Analysis
max time kernel: 303s
max time network: 339s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-09-2022 14:13
Behavioral tasks (task: sample, resource)
- behavioral1: TrashMalwares-main/AcidRain.exe (win10v2004-20220812-en)
- behavioral2: TrashMalwares-main/Antivirus_Installer.exe (win10v2004-20220901-en)
- behavioral3: TrashMalwares-main/Dro trojan. Virus prank.exe (win10v2004-20220812-en)
- behavioral4: TrashMalwares-main/FaZoN.bat (win10v2004-20220901-en)
- behavioral5: TrashMalwares-main/Fizz.exe (win10v2004-20220812-en)
- behavioral6: TrashMalwares-main/Ginxide.exe (win10v2004-20220812-en)
- behavioral7: TrashMalwares-main/Install Windows20.exe (win10v2004-20220812-en)
- behavioral8: TrashMalwares-main/MS-RickRoll.exe (win10v2004-20220901-en)
- behavioral9: TrashMalwares-main/MercuryXhoffle.exe (win10v2004-20220812-en)
- behavioral10: TrashMalwares-main/NetPakoe.bat (win10v2004-20220812-en)
- behavioral11: TrashMalwares-main/NetPakoe3.0.exe (win10v2004-20220812-en)
- behavioral12: TrashMalwares-main/NoEscape8.0.exe (win10v2004-20220901-en)
- behavioral13: TrashMalwares-main/PC shaking v4.0.exe (win10v2004-20220812-en)
- behavioral14: TrashMalwares-main/Phsyletric.exe (win10v2004-20220812-en)
- behavioral15: TrashMalwares-main/RealBSOD.exe (win10v2004-20220812-en)
- behavioral16: TrashMalwares-main/Sankylium.exe (win10v2004-20220812-en)
- behavioral17: TrashMalwares-main/SuperWacker.exe (win10v2004-20220901-en)
- behavioral18: TrashMalwares-main/TEMZ.exe (win10v2004-20220812-en)
- behavioral19: TrashMalwares-main/ach.exe (win10v2004-20220901-en)
- behavioral20: TrashMalwares-main/even0.5.exe (win10v2004-20220812-en)
- behavioral21: TrashMalwares-main/lol.exe (win10v2004-20220812-en)
- behavioral22: TrashMalwares-main/mhm.exe (win10v2004-20220812-en)
- behavioral23: TrashMalwares-main/winnit6.6.6 V10.exe (win10v2004-20220901-en)
- behavioral24: TrashMalwares-main/winnit6.6.6_V6.exe (win10v2004-20220812-en)
- behavioral25: TrashMalwares-main/x.exe (win10v2004-20220812-en)
General
Target: TrashMalwares-main/NetPakoe3.0.exe
Size: 188KB
MD5: 912c74cb1e5e132515956f5c8470114a
SHA1: 71556617096cdb4b70b220568f1d3697362c14a5
SHA256: 6376111c1c39414187abeae4c6a75ae58351b2202802afc9bde2be5ceae0f400
SHA512: c4a0a299d085a33e567ebcc6586c911a130425c805d71175362c09c46eb0739a040c787fa1d3f9e9f06aad14bac686adc10d1bae75602e96f1c7238f3d4e73d6
SSDEEP: 3072:YhM2idhON/D8259BH1DzJ5PzVNtGgc+F9TBfV0gwzH:Yh3idhONY259BH1DzJ5PzVNtGgc+F9TA
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | NetPakoe3.0.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Program = "C:\\TEMP\\NetPakoe3.0.exe /autorun" | wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  Token: 33 | 4704 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 4704 | AUDIODG.EXE
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description | pid | process | target process):
  PID 5004 wrote to memory of 2320 | 5004 | NetPakoe3.0.exe | wscript.exe
  PID 5004 wrote to memory of 2320 | 5004 | NetPakoe3.0.exe | wscript.exe
  PID 2320 wrote to memory of 4528 | 2320 | wscript.exe | cmd.exe
