Analysis

  • max time kernel
    4s
  • max time network
    10s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-03-2024 23:32

Errors

Reason
Machine shutdown

General

  • Target

    Trojan/666.exe

  • Size

    6.8MB

  • MD5

    63c96886aade3b86d982ad249ef7eb50

  • SHA1

    12a56093ebfa3ba038742ab7e9a472727e70a3b5

  • SHA256

    db6bbaa7de79fa26489c511fb59e996db796a491f047539fea8ef42107ff3eb6

  • SHA512

    bcaf4f10292e4b15ab940457f13a917a323a47e03084e4694dab158d4c4f47807080407ceb206945b19a385411b7fb36d80ce39a07e1da7d88e38694b259c06c

  • SSDEEP

    12288:+Rx0AYhMCua0AYhMCuulE0AYhMCud0AYhMCuf:+Rx0n3b0n3PlE0n3C0n3I

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Modifies WinLogon (2 TTPs, 1 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  • Kills process with taskkill (1 IoCs)
  • Modifies registry class (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (20 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Trojan\666.exe
    "C:\Users\Admin\AppData\Local\Temp\Trojan\666.exe"
    1⤵
    • Modifies WinLogon
    • Sets desktop wallpaper using registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\z666.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im explorer.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2564
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic useraccount where name='Admin' set FullName='No System Anymore'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2664
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic useraccount where name='Admin' rename 'No System Anymore'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2368
      • C:\Windows\SysWOW64\shutdown.exe
        shutdown /f /r /t 0
        3⤵
        PID:2252
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:1016
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:1688

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NoSystemAnymore.exe
    Filesize: 273KB
    MD5: ef4e8ea4440efc48d5cd1a05a3a6f2a8
    SHA1: 74b5a40d4d9cb94ac7ed93b1cf9045539e50f068
    SHA256: b1f25de77226ad8cf0e06226653e1c5aa7ac27a1ba8ba7bff8845685c2e53709
    SHA512: f7aaa82dacf0ceee3f8311c787a568fdbe0b322d47371ddab37427902ceb74d0b324d6335878366d40f4d5d2b04b00157b81c8bd7b5c7b27fdcd26c770c13bf4

  • C:\Users\Admin\AppData\Local\Temp\bsod.exe
    Filesize: 274KB
    MD5: f1896231e9622dd044601962a9866a77
    SHA1: 36ad39e7d797ae43ee415e90a2dc234e0be3087b
    SHA256: a254d664351a6db50d98bebbd530c46e64f9b9455bf4f378254045b2cde971f8
    SHA512: e4004c3879b2b337260848e748c9d0b5e51bb4c8a8c317e44cedfe30e614391c329d1c07e7b052983897cc1010eee994c09cb370f721317f9c429c1d82e50901

  • C:\Users\Admin\AppData\Local\Temp\noway.txt
    Filesize: 912B
    MD5: 391403276c6df4a164b0544a3411c6c7
    SHA1: c4c06a4c7710d1d8140b07abd4b7bcd4187485ab
    SHA256: 524dcba7e6a293bc6a19c1522672598a71ff4def394ac696ec30ea99154d511b
    SHA512: 2b0b05f4e8241ec07bd35f1a40113be5fa8689d5bfb8a4064a5c8dc119b10fe40b33697ad2e3195c068fa8cce5d7a860dbbbffebb45d8a9fc1ec121b6a5216f8

  • C:\Users\Admin\AppData\Local\Temp\z666.bat
    Filesize: 691B
    MD5: ee655674ba8e05d5a4c32de58a6757c1
    SHA1: f06f54710d5a0b341a9e6d467e1bb1a78f2f9606
    SHA256: 40cc0b6734258fc61e9940e359b7e0b84651e44a12943bb4381523a5cea325ef
    SHA512: 26bc97bff5612643c379776baf3637f7233748e7ecd8d8b94aa995e0a77d79c4c02d49ed98ef1bdc6d417bcf82e35069427692967c73d3b3899aff3868c93ebd

  • memory/1016-823-0x0000000002D70000-0x0000000002D71000-memory.dmp
    Filesize: 4KB

  • memory/1688-825-0x0000000002B30000-0x0000000002B31000-memory.dmp
    Filesize: 4KB

  • memory/1912-0-0x0000000074790000-0x0000000074E7E000-memory.dmp
    Filesize: 6.9MB

  • memory/1912-1-0x0000000000E10000-0x00000000014DA000-memory.dmp
    Filesize: 6.8MB

  • memory/1912-2-0x0000000005490000-0x00000000054D0000-memory.dmp
    Filesize: 256KB

  • memory/1912-824-0x0000000074790000-0x0000000074E7E000-memory.dmp
    Filesize: 6.9MB