Overview

| Tab / behavioral task | Platform           | Score |
|-----------------------|--------------------|-------|
| Overview              | overview           | 10    |
| Static                | static             | 7     |
| Trojan/+.exe          | windows7-x64       | 1     |
| Trojan/+.exe          | windows10-2004-x64 | 1     |
| Trojan/0.9...35.exe   | windows7-x64       | 8     |
| Trojan/0.9...35.exe   | windows10-2004-x64 | 8     |
| Trojan/000.exe        | windows7-x64       | -     |
| Trojan/000.exe        | windows10-2004-x64 | -     |
| Trojan/0x07.exe       | windows7-x64       | 8     |
| Trojan/0x07.exe       | windows10-2004-x64 | 8     |
| Trojan/0xc6666666.exe | windows7-x64       | 1     |
| Trojan/0xc6666666.exe | windows10-2004-x64 | 1     |
| Trojan/10r...er.exe   | windows7-x64       | 6     |
| Trojan/10r...er.exe   | windows10-2004-x64 | 6     |
| Trojan/10r...et.exe   | windows7-x64       | -     |
| Trojan/10r...et.exe   | windows10-2004-x64 | -     |
| Trojan/13r...er.exe   | windows7-x64       | -     |
| Trojan/13r...er.exe   | windows10-2004-x64 | 6     |
| Trojan/13r...et