Analysis
  max time kernel: 49s
  max time network: 52s
  platform: windows7_x64
  resource: win7-20230220-en
  resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  submitted: 28-03-2023 06:49
Behavioral task: behavioral1
  Sample: 0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0.exe
  Resource: win10v2004-20230220-en
Errors
General
  Target: 0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0.exe
  Size: 2.3MB
  MD5: 4715ca3b58910a9d7d5c20eb1720c2ab
  SHA1: 53205e63db2aba2eedcd4b8c4cff8ce38b4ec3d0
  SHA256: 0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0
  SHA512: 264f85ab848798e02c7786f892e5f0e1a9c1254938d4740f6e15098115b67c61fc66e255e5c340614034e7477ecfce299518a5021fa7ea00923177c1bfa583d0
  SSDEEP: 49152:atpyaEIgRtPXRFfmiLXhiuKPIQyUxosEF1DsP2l8Qmv0g4xp7fn+lj0:4vEbRtPXrmHJgQZx5EFxDl8t14E
Malware Config
Signatures
- UAC bypass
  Processes:
    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
- Executes dropped EXE 1 IoCs
  Processes:
    pid | process
    1004 | CLWCP.exe
- Loads dropped DLL 2 IoCs
  Processes:
    pid | process
    572 | cmd.exe
    572 | cmd.exe
- Processes (resource / yara_rule):
    behavioral1/memory/1240-68-0x0000000000400000-0x0000000000BC3000-memory.dmp | upx
    C:\Users\Admin\AppData\Local\Temp\47DA.tmp\kern64.exe | upx
    behavioral1/memory/1240-160-0x0000000000400000-0x0000000000BC3000-memory.dmp | upx
- Adds Run key to start application 2 TTPs 2 IoCs
  Processes:
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Kernel = "C:\\HorrorTrojan\\kern64.exe" | reg.exe
- Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\Desktop\Wallpaper = "c:\\horrortrojan\\bg.bmp" | CLWCP.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry key 1 TTPs 2 IoCs
- Suspicious use of AdjustPrivilegeToken 44 IoCs
  Processes:
    description | pid | process
    WMIC.exe (pid 396), first sequence: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    WMIC.exe (pid 396), second sequence: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    AUDIODG.EXE (pid 1012): Token: 33, SeIncBasePriorityPrivilege, 33, SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory 36 IoCs
  Processes:
    description | pid | process | target process
    PID 1240 wrote to memory of 572 | 1240 | 0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0.exe | cmd.exe (4 entries)
    PID 572 wrote to memory of 1004 | 572 | cmd.exe | CLWCP.exe (4 entries)
    PID 572 wrote to memory of 872 | 572 | cmd.exe | reg.exe (4 entries)
    PID 572 wrote to memory of 868 | 572 | cmd.exe | reg.exe (4 entries)
    PID 572 wrote to memory of 1684 | 572 | cmd.exe | reg.exe (4 entries)
    PID 572 wrote to memory of 1892 | 572 | cmd.exe | reg.exe (4 entries)
    PID 572 wrote to memory of 396 | 572 | cmd.exe | WMIC.exe (4 entries)
    PID 572 wrote to memory of 112 | 572 | cmd.exe | WScript.exe (4 entries)
    PID 572 wrote to memory of 1632 | 572 | cmd.exe | shutdown.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\47DA.tmp\HorrorTrojan.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\47DA.tmp\CLWCP.exe
      Command line: clwcp c:\horrortrojan\bg.bmp
      - Executes dropped EXE
      - Sets desktop wallpaper using registry
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d /1 /f
      - Modifies registry key
    - C:\Windows\SysWOW64\reg.exe
      Command line: Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Kernel" /t REG_SZ /F /D "C:\HorrorTrojan\kern64.exe"
