c492c1ed09bf6a85b5c9d16cf672ee6598974a89aaa54e731c83708d79bdca87

Resubmissions

23/12/2023, 12:47

231223-p1h3facef2 4

23/12/2023, 12:47

231223-pz6r4sced3 3

Analysis

max time kernel
0s
max time network
1s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23/12/2023, 12:47

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

THEOBLIVION.exe
Size

58KB
MD5

26ac3ad16bab5dbee05d83e5f2d83cfc
SHA1

02aeb82ca90175be1c79cb73cb7b73da5459be83
SHA256

c492c1ed09bf6a85b5c9d16cf672ee6598974a89aaa54e731c83708d79bdca87
SHA512

b3b780db2d071944a262eba327ce9c1406b0b1bbdf142da710e2071aeac4564e809446197ff3d2730e98f4b113329326c1f6bed7d93492a17ab57fa02b49026d
SSDEEP

768:tdiH7ekigOqvGMveAIAy51sL4rI1xd/4qOncBxQjVdRH:GbekCKvZu8icBxQjVL

Score

1^/10

Malware Config

Signatures

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2280	reg.exe
2692	reg.exe
2672	reg.exe
2616	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2624	PING.EXE

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v LegalNoticeCaption /t REG_SZ /d "O B L I V I O N V1" > nul 2>&1
1⤵
PID:2352
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v LegalNoticeCaption /t REG_SZ /d "O B L I V I O N V1"
  2⤵
  PID:2328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v LegalNoticeText /t REG_SZ /d "OBLIVION TROJAN -- YOUR COMPUTER IS NO MORE!!!! :-)" > nul 2>&1
1⤵
PID:1844
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v LegalNoticeText /t REG_SZ /d "OBLIVION TROJAN -- YOUR COMPUTER IS NO MORE!!!! :-)"
  2⤵
  PID:2408

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Control Panel\Desktop" /f /v WallpaperStyle /t REG_SZ /d 2
1⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping 127.0.0.1 -w 200 -n 2 > nul 2>&1
1⤵
PID:2736
- C:\Windows\SysWOW64\PING.EXE
  ping 127.0.0.1 -w 200 -n 2
  2⤵
  - Runs ping.exe
  PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableLUA /t REG_DWORD /d 0
1⤵
- Modifies registry key
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableLUA /t REG_DWORD /d 0 > nul 2>&1
1⤵
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /f /v NoRun /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /f /v NoRun /t REG_DWORD /d 1 > nul 2>&1
1⤵
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 1 > nul 2>&1
1⤵
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Policies\Microsoft\Windows\System /f /v DisableCMD /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Policies\Microsoft\Windows\System /f /v DisableCMD /t REG_DWORD /d 2 > nul 2>&1
1⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKCU\Control Panel\Desktop" /f /v WallpaperStyle /t REG_SZ /d 2 > nul 2>&1
1⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Control Panel\Desktop" /f /v Wallpaper /t REG_SZ /d "C:\Windows\inf\tHeOblIVIOn.bmp"
1⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKCU\Control Panel\Desktop" /f /v Wallpaper /t REG_SZ /d "C:\Windows\inf\tHeOblIVIOn.bmp" > nul 2>&1
1⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c shutdown -r -t 0 > nul 2>&1
1⤵
PID:2728
- C:\Windows\SysWOW64\shutdown.exe
  shutdown -r -t 0
  2⤵
  PID:2640

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\THEOBLIVION.exe
"C:\Users\Admin\AppData\Local\Temp\THEOBLIVION.exe"
1⤵
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2216-1-0x0000000000170000-0x0000000000182000-memory.dmp

Filesize
72KB

Download
memory/2468-2-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download