Overview

overview

7

Static

static

3

SystemCras...el.exe

windows7-x64

4

SystemCras...el.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    133s
  • max time network
    36s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
  • submitted
    30-06-2023 12:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SystemCrasher_ByDaniel.exe

  • Size

    296KB

  • MD5

    fe6bb808dff8cb1a8571a1a07dbafe89

  • SHA1

    5611d48b3998ca8d428cd19f8ad85c30e1e54686

  • SHA256

    b14a43816be48e5624a82bc768011389daf67645ae8cfe2078a9ee523d8e8afe

  • SHA512

    4ac28bb677c6808159b5cc1edc7562e1d220b5e3552ac6c817d558804e347107f560e07caaab67ff3530134eccac62a8bb877836adc5e7cff5504f3977d60d61

  • SSDEEP

    6144:Et5hBPi0BW69hd1MMdxPe9N9uA069TBIcr7tGuHo67g7GnJaKeOnSlt6iPigOqZt:Etzww69Ta0ZGuVLJat/lsiPigO0npUq

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 57 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SystemCrasher_ByDaniel.exe
    "C:\Users\Admin\AppData\Local\Temp\SystemCrasher_ByDaniel.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1428
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FDD0.tmp\FDD1.tmp\FDD2.bat C:\Users\Admin\AppData\Local\Temp\SystemCrasher_ByDaniel.exe"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:820
      • C:\Windows\system32\calc.exe
        calc
        3⤵
          PID:1548
        • C:\Windows\system32\msg.exe
          msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
          3⤵
            PID:1196
          • C:\Windows\system32\msg.exe
            msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
            3⤵
              PID:560
            • C:\Windows\explorer.exe
              explorer
              3⤵
                PID:468
              • C:\Windows\system32\msg.exe
                msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
                3⤵
                  PID:1636
                • C:\Windows\system32\mspaint.exe
                  mspaint
                  3⤵
                  • Drops file in Windows directory
                  • Suspicious use of SetWindowsHookEx
                  PID:672
                • C:\Windows\system32\msg.exe
                  msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
                  3⤵
                    PID:1000
                  • C:\Windows\system32\write.exe
                    write
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:768
                    • C:\Program Files\Windows NT\Accessories\wordpad.exe
                      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
                      4⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:2012
                  • C:\Windows\system32\msg.exe
                    msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
                    3⤵
                      PID:1624
                    • C:\Windows\system32\msg.exe
                      msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
                      3⤵
                        PID:812
                      • C:\Windows\system32\write.exe
                        write
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1924
                        • C:\Program Files\Windows NT\Accessories\wordpad.exe
                          "C:\Program Files\Windows NT\Accessories\wordpad.exe"
                          4⤵
                          • Suspicious use of SetWindowsHookEx
                          PID:1028
                      • C:\Windows\system32\write.exe
                        write
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1944
                        • C:\Program Files\Windows NT\Accessories\wordpad.exe
                          "C:\Program Files\Windows NT\Accessories\wordpad.exe"
                          4⤵
                          • Suspicious use of SetWindowsHookEx
                          PID:1460
                      • C:\Windows\system32\msg.exe
                        msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
                        3⤵
                          PID:808
                        • C:\Windows\system32\control.exe
                          control
                          3⤵
                            PID:1068
                          • C:\Windows\system32\net.exe
                            net user DANIEL TROJAN /add
                            3⤵
                            • Suspicious use of WriteProcessMemory
                            PID:1672
                            • C:\Windows\system32\net1.exe
                              C:\Windows\system32\net1 user DANIEL TROJAN /add
                              4⤵
                                PID:1884
                            • C:\Windows\system32\net.exe
                              net user 2231 /add
                              3⤵
                              • Suspicious use of WriteProcessMemory
                              PID:1196
                              • C:\Windows\system32\net1.exe
                                C:\Windows\system32\net1 user 2231 /add
                                4⤵
                                  PID:1844
                              • C:\Windows\system32\net.exe
                                net user YOUR PC IS TRASHED BY DANIEL /add
                                3⤵
                                  PID:1744
                                  • C:\Windows\system32\net1.exe
                                    C:\Windows\system32\net1 user YOUR PC IS TRASHED BY DANIEL /add
                                    4⤵
                                      PID:1512
                                  • C:\Windows\system32\calc.exe
                                    calc
                                    3⤵
                                      PID:1544
                                    • C:\Windows\system32\msg.exe
                                      msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
                                      3⤵
                                        PID:1580
                                      • C:\Windows\system32\msg.exe
                                        msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
                                        3⤵
                                          PID:1516
                                        • C:\Windows\explorer.exe
                                          explorer
                                          3⤵
                                            PID:1940
                                          • C:\Windows\system32\msg.exe
                                            msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
                                            3⤵
                                              PID:1036
                                            • C:\Windows\system32\mspaint.exe
                                              mspaint
                                              3⤵
                                              • Drops file in Windows directory
                                              • Suspicious use of SetWindowsHookEx
                                              PID:1948
                                            • C:\Windows\system32\msg.exe
                                              msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
                                              3⤵
                                                PID:1848
                                              • C:\Windows\system32\msg.exe
                                                msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
                                                3⤵
                                                  PID:1676
                                                • C:\Windows\system32\write.exe
                                                  write
                                                  3⤵
                                                    PID:1512
                                                    • C:\Program Files\Windows NT\Accessories\wordpad.exe
                                                      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
                                                      4⤵
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:1852
                                                  • C:\Windows\system32\write.exe
                                                    write
                                                    3⤵
                                                      PID:548
                                                      • C:\Program Files\Windows NT\Accessories\wordpad.exe
                                                        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
                                                        4⤵
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:1584
                                                    • C:\Windows\system32\msg.exe
                                                      msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
                                                      3⤵
                                                        PID:1796
                                                      • C:\Windows\system32\write.exe
                                                        write
                                                        3⤵
                                                          PID:1940
                                                          • C:\Program Files\Windows NT\Accessories\wordpad.exe
