Analysis

max time kernel: 106s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2025, 06:48

Static task: static1
Behavioral task: behavioral1
Sample: b032160f9e2615100cb77791fa40d48f6b721f50bda0ed428053e1af12d2a922.exe
Resource: win10v2004-20250502-en
General

Target: b032160f9e2615100cb77791fa40d48f6b721f50bda0ed428053e1af12d2a922.exe
Size: 2.8MB
MD5: 043a3c3daf625d92c773925b696eb976
SHA1: 1f819290581f8e18f8ff6f35c7d4cdce153fde70
SHA256: b032160f9e2615100cb77791fa40d48f6b721f50bda0ed428053e1af12d2a922
SHA512: 748c4c970be98f797bb64b36a4b0818d99f1cb122d070196b19ce0a9b72d88a0a1980e1598b40af07c52e7602637529314b57c858651eb0242f9b1a525d39623
SSDEEP: 49152:TR88n9Y6ze5IR6erZfPzdLAV+a/N5cNfhlHd0M9NcfrF:Tz/R6erBzdLA3/N5cZhlHd0M9NcfrF
Malware Config
Signatures

Blocklisted process makes network request (4 IoCs)
  flow  pid   Process
  3     4448  powershell.exe
  25    5084  powershell.exe
  37    672   powershell.exe
  40    672   powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 5 IoCs)
Run Powershell and hide display window.
  pid   Process
  4448  powershell.exe
  2180  powershell.exe
  5084  powershell.exe
  672   powershell.exe
  1620  powershell.exe

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                Process
  Key value queried  \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation  b032160f9e2615100cb77791fa40d48f6b721f50bda0ed428053e1af12d2a922.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation  WScript.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                 Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@ChangeFhoto_rn@\\ransomware_warning.bmp"  powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoCs)
  pid   Process
  2744  timeout.exe

Modifies registry class (1 IoCs)
  description  ioc                                                                                  Process
  Key created  \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings  b032160f9e2615100cb77791fa40d48f6b721f50bda0ed428053e1af12d2a922.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   Process
  4448  powershell.exe
  4448  powershell.exe
  5084  powershell.exe
  2180  powershell.exe
  5084  powershell.exe
  2180  powershell.exe
  672   powershell.exe
  672   powershell.exe
  5084  powershell.exe
  5084  powershell.exe
  1620  powershell.exe
  1620  powershell.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4448  powershell.exe
  Token: SeDebugPrivilege  5084  powershell.exe
  Token: SeDebugPrivilege  2180  powershell.exe
  Token: SeDebugPrivilege  672   powershell.exe
  Token: SeDebugPrivilege  1620  powershell.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  description                      pid   Process                                                                  procid_target
  PID 1492 wrote to memory of 840   1492  b032160f9e2615100cb77791fa40d48f6b721f50bda0ed428053e1af12d2a922.exe  86
  PID 1492 wrote to memory of 840   1492  b032160f9e2615100cb77791fa40d48f6b721f50bda0ed428053e1af12d2a922.exe  86
  PID 840 wrote to memory of 4448   840   WScript.exe                                                              88
  PID 840 wrote to memory of 4448   840   WScript.exe                                                              88
  PID 1492 wrote to memory of 2292  1492  b032160f9e2615100cb77791fa40d48f6b721f50bda0ed428053e1af12d2a922.exe  94
  PID 1492 wrote to memory of 2292  1492  b032160f9e2615100cb77791fa40d48f6b721f50bda0ed428053e1af12d2a922.exe  94
  PID 1492 wrote to memory of 4592  1492  b032160f9e2615100cb77791fa40d48f6b721f50bda0ed428053e1af12d2a922.exe  95
  PID 1492 wrote to memory of 4592  1492  b032160f9e2615100cb77791fa40d48f6b721f50bda0ed428053e1af12d2a922.exe  95
  PID 2292 wrote to memory of 2180  2292  WScript.exe                                                              97
  PID 2292 wrote to memory of 2180  2292  WScript.exe                                                              97
  PID 4592 wrote to memory of 5084  4592  cmd.exe                                                                  99
  PID 4592 wrote to memory of 5084  4592  cmd.exe                                                                  99
  PID 1492 wrote to memory of 4640  1492  b032160f9e2615100cb77791fa40d48f6b721f50bda0ed428053e1af12d2a922.exe  100
  PID 1492 wrote to memory of 4640  1492  b032160f9e2615100cb77791fa40d48f6b721f50bda0ed428053e1af12d2a922.exe  100
  PID 4640 wrote to memory of 672   4640  WScript.exe                                                              101
  PID 4640 wrote to memory of 672   4640  WScript.exe                                                              101
  PID 5084 wrote to memory of 1620  5084  powershell.exe                                                           104
  PID 5084 wrote to memory of 1620  5084  powershell.exe                                                           104
  PID 4592 wrote to memory of 2744  4592  cmd.exe                                                                  105
  PID 4592 wrote to memory of 2744  4592  cmd.exe                                                                  105
  PID 1620 wrote to memory of 3492  1620  powershell.exe                                                           106
  PID 1620 wrote to memory of 3492  1620  powershell.exe                                                           106
  PID 3492 wrote to memory of 1992  3492  csc.exe                                                                  107
  PID 3492 wrote to memory of 1992  3492  csc.exe                                                                  107
Processes

