Overview
overview
10Static
static
10TrashMalwa...in.exe
windows10-2004-x64
8TrashMalwa...er.exe
windows10-2004-x64
8TrashMalwa...nk.exe
windows10-2004-x64
8TrashMalwa...oN.bat
windows10-2004-x64
8TrashMalwa...zz.exe
windows10-2004-x64
6TrashMalwa...de.exe
windows10-2004-x64
8TrashMalwa...20.exe
windows10-2004-x64
7TrashMalwa...ll.exe
windows10-2004-x64
8TrashMalwa...le.exe
windows10-2004-x64
8TrashMalwa...oe.bat
windows10-2004-x64
TrashMalwa....0.exe
windows10-2004-x64
7TrashMalwa....0.exe
windows10-2004-x64
8TrashMalwa....0.exe
windows10-2004-x64
8TrashMalwa...ic.exe
windows10-2004-x64
6TrashMalwa...OD.exe
windows10-2004-x64
10TrashMalwa...um.exe
windows10-2004-x64
6TrashMalwa...er.exe
windows10-2004-x64
8TrashMalwa...MZ.exe
windows10-2004-x64
1TrashMalwa...ch.exe
windows10-2004-x64
8TrashMalwa....5.exe
windows10-2004-x64
8TrashMalwa...ol.exe
windows10-2004-x64
8TrashMalwa...hm.exe
windows10-2004-x64
10TrashMalwa...10.exe
windows10-2004-x64
7TrashMalwa...V6.exe
windows10-2004-x64
7TrashMalwa.../x.exe
windows10-2004-x64
7
Analysis
- max time kernel: 283s
- max time network: 333s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-09-2022 14:13
Behavioral tasks (task: sample, resource)
- behavioral1: TrashMalwares-main/AcidRain.exe, win10v2004-20220812-en
- behavioral2: TrashMalwares-main/Antivirus_Installer.exe, win10v2004-20220901-en
- behavioral3: TrashMalwares-main/Dro trojan. Virus prank.exe, win10v2004-20220812-en
- behavioral4: TrashMalwares-main/FaZoN.bat, win10v2004-20220901-en
- behavioral5: TrashMalwares-main/Fizz.exe, win10v2004-20220812-en
- behavioral6: TrashMalwares-main/Ginxide.exe, win10v2004-20220812-en
- behavioral7: TrashMalwares-main/Install Windows20.exe, win10v2004-20220812-en
- behavioral8: TrashMalwares-main/MS-RickRoll.exe, win10v2004-20220901-en
- behavioral9: TrashMalwares-main/MercuryXhoffle.exe, win10v2004-20220812-en
- behavioral10: TrashMalwares-main/NetPakoe.bat, win10v2004-20220812-en
- behavioral11: TrashMalwares-main/NetPakoe3.0.exe, win10v2004-20220812-en
- behavioral12: TrashMalwares-main/NoEscape8.0.exe, win10v2004-20220901-en
- behavioral13: TrashMalwares-main/PC shaking v4.0.exe, win10v2004-20220812-en
- behavioral14: TrashMalwares-main/Phsyletric.exe, win10v2004-20220812-en
- behavioral15: TrashMalwares-main/RealBSOD.exe, win10v2004-20220812-en
- behavioral16: TrashMalwares-main/Sankylium.exe, win10v2004-20220812-en
- behavioral17: TrashMalwares-main/SuperWacker.exe, win10v2004-20220901-en
- behavioral18: TrashMalwares-main/TEMZ.exe, win10v2004-20220812-en
- behavioral19: TrashMalwares-main/ach.exe, win10v2004-20220901-en
- behavioral20: TrashMalwares-main/even0.5.exe, win10v2004-20220812-en
- behavioral21: TrashMalwares-main/lol.exe, win10v2004-20220812-en
- behavioral22: TrashMalwares-main/mhm.exe, win10v2004-20220812-en
- behavioral23: TrashMalwares-main/winnit6.6.6 V10.exe, win10v2004-20220901-en
- behavioral24: TrashMalwares-main/winnit6.6.6_V6.exe, win10v2004-20220812-en
- behavioral25: TrashMalwares-main/x.exe, win10v2004-20220812-en
General
- Target: TrashMalwares-main/NoEscape8.0.exe
- Size: 15.0MB
- MD5: 1c18f75dafd667fb5559cf9b7cb5868e
- SHA1: deab3392cf25ebc52f15ecdcf7e4187dcaec81f7
- SHA256: bf3c03ff11e6610bbf806084ec2d58cd5aacb87e52cbf965a789fa74584de3a5
- SHA512: c68c8ee27265c81e7bb6ead434436398d198b9c2ce83092a8deb8539045b10b47ed660e2451297edd7eeebedc5254000fd5ad481f4642f64f4d74d6a964d3015
- SSDEEP: 393216:ph/RLjBJPkh/6StJ+4qnWSz0hgSovW+PABRMW:phVcm9z06WEORX
Malware Config
Signatures
- Disables Task Manager via registry modification
- Executes dropped EXE (6 IoCs)
  Processes (pid, process):
    4240  boot.exe
    2240  INV.exe
    1748  tunnel.exe
    2532  melter.exe
    4844  10.exe
    4564  Magix.exe
