Malware Analysis Report

2025-06-16 05:32

Sample ID 250507-mg8smshl9t
Target 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe
SHA256 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d
Tags
raworld defense_evasion execution impact ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d

Threat Level: Known bad

The file 0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe was found to be: Known bad.

Malicious Activity Summary

raworld defense_evasion execution impact ransomware

RA World

Raworld family

Renames multiple (154) files with added filename extension

Deletes shadow copies

Checks computer location settings

Enumerates connected drives

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Interacts with shadow copies

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-07 10:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-07 10:27

Reported

2025-05-07 10:29

Platform

win10v2004-20250502-en

Max time kernel

105s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe"

Signatures

RA World

ransomware raworld

Raworld family

raworld

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (154) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Help\Finish.exe C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe

"C:\Users\Admin\AppData\Local\Temp\0e386e1fa6f7a1ef81465dbce1a775b0229ce4ed7497d72483d529088cf5f63d.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

C:\Recovery\WindowsRE\Data breach warning.txt

MD5 e7264a4c331eac851fa75438919e0531
SHA1 38f6dc2b0c5e86d38c2a9bd7f5aaf4447be97a61
SHA256 07ab218d5c865cb4fe78353340ab923e24a1f2881ec7206520651c5246b1a492
SHA512 f8aca867b199f5494dbc6919423788533b4b55f249ac1ab2707c38788212b585eb39234be74d1f2b039d00ee096b5d2036c1066e19e4fa304b048ffb61ca1edb