Process tree (indentation shows parent/child depth; "level" is the depth reported by the sandbox):

C:\Users\Admin\AppData\Local\Temp\b032160f9e2615100cb77791fa40d48f6b721f50bda0ed428053e1af12d2a922.exe  (level 1, PID 1492)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b032160f9e2615100cb77791fa40d48f6b721f50bda0ed428053e1af12d2a922.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WScript.exe  (level 2, PID 840)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\installer.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 3, PID 4448)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\executer.ps1"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WScript.exe  (level 2, PID 2292)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\temp-executer.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 3, PID 2180)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Admin\dirEncryption.ps1
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe  (level 2, PID 4592)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\@ChangeFhoto_rn@\EzXecutorQ.cmd" "
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 3, PID 5084)
      Command line: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "installer-temp-DesktopChanger.ps1"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 4, PID 1620)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -File background_changer_rn.ps1
        - Command and Scripting Interpreter: PowerShell
        - Sets desktop wallpaper using registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (level 5, PID 3492)
          Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dz2nx3g5\dz2nx3g5.cmdline"
          - Suspicious use of WriteProcessMemory

          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  (level 6, PID 1992)
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBED.tmp" "c:\Users\Admin\AppData\Local\Temp\dz2nx3g5\CSCBD4E58C693DA454A80C769C9B2A38119.TMP"

    C:\Windows\system32\timeout.exe  (level 3, PID 2744)
      Command line: timeout /t 1 /Nobreak
      - Delays execution with timeout.exe

  C:\Windows\System32\WScript.exe  (level 2, PID 4640)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\GamWWW\vbsExecInter.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 3, PID 672)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\GamWWW\Interface-Installer-powershell.ps1"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v16
Downloads
Filesize: 3KB
MD5: 556084f2c6d459c116a69d6fedcc4105
SHA1: 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256: 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512: 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Filesize: 1KB
MD5: e633afeab2aed0638782e0ab1744c697
SHA1: c2405aaf049fd6b69178ce1523ff15dd0e1690d9
SHA256: c3db1330edba15d1d88fbfe893d3779387b984be31a334bd687310fba23e0cea
SHA512: 25626b86dc07bb37505155f90cc4441951bf7acaba8ddda18b280620ea12b47a1bb95f8c3a82c3a2507274ed96063e73054435cf5e6e726bb532dddc0a811c8c

Filesize: 1KB
MD5: 7377600c4be284ac63835ae91dc5a985
SHA1: 80fd387c48ab4ae1509da92bcc30fae2304c3bc5
SHA256: 9d3687ba96e4cb1bf01b13760c4f563ac6366e16282717328165091a2e2431a5
SHA512: 98b374ae08b77465ccc232a0921c1df9ab48061d92780acbe4107297e91ecf4e6bb8578b766a10c0551e81403ae657643f3111b3275879d29c69e8b46b04a982

Filesize: 1KB
MD5: 0697a3ca38eda2fa41d80c205e82bf3b
SHA1: 0d34707e8502e41d74a3669c16558b786de65e48
SHA256: 324190bc220acdf5d7fdac9c76c893884e4a01d2e78ec31d718b975630da4be2
SHA512: 91c4223ea7b6377293e48d39312052e894490a2f966873029ba3e59caa6ae1d3c732750af1caac7b326fded140d98937490885ab9c441ee747656a51afbe3937