- Checks computer location settings (2 TTPs, 5 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  NoEscape8.0.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  cmd.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  WScript.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  cmd.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  10.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run  boot.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\yourpc\\boot.exe"  boot.exe
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description, ioc, process):
    File opened for modification  \??\PhysicalDrive0  boot.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (2 IoCs)
  Processes (pid, process):
    2588  timeout.exe
    2008  timeout.exe
- Modifies registry class (3 IoCs)
  Processes (description, ioc, process):
    Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings  cmd.exe
    Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings  10.exe
    Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings  cmd.exe
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious use of WriteProcessMemory (44 IoCs)
  Processes (PID, process -> target PID, target process; number of logged writes for that pair in parentheses, 44 in total):
    3644 NoEscape8.0.exe -> 2656 cmd.exe (3)
    2656 cmd.exe -> 3868 WScript.exe (3)
    3868 WScript.exe -> 3692 cmd.exe (3)
    3692 cmd.exe -> 4240 boot.exe (3)
    4240 boot.exe -> 4516 schtasks.exe (3)
    3692 cmd.exe -> 2788 WScript.exe (3)
    3692 cmd.exe -> 1472 reg.exe (3)
    3692 cmd.exe -> 2008 timeout.exe (3)
    3692 cmd.exe -> 2240 INV.exe (3)
    3692 cmd.exe -> 1748 tunnel.exe (3)
    3692 cmd.exe -> 2532 melter.exe (3)
    3692 cmd.exe -> 4844 10.exe (3)
    3692 cmd.exe -> 4564 Magix.exe (2)
    3692 cmd.exe -> 2588 timeout.exe (3)
    4844 10.exe -> 1476 NOTEPAD.EXE (3)
Processes (process tree; the number in brackets is the depth in the tree, children are indented under their parent)
- [1] C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NoEscape8.0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NoEscape8.0.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\yourpc\skid.bat" "
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\yourpc\run.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\yourpc\main.bat" "
        - Checks computer location settings
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        - [5] C:\yourpc\boot.exe
          Command line: boot.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Writes to the Master Boot Record (MBR)
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\yourpc\boot.exe"
            - Creates scheduled task(s)
        - [5] C:\Windows\SysWOW64\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\yourpc\es.vbs"
        - [5] C:\Windows\SysWOW64\reg.exe
          Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          - Modifies registry key
        - [5] C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 10
          - Delays execution with timeout.exe
        - [5] C:\yourpc\INV.exe
          Command line: INV.exe
          - Executes dropped EXE
        - [5] C:\yourpc\tunnel.exe
          Command line: tunnel.exe
          - Executes dropped EXE
        - [5] C:\yourpc\melter.exe
          Command line: melter.exe
          - Executes dropped EXE
        - [5] C:\yourpc\10.exe
          Command line: 10.exe
          - Executes dropped EXE
          - Checks computer location settings
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\NOTEPAD.EXE
            Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Documents and Settings\Administrator\Desktop\18769.txt
        - [5] C:\yourpc\Magix.exe
          Command line: Magix.exe
          - Executes dropped EXE
        - [5] C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 30
          - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\yourpc\10.exe
  Filesize: 291KB
  MD5: e2001b6e75f84968a254b49faa45b7be
  SHA1: c70f93d5833543bb96c06a2e5a6642da0b283f12
  SHA256: fa758441587efb6f25391ceda3bf7c9293555dbd7d36472a2c76c3036f6d9c33
