Analysis Overview
SHA256
8915077b9c04c6f1c86967261d1881088cda637e180d30cb83fc1f8dbe2074b0
Threat Level: Likely malicious
The file 8915077b9c04c6f1c86967261d1881088cda637e180d30cb83fc1f8dbe2074b0.exe was found to be: Likely malicious.
Malicious Activity Summary
Renames multiple (57) files with added filename extension
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Sets desktop wallpaper using registry
Unsigned PE
Enumerates physical storage devices
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-15 06:48
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-15 06:48
Reported
2025-05-15 06:50
Platform
win10v2004-20250502-en
Max time kernel
143s
Max time network
149s
Signatures
Renames multiple (57) files with added filename extension
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8915077b9c04c6f1c86967261d1881088cda637e180d30cb83fc1f8dbe2074b0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@ChangeFhoto_rn@\\ransomware_warning.bmp" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\8915077b9c04c6f1c86967261d1881088cda637e180d30cb83fc1f8dbe2074b0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\8915077b9c04c6f1c86967261d1881088cda637e180d30cb83fc1f8dbe2074b0.exe | "C:\Users\Admin\AppData\Local\Temp\8915077b9c04c6f1c86967261d1881088cda637e180d30cb83fc1f8dbe2074b0.exe" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\installer.vbs" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\executer.ps1" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\temp-executer.vbs" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\@ChangeFhoto_rn@\EzXecutorQ.cmd" " |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Admin\dirEncryption.ps1 |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "installer-temp-DesktopChanger.ps1" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\GamWWW\vbsExecInter.vbs" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\GamWWW\Interface-Installer-powershell.ps1" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -File background_changer_rn.ps1 |
| C:\Windows\system32\timeout.exe | timeout /t 1 /Nobreak |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tjcyo4iz\tjcyo4iz.cmdline" |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9625.tmp" "c:\Users\Admin\AppData\Local\Temp\tjcyo4iz\CSCCEF8525228E241B0A2BDCA53CE3EDF3.TMP" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | gitea.com | udp |
| US | 34.217.253.146:443 | gitea.com | tcp |
| US | 8.8.8.8:53 | gitea.com | udp |
| US | 34.217.253.146:443 | gitea.com | tcp |
| US | 8.8.8.8:53 | www.dropbox.com | udp |
| DE | 162.125.66.18:80 | www.dropbox.com | tcp |
| DE | 162.125.66.18:443 | www.dropbox.com | tcp |
| FR | 104.115.83.35:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.251.37.35:80 | c.pki.goog | tcp |
Files
C:\Users\Admin\installer.vbs
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_il1r5z31.ao3.ps1
C:\Users\Admin\executer.ps1
C:\Users\Admin\dirEncryption.ps1
C:\Users\Admin\temp-executer.vbs
C:\Users\Admin\Desktop\@ChangeFhoto_rn@\EzXecutorQ.cmd
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\GamWWW\vbsExecInter.vbs
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\Desktop\@ChangeFhoto_rn@\installer-temp-DesktopChanger.ps1
C:\Users\Admin\GamWWW\Interface-Installer-powershell.ps1
C:\Users\Admin\Desktop\@ChangeFhoto_rn@\background_changer_rn.ps1
\??\c:\Users\Admin\AppData\Local\Temp\tjcyo4iz\tjcyo4iz.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\tjcyo4iz\tjcyo4iz.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\tjcyo4iz\CSCCEF8525228E241B0A2BDCA53CE3EDF3.TMP
C:\Users\Admin\AppData\Local\Temp\RES9625.tmp
C:\Users\Admin\AppData\Local\Temp\tjcyo4iz\tjcyo4iz.dll
C:\Users\Admin\Desktop\InGlockZ.exe
C:\Users\Admin\Desktop\Show_Encrypted_Files.txt