Analysis

max time kernel: 143s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2025, 06:48

Static task: static1
Behavioral task: behavioral1
Sample: 8915077b9c04c6f1c86967261d1881088cda637e180d30cb83fc1f8dbe2074b0.exe
Resource: win10v2004-20250502-en

General

Target: 8915077b9c04c6f1c86967261d1881088cda637e180d30cb83fc1f8dbe2074b0.exe
Size: 2.8MB
MD5: b0bcf169213c4c887864704dad5d0212
SHA1: 1cf69f039900b7bff295ec7f2150102503b7e0ea
SHA256: 8915077b9c04c6f1c86967261d1881088cda637e180d30cb83fc1f8dbe2074b0
SHA512: 17cabea5488ac4ee70466b50564abd4eaa5d7a58a6dee912ba15fae12b49e35dd5f515e0388aaab204bf69cdf77e32c852892780bd05a961bd9986b10b22aa31
SSDEEP: 49152:BR88n9Y6ze5IR6erZfPzdLAV+a/N5cNfhlHd0M9NcfrF:Bz/R6erBzdLA3/N5cZhlHd0M9NcfrF
Malware Config

Signatures

Renames multiple (57) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Blocklisted process makes network request (4 IoCs)

    flow  pid   Process
    9     1760  powershell.exe
    16    4148  powershell.exe
    19    1400  powershell.exe
    20    1400  powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 5 IoCs)
Run PowerShell and hide display window.

    pid   Process
    1400  powershell.exe
    1996  powershell.exe
    1760  powershell.exe
    1240  powershell.exe
    4148  powershell.exe

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.

    description        ioc                                                                                                  Process
    Key value queried  \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\International\Geo\Nation  8915077b9c04c6f1c86967261d1881088cda637e180d30cb83fc1f8dbe2074b0.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\International\Geo\Nation  WScript.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\International\Geo\Nation  WScript.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\International\Geo\Nation  WScript.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)

    description      ioc                                                                                                                                                                        Process
    Set value (str)  \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@ChangeFhoto_rn@\\ransomware_warning.bmp"  powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoCs)

    pid   Process
    5012  timeout.exe

Modifies registry class (1 IoCs)

    description  ioc                                                                                      Process
    Key created  \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings  8915077b9c04c6f1c86967261d1881088cda637e180d30cb83fc1f8dbe2074b0.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)

    pid   Process
    1760  powershell.exe
    1760  powershell.exe
    4148  powershell.exe
    1240  powershell.exe
    1240  powershell.exe
    4148  powershell.exe
    1400  powershell.exe
    1400  powershell.exe
    4148  powershell.exe
    4148  powershell.exe
    1996  powershell.exe
    1996  powershell.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)

    description              pid   Process
    Token: SeDebugPrivilege  1760  powershell.exe
    Token: SeDebugPrivilege  4148  powershell.exe
    Token: SeDebugPrivilege  1240  powershell.exe
    Token: SeDebugPrivilege  1400  powershell.exe
    Token: SeDebugPrivilege  1996  powershell.exe

Suspicious use of WriteProcessMemory (24 IoCs)