      - Adds Run key to start application
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - Modifies registry key
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic useraccount where name='Admin' rename UR_DED
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47DA.tmp\complete.vbs"
    - C:\Windows\SysWOW64\shutdown.exe
      Command line: shutdown /r /t 00
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x49c
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\47DA.tmp\CLWCP.exe
  Filesize: 505KB
  MD5: e62ee6f1efc85cb36d62ab779db6e4ec
  SHA1: da07ec94cf2cb2b430e15bd0c5084996a47ee649
  SHA256: 13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a
  SHA512: 8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69
- C:\Users\Admin\AppData\Local\Temp\47DA.tmp\HorrorTrojan.bat
  Filesize: 6KB
  MD5: e4fc7f0e5f204964aa1877570ffb9655
  SHA1: d65e05be88a2772fbb59dd6ada48cee04f0f4f59
  SHA256: f4905f12b1e4155f9faab7e2937e890da9ddb226fb008f0f3cb1d94ac9d05a5d
  SHA512: be8d93ce24eddd1ed97512055527f900588ef8b395c9d78df92eca569ef8f8fe6c4afbc9cb6bdd893227e487e4cdbf1154eebac077c8f6c9fe7012584820f5ab
- C:\Users\Admin\AppData\Local\Temp\47DA.tmp\bg.bmp
  Filesize: 6.6MB
  MD5: a605dbeda4f89c1569dd46221c5e85b5
  SHA1: 5f28ce1e1788a083552b9ac760e57d278467a1f9
  SHA256: 77897f44096311ddb6d569c2a595eca3967c645f24c274318a51e5346816eb8e
  SHA512: e4afa652f0133d51480f1d249c828600d02f024aa2cccfb58a0830a9d0c6ee56906736e6d87554ed25c4e69252536cb7379b60b2867b647966269c965b538610
- C:\Users\Admin\AppData\Local\Temp\47DA.tmp\complete.vbs
  Filesize: 77B
  MD5: c6f73e6db67c73b6c161f146c3c12210
  SHA1: 8ee0301d838839864f003ec015a40be5f331c73a
  SHA256: 8f6e476dc0d92fecc5a75110404ee32b0fd537de7a52e011c984325e7c18b0aa
  SHA512: 7b5db6969f55a956714266fe9ba6f49db436dead5db882d82525a6b17b414cac451951f4339e1416a14877881f64fbb2ab1e5007d30d8e3c7c5c815c8e0f0ea8
- C:\Users\Admin\AppData\Local\Temp\47DA.tmp\kern64.exe
  Filesize: 621KB
  MD5: 56afeca82ab6ecefeeb80a794b66a0b1
  SHA1: 444f6fef5cae216b648cd10acd98b219ae09355b
  SHA256: 1931c82abb2b5481c9999c5e16b0dc3291bb1aa44b4729e93266134c057ae9a2
  SHA512: 9eeeef45ab27c88c93620e0d5e9a2f9fe5512fdaa935118ed0d585a229c10f58e79c0ef2fad15d49ddb822b1aa622d1b347d518cf7cd3eb84e85f146c941c9bc
- \??\c:\horrortrojan\bg.bmp
  Filesize: 6.6MB
  MD5: a605dbeda4f89c1569dd46221c5e85b5
  SHA1: 5f28ce1e1788a083552b9ac760e57d278467a1f9
  SHA256: 77897f44096311ddb6d569c2a595eca3967c645f24c274318a51e5346816eb8e
  SHA512: e4afa652f0133d51480f1d249c828600d02f024aa2cccfb58a0830a9d0c6ee56906736e6d87554ed25c4e69252536cb7379b60b2867b647966269c965b538610
- \Users\Admin\AppData\Local\Temp\47DA.tmp\CLWCP.exe
  Filesize: 505KB
  MD5: e62ee6f1efc85cb36d62ab779db6e4ec
  SHA1: da07ec94cf2cb2b430e15bd0c5084996a47ee649
  SHA256: 13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a
  SHA512: 8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69
- memory/1004-84-0x0000000000220000-0x0000000000221000-memory.dmp
  Filesize: 4KB
- memory/1004-162-0x0000000000400000-0x0000000000484000-memory.dmp
  Filesize: 528KB
- memory/1240-68-0x0000000000400000-0x0000000000BC3000-memory.dmp
  Filesize: 7.8MB
- memory/1240-160-0x0000000000400000-0x0000000000BC3000-memory.dmp
  Filesize: 7.8MB
- memory/1588-163-0x0000000002900000-0x0000000002901000-memory.dmp
  Filesize: 4KB
- memory/1860-164-0x0000000002760000-0x0000000002761000-memory.dmp
  Filesize: 4KB