5aaf4447be97a61
SHA25607ab218d5c865cb4fe78353340ab923e24a1f2881ec7206520651c5246b1a492
SHA512f8aca867b199f5494dbc6919423788533b4b55f249ac1ab2707c38788212b585eb39234be74d1f2b039d00ee096b5d2036c1066e19e4fa304b048ffb61ca1edb