0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0

Reason

Machine shutdown

General

Target

0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0.exe
Size

2.3MB
MD5

4715ca3b58910a9d7d5c20eb1720c2ab
SHA1

53205e63db2aba2eedcd4b8c4cff8ce38b4ec3d0
SHA256

0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0
SHA512

264f85ab848798e02c7786f892e5f0e1a9c1254938d4740f6e15098115b67c61fc66e255e5c340614034e7477ecfce299518a5021fa7ea00923177c1bfa583d0
SSDEEP

49152:atpyaEIgRtPXRFfmiLXhiuKPIQyUxosEF1DsP2l8Qmv0g4xp7fn+lj0:4vEbRtPXrmHJgQZx5EFxDl8t14E

Score

10^/10

evasion persistence ransomware trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation cmd.exe
Executes dropped EXE 1 IoCs

Processes:

CLWCP.exe

pid process

4656 CLWCP.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
4656	CLWCP.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/872-133-0x0000000000400000-0x0000000000BC3000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\6F68.tmp\kern64.exe	upx
behavioral2/memory/872-198-0x0000000000400000-0x0000000000BC3000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Kernel = "C:\\HorrorTrojan\\kern64.exe"	reg.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

CLWCP.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\Desktop\Wallpaper = "c:\\horrortrojan\\bg.bmp"	CLWCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "173"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings cmd.exe
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1804 reg.exe
2020 reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	cmd.exe

pid	process
1804	reg.exe
2020	reg.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

WMIC.exeshutdown.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2156	WMIC.exe
Token: SeSecurityPrivilege	2156	WMIC.exe
Token: SeTakeOwnershipPrivilege	2156	WMIC.exe
Token: SeLoadDriverPrivilege	2156	WMIC.exe
Token: SeSystemProfilePrivilege	2156	WMIC.exe
Token: SeSystemtimePrivilege	2156	WMIC.exe
Token: SeProfSingleProcessPrivilege	2156	WMIC.exe
Token: SeIncBasePriorityPrivilege	2156	WMIC.exe
Token: SeCreatePagefilePrivilege	2156	WMIC.exe
Token: SeBackupPrivilege	2156	WMIC.exe
Token: SeRestorePrivilege	2156	WMIC.exe
Token: SeShutdownPrivilege	2156	WMIC.exe
Token: SeDebugPrivilege	2156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2156	WMIC.exe
Token: SeRemoteShutdownPrivilege	2156	WMIC.exe
Token: SeUndockPrivilege	2156	WMIC.exe
Token: SeManageVolumePrivilege	2156	WMIC.exe
Token: 33	2156	WMIC.exe
Token: 34	2156	WMIC.exe
Token: 35	2156	WMIC.exe
Token: 36	2156	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2156	WMIC.exe
Token: SeSecurityPrivilege	2156	WMIC.exe
Token: SeTakeOwnershipPrivilege	2156	WMIC.exe
Token: SeLoadDriverPrivilege	2156	WMIC.exe
Token: SeSystemProfilePrivilege	2156	WMIC.exe
Token: SeSystemtimePrivilege	2156	WMIC.exe
Token: SeProfSingleProcessPrivilege	2156	WMIC.exe
Token: SeIncBasePriorityPrivilege	2156	WMIC.exe
Token: SeCreatePagefilePrivilege	2156	WMIC.exe
Token: SeBackupPrivilege	2156	WMIC.exe
Token: SeRestorePrivilege	2156	WMIC.exe
Token: SeShutdownPrivilege	2156	WMIC.exe
Token: SeDebugPrivilege	2156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2156	WMIC.exe
Token: SeRemoteShutdownPrivilege	2156	WMIC.exe
Token: SeUndockPrivilege	2156	WMIC.exe
Token: SeManageVolumePrivilege	2156	WMIC.exe
Token: 33	2156	WMIC.exe
Token: 34	2156	WMIC.exe
Token: 35	2156	WMIC.exe
Token: 36	2156	WMIC.exe
Token: SeShutdownPrivilege	2212	shutdown.exe
Token: SeRemoteShutdownPrivilege	2212	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

3600 LogonUI.exe

pid	process
3600	LogonUI.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0.execmd.exe