                                                            "C:\Program Files\Windows NT\Accessories\wordpad.exe"
                                                            4⤵
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:1944
                                                        • C:\Windows\system32\msg.exe
                                                          msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
                                                          3⤵
                                                            PID:1764
                                                          • C:\Windows\system32\control.exe
                                                            control
                                                            3⤵
                                                              PID:1636
                                                            • C:\Windows\system32\calc.exe
                                                              calc
                                                              3⤵
                                                                PID:1928
                                                              • C:\Windows\system32\msg.exe
                                                                msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
                                                                3⤵
                                                                  PID:920
                                                                • C:\Windows\system32\msg.exe
                                                                  msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
                                                                  3⤵
                                                                    PID:520
                                                                  • C:\Windows\explorer.exe
                                                                    explorer
                                                                    3⤵
                                                                      PID:1312
                                                                    • C:\Windows\system32\msg.exe
                                                                      msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
                                                                      3⤵
                                                                        PID:1408
                                                                      • C:\Windows\system32\mspaint.exe
                                                                        mspaint
                                                                        3⤵
                                                                        • Drops file in Windows directory
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:1160
                                                                      • C:\Windows\system32\msg.exe
                                                                        msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
                                                                        3⤵
                                                                          PID:1540
                                                                        • C:\Windows\system32\write.exe
                                                                          write
                                                                          3⤵
                                                                            PID:1604
                                                                            • C:\Program Files\Windows NT\Accessories\wordpad.exe
                                                                              "C:\Program Files\Windows NT\Accessories\wordpad.exe"
                                                                              4⤵
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:1724
                                                                          • C:\Windows\system32\msg.exe
                                                                            msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
                                                                            3⤵
                                                                              PID:1888
                                                                            • C:\Windows\system32\write.exe
                                                                              write
                                                                              3⤵
                                                                                PID:1980
                                                                                • C:\Program Files\Windows NT\Accessories\wordpad.exe
                                                                                  "C:\Program Files\Windows NT\Accessories\wordpad.exe"
                                                                                  4⤵
                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                  PID:996
                                                                              • C:\Windows\system32\msg.exe
                                                                                msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
                                                                                3⤵
                                                                                  PID:572
                                                                                • C:\Windows\system32\write.exe
                                                                                  write
                                                                                  3⤵
                                                                                    PID:1312
                                                                                    • C:\Program Files\Windows NT\Accessories\wordpad.exe
                                                                                      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
                                                                                      4⤵
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:1540
                                                                                  • C:\Windows\system32\msg.exe
                                                                                    msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
                                                                                    3⤵
                                                                                      PID:1456
                                                                                    • C:\Windows\system32\control.exe
                                                                                      control
                                                                                      3⤵
                                                                                        PID:1888
                                                                                      • C:\Windows\system32\calc.exe
                                                                                        calc
                                                                                        3⤵
                                                                                          PID:1296
                                                                                        • C:\Windows\system32\msg.exe
                                                                                          msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
                                                                                          3⤵
                                                                                            PID:652
                                                                                          • C:\Windows\system32\msg.exe
                                                                                            msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
                                                                                            3⤵
                                                                                              PID:1408
                                                                                            • C:\Windows\explorer.exe
                                                                                              explorer
                                                                                              3⤵
                                                                                                PID:288
                                                                                          • C:\Windows\SysWOW64\DllHost.exe
                                                                                            C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
                                                                                            1⤵
                                                                                              PID:1924