Filesize: 1KB
MD5: 6ad73df38c7cca17a055ded5eef3f2c7
SHA1: 204fc1157b303172e1549ffcfd7eb3284ea9b95e
SHA256: 654ccd28f8b345e26bbbca9b26518047616bbb75643a678c0d468ba8fc77c67f
SHA512: 83c33e653b54d1c885f4408c57cf02bd3d11fc4ace0feff0271c2efc4379ff43a176e8e8fdbd9e6e6b95feca8e68e1e07de5ff62b95d8508f582b8d99f651beb

Filesize: 1KB
MD5: 6abcc097e2d6dc779c0ebce436f22d78
SHA1: 304b1d22aa5228e2019dce28a9ed08e70873f012
SHA256: 5d1780ed092951c462919b27602e52445d7a3c109eb9f5b7ef0ad6397703f3b0
SHA512: b8cd3c72fad78581c16869c2f6f182b651ae036ce5ea2fcc7f6a7e5f50d546837329b973cbde69ec9dcea608c974bba00622d93701e415460637d6683078f366

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 3KB
MD5: bc3895141d33623f6020c91bf722a7e9
SHA1: d08c0c7b6b904887720cc14161f4139c300793d1
SHA256: a0b942c67feea42a2b1f8732ad1caca64e26f916287614da66e82a243747e76b
SHA512: 9d34c9f6da49873583227249d162b3436fd237ca5051ba2d0c4d65904c327c51318ebb027ef218840e938012bfc4a7a8153f888f229b8aa4c6bce46278b9b86f

Filesize: 179B
MD5: 9b208162db392380fe9b09a6e8db8634
SHA1: 82f3aeb70547ec85446cda4b9105121a70d5edab
SHA256: e7379e5d62ac2a0b6799f592ee3f1de8b471385c8ba0f1519c2bd40bc1c4dfdb
SHA512: b8cf166452f3d23be7bf294e166b3ab0e6b225afaff6bafc0b253c2bfa7b44801b18690dde137ab38db900c59bb29bb1a0b9d6a3d3453717e7a847d34f64261a

Filesize: 4KB
MD5: cf1d91dfc343b775368092e235667dbc
SHA1: 789ce2d3449f3a99505b9e20be0ec00c7ed49864
SHA256: fe7e01f7be4ee2d4e0ed7dd9a543fd8fd08f263a4d7aebc74e48d1bada6180f4
SHA512: ea3af34c9c3c8f36b93b6b4f53bdb607c4b2075d480e2f1eb0ef4c37671891c5f2b2e7b7bd08c6738b51fb7b1bf111324a6f99b3720f912869e224990ee61344

Filesize: 359B
MD5: ca31a268228d61c22e45b990933fc39d
SHA1: ba0368d8fa3e364ee8b21fe424ca5b5eab2cbe16
SHA256: b05a6f47f989fa5bbfc84cdb38d91f0c73283b993378a090d8ccdfdd5d667cc4
SHA512: 820646133f1f36aa19451e6c93b0367334e5180691531ceac62f456a15b7a9d50d5fd8f5e51943afdc45c3324213007dfb2b0d8caa5eef7983b09edea52fd321

Filesize: 157KB
MD5: b441413fe282962a0ff3f51133ec7245
SHA1: 4af939289a45f2f8d34d1b86dd64a392dba50ccf
SHA256: 4765823ca2efaae5b50fc711e8cb494f52dcaa88f796e751a3dff4711b5ae193
SHA512: 005658e42a1511168918f021e2c07e054bc9afff427c9694532c8191035dc9d24c4f853084a25975413a78dd2f135451acc14c20209074589883e2b7be5ee109

Filesize: 4KB
MD5: c76e6c4aec3a021e3b94493bb9830096
SHA1: 58d497d2f5c0fa64ba978aefc73d556ce4466cb5
SHA256: bae4855ecf00c1102acfad1999a5c3e3c33b1edf9aacd436843c2036143124b6
SHA512: 4ee4462bad79e9db90eb2a6b41f3bc8a099b403e0b265a23cb50f34bcabbd0c94a87af18866b75776e24883a06c26d488e14399f69cf13a8714efba31955eef2

Filesize: 504B
MD5: 3854d2178f5bdf103f70c29d75218540
SHA1: d13eddfbc274b502d72b6bc72f33853e2971c874
SHA256: 66fd3f7df3ffc77415bad417b9b253aaee8d166fe481653aa5b12b4cf259ded2
SHA512: dbcde328ffbe92e41d6103326048d34549278a0f9b9f67d3ee0f26fd881a8e680d8e9cd5dcdd3fe1763bec965e295d77364a1274672b6a67cf57146c785155a6