  PID 2320 wrote to memory of 4528 | 2320 | wscript.exe | cmd.exe
  PID 2320 wrote to memory of 3172 | 2320 | wscript.exe | cmd.exe
  PID 2320 wrote to memory of 3172 | 2320 | wscript.exe | cmd.exe
  PID 2320 wrote to memory of 3500 | 2320 | wscript.exe | cmd.exe
  PID 2320 wrote to memory of 3500 | 2320 | wscript.exe | cmd.exe
  PID 2320 wrote to memory of 3772 | 2320 | wscript.exe | cmd.exe
  PID 2320 wrote to memory of 3772 | 2320 | wscript.exe | cmd.exe
  PID 2320 wrote to memory of 3120 | 2320 | wscript.exe | cmd.exe
  PID 2320 wrote to memory of 3120 | 2320 | wscript.exe | cmd.exe
  PID 2320 wrote to memory of 4308 | 2320 | wscript.exe | cmd.exe
  PID 2320 wrote to memory of 4308 | 2320 | wscript.exe | cmd.exe
  PID 2320 wrote to memory of 2136 | 2320 | wscript.exe | cmd.exe
  PID 2320 wrote to memory of 2136 | 2320 | wscript.exe | cmd.exe
  PID 2320 wrote to memory of 3576 | 2320 | wscript.exe | cmd.exe
  PID 2320 wrote to memory of 3576 | 2320 | wscript.exe | cmd.exe
  PID 2320 wrote to memory of 4224 | 2320 | wscript.exe | cmd.exe
  PID 2320 wrote to memory of 4224 | 2320 | wscript.exe | cmd.exe
Processes (process tree; nested entries are child processes)
- C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NetPakoe3.0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NetPakoe3.0.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wscript.exe
    Command line: "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\A1ED.tmp\A1FE.tmp\A1FF.vbs //Nologo
    Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - "C:\Windows\System32\cmd.exe"
    - "C:\Windows\System32\cmd.exe"
    - "C:\Windows\System32\cmd.exe"
    - "C:\Windows\System32\cmd.exe"
    - "C:\Windows\System32\cmd.exe"
    - "C:\Windows\System32\cmd.exe"
    - "C:\Windows\System32\cmd.exe"
    - "C:\Windows\System32\cmd.exe"
    - "C:\Windows\System32\cmd.exe"
    - "C:\Windows\System32\cmd.exe"
    - "C:\Windows\System32\notepad.exe"
    - "C:\Windows\System32\notepad.exe"
    - "C:\Windows\System32\notepad.exe"
    - "C:\Windows\System32\notepad.exe"
    - "C:\Windows\System32\notepad.exe"
    - "C:\Windows\System32\calc.exe"
    - "C:\Windows\System32\calc.exe"
    - "C:\Windows\System32\calc.exe"
    - "C:\Windows\System32\calc.exe"
    - "C:\Windows\System32\calc.exe"
    - "C:\Windows\System32\calc.exe"
    - "C:\Windows\System32\calc.exe"
    - "C:\Windows\explorer.exe"
    - "C:\Windows\System32\cmd.exe"
    - "C:\Windows\System32\calc.exe"
    - "C:\Windows\System32\notepad.exe"
    - "C:\Windows\explorer.exe"
    - "C:\Windows\System32\cmd.exe"
    - "C:\Windows\System32\calc.exe"
    - "C:\Windows\System32\notepad.exe"
    - "C:\Windows\explorer.exe"
    - "C:\Windows\System32\cmd.exe"
    - "C:\Windows\System32\calc.exe"
    - "C:\Windows\System32\notepad.exe"
    - "C:\Windows\explorer.exe"
    - "C:\Windows\System32\cmd.exe"
    - "C:\Windows\System32\calc.exe"
    - "C:\Windows\System32\notepad.exe"
    - "C:\Windows\explorer.exe"
    - "C:\Windows\System32\cmd.exe"
    - "C:\Windows\System32\calc.exe"
    - "C:\Windows\System32\notepad.exe"