    description                         pid   Process                                                               procid_target
    PID 2896 wrote to memory of 32      2896  8915077b9c04c6f1c86967261d1881088cda637e180d30cb83fc1f8dbe2074b0.exe  86
    PID 2896 wrote to memory of 32      2896  8915077b9c04c6f1c86967261d1881088cda637e180d30cb83fc1f8dbe2074b0.exe  86
    PID 32 wrote to memory of 1760      32    WScript.exe                                                           87
    PID 32 wrote to memory of 1760      32    WScript.exe                                                           87
    PID 2896 wrote to memory of 5104    2896  8915077b9c04c6f1c86967261d1881088cda637e180d30cb83fc1f8dbe2074b0.exe  92
    PID 2896 wrote to memory of 5104    2896  8915077b9c04c6f1c86967261d1881088cda637e180d30cb83fc1f8dbe2074b0.exe  92
    PID 2896 wrote to memory of 4884    2896  8915077b9c04c6f1c86967261d1881088cda637e180d30cb83fc1f8dbe2074b0.exe  93
    PID 2896 wrote to memory of 4884    2896  8915077b9c04c6f1c86967261d1881088cda637e180d30cb83fc1f8dbe2074b0.exe  93
    PID 5104 wrote to memory of 1240    5104  WScript.exe                                                           95
    PID 5104 wrote to memory of 1240    5104  WScript.exe                                                           95
    PID 4884 wrote to memory of 4148    4884  cmd.exe                                                               96
    PID 4884 wrote to memory of 4148    4884  cmd.exe                                                               96
    PID 2896 wrote to memory of 396     2896  8915077b9c04c6f1c86967261d1881088cda637e180d30cb83fc1f8dbe2074b0.exe  98
    PID 2896 wrote to memory of 396     2896  8915077b9c04c6f1c86967261d1881088cda637e180d30cb83fc1f8dbe2074b0.exe  98
    PID 396 wrote to memory of 1400     396   WScript.exe                                                           99
    PID 396 wrote to memory of 1400     396   WScript.exe                                                           99
    PID 4148 wrote to memory of 1996    4148  powershell.exe                                                        102
    PID 4148 wrote to memory of 1996    4148  powershell.exe                                                        102
    PID 4884 wrote to memory of 5012    4884  cmd.exe                                                               103
    PID 4884 wrote to memory of 5012    4884  cmd.exe                                                               103
    PID 1996 wrote to memory of 2620    1996  powershell.exe                                                        104
    PID 1996 wrote to memory of 2620    1996  powershell.exe                                                        104
    PID 2620 wrote to memory of 3332    2620  csc.exe                                                               105
    PID 2620 wrote to memory of 3332    2620  csc.exe                                                               105
Processes

Process tree (indentation shows parent/child relationship; depth 1 is the submitted sample).

- C:\Users\Admin\AppData\Local\Temp\8915077b9c04c6f1c86967261d1881088cda637e180d30cb83fc1f8dbe2074b0.exe (PID 2896, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8915077b9c04c6f1c86967261d1881088cda637e180d30cb83fc1f8dbe2074b0.exe"
  Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory

    - C:\Windows\System32\WScript.exe (PID 32, depth 2)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\installer.vbs"
      Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1760, depth 3)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\executer.ps1"
          Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    - C:\Windows\System32\WScript.exe (PID 5104, depth 2)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\temp-executer.vbs"
      Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1240, depth 3)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Admin\dirEncryption.ps1
          Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    - C:\Windows\system32\cmd.exe (PID 4884, depth 2)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\@ChangeFhoto_rn@\EzXecutorQ.cmd" "
      Signatures: Suspicious use of WriteProcessMemory

        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4148, depth 3)
          Command line: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "installer-temp-DesktopChanger.ps1"
          Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

            - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1996, depth 4)
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -File background_changer_rn.ps1
              Signatures: Command and Scripting Interpreter: PowerShell; Sets desktop wallpaper using registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

                - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 2620, depth 5)
                  Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tjcyo4iz\tjcyo4iz.cmdline"
                  Signatures: Suspicious use of WriteProcessMemory

                    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 3332, depth 6)
                      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9625.tmp" "c:\Users\Admin\AppData\Local\Temp\tjcyo4iz\CSCCEF8525228E241B0A2BDCA53CE3EDF3.TMP"

        - C:\Windows\system32\timeout.exe (PID 5012, depth 3)
          Command line: timeout /t 1 /Nobreak
          Signatures: Delays execution with timeout.exe

    - C:\Windows\System32\WScript.exe (PID 396, depth 2)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\GamWWW\vbsExecInter.vbs"
      Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1400, depth 3)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\GamWWW\Interface-Installer-powershell.ps1"
          Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v16
Downloads