Filesize: 437B
MD5: 94cbaa5abe405e1c5625e083d4204dc5
SHA1: 35abe4b4bf1ed0d4a3e0165a5c8e70758b47dd52
SHA256: f5c3e23e03afa55ad48ad717806272a021790755b7f4806e307f471b957a05cf
SHA512: 5bf82574ec0b435086ed16f8e12101605b6831fb71473ebea572e70e68b5f5ced5bc8d2095606309c6fb010346322e7d573a35130423807942f55c6d7abf16e4

Filesize: 5KB
MD5: 073808dcdfb549cb413de3c44e7e9a51
SHA1: 11ee5de475de13614ebbcad77834f06d6f8b4ae8
SHA256: 8f09e857827b8c59feb50925292f3fb4128588fa9db5f85b2885cbf05ea02458
SHA512: 0d4660f7a5c3e1be85e64b25ead47f46fac4b07e32bfd132070ff1583c6af3e5748348dc7fc497beccbd2fc318a0a17657a612be99b5792d8e286c2667c4cf9a

Filesize: 277B
MD5: 83756272904dd4186eea7117811d48ee
SHA1: 6e963aef8c0448a90c21157c94087b1e2747a014
SHA256: 5ba444bd893a971d842a4c4041e94172f66d5acb3986dee58e1e33ffbfd9e07c
SHA512: b99d15add348bc5db6ae26412562cd9e05fa73c1ec215fbaefce6028d1c9b0a63669f4d5d57f36327ca0c71916e86840183eceec751d2df0e28b83c896cc4e0c

Filesize: 309B
MD5: 0e5a9fd5854d73cdd7e02f8032d56237
SHA1: 5d4a57abf2d6d576333ead6f4cd3e8f778dc4828
SHA256: 5ffc80078b84601d6d5243ecd0f1c891207af10bc950313582cf1226f8ebb1fd
SHA512: bbe77ebf4a1ce324e47b36da96cbbba42884bc5a2e36be545c9ec292e3bc58aab62903263c21e4ebb7c98c9215b03b5c2643cd8fc773b3d7d74d0e5de0466a74

Filesize: 245B
MD5: bdec31aa4041c490e3c28d9ca20ee0cc
SHA1: a556bde276196a5a87d569b6cb215a88e5df4baf
SHA256: 84cbb472b3ebf316d00dab06391aaa5bb26cd7b4ff005ccaac4b3992c94384fe
SHA512: 257487ecca4683af97a8f013444dcf87f1086a48d42bf7fcdefcf4eaa14e856e733f0337d2b768e86c34d04e0ba6ebcb336a69bd04d9642c7b89ddf8c67cb8df

Filesize: 652B
MD5: 8ec775c2540c171285b7772421444556
SHA1: 4129f0eda88fdf59f2363d34459664bbe587627a
SHA256: e3b253fddc89919bbe678dbfc0503df0b67bc7ec6e602a4e15b9ab2d029e7960
SHA512: 2a0437807f75a197d5675abfcf1a532674a31ec245bc9054315e5def0fa0326d204600bbaa8c4ea2b1747d5c91ebdeafcd11b27d5d307f25e51beb0edebf9649

Filesize: 266B
MD5: 3d671b8bd74d498a4ebbef58b43f8e49
SHA1: 5c9875d02606d9ca03c6efda37c04ba57496df1b
SHA256: eb7f0b1b17f9d8a8d128156bb478f8256cd9603d2dfada4bcdc8aa466c94eb76
SHA512: 6ae5f147da69f6ec88cbc614311f2cbfb982e40f43d5b8d8107bc28ea938a9fabee4358b23dd67a9f6a4468093eddfbde18d6e6e9a2a41a26b4faa6a01af5dbb

Filesize: 369B
MD5: d6db258127000731c51739e5f32f0603
SHA1: d6b1f95c0fe0b9ced2a82faa8198f3bc9b1612aa
SHA256: caa395cd230069f9ef502f69a41b37052588dab02d985173b054f1d3c6e5cff5
SHA512: 47e9c6ea72bd01981456c6d6d1f8620e49496de12ba2e6ccb985916872fce4ad9780c3a868f62c112e734cfd0ba52fe1bc41bfbcf1c70e5bc83eff6bf36e8e14