Analysis Overview
SHA256
b032160f9e2615100cb77791fa40d48f6b721f50bda0ed428053e1af12d2a922
Threat Level: Likely malicious
The file b032160f9e2615100cb77791fa40d48f6b721f50bda0ed428053e1af12d2a922.exe was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Sets desktop wallpaper using registry
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-15 06:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-15 06:48
Reported
2025-05-15 06:51
Platform
win10v2004-20250502-en
Max time kernel
106s
Max time network
149s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b032160f9e2615100cb77791fa40d48f6b721f50bda0ed428053e1af12d2a922.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@ChangeFhoto_rn@\\ransomware_warning.bmp" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\b032160f9e2615100cb77791fa40d48f6b721f50bda0ed428053e1af12d2a922.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b032160f9e2615100cb77791fa40d48f6b721f50bda0ed428053e1af12d2a922.exe
"C:\Users\Admin\AppData\Local\Temp\b032160f9e2615100cb77791fa40d48f6b721f50bda0ed428053e1af12d2a922.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\installer.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\executer.ps1"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\temp-executer.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\@ChangeFhoto_rn@\EzXecutorQ.cmd" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Admin\dirEncryption.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "installer-temp-DesktopChanger.ps1"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\GamWWW\vbsExecInter.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\GamWWW\Interface-Installer-powershell.ps1"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -File background_changer_rn.ps1
C:\Windows\system32\timeout.exe
timeout /t 1 /Nobreak
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dz2nx3g5\dz2nx3g5.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBED.tmp" "c:\Users\Admin\AppData\Local\Temp\dz2nx3g5\CSCBD4E58C693DA454A80C769C9B2A38119.TMP"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | gitea.com | udp |
| US | 34.217.253.146:443 | gitea.com | tcp |
| US | 34.217.253.146:443 | gitea.com | tcp |
| US | 8.8.8.8:53 | www.dropbox.com | udp |
| FR | 104.115.83.97:443 | www.bing.com | tcp |
| DE | 162.125.66.18:80 | www.dropbox.com | tcp |
| DE | 162.125.66.18:443 | www.dropbox.com | tcp |
| DE | 142.250.185.131:80 | c.pki.goog | tcp |
Files
C:\Users\Admin\installer.vbs
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2fw4fqex.t2j.ps1
C:\Users\Admin\executer.ps1
C:\Users\Admin\dirEncryption.ps1
C:\Users\Admin\temp-executer.vbs
C:\Users\Admin\Desktop\@ChangeFhoto_rn@\EzXecutorQ.cmd
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\GamWWW\vbsExecInter.vbs
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\Desktop\@ChangeFhoto_rn@\installer-temp-DesktopChanger.ps1
C:\Users\Admin\GamWWW\Interface-Installer-powershell.ps1
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\Desktop\@ChangeFhoto_rn@\background_changer_rn.ps1
\??\c:\Users\Admin\AppData\Local\Temp\dz2nx3g5\dz2nx3g5.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\dz2nx3g5\dz2nx3g5.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\dz2nx3g5\CSCBD4E58C693DA454A80C769C9B2A38119.TMP
C:\Users\Admin\AppData\Local\Temp\RESBBED.tmp
C:\Users\Admin\AppData\Local\Temp\dz2nx3g5\dz2nx3g5.dll
C:\Users\Admin\Desktop\Show_Encrypted_Files.txt
C:\Users\Admin\Desktop\InGlockZ.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive