Malware Analysis Report

2025-06-16 05:32

Sample ID 250507-mgnsgahl6y
Target 0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe
SHA256 0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40
Tags
raworld defense_evasion execution impact ransomware
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V16
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40

Threat Level: Known bad

The file 0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe was found to be: Known bad.

Malicious Activity Summary

raworld defense_evasion execution impact ransomware

Raworld family

RA World

Deletes shadow copies

Renames multiple (180) files with added filename extension

Checks computer location settings

Enumerates connected drives

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Interacts with shadow copies

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-07 10:26

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-07 10:26

Reported

2025-05-07 10:29

Platform

win10v2004-20250502-en

Max time kernel

106s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe"

Signatures

RA World

ransomware raworld

Raworld family

raworld

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (180) files with added filename extension

ransomware

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Help\Finish.exe | C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe | N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe

"C:\Users\Admin\AppData\Local\Temp\0f423c7722c550d26cdb474b537144f4c6ed0bbb75eee0fa33cc667113b6aa40.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
DE | 142.250.184.195:80 | c.pki.goog | tcp

Files

C:\Recovery\Data breach warning.txt

MD5 e7264a4c331eac851fa75438919e0531
SHA1 38f6dc2b0c5e86d38c2a9bd7f5aaf4447be97a61
SHA256 07ab218d5c865cb4fe78353340ab923e24a1f2881ec7206520651c5246b1a492
SHA512 f8aca867b199f5494dbc6919423788533b4b55f249ac1ab2707c38788212b585eb39234be74d1f2b039d00ee096b5d2036c1066e19e4fa304b048ffb61ca1edb