Resubmissions
31-03-2023 16:17
230331-trclhsch2y 10Analysis
-
max time kernel
168s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
31-03-2023 16:17
General
-
Target
WinXP.Horror.Destructive.exe
-
Size
57.9MB
-
MD5
063ea883f8c67d3bb22e0a465136ca4c
-
SHA1
3a168a9153ee32b86d9a5411b0af13846c55ee1d
-
SHA256
3b64ce283febf3207dd20c99fc53de65b07044231eb544c4c41de374a2571c5c
-
SHA512
2dd6be23a5af8c458b94eeb5a4e83fc8cacb3fd2c2566b5682eee286c01726dca90db3d9b4e218eeded9b0c9bce8ba3c9ca9cc497e3a57aab580633a038e4b74
-
SSDEEP
1572864:aj6L5PLk/mBCSyKOYl39GFoFEujFMm+B997DaNHN1oS72fnD9hRzZ01tO0DpvrvI:i6cSzV9GCFEujFMm+B997DaNHN1oS72X
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Modifies Control Panel 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
System policy modification 1 TTPs 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\WinXP.Horror.Destructive.exe"C:\Users\Admin\AppData\Local\Temp\WinXP.Horror.Destructive.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5501⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1156-54-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/1156-55-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/1156-56-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/1156-57-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/1156-58-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/1156-59-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/1156-60-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/1156-61-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/1156-62-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/1156-63-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/1156-64-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/1156-65-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB
-
memory/1156-67-0x0000000000400000-0x0000000003DF3000-memory.dmpFilesize
57.9MB