Analysis Overview
SHA256
d090c4b65f8f3145301e612f6007996c2408a140fbfd09b608cee3d4a273ff26
Threat Level: Known bad
The file specialsurprise.exe was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UAC bypass
Disables Task Manager via registry modification
Disables RegEdit via registry modification
Executes dropped EXE
Checks computer location settings
Writes to the Master Boot Record (MBR)
Sets desktop wallpaper using registry
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
System policy modification
Modifies Control Panel
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-28 06:23
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-28 06:23
Reported
2023-03-28 06:31
Platform
win7-20230220-en
Max time kernel
158s
Max time network
35s
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" | C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe | N/A |
Disables Task Manager via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FD72.tmp\mbr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FD72.tmp\MainWindow.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\FD72.tmp\mbr.exe | N/A |
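The indicator above only records that mbr.exe opened PhysicalDrive0 for modification; the report does not include the bytes written, so the only way to know what happened to sector 0 is to read it back and compare it with a known-good copy. The following Python is an added example, not code from the report or from the sample. It parses a 512-byte MBR, hashes the 446-byte bootstrap area, walks the partition table and reports deviations from a baseline hash. The sectors it runs on are constructed fixtures (the `GOOD_BOOTSTRAP`, `NTFS_ENTRY` and `TAMPERED_MBR` names are mine); `read_sector0` reads the real device and needs administrator rights on Windows. Two caveats: the baseline hash must come from a clean image of the same Windows version, since the stock boot code differs between releases, and on a GPT/UEFI disk sector 0 is a protective MBR whose bootstrap code is never executed, so a differing hash there is a weaker signal than the partition table contents.

```python
"""Parse a 512-byte MBR, hash its bootstrap code and compare it with a baseline.

Added example for this report: the sectors below are constructed fixtures, not
the data mbr.exe wrote (the sandbox only recorded the open of PhysicalDrive0).
"""
from __future__ import annotations

import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446            # bytes 0..445: bootstrap (boot loader) code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Return bootstrap hash, non-empty partition entries and the signature state."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                                   # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def assess_mbr(sector: bytes, baseline_bootstrap_sha256: str) -> list[str]:
    """Findings for a captured sector 0; an empty list means it matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline hash")
    if not info["partitions"]:
        findings.append("partition table is empty")
    elif not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition is flagged bootable")
    return findings


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk on Windows (administrator rights required).
    Not exercised below; the rest of the example works on constructed bytes."""
    with open(device, "rb", buffering=0) as fh:
        return fh.read(SECTOR_SIZE)


# --- constructed fixtures (not real disk content) ------------------------------
def build_mbr(bootstrap: bytes, entries: list[bytes],
              signature: bytes = BOOT_SIGNATURE) -> bytes:
    table = b"".join(entries).ljust(64, b"\x00")
    return bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN] + table + signature


# Stand-in for a known-good boot loader: a few plausible opcodes, then NOP padding.
GOOD_BOOTSTRAP = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 439
# One bootable NTFS (type 0x07) partition starting at LBA 2048, 204800 sectors long.
NTFS_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff",
                         2048, 204800)
GOOD_MBR = build_mbr(GOOD_BOOTSTRAP, [NTFS_ENTRY])
BASELINE_HASH = parse_mbr(GOOD_MBR)["bootstrap_sha256"]
# Same partition table, loader replaced by a 'jmp $' hang: enough to make the hash differ.
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\x00" * 444, [NTFS_ENTRY])

if __name__ == "__main__":
    print("baseline:", assess_mbr(GOOD_MBR, BASELINE_HASH))
    print("tampered:", assess_mbr(TAMPERED_MBR, BASELINE_HASH))
```

On a live host, `assess_mbr(read_sector0(), BASELINE_HASH)` performs the check; for a disk image, read the first 512 bytes of the image file instead.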
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" | C:\Windows\system32\reg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | C:\Windows\system32\cmd.exe | N/A |
| File created | \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FD72.tmp\MainWindow.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\specialsurprise.exe
"C:\Users\Admin\AppData\Local\Temp\specialsurprise.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\FD72.tmp\FD73.tmp\FD74.vbs //Nologo
C:\Users\Admin\AppData\Local\Temp\FD72.tmp\mbr.exe
"C:\Users\Admin\AppData\Local\Temp\FD72.tmp\mbr.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FD72.tmp\tools.cmd" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Users\Admin\AppData\Local\Temp\FD72.tmp\MainWindow.exe
"C:\Users\Admin\AppData\Local\Temp\FD72.tmp\MainWindow.exe"
C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe
"C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 46.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 46.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 46.txt
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
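The registry writes in the Signatures tables above (Winlogon\Shell extended with a wscript.exe entry, ConsentPromptBehaviorAdmin set to 0, DisableRegistryTools set to 1) and the process list (wscript.exe running a .vbs out of a %TEMP%\*.tmp staging directory, dropped executables launched from the same directory, a long run of rundll32 UpdatePerUserSystemParameters calls) translate directly into host-side detection logic. The following Python is an added example, not code from the sandbox or from the sample. It runs over constructed event dicts that reuse Sysmon field names (Event ID 13 RegistryEvent Value Set and Event ID 1 ProcessCreate) with the indicator values from this report; PIDs, the `_STAGE`/`_HKU` shorthands and the severity labels are mine, and the DisableTaskMgr rule is included because the report flags that signature without showing an indicator row. Note that the Shell write landed under Wow6432Node, the WOW64-redirected view, so on a 64-bit host the native 64-bit Winlogon key has to be checked separately; the code marks such findings.

```python
"""Triage Sysmon-style events for the behaviours in this report.

Added example; events are constructed dicts using Sysmon field names (Event ID 13
RegistryEvent Value Set, Event ID 1 ProcessCreate) and this report's indicators.
"""
from __future__ import annotations

import re
from collections import Counter

# Registry rules: (lower-case suffix of TargetObject, predicate on value, severity, title).
# Shell must be exactly "explorer.exe"; anything appended after a comma also runs at logon.
REGISTRY_RULES = [
    (r"\winlogon\shell", lambda v: str(v).strip().lower() != "explorer.exe",
     "high", "Winlogon Shell is not plain explorer.exe (logon persistence)"),
    (r"\policies\system\consentpromptbehavioradmin", lambda v: v == 0,
     "high", "UAC elevates administrators without a prompt"),
    (r"\policies\system\disableregistrytools", lambda v: v == 1,
     "medium", "Registry Editor disabled by policy"),
    (r"\policies\system\disabletaskmgr", lambda v: v == 1,
     "medium", "Task Manager disabled by policy"),
]
_DWORD = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")
# Any <name>.tmp directory under %LOCALAPPDATA%\Temp, e.g. FD72.tmp / 68E0.tmp in the report.
_TMP_STAGING = re.compile(r"\\appdata\\local\\temp\\[^\\]+\.tmp\\", re.I)
_SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")


def parse_details(details: str):
    """Sysmon renders DWORD values as 'DWORD (0x00000001)'; strings pass through."""
    m = _DWORD.match(details.strip())
    return int(m.group(1), 16) if m else details


def check_registry_event(event: dict) -> dict | None:
    target = event["TargetObject"].lower()
    value = parse_details(event["Details"])
    for suffix, hits, severity, title in REGISTRY_RULES:
        if target.endswith(suffix) and hits(value):
            finding = {"severity": severity, "title": title, "image": event["Image"],
                       "target": event["TargetObject"], "value": value}
            # A 32-bit writer is redirected into Wow6432Node (as in the report); the
            # native 64-bit view must be checked separately, it may be clean or also hit.
            if "\\wow6432node\\" in target:
                finding["note"] = "write landed in the WOW64-redirected view"
            return finding
    return None


def check_process_event(event: dict) -> dict | None:
    image, cmdline = event["Image"].lower(), event.get("CommandLine", "")
    if image.endswith(_SCRIPT_HOSTS) and _TMP_STAGING.search(cmdline):
        return {"severity": "medium", "image": event["Image"], "cmdline": cmdline,
                "title": "script host running a script from a %TEMP% staging directory"}
    if _TMP_STAGING.search(image):
        return {"severity": "medium", "image": event["Image"], "cmdline": cmdline,
                "title": "dropped executable launched from a %TEMP% staging directory"}
    return None


def triage(events: list[dict], refresh_threshold: int = 5) -> list[dict]:
    """Apply the per-event rules, then flag a burst of desktop-settings refreshes."""
    findings, refreshes = [], Counter()
    for ev in events:
        if ev["EventID"] == 13:
            f = check_registry_event(ev)
        elif ev["EventID"] == 1:
            f = check_process_event(ev)
            cl = ev.get("CommandLine", "").lower()
            if "rundll32" in cl and "updateperusersystemparameters" in cl:
                refreshes[ev.get("ParentProcessId")] += 1
        else:
            f = None
        if f:
            findings.append(f)
    for parent, n in refreshes.items():
        if n >= refresh_threshold:
            findings.append({"severity": "low", "parent_pid": parent,
                             "title": f"{n} rundll32 UpdatePerUserSystemParameters launches from one parent"})
    return findings


# --- constructed events (values lifted from the report, PIDs chosen arbitrarily) ---
_STAGE = r"C:\Users\Admin\AppData\Local\Temp\FD72.tmp"
_HKU = r"HKU\S-1-5-21-2647223082-2067913677-935928954-1000"


def _reg(target, details, image=f"{_STAGE}\\gdifuncs.exe"):
    return {"EventID": 13, "ProcessId": 2448, "Image": image, "TargetObject": target, "Details": details}


def _proc(pid, ppid, image, cmdline):
    return {"EventID": 1, "ProcessId": pid, "ParentProcessId": ppid, "Image": image, "CommandLine": cmdline}


SAMPLE_EVENTS = [
    _proc(1956, 1200, r"C:\Windows\System32\wscript.exe",
          f'"C:\\Windows\\sysnative\\wscript.exe" {_STAGE}\\FD73.tmp\\FD74.vbs //Nologo'),
    _proc(1964, 1956, f"{_STAGE}\\mbr.exe", f'"{_STAGE}\\mbr.exe"'),
    _reg(r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
         r'explorer.exe, wscript.exe "C:\windows\winbase_base_procid_none\secureloc0x65\WinRapistI386.vbs"'),
    _reg(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
         "DWORD (0x00000000)"),
    _reg(f"{_HKU}\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools",
         "DWORD (0x00000001)"),
    # Benign control: the default Shell value written by a trusted binary must not fire.
    _reg(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "explorer.exe",
         image=r"C:\Windows\explorer.exe"),
] + [  # the run of rundll32 refreshes that follows the wallpaper change in the report
    _proc(3000 + i, 2100, r"C:\Windows\System32\rundll32.exe",
          "RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters") for i in range(6)
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']:>6}] {f['title']}")
```

The rundll32 rule is deliberately low severity: a single UpdatePerUserSystemParameters call is what a normal wallpaper change produces, and only the repetition from one parent is unusual. Real Sysmon data arrives as XML or JSON; map the EventData fields into the same keys and the rule functions apply unchanged.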
Network
Files
C:\Users\Admin\AppData\Local\Temp\FD72.tmp\FD73.tmp\FD74.vbs
| MD5 | b893c34dd666c3c4acef2e2974834a10 |
| SHA1 | 2664e328e76c324fd53fb9f9cb64c24308472e82 |
| SHA256 | 984a07d5e914ed0b2487b5f6035d6e8d97a40c23fa847d5fbf87209fee4c4bbc |
| SHA512 | 98a3413117e27c02c35322e17c83f529955b83e72f2af7caaaff53099b583cd241cec95e70c3c0d6d440cb22cf0109d4e46dfda09ef2480427e9a9ab7a4c866b |
C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 5.txt
| MD5 | bb6d68d7181108015cd381c28360dfc4 |
| SHA1 | 192c34b9cba6f9c4b742f2b70d9731b8ba2ac764 |
| SHA256 | aea8fb9235900760ac374c6a4a10fba62c2a0ef5bea2dd7ef4db70fe55e0b317 |
| SHA512 | e3d6bf8f6ae16daa235e2bc7ce64da5a76ff0155fa89942a4e9d3f10ce70229e081c5029a6b67702a6b14000f62e6c9188ba394ee7183d0667ddac9e0224f3f3 |
C:\Users\Admin\AppData\Local\Temp\FD72.tmp\mbr.exe
| MD5 | 33bd7d68378c2e3aa4e06a6a85879f63 |
| SHA1 | 00914180e1add12a7f6d03de29c69ad6da67f081 |
| SHA256 | 6e79302d7ae9cc69e4fd1ba77bd4315d5e09f7a173b55ba823d6069a587a2e05 |
| SHA512 | b100e43fb45a2c8b6d31dd92a8ae9d8efea88977a62118547b4609cc7fe0e42efc25dc043bac4b20f662fab044c0ba007b322c77e66f0c791cc906eafc72fb95 |
C:\Users\Admin\AppData\Local\Temp\FD72.tmp\tools.cmd
| MD5 | 397c1a185b596e4d6a4a36c4bdcbd3b2 |
| SHA1 | 054819dae87cee9b1783b09940a52433b63f01ae |
| SHA256 | 56c7054c00a849648d3681d08536dc56c0fb637f1f1ec3f9e102eace0a796a9f |
| SHA512 | c2a77479ca0aa945826dccea75d5a7224c85b7b415fda802301be8a2305197276a33c48f82717faddb2a0ac58300f5b849a8c0dffb5a4443663c3dfd951d4e5c |
memory/1964-275-0x0000000000400000-0x00000000004D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FD72.tmp\bg.bmp
| MD5 | ce45a70d3cc2941a147c09264fc1cda5 |
| SHA1 | 44cdf6c6a9ab62766b47caed1a6f832a86ecb6f9 |
| SHA256 | eceedadfde8506a73650cfa9a936e6a8fff7ffb664c9602bb14432aa2f8109ac |
| SHA512 | d1bf6cdade55e9a7ce4243e41a696ae051835711f3d1e0f273ad3643f0b878266a8213cc13ca887a8181981ba4937350986e01e819b4bb109330718ef6251149 |
C:\Users\Admin\AppData\Local\Temp\FD72.tmp\mainbgtheme.wav
| MD5 | 1b185a156cfc1ddeff939bf62672516b |
| SHA1 | fd8b803400036f42c8d20ae491e2f1f040a1aed5 |
| SHA256 | e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36 |
| SHA512 | 41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7 |
C:\Users\Admin\AppData\Local\Temp\FD72.tmp\gdifuncs.exe
| MD5 | e254e9598ee638c01e5ccc40e604938b |
| SHA1 | 541fa2a47f3caaae6aa8f5fbfe4d8aef0001905d |
| SHA256 | 4040ad3437e51139819148ed6378828adcfbd924251af39de8bf100a3a476a63 |
| SHA512 | 92f129a52f2df1f8ed20156e838b79a13baf0cbcdd9c94a5c34f6639c714311f41eb3745fdcc64eac88ce3e6f27d25f9a3250f4ababc630eff7a89802e18b4bb |
\??\c:\bg.bmp
| MD5 | ce45a70d3cc2941a147c09264fc1cda5 |
| SHA1 | 44cdf6c6a9ab62766b47caed1a6f832a86ecb6f9 |
| SHA256 | eceedadfde8506a73650cfa9a936e6a8fff7ffb664c9602bb14432aa2f8109ac |
| SHA512 | d1bf6cdade55e9a7ce4243e41a696ae051835711f3d1e0f273ad3643f0b878266a8213cc13ca887a8181981ba4937350986e01e819b4bb109330718ef6251149 |
C:\Users\Admin\AppData\Local\Temp\FD72.tmp\MainWindow.exe
| MD5 | 7c92316762d584133b9cabf31ab6709b |
| SHA1 | 7ad040508cef1c0fa5edf45812b7b9cd16259474 |
| SHA256 | 01995c3715c30c0c292752448516b94485db51035c3a4f86eb18c147f10b6298 |
| SHA512 | f9fc7600c30cb11079185841fb15ee3ba5c33fff13979d5e69b2bae5723a0404177195d2e0bd28142356ff9b293850880b28322b2ce1ff9fe35e8961bb3f7be1 |
memory/1956-295-0x0000000001190000-0x00000000011B2000-memory.dmp
memory/1956-296-0x00000000010B0000-0x00000000010F0000-memory.dmp
C:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav
| MD5 | 1b185a156cfc1ddeff939bf62672516b |
| SHA1 | fd8b803400036f42c8d20ae491e2f1f040a1aed5 |
| SHA256 | e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36 |
| SHA512 | 41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7 |
memory/1956-298-0x00000000010B0000-0x00000000010F0000-memory.dmp
memory/1956-299-0x00000000010B0000-0x00000000010F0000-memory.dmp
memory/1956-300-0x00000000010B0000-0x00000000010F0000-memory.dmp
memory/1956-301-0x00000000010B0000-0x00000000010F0000-memory.dmp
memory/1956-302-0x00000000010B0000-0x00000000010F0000-memory.dmp
memory/1956-303-0x00000000010B0000-0x00000000010F0000-memory.dmp
memory/1956-304-0x00000000010B0000-0x00000000010F0000-memory.dmp
memory/1956-305-0x00000000010B0000-0x00000000010F0000-memory.dmp
memory/1956-306-0x00000000010B0000-0x00000000010F0000-memory.dmp
memory/1956-307-0x00000000010B0000-0x00000000010F0000-memory.dmp
memory/1956-308-0x00000000010B0000-0x00000000010F0000-memory.dmp
memory/1956-309-0x00000000010B0000-0x00000000010F0000-memory.dmp
memory/1956-310-0x00000000010B0000-0x00000000010F0000-memory.dmp
memory/1956-311-0x00000000010B0000-0x00000000010F0000-memory.dmp
memory/1956-312-0x00000000010B0000-0x00000000010F0000-memory.dmp
C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 46.txt
| MD5 | bb6d68d7181108015cd381c28360dfc4 |
| SHA1 | 192c34b9cba6f9c4b742f2b70d9731b8ba2ac764 |
| SHA256 | aea8fb9235900760ac374c6a4a10fba62c2a0ef5bea2dd7ef4db70fe55e0b317 |
| SHA512 | e3d6bf8f6ae16daa235e2bc7ce64da5a76ff0155fa89942a4e9d3f10ce70229e081c5029a6b67702a6b14000f62e6c9188ba394ee7183d0667ddac9e0224f3f3 |
memory/2448-314-0x0000000002900000-0x0000000002901000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-28 06:23
Reported
2023-03-28 06:26
Platform
win10v2004-20230221-en
Max time kernel
30s
Max time network
77s
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\specialsurprise.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68E0.tmp\mbr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68E0.tmp\MainWindow.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68E0.tmp\gdifuncs.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\68E0.tmp\mbr.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" | C:\Windows\system32\reg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | C:\Windows\system32\cmd.exe | N/A |
| File created | \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\68E0.tmp\gdifuncs.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\68E0.tmp\gdifuncs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\68E0.tmp\gdifuncs.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68E0.tmp\MainWindow.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\specialsurprise.exe
"C:\Users\Admin\AppData\Local\Temp\specialsurprise.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\68E0.tmp\68E1.tmp\68E2.vbs //Nologo
C:\Users\Admin\AppData\Local\Temp\68E0.tmp\mbr.exe
"C:\Users\Admin\AppData\Local\Temp\68E0.tmp\mbr.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\68E0.tmp\tools.cmd" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 5.txt
C:\Users\Admin\AppData\Local\Temp\68E0.tmp\MainWindow.exe
"C:\Users\Admin\AppData\Local\Temp\68E0.tmp\MainWindow.exe"
C:\Users\Admin\AppData\Local\Temp\68E0.tmp\gdifuncs.exe
"C:\Users\Admin\AppData\Local\Temp\68E0.tmp\gdifuncs.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x498 0x308
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2184 -ip 2184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1928
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| NL | 95.101.74.151:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 151.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp |
| US | 52.152.108.96:443 | | tcp |
| US | 20.189.173.2:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\68E0.tmp\68E1.tmp\68E2.vbs
| MD5 | b893c34dd666c3c4acef2e2974834a10 |
| SHA1 | 2664e328e76c324fd53fb9f9cb64c24308472e82 |
| SHA256 | 984a07d5e914ed0b2487b5f6035d6e8d97a40c23fa847d5fbf87209fee4c4bbc |
| SHA512 | 98a3413117e27c02c35322e17c83f529955b83e72f2af7caaaff53099b583cd241cec95e70c3c0d6d440cb22cf0109d4e46dfda09ef2480427e9a9ab7a4c866b |
C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 5.txt
| MD5 | bb6d68d7181108015cd381c28360dfc4 |
| SHA1 | 192c34b9cba6f9c4b742f2b70d9731b8ba2ac764 |
| SHA256 | aea8fb9235900760ac374c6a4a10fba62c2a0ef5bea2dd7ef4db70fe55e0b317 |
| SHA512 | e3d6bf8f6ae16daa235e2bc7ce64da5a76ff0155fa89942a4e9d3f10ce70229e081c5029a6b67702a6b14000f62e6c9188ba394ee7183d0667ddac9e0224f3f3 |
C:\Users\Admin\AppData\Local\Temp\68E0.tmp\mbr.exe
| MD5 | 33bd7d68378c2e3aa4e06a6a85879f63 |
| SHA1 | 00914180e1add12a7f6d03de29c69ad6da67f081 |
| SHA256 | 6e79302d7ae9cc69e4fd1ba77bd4315d5e09f7a173b55ba823d6069a587a2e05 |
| SHA512 | b100e43fb45a2c8b6d31dd92a8ae9d8efea88977a62118547b4609cc7fe0e42efc25dc043bac4b20f662fab044c0ba007b322c77e66f0c791cc906eafc72fb95 |
C:\Users\Admin\AppData\Local\Temp\68E0.tmp\tools.cmd
| MD5 | 397c1a185b596e4d6a4a36c4bdcbd3b2 |
| SHA1 | 054819dae87cee9b1783b09940a52433b63f01ae |
| SHA256 | 56c7054c00a849648d3681d08536dc56c0fb637f1f1ec3f9e102eace0a796a9f |
| SHA512 | c2a77479ca0aa945826dccea75d5a7224c85b7b415fda802301be8a2305197276a33c48f82717faddb2a0ac58300f5b849a8c0dffb5a4443663c3dfd951d4e5c |
memory/3044-354-0x0000000000400000-0x00000000004D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\68E0.tmp\bg.bmp
| MD5 | ce45a70d3cc2941a147c09264fc1cda5 |
| SHA1 | 44cdf6c6a9ab62766b47caed1a6f832a86ecb6f9 |
| SHA256 | eceedadfde8506a73650cfa9a936e6a8fff7ffb664c9602bb14432aa2f8109ac |
| SHA512 | d1bf6cdade55e9a7ce4243e41a696ae051835711f3d1e0f273ad3643f0b878266a8213cc13ca887a8181981ba4937350986e01e819b4bb109330718ef6251149 |
C:\Users\Admin\AppData\Local\Temp\68E0.tmp\gdifuncs.exe
| MD5 | e254e9598ee638c01e5ccc40e604938b |
| SHA1 | 541fa2a47f3caaae6aa8f5fbfe4d8aef0001905d |
| SHA256 | 4040ad3437e51139819148ed6378828adcfbd924251af39de8bf100a3a476a63 |
| SHA512 | 92f129a52f2df1f8ed20156e838b79a13baf0cbcdd9c94a5c34f6639c714311f41eb3745fdcc64eac88ce3e6f27d25f9a3250f4ababc630eff7a89802e18b4bb |
C:\Users\Admin\AppData\Local\Temp\68E0.tmp\mainbgtheme.wav
| MD5 | 1b185a156cfc1ddeff939bf62672516b |
| SHA1 | fd8b803400036f42c8d20ae491e2f1f040a1aed5 |
| SHA256 | e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36 |
| SHA512 | 41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7 |
C:\Users\Admin\AppData\Local\Temp\68E0.tmp\MainWindow.exe
| MD5 | 7c92316762d584133b9cabf31ab6709b |
| SHA1 | 7ad040508cef1c0fa5edf45812b7b9cd16259474 |
| SHA256 | 01995c3715c30c0c292752448516b94485db51035c3a4f86eb18c147f10b6298 |
| SHA512 | f9fc7600c30cb11079185841fb15ee3ba5c33fff13979d5e69b2bae5723a0404177195d2e0bd28142356ff9b293850880b28322b2ce1ff9fe35e8961bb3f7be1 |
memory/2184-370-0x00000000000D0000-0x00000000000F2000-memory.dmp
memory/2184-374-0x0000000004FB0000-0x0000000005554000-memory.dmp
memory/2184-375-0x0000000004AA0000-0x0000000004B32000-memory.dmp
memory/2184-376-0x0000000004F70000-0x0000000004F7A000-memory.dmp
memory/2184-377-0x0000000004CD0000-0x0000000004CE0000-memory.dmp
C:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav
| MD5 | 1b185a156cfc1ddeff939bf62672516b |
| SHA1 | fd8b803400036f42c8d20ae491e2f1f040a1aed5 |
| SHA256 | e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36 |
| SHA512 | 41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7 |
memory/2184-379-0x0000000004CD0000-0x0000000004CE0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_AEB400E9C1014AFBA892194423A878CA.dat
| MD5 | 33ebb78f767e29b26580fd2feefaead6 |
| SHA1 | ed9f6f6e86a6ca9390e26b15ae55c218aa36590a |
| SHA256 | b4834e8ab3d24faa70443729045675ff099536c151bcbef35fad246d0ef1df8d |
| SHA512 | 0168a2de3f0270c4b8625bd12a634066366ec23c6ed18eabcc9db6fdf79473fbef4bb78f7657f96e39a9eddabeaac91ec8e15740fdde2dbffea777a8e74ae0a5 |
memory/2184-385-0x000000000B150000-0x000000000B250000-memory.dmp
memory/2184-386-0x000000000B150000-0x000000000B250000-memory.dmp
memory/2184-384-0x0000000004CD0000-0x0000000004CE0000-memory.dmp
memory/2184-383-0x0000000004CD0000-0x0000000004CE0000-memory.dmp
memory/2184-382-0x0000000004CD0000-0x0000000004CE0000-memory.dmp
memory/2184-387-0x000000000B150000-0x000000000B250000-memory.dmp
memory/2184-388-0x000000000B150000-0x000000000B250000-memory.dmp
memory/2184-389-0x000000000B150000-0x000000000B250000-memory.dmp
memory/2184-390-0x000000000B150000-0x000000000B250000-memory.dmp
memory/2184-391-0x0000000004CD0000-0x0000000004CE0000-memory.dmp
memory/2184-394-0x000000000B150000-0x000000000B250000-memory.dmp
memory/2184-395-0x000000000B150000-0x000000000B250000-memory.dmp
memory/2184-396-0x000000000B150000-0x000000000B250000-memory.dmp
memory/2184-397-0x000000000B150000-0x000000000B250000-memory.dmp
memory/2184-399-0x000000000B150000-0x000000000B250000-memory.dmp
memory/2184-398-0x000000000B150000-0x000000000B250000-memory.dmp
memory/2184-402-0x000000000B150000-0x000000000B250000-memory.dmp
memory/2184-403-0x000000000B150000-0x000000000B250000-memory.dmp
memory/2184-404-0x000000000B150000-0x000000000B250000-memory.dmp
memory/2184-405-0x000000000B150000-0x000000000B250000-memory.dmp