Analysis
- max time kernel: 36s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-09-2022 14:13
Behavioral tasks (task, sample, resource)
- behavioral1: TrashMalwares-main/AcidRain.exe (win10v2004-20220812-en)
- behavioral2: TrashMalwares-main/Antivirus_Installer.exe (win10v2004-20220901-en)
- behavioral3: TrashMalwares-main/Dro trojan. Virus prank.exe (win10v2004-20220812-en)
- behavioral4: TrashMalwares-main/FaZoN.bat (win10v2004-20220901-en)
- behavioral5: TrashMalwares-main/Fizz.exe (win10v2004-20220812-en)
- behavioral6: TrashMalwares-main/Ginxide.exe (win10v2004-20220812-en)
- behavioral7: TrashMalwares-main/Install Windows20.exe (win10v2004-20220812-en)
- behavioral8: TrashMalwares-main/MS-RickRoll.exe (win10v2004-20220901-en)
- behavioral9: TrashMalwares-main/MercuryXhoffle.exe (win10v2004-20220812-en)
- behavioral10: TrashMalwares-main/NetPakoe.bat (win10v2004-20220812-en)
- behavioral11: TrashMalwares-main/NetPakoe3.0.exe (win10v2004-20220812-en)
- behavioral12: TrashMalwares-main/NoEscape8.0.exe (win10v2004-20220901-en)
- behavioral13: TrashMalwares-main/PC shaking v4.0.exe (win10v2004-20220812-en)
- behavioral14: TrashMalwares-main/Phsyletric.exe (win10v2004-20220812-en)
- behavioral15: TrashMalwares-main/RealBSOD.exe (win10v2004-20220812-en)
- behavioral16: TrashMalwares-main/Sankylium.exe (win10v2004-20220812-en)
- behavioral17: TrashMalwares-main/SuperWacker.exe (win10v2004-20220901-en)
- behavioral18: TrashMalwares-main/TEMZ.exe (win10v2004-20220812-en)
- behavioral19: TrashMalwares-main/ach.exe (win10v2004-20220901-en)
- behavioral20: TrashMalwares-main/even0.5.exe (win10v2004-20220812-en)
- behavioral21: TrashMalwares-main/lol.exe (win10v2004-20220812-en)
- behavioral22: TrashMalwares-main/mhm.exe (win10v2004-20220812-en)
- behavioral23: TrashMalwares-main/winnit6.6.6 V10.exe (win10v2004-20220901-en)
- behavioral24: TrashMalwares-main/winnit6.6.6_V6.exe (win10v2004-20220812-en)
- behavioral25: TrashMalwares-main/x.exe (win10v2004-20220812-en)
General
- Target: TrashMalwares-main/PC shaking v4.0.exe
- Size: 21.7MB
- MD5: d2eb6a0f3b1353b6f60c1ce3a63ef8d1
- SHA1: a879af3e84106f4da79519ce08643eeb91f72a15
- SHA256: b8d65832342d1fec828025eacbcc6e1df9c2f3276524a4abb1a965707fd475ee
- SHA512: 9473e711b785eba3e5cfcb36437069a96290864fe9562a5619d95f9fac9c0b46b0c3c942be8ff7fec4204a938392e8be471ea6ce683027cd29b181028b0e2481
- SSDEEP: 393216:MUbg/uqZ8EuLjIlYgJMFBoJPYG6O4BcwikWGmivl4yA1cmBBS:6G9LjHgUOJPEOyresC4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  3288  PCshakingv4.0.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  PC shaking v4.0.exe

- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Media\\logotip.jpg"  PCshakingv4.0.exe

- Drops file in Windows directory (11 IoCs)
  Processes (description, ioc, process):
  File created                  C:\Windows\Media\logotip.jpg                              PC shaking v4.0.exe
  File opened for modification  C:\Windows\Media\logotip.jpg                              PC shaking v4.0.exe
  File created                  C:\Windows\Media\mouse.ico                                PC shaking v4.0.exe
  File created                  C:\Windows\Media\Tobu.wav                                 PC shaking v4.0.exe
  File opened for modification  C:\Windows\Media\Tobu.wav                                 PC shaking v4.0.exe
  File opened for modification  C:\Windows\Media\PCshakingv4.0.exe                        PC shaking v4.0.exe
  File created                  C:\Windows\Media\CustomBSoD.exe                           PC shaking v4.0.exe
  File opened for modification  C:\Windows\Media\CustomBSoD.exe                           PC shaking v4.0.exe
  File opened for modification  C:\Windows\Media\mouse.ico                                PC shaking v4.0.exe
  File created                  C:\Windows\Media\__tmp_rar_sfx_access_check_240569109     PC shaking v4.0.exe
  File created                  C:\Windows\Media\PCshakingv4.0.exe                        PC shaking v4.0.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
  3288  PCshakingv4.0.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  Token: 33                          3492  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  3492  AUDIODG.EXE

- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes (pid, process):
  3288  PCshakingv4.0.exe  (the same entry is recorded 64 times)

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
  PID 948 wrote to memory of 3288  948  PC shaking v4.0.exe  PCshakingv4.0.exe
  PID 948 wrote to memory of 3288  948  PC shaking v4.0.exe  PCshakingv4.0.exe
  PID 948 wrote to memory of 3288  948  PC shaking v4.0.exe  PCshakingv4.0.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\PC shaking v4.0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\PC shaking v4.0.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Media\PCshakingv4.0.exe (child)
    Command line: "C:\Windows\Media\PCshakingv4.0.exe"
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x52c 0x528
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Windows\Media\PCshakingv4.0.exe
  Filesize: 71KB
  MD5: 129c1a8094f0a6a9cdc9f63e86f8a482
  SHA1: 917c6809ae03670edbf5da4cb19c49e85390642c
  SHA256: 2eadcdfd00b8bec4d18b71830cd334569844002a7971c56d3e1e38ff7972c4f3
  SHA512: 076cf44955bebbad12ca905a36a12da4cd20520d8795e2f47f972ad996932731be4f007792954c9737b68330cd395a17ad19aa1e5b1c9e248379c37dcdf1a9e5
- C:\Windows\Media\mouse.ico
  Filesize: 203KB
  MD5: 3abff26e58afe2b94ce801295336bf82
  SHA1: b3222e30303115469b5b3e3d03ed9aed846d830f
  SHA256: fb078b09259f96b032dce2c345c683b6b9d9316819dc363edd780b91dc11704d
  SHA512: ba546709378b529eb8887cc5f7ff9f4bc587bae61af009adf8778dc3972c2e57d9291df6f2b6cc8ba36b27c262b8eb6f650d610fc1d731c154bb4cad6df46ac2
- \??\c:\Windows\Media\Tobu.wav
  Filesize: 33.3MB
  MD5: d0533435fa1c748c3154263a8081a941
  SHA1: 5714ab67aa46a57bb3b8efcb521e96fa00283c73
  SHA256: 0ccd3ab6ac691e67c3bfeab4aab35500d8ebe803d15eb958bee942650e9e2dd6
  SHA512: 5a600cc219dcadbea8f8c651f5ef874ff5ceb05dc5b384a822571ea672165cdbfd1b0b9d5a6e5761088fcff7a83459eabf6c688826429d71e8c09a72b42d3cf6
- memory/3288-132-0x0000000000000000-mapping.dmp