  SHA512: ebcd62730268b7f6f8b880a7c6d321bfb444e4a6ae0ea9e1a1c02a00db5737abd09b4db5e4515a9060de6d95cba49c5bd0e69a9903bdfd1c54f18eeb031220e3
- C:\yourpc\INV.exe
  Filesize: 103KB
  MD5: e079c468c9caed494623dbf95e9ce5e8
  SHA1: 4d8d1d17e9d7ff455a5c69e048d7575b5a3ea0f7
  SHA256: 8e217ce5670ac1021fdb6101372f9322f7ff82481ecd9badc104ff542e46128c
  SHA512: d9c1a6f28c0c76b6856dec8723eb79d1b620a70b8ab3b5f028848e890a684beeb3460e310959c69f21cffb0a14751ea6cb719aacdbc2043121f057dd56f868a8
- C:\yourpc\Magix.exe
  Filesize: 59KB
  MD5: 026992ed7c38fae57e8839a6c0d883c8
  SHA1: 9b389aa3dd774f3cfff3dcbe8ea8779ef005b31f
  SHA256: 68cb1fe2ee7c3f69fe2d508d117b502ed19337bd332e722605e491a823f89645
  SHA512: d20fe47538b9e1fa0ccf198f5a4a31506cc59622b2492e9f64435fb06b66ccf93cde056693656da626ebf56ab434425fbf3291db979fe6c67b2a7a14649d9dc7
- C:\yourpc\boot.exe
  Filesize: 150KB
  MD5: 0b71c2b0a5cb052457abd1e09f6302cb
  SHA1: e17040a434a818b98d6c217bb73ccdcdc603c56a
  SHA256: 986192549387d257436b94d956234dce12f151ce6904de660e5d39cfce21b775
  SHA512: fd3e41b1fc8e9aa5f1a5da6161be6f4aa277e3e1377f20ffd217004bc015ddbf3e4c80a7316d99fdfda6e32d497a0996eecb4ddc55b0b011e7c9a74944fbe1d5
- C:\yourpc\es.vbs
  Filesize: 39B
  MD5: 9c2d6662913494f5f7ecc95564f87132
  SHA1: e62502b0da2c9714b4cc1bae0f39c7014a9b2d00
  SHA256: 095f01222915f9f8d71edb1593d70b7336c89aed4b42b14dc8e5cff482ab8d3b
  SHA512: 366b4739de8aaddf5133a9f50589e870b187ee0a366c4c3166adcb071c8d3aa180d978c3f85916690763dcd0d99449782ecd18df5144447695490b112f9d4cbc
- C:\yourpc\main.bat
  Filesize: 1KB
  MD5: d381fdbe8f6a130e25247fa1e029805b
  SHA1: 618a09cf851eb5bea77595df2e66412d2d954cba
  SHA256: 9eca23b0358e5507734ef7a2247c310c7be23c85776913c49947afb41c885273
  SHA512: f1f7ca8d93c9764a6223121943fb2b31bd896df975a1c17f745a66cdd5777fe8e0197721da0b9e1610b2a5bdbd8b4ecb4d676df09baef7f35a038a7e5a97a444
- C:\yourpc\melter.exe
  Filesize: 3KB
  MD5: d9baac374cc96e41c9f86c669e53f61c
  SHA1: b0ba67bfac3d23e718b3bfdfe120e5446d0229e8
  SHA256: a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412
  SHA512: 4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457
- C:\yourpc\run.vbs
  Filesize: 54B
  MD5: 95cd248d3e5740a059a01eeef728ab48
  SHA1: ae3e55904ade22ab4672f1f85db865e8e66fcff6
  SHA256: ac59324226f082c21f5364d027f364086e86c9488dce674d7e93bf5c7c0cbcea
  SHA512: aa149aa3b524002defd4f92579f672e6e5f3f2deb5124f5adf8980e8386e0faf8f81a5b9667751ac6e19dd3b50f1688a7dfd147e18c9de229ce6f955184ad4b3
- C:\yourpc\skid.bat
  Filesize: 310B
  MD5: 427d18145e233d828cdbad04596134c9
  SHA1: 84cb6fae8ee844be1fd9eda8a6a74a5cce97ded8
  SHA256: 23efa2c8b42c0c599a2bd60cadfab2eac3a439e891509dc70c1ee2a9f5e86f2c
  SHA512: fd5e0a70a4bd082311ab5559b832ba8ae8fce91a62faeec827e3a14a302ceda3697b2cc4d9f1c082170fe22ffff52b022791ebc8c6ec35a3946a9c3712e99444
- C:\yourpc\tunnel.exe
  Filesize: 103KB
  MD5: 7dae1fb2e3a65e8dd594b021a6923e24
  SHA1: acd069dc223cc4802402944e5afec57d2ae31c08
  SHA256: 732adadb4c7167e61f0f5763c2c01e43fb01369683d23c9652aea99f6c42c810
  SHA512: 121f7f7c30361aa141192586133a670d989b2615d7e451b0e5a2e5375c46a67c9c404df4575778b7474ddf48b1be2d29d61df7d534473725d66295b3d4ef2919
Memory dumps:
- memory/1472-144-0x0000000000000000-mapping.dmp
- memory/1476-162-0x0000000000000000-mapping.dmp
- memory/1748-148-0x0000000000000000-mapping.dmp
- memory/2008-145-0x0000000000000000-mapping.dmp
- memory/2240-146-0x0000000000000000-mapping.dmp
- memory/2532-150-0x0000000000000000-mapping.dmp
- memory/2588-160-0x0000000000000000-mapping.dmp
- memory/2656-132-0x0000000000000000-mapping.dmp
- memory/2788-143-0x0000000000000000-mapping.dmp
- memory/3692-137-0x0000000000000000-mapping.dmp
- memory/3868-135-0x0000000000000000-mapping.dmp
- memory/4240-138-0x0000000000000000-mapping.dmp
- memory/4516-141-0x0000000000000000-mapping.dmp
- memory/4564-156-0x0000000000000000-mapping.dmp
- memory/4844-153-0x0000000000000000-mapping.dmp