    - "C:\Windows\explorer.exe"
    - "C:\Windows\System32\cmd.exe"
    - "C:\Windows\System32\calc.exe"
    - "C:\Windows\System32\notepad.exe"
    - "C:\Windows\explorer.exe"
    - "C:\Windows\System32\cmd.exe"
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x150 0x454
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\system32\OpenWith.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\A1ED.tmp\A1FE.tmp\A1FF.vbs
  Filesize: 11KB
  MD5: 36072dc09cf0a99e3936b50bacd9a3e5
  SHA1: 731ede51ad7869ae0b01248267b0354a5fe52cba
  SHA256: a8dd0c012506f5ec41f90909e88de316ce3cbdb294db2b925c832af104e8b94f
  SHA512: c4d9858e67295ef124218e2493e9990427df16bc722df621ffebbcc4229e270f42fbccd9a2376448c19319ab18c1982f6d9a7371a77c148d434a64b8fe0a874d
Memory dumps:
- memory/316-149-0x0000000000000000-mapping.dmp
- memory/392-146-0x0000000000000000-mapping.dmp
- memory/656-177-0x0000000000000000-mapping.dmp
- memory/1260-150-0x0000000000000000-mapping.dmp
- memory/1408-165-0x0000000000000000-mapping.dmp
- memory/1528-158-0x0000000000000000-mapping.dmp
- memory/1708-159-0x0000000000000000-mapping.dmp
- memory/1828-176-0x0000000000000000-mapping.dmp
- memory/2136-140-0x0000000000000000-mapping.dmp
- memory/2192-143-0x0000000000000000-mapping.dmp
- memory/2264-180-0x0000000000000000-mapping.dmp
- memory/2320-132-0x0000000000000000-mapping.dmp
- memory/2416-170-0x0000000000000000-mapping.dmp
- memory/2532-157-0x0000000000000000-mapping.dmp
- memory/2788-167-0x0000000000000000-mapping.dmp
- memory/2832-144-0x0000000000000000-mapping.dmp
- memory/2900-147-0x0000000000000000-mapping.dmp
- memory/2992-172-0x0000000000000000-mapping.dmp
- memory/3120-138-0x0000000000000000-mapping.dmp
- memory/3172-135-0x0000000000000000-mapping.dmp
- memory/3212-154-0x0000000000000000-mapping.dmp
- memory/3404-166-0x0000000000000000-mapping.dmp
- memory/3500-136-0x0000000000000000-mapping.dmp
- memory/3552-171-0x0000000000000000-mapping.dmp
- memory/3576-141-0x0000000000000000-mapping.dmp
- memory/3580-153-0x0000000000000000-mapping.dmp
- memory/3672-156-0x0000000000000000-mapping.dmp
- memory/3720-152-0x0000000000000000-mapping.dmp
- memory/3772-137-0x0000000000000000-mapping.dmp
- memory/3980-164-0x0000000000000000-mapping.dmp
- memory/4196-160-0x0000000000000000-mapping.dmp
- memory/4224-142-0x0000000000000000-mapping.dmp
- memory/4268-174-0x0000000000000000-mapping.dmp
- memory/4284-168-0x0000000000000000-mapping.dmp
- memory/4308-139-0x0000000000000000-mapping.dmp
- memory/4360-173-0x0000000000000000-mapping.dmp
- memory/4388-162-0x0000000000000000-mapping.dmp
- memory/4412-178-0x0000000000000000-mapping.dmp
- memory/4496-148-0x0000000000000000-mapping.dmp
- memory/4528-134-0x0000000000000000-mapping.dmp
- memory/4588-169-0x0000000000000000-mapping.dmp
- memory/4620-145-0x0000000000000000-mapping.dmp
- memory/4676-175-0x0000000000000000-mapping.dmp
- memory/4752-163-0x0000000000000000-mapping.dmp
- memory/4788-155-0x0000000000000000-mapping.dmp
- memory/4976-179-0x0000000000000000-mapping.dmp
- memory/5028-161-0x0000000000000000-mapping.dmp
- memory/5084-151-0x0000000000000000-mapping.dmp