description	pid	process	target process
PID 872 wrote to memory of 1536	872	0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0.exe	cmd.exe
PID 872 wrote to memory of 1536	872	0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0.exe	cmd.exe
PID 872 wrote to memory of 1536	872	0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0.exe	cmd.exe
PID 1536 wrote to memory of 4656	1536	cmd.exe	CLWCP.exe
PID 1536 wrote to memory of 4656	1536	cmd.exe	CLWCP.exe
PID 1536 wrote to memory of 4656	1536	cmd.exe	CLWCP.exe
PID 1536 wrote to memory of 1804	1536	cmd.exe	reg.exe
PID 1536 wrote to memory of 1804	1536	cmd.exe	reg.exe
PID 1536 wrote to memory of 1804	1536	cmd.exe	reg.exe
PID 1536 wrote to memory of 1696	1536	cmd.exe	reg.exe
PID 1536 wrote to memory of 1696	1536	cmd.exe	reg.exe
PID 1536 wrote to memory of 1696	1536	cmd.exe	reg.exe
PID 1536 wrote to memory of 2460	1536	cmd.exe	reg.exe
PID 1536 wrote to memory of 2460	1536	cmd.exe	reg.exe
PID 1536 wrote to memory of 2460	1536	cmd.exe	reg.exe
PID 1536 wrote to memory of 2020	1536	cmd.exe	reg.exe
PID 1536 wrote to memory of 2020	1536	cmd.exe	reg.exe
PID 1536 wrote to memory of 2020	1536	cmd.exe	reg.exe
PID 1536 wrote to memory of 2156	1536	cmd.exe	WMIC.exe
PID 1536 wrote to memory of 2156	1536	cmd.exe	WMIC.exe
PID 1536 wrote to memory of 2156	1536	cmd.exe	WMIC.exe
PID 1536 wrote to memory of 3028	1536	cmd.exe	WScript.exe
PID 1536 wrote to memory of 3028	1536	cmd.exe	WScript.exe
PID 1536 wrote to memory of 3028	1536	cmd.exe	WScript.exe
PID 1536 wrote to memory of 2212	1536	cmd.exe	shutdown.exe
PID 1536 wrote to memory of 2212	1536	cmd.exe	shutdown.exe
PID 1536 wrote to memory of 2212	1536	cmd.exe	shutdown.exe

C:\Users\Admin\AppData\Local\Temp\0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0.exe
"C:\Users\Admin\AppData\Local\Temp\0e095735ba2333e4a05d21a7d640f06c92408ddbdefeb800e920f6f5d7f24fd0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6F68.tmp\HorrorTrojan.bat""
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Local\Temp\6F68.tmp\CLWCP.exe
clwcp c:\horrortrojan\bg.bmp
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:4656

C:\Windows\SysWOW64\reg.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d /1 /f
3⤵
- Modifies registry key
PID:1804

C:\Windows\SysWOW64\reg.exe
Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Kernel" /t REG_SZ /F /D "C:\HorrorTrojan\kern64.exe"
3⤵
- Adds Run key to start application
PID:2460

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
- Modifies registry key
PID:2020

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' rename UR_DED
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6F68.tmp\complete.vbs"
3⤵
PID:3028

C:\Windows\SysWOW64\shutdown.exe
shutdown /r /t 00
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39f9855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

4

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6F68.tmp\CLWCP.exe
Filesize
505KB

MD5
e62ee6f1efc85cb36d62ab779db6e4ec

SHA1
da07ec94cf2cb2b430e15bd0c5084996a47ee649

SHA256
13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

SHA512
8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F68.tmp\CLWCP.exe
Filesize
505KB

MD5
e62ee6f1efc85cb36d62ab779db6e4ec

SHA1
da07ec94cf2cb2b430e15bd0c5084996a47ee649

SHA256
13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

SHA512
8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F68.tmp\HorrorTrojan.bat
Filesize
6KB

MD5
e4fc7f0e5f204964aa1877570ffb9655

SHA1
d65e05be88a2772fbb59dd6ada48cee04f0f4f59

SHA256
f4905f12b1e4155f9faab7e2937e890da9ddb226fb008f0f3cb1d94ac9d05a5d

SHA512
be8d93ce24eddd1ed97512055527f900588ef8b395c9d78df92eca569ef8f8fe6c4afbc9cb6bdd893227e487e4cdbf1154eebac077c8f6c9fe7012584820f5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F68.tmp\bg.bmp
Filesize
6.6MB

MD5
a605dbeda4f89c1569dd46221c5e85b5

SHA1
5f28ce1e1788a083552b9ac760e57d278467a1f9

SHA256
77897f44096311ddb6d569c2a595eca3967c645f24c274318a51e5346816eb8e

SHA512
e4afa652f0133d51480f1d249c828600d02f024aa2cccfb58a0830a9d0c6ee56906736e6d87554ed25c4e69252536cb7379b60b2867b647966269c965b538610

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F68.tmp\complete.vbs
Filesize
77B

MD5
c6f73e6db67c73b6c161f146c3c12210

SHA1
8ee0301d838839864f003ec015a40be5f331c73a

SHA256
8f6e476dc0d92fecc5a75110404ee32b0fd537de7a52e011c984325e7c18b0aa

SHA512
7b5db6969f55a956714266fe9ba6f49db436dead5db882d82525a6b17b414cac451951f4339e1416a14877881f64fbb2ab1e5007d30d8e3c7c5c815c8e0f0ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F68.tmp\kern64.exe
Filesize
621KB

MD5
56afeca82ab6ecefeeb80a794b66a0b1

SHA1
444f6fef5cae216b648cd10acd98b219ae09355b

SHA256
1931c82abb2b5481c9999c5e16b0dc3291bb1aa44b4729e93266134c057ae9a2

SHA512
9eeeef45ab27c88c93620e0d5e9a2f9fe5512fdaa935118ed0d585a229c10f58e79c0ef2fad15d49ddb822b1aa622d1b347d518cf7cd3eb84e85f146c941c9bc

Download Submit
memory/872-133-0x0000000000400000-0x0000000000BC3000-memory.dmp

Filesize
7.8MB

Download
memory/872-198-0x0000000000400000-0x0000000000BC3000-memory.dmp

Filesize
7.8MB

Download
memory/4656-162-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/4656-199-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads