Overview (score 10)
Static (score 7)
Trojan/+.exe, windows7-x64 (score 1)
Trojan/+.exe, windows10-2004-x64 (score 1)
Trojan/0.9...35.exe, windows7-x64 (score 8)
Trojan/0.9...35.exe, windows10-2004-x64 (score 8)
Trojan/000.exe, windows7-x64
Trojan/000.exe, windows10-2004-x64
Trojan/0x07.exe, windows7-x64 (score 8)
Trojan/0x07.exe, windows10-2004-x64 (score 8)
Trojan/0xc6666666.exe, windows7-x64 (score 1)
Trojan/0xc6666666.exe, windows10-2004-x64 (score 1)
Trojan/10r...er.exe, windows7-x64 (score 6)
Trojan/10r...er.exe, windows10-2004-x64 (score 6)
Trojan/10r...et.exe, windows7-x64
Trojan/10r...et.exe, windows10-2004-x64
Trojan/13r...er.exe, windows7-x64
Trojan/13r...er.exe, windows10-2004-x64 (score 6)
Trojan/13r...et.exe, windows7-x64 (score 3)
Trojan/13r...et.exe, windows10-2004-x64 (score 7)
Trojan/2repair.exe, windows7-x64
Trojan/2repair.exe, windows10-2004-x64
Trojan/3PC.exe, windows7-x64 (score 1)
Trojan/3PC.exe, windows10-2004-x64 (score 1)
Trojan/4mm...sy.exe, windows7-x64 (score 1)
Trojan/4mm...sy.exe, windows10-2004-x64 (score 1)
Trojan/666.exe, windows7-x64
Trojan/666.exe, windows10-2004-x64
Trojan/666...sy.exe, windows7-x64 (score 1)
Trojan/666...sy.exe, windows10-2004-x64 (score 1)
Trojan/9re...er.exe, windows7-x64
Trojan/9re...er.exe, windows10-2004-x64
Trojan/9re...et.exe, windows7-x64 (score 3)
Trojan/9re...et.exe, windows10-2004-x64 (score 7)
Analysis
max time kernel: 4s
max time network: 10s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 02-03-2024 23:32
Behavioral tasks (task id: sample, resource)
behavioral1: Trojan/+.exe, win7-20240221-en
behavioral2: Trojan/+.exe, win10v2004-20240226-en
behavioral3: Trojan/0.950095298700035.exe, win7-20240221-en
behavioral4: Trojan/0.950095298700035.exe, win10v2004-20240226-en
behavioral5: Trojan/000.exe, win7-20240221-en
behavioral6: Trojan/000.exe, win10v2004-20240226-en
behavioral7: Trojan/0x07.exe, win7-20240221-en
behavioral8: Trojan/0x07.exe, win10v2004-20240226-en
behavioral9: Trojan/0xc6666666.exe, win7-20240220-en
behavioral10: Trojan/0xc6666666.exe, win10v2004-20240226-en
behavioral11: Trojan/10reset/10reset-helper.exe, win7-20240221-en
behavioral12: Trojan/10reset/10reset-helper.exe, win10v2004-20240226-en
behavioral13: Trojan/10reset/10reset.exe, win7-20240221-en
behavioral14: Trojan/10reset/10reset.exe, win10v2004-20240226-en
behavioral15: Trojan/13reset/13reset-helper.exe, win7-20240221-en
behavioral16: Trojan/13reset/13reset-helper.exe, win10v2004-20240226-en
behavioral17: Trojan/13reset/13reset.exe, win7-20240221-en
behavioral18: Trojan/13reset/13reset.exe, win10v2004-20240226-en
behavioral19: Trojan/2repair.exe, win7-20240221-en
behavioral20: Trojan/2repair.exe, win10v2004-20240226-en
behavioral21: Trojan/3PC.exe, win7-20240221-en
behavioral22: Trojan/3PC.exe, win10v2004-20240226-en
behavioral23: Trojan/4mm psy/4mm psy.exe, win7-20240215-en
behavioral24: Trojan/4mm psy/4mm psy.exe, win10v2004-20240226-en
behavioral25: Trojan/666.exe, win7-20240221-en
behavioral26: Trojan/666.exe, win10v2004-20240226-en
behavioral27: Trojan/666mm psy/666mm psy.exe, win7-20240221-en
behavioral28: Trojan/666mm psy/666mm psy.exe, win10v2004-20240226-en
behavioral29: Trojan/9reset/9RESET-helper.exe, win7-20240215-en
behavioral30: Trojan/9reset/9RESET-helper.exe, win10v2004-20240226-en
behavioral31: Trojan/9reset/9reset.exe, win7-20240221-en
behavioral32: Trojan/9reset/9reset.exe, win10v2004-20240226-en
Errors
General
Target: Trojan/666.exe
Size: 6.8MB
MD5: 63c96886aade3b86d982ad249ef7eb50
SHA1: 12a56093ebfa3ba038742ab7e9a472727e70a3b5
SHA256: db6bbaa7de79fa26489c511fb59e996db796a491f047539fea8ef42107ff3eb6
SHA512: bcaf4f10292e4b15ab940457f13a917a323a47e03084e4694dab158d4c4f47807080407ceb206945b19a385411b7fb36d80ce39a07e1da7d88e38694b259c06c
SSDEEP: 12288:+Rx0AYhMCua0AYhMCuulE0AYhMCud0AYhMCuf:+Rx0n3b0n3PlE0n3C0n3I