                                                                                            Network

                                                                                            MITRE ATT&CK Enterprise v6

                                                                                            Replay Monitor

                                                                                            Loading Replay Monitor...

                                                                                            Downloads

                                                                                            • C:\Users\Admin\AppData\Local\Temp\FDD0.tmp\FDD1.tmp\FDD2.bat
                                                                                              Filesize

                                                                                              153KB

                                                                                              MD5

                                                                                              abe73cfada21f9c25c517bdb245da915

                                                                                              SHA1

                                                                                              72e733b0fff0d55434bf0ac70fa45bbdbfa61774

                                                                                              SHA256

                                                                                              223449ea63e12906be577ce45d82ee688a55d9f874dc7fe243d9c2c085324182

                                                                                              SHA512

                                                                                              179f6abc2da020046fc3b61ef39cd1a0da1c00f1c62e4a4b00daac72f8f04550023067ff7f7da37cc8cb45474c7f146070c80022edf14556cb057643305b65ce

                                                                                              Download Submit

                                                                                            • C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdui.BUD
                                                                                              Filesize

                                                                                              56KB

                                                                                              MD5

                                                                                              bd72dcf1083b6e22ccbfa0e8e27fb1e0

                                                                                              SHA1

                                                                                              3fd23d4f14da768da7b8364d74c54932d704e74e

                                                                                              SHA256

                                                                                              90f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1

                                                                                              SHA512

                                                                                              72360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562

                                                                                              Download Submit

                                                                                            • C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdui.BUD
                                                                                              Filesize

                                                                                              56KB

                                                                                              MD5

                                                                                              bd72dcf1083b6e22ccbfa0e8e27fb1e0

                                                                                              SHA1

                                                                                              3fd23d4f14da768da7b8364d74c54932d704e74e

                                                                                              SHA256

                                                                                              90f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1

                                                                                              SHA512

                                                                                              72360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562

                                                                                              Download Submit

                                                                                            • memory/672-96-0x0000000001D00000-0x0000000001D01000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/672-95-0x000007FEF67B0000-0x000007FEF67FC000-memory.dmp

                                                                                              Filesize

                                                                                              304KB

                                                                                              Download

                                                                                            • memory/820-70-0x0000000002330000-0x0000000002331000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/996-141-0x00000000020A0000-0x00000000020A1000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/1028-93-0x0000000001F50000-0x0000000001F51000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/1160-139-0x000007FEF67B0000-0x000007FEF67FC000-memory.dmp

                                                                                              Filesize

                                                                                              304KB

                                                                                              Download

                                                                                            • memory/1160-140-0x0000000001E50000-0x0000000001E51000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/1460-94-0x0000000001F50000-0x0000000001F51000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/1460-97-0x0000000001F50000-0x0000000001F51000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/1540-143-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/1584-110-0x00000000021B0000-0x00000000021B1000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/1724-142-0x0000000001F90000-0x0000000001F91000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/1852-119-0x0000000002000000-0x0000000002001000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/1852-121-0x0000000002000000-0x0000000002001000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/1944-120-0x0000000001F00000-0x0000000001F01000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/1948-108-0x00000000021B0000-0x00000000021B1000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/1948-107-0x000007FEF67B0000-0x000007FEF67FC000-memory.dmp

                                                                                              Filesize

                                                                                              304KB

                                                                                              Download

                                                                                            • memory/2012-92-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download