Resubmissions
31-03-2023 16:17  230331-trclhsch2y  10
Analysis
max time kernel: 168s
max time network: 34s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 31-03-2023 16:17
Static task: static1
Behavioral task: behavioral1
Sample: WinXP.Horror.Destructive.exe
Resource: win7-20230220-en
General
Target: WinXP.Horror.Destructive.exe
Size: 57.9MB
MD5: 063ea883f8c67d3bb22e0a465136ca4c
SHA1: 3a168a9153ee32b86d9a5411b0af13846c55ee1d
SHA256: 3b64ce283febf3207dd20c99fc53de65b07044231eb544c4c41de374a2571c5c
SHA512: 2dd6be23a5af8c458b94eeb5a4e83fc8cacb3fd2c2566b5682eee286c01726dca90db3d9b4e218eeded9b0c9bce8ba3c9ca9cc497e3a57aab580633a038e4b74
SSDEEP: 1572864:aj6L5PLk/mBCSyKOYl39GFoFEujFMm+B997DaNHN1oS72fnD9hRzZ01tO0DpvrvI:i6cSzV9GCFEujFMm+B997DaNHN1oS72X
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "0" | WinXP.Horror.Destructive.exe
UAC bypass
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WinXP.Horror.Destructive.exe
Disables RegEdit via registry modification (1 IoC)
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | WinXP.Horror.Destructive.exe
Disables Task Manager via registry modification
Checks whether UAC is enabled
Processes (description | ioc | process):
  Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WinXP.Horror.Destructive.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WinXP.Horror.Destructive.exe
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description | ioc | process):
  File opened for modification | \??\PhysicalDrive0 | WinXP.Horror.Destructive.exe
Modifies Control Panel (2 IoCs)
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Mouse | WinXP.Horror.Destructive.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Mouse\SwapMouseButtons = "1" | WinXP.Horror.Destructive.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process):
  1156 | WinXP.Horror.Destructive.exe  (the same pid/process pair is listed for all 64 IoCs)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (description | pid | process):
  Token: 33 | 1904 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1904 | AUDIODG.EXE
  Token: 33 | 1904 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1904 | AUDIODG.EXE
System policy modification (1 TTP, 5 IoCs)
Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | WinXP.Horror.Destructive.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" | WinXP.Horror.Destructive.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1" | WinXP.Horror.Destructive.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | WinXP.Horror.Destructive.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WinXP.Horror.Destructive.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\WinXP.Horror.Destructive.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\WinXP.Horror.Destructive.exe"
  Signatures:
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
- C:\Windows\explorer.exe
  Command line: explorer.exe
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x550
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1156-54-0x0000000000230000-0x0000000000231000-memory.dmp  Filesize: 4KB
memory/1156-55-0x0000000000400000-0x0000000003DF3000-memory.dmp  Filesize: 57.9MB
memory/1156-56-0x0000000000400000-0x0000000003DF3000-memory.dmp  Filesize: 57.9MB
memory/1156-57-0x0000000000400000-0x0000000003DF3000-memory.dmp  Filesize: 57.9MB
memory/1156-58-0x0000000000400000-0x0000000003DF3000-memory.dmp  Filesize: 57.9MB
memory/1156-59-0x0000000000400000-0x0000000003DF3000-memory.dmp  Filesize: 57.9MB
memory/1156-60-0x0000000000400000-0x0000000003DF3000-memory.dmp  Filesize: 57.9MB
memory/1156-61-0x0000000000400000-0x0000000003DF3000-memory.dmp  Filesize: 57.9MB
memory/1156-62-0x0000000000400000-0x0000000003DF3000-memory.dmp  Filesize: 57.9MB
memory/1156-63-0x0000000000400000-0x0000000003DF3000-memory.dmp  Filesize: 57.9MB
memory/1156-64-0x0000000000400000-0x0000000003DF3000-memory.dmp  Filesize: 57.9MB
memory/1156-65-0x0000000000400000-0x0000000003DF3000-memory.dmp  Filesize: 57.9MB
memory/1156-67-0x0000000000400000-0x0000000003DF3000-memory.dmp  Filesize: 57.9MB