Malware Config
Signatures
- Disables Task Manager via registry modification
- Modifies WinLogon (2 TTPs, 1 IoCs)
  Processes: 666.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" | 666.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: 666.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\666.png" | 666.exe
- Kills process with taskkill (1 IoCs)
  Processes: taskkill.exe
  pid | process
  2564 | taskkill.exe
- Modifies registry class (1 IoCs)
  Processes: 666.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\666.ico" | 666.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: taskkill.exe, WMIC.exe, WMIC.exe
  description | pid | process
  Token: SeDebugPrivilege | 2564 | taskkill.exe
  Token: SeIncreaseQuotaPrivilege | 2664 | WMIC.exe
  Token: SeSecurityPrivilege | 2664 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 2664 | WMIC.exe
  Token: SeLoadDriverPrivilege | 2664 | WMIC.exe
  Token: SeSystemProfilePrivilege | 2664 | WMIC.exe
  Token: SeSystemtimePrivilege | 2664 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 2664 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 2664 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 2664 | WMIC.exe
  Token: SeBackupPrivilege | 2664 | WMIC.exe
  Token: SeRestorePrivilege | 2664 | WMIC.exe
  Token: SeShutdownPrivilege | 2664 | WMIC.exe
  Token: SeDebugPrivilege | 2664 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 2664 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 2664 | WMIC.exe
  Token: SeUndockPrivilege | 2664 | WMIC.exe
  Token: SeManageVolumePrivilege | 2664 | WMIC.exe
  Token: 33 | 2664 | WMIC.exe
  Token: 34 | 2664 | WMIC.exe
  Token: 35 | 2664 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 2664 | WMIC.exe
  Token: SeSecurityPrivilege | 2664 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 2664 | WMIC.exe
  Token: SeLoadDriverPrivilege | 2664 | WMIC.exe
  Token: SeSystemProfilePrivilege | 2664 | WMIC.exe
  Token: SeSystemtimePrivilege | 2664 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 2664 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 2664 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 2664 | WMIC.exe
  Token: SeBackupPrivilege | 2664 | WMIC.exe
  Token: SeRestorePrivilege | 2664 | WMIC.exe
  Token: SeShutdownPrivilege | 2664 | WMIC.exe
  Token: SeDebugPrivilege | 2664 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 2664 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 2664 | WMIC.exe
  Token: SeUndockPrivilege | 2664 | WMIC.exe
  Token: SeManageVolumePrivilege | 2664 | WMIC.exe
  Token: 33 | 2664 | WMIC.exe
  Token: 34 | 2664 | WMIC.exe
  Token: 35 | 2664 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 2368 | WMIC.exe
  Token: SeSecurityPrivilege | 2368 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 2368 | WMIC.exe
  Token: SeLoadDriverPrivilege | 2368 | WMIC.exe
  Token: SeSystemProfilePrivilege | 2368 | WMIC.exe
  Token: SeSystemtimePrivilege | 2368 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 2368 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 2368 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 2368 | WMIC.exe
  Token: SeBackupPrivilege | 2368 | WMIC.exe
  Token: SeRestorePrivilege | 2368 | WMIC.exe
  Token: SeShutdownPrivilege | 2368 | WMIC.exe
  Token: SeDebugPrivilege | 2368 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 2368 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 2368 | WMIC.exe
  Token: SeUndockPrivilege | 2368 | WMIC.exe
  Token: SeManageVolumePrivilege | 2368 | WMIC.exe
  Token: 33 | 2368 | WMIC.exe
  Token: 34 | 2368 | WMIC.exe
  Token: 35 | 2368 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 2368 | WMIC.exe
