a9027c6070365053c3cb91261991c71f1d3a63707df8467e413847f344b3af4d

Analysis

max time kernel
36s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2022 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TrashMalwares-main/PC shaking v4.0.exe
Size

21.7MB
MD5

d2eb6a0f3b1353b6f60c1ce3a63ef8d1
SHA1

a879af3e84106f4da79519ce08643eeb91f72a15
SHA256

b8d65832342d1fec828025eacbcc6e1df9c2f3276524a4abb1a965707fd475ee
SHA512

9473e711b785eba3e5cfcb36437069a96290864fe9562a5619d95f9fac9c0b46b0c3c942be8ff7fec4204a938392e8be471ea6ce683027cd29b181028b0e2481
SSDEEP

393216:MUbg/uqZ8EuLjIlYgJMFBoJPYG6O4BcwikWGmivl4yA1cmBBS:6G9LjHgUOJPEOyresC4

Score

8^/10

ransomware

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

PCshakingv4.0.exe

pid process

3288 PCshakingv4.0.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PC shaking v4.0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	PC shaking v4.0.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

PCshakingv4.0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Media\\logotip.jpg"	PCshakingv4.0.exe

Drops file in Windows directory 11 IoCs

Processes:

PC shaking v4.0.exe

description	ioc	process
File created	C:\Windows\Media\logotip.jpg	PC shaking v4.0.exe
File opened for modification	C:\Windows\Media\logotip.jpg	PC shaking v4.0.exe
File created	C:\Windows\Media\mouse.ico	PC shaking v4.0.exe
File created	C:\Windows\Media\Tobu.wav	PC shaking v4.0.exe
File opened for modification	C:\Windows\Media\Tobu.wav	PC shaking v4.0.exe
File opened for modification	C:\Windows\Media\PCshakingv4.0.exe	PC shaking v4.0.exe
File created	C:\Windows\Media\CustomBSoD.exe	PC shaking v4.0.exe
File opened for modification	C:\Windows\Media\CustomBSoD.exe	PC shaking v4.0.exe
File opened for modification	C:\Windows\Media\mouse.ico	PC shaking v4.0.exe
File created	C:\Windows\Media\__tmp_rar_sfx_access_check_240569109	PC shaking v4.0.exe
File created	C:\Windows\Media\PCshakingv4.0.exe	PC shaking v4.0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

PCshakingv4.0.exe

pid process

3288 PCshakingv4.0.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 3492 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 3492 AUDIODG.EXE

description	pid	process
Token: 33	3492	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3492	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

PCshakingv4.0.exe

pid	process
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe
3288	PCshakingv4.0.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

PC shaking v4.0.exe

description	pid	process	target process
PID 948 wrote to memory of 3288	948	PC shaking v4.0.exe	PCshakingv4.0.exe
PID 948 wrote to memory of 3288	948	PC shaking v4.0.exe	PCshakingv4.0.exe
PID 948 wrote to memory of 3288	948	PC shaking v4.0.exe	PCshakingv4.0.exe

C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\PC shaking v4.0.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\PC shaking v4.0.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\Media\PCshakingv4.0.exe
"C:\Windows\Media\PCshakingv4.0.exe"
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3288

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x52c 0x528
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Media\PCshakingv4.0.exe
Filesize
71KB

MD5
129c1a8094f0a6a9cdc9f63e86f8a482

SHA1
917c6809ae03670edbf5da4cb19c49e85390642c

SHA256
2eadcdfd00b8bec4d18b71830cd334569844002a7971c56d3e1e38ff7972c4f3

SHA512
076cf44955bebbad12ca905a36a12da4cd20520d8795e2f47f972ad996932731be4f007792954c9737b68330cd395a17ad19aa1e5b1c9e248379c37dcdf1a9e5

Download Submit
C:\Windows\Media\PCshakingv4.0.exe
Filesize
71KB

MD5
129c1a8094f0a6a9cdc9f63e86f8a482

SHA1
917c6809ae03670edbf5da4cb19c49e85390642c

SHA256
2eadcdfd00b8bec4d18b71830cd334569844002a7971c56d3e1e38ff7972c4f3

SHA512
076cf44955bebbad12ca905a36a12da4cd20520d8795e2f47f972ad996932731be4f007792954c9737b68330cd395a17ad19aa1e5b1c9e248379c37dcdf1a9e5

Download Submit
C:\Windows\Media\mouse.ico
Filesize
203KB

MD5
3abff26e58afe2b94ce801295336bf82

SHA1
b3222e30303115469b5b3e3d03ed9aed846d830f

SHA256
fb078b09259f96b032dce2c345c683b6b9d9316819dc363edd780b91dc11704d

SHA512
ba546709378b529eb8887cc5f7ff9f4bc587bae61af009adf8778dc3972c2e57d9291df6f2b6cc8ba36b27c262b8eb6f650d610fc1d731c154bb4cad6df46ac2

Download Submit
\??\c:\Windows\Media\Tobu.wav
Filesize
33.3MB

MD5
d0533435fa1c748c3154263a8081a941

SHA1
5714ab67aa46a57bb3b8efcb521e96fa00283c73

SHA256
0ccd3ab6ac691e67c3bfeab4aab35500d8ebe803d15eb958bee942650e9e2dd6

SHA512
5a600cc219dcadbea8f8c651f5ef874ff5ceb05dc5b384a822571ea672165cdbfd1b0b9d5a6e5761088fcff7a83459eabf6c688826429d71e8c09a72b42d3cf6

Download Submit
memory/3288-132-0x0000000000000000-mapping.dmp

Download