  Token: SeSecurityPrivilege | 2368 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 2368 | WMIC.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 666.exe
  pid | process
  1912 | 666.exe
  1912 | 666.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: 666.exe, cmd.exe
  description | pid | process | target process
  PID 1912 wrote to memory of 2468 | 1912 | 666.exe | cmd.exe
  PID 1912 wrote to memory of 2468 | 1912 | 666.exe | cmd.exe
  PID 1912 wrote to memory of 2468 | 1912 | 666.exe | cmd.exe
  PID 1912 wrote to memory of 2468 | 1912 | 666.exe | cmd.exe
  PID 2468 wrote to memory of 2564 | 2468 | cmd.exe | taskkill.exe
  PID 2468 wrote to memory of 2564 | 2468 | cmd.exe | taskkill.exe
  PID 2468 wrote to memory of 2564 | 2468 | cmd.exe | taskkill.exe
  PID 2468 wrote to memory of 2564 | 2468 | cmd.exe | taskkill.exe
  PID 2468 wrote to memory of 2664 | 2468 | cmd.exe | WMIC.exe
  PID 2468 wrote to memory of 2664 | 2468 | cmd.exe | WMIC.exe
  PID 2468 wrote to memory of 2664 | 2468 | cmd.exe | WMIC.exe
  PID 2468 wrote to memory of 2664 | 2468 | cmd.exe | WMIC.exe
  PID 2468 wrote to memory of 2368 | 2468 | cmd.exe | WMIC.exe
  PID 2468 wrote to memory of 2368 | 2468 | cmd.exe | WMIC.exe
  PID 2468 wrote to memory of 2368 | 2468 | cmd.exe | WMIC.exe
  PID 2468 wrote to memory of 2368 | 2468 | cmd.exe | WMIC.exe
  PID 2468 wrote to memory of 2252 | 2468 | cmd.exe | shutdown.exe
  PID 2468 wrote to memory of 2252 | 2468 | cmd.exe | shutdown.exe
  PID 2468 wrote to memory of 2252 | 2468 | cmd.exe | shutdown.exe
  PID 2468 wrote to memory of 2252 | 2468 | cmd.exe | shutdown.exe
Processes (process tree; depth shown by indentation)
- C:\Users\Admin\AppData\Local\Temp\Trojan\666.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan\666.exe"
  PID: 1912
  Signatures: Modifies WinLogon; Sets desktop wallpaper using registry; Modifies registry class; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\z666.bat""
    PID: 2468
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im explorer.exe
      PID: 2564
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic useraccount where name='Admin' set FullName='No System Anymore'
      PID: 2664
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic useraccount where name='Admin' rename 'No System Anymore'
      PID: 2368
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\shutdown.exe
      Command line: shutdown /f /r /t 0
      PID: 2252
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 1016
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 1688
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 273KB
  MD5: ef4e8ea4440efc48d5cd1a05a3a6f2a8
  SHA1: 74b5a40d4d9cb94ac7ed93b1cf9045539e50f068
  SHA256: b1f25de77226ad8cf0e06226653e1c5aa7ac27a1ba8ba7bff8845685c2e53709
  SHA512: f7aaa82dacf0ceee3f8311c787a568fdbe0b322d47371ddab37427902ceb74d0b324d6335878366d40f4d5d2b04b00157b81c8bd7b5c7b27fdcd26c770c13bf4
- Filesize: 274KB
  MD5: f1896231e9622dd044601962a9866a77
  SHA1: 36ad39e7d797ae43ee415e90a2dc234e0be3087b
  SHA256: a254d664351a6db50d98bebbd530c46e64f9b9455bf4f378254045b2cde971f8
  SHA512: e4004c3879b2b337260848e748c9d0b5e51bb4c8a8c317e44cedfe30e614391c329d1c07e7b052983897cc1010eee994c09cb370f721317f9c429c1d82e50901
- Filesize: 912B
  MD5: 391403276c6df4a164b0544a3411c6c7
  SHA1: c4c06a4c7710d1d8140b07abd4b7bcd4187485ab
  SHA256: 524dcba7e6a293bc6a19c1522672598a71ff4def394ac696ec30ea99154d511b
  SHA512: 2b0b05f4e8241ec07bd35f1a40113be5fa8689d5bfb8a4064a5c8dc119b10fe40b33697ad2e3195c068fa8cce5d7a860dbbbffebb45d8a9fc1ec121b6a5216f8
- Filesize: 691B
  MD5: ee655674ba8e05d5a4c32de58a6757c1
  SHA1: f06f54710d5a0b341a9e6d467e1bb1a78f2f9606
  SHA256: 40cc0b6734258fc61e9940e359b7e0b84651e44a12943bb4381523a5cea325ef
  SHA512: 26bc97bff5612643c379776baf3637f7233748e7ecd8d8b94aa995e0a77d79c4c02d49ed98ef1bdc6d417bcf82e35069427692967c73d3b3899aff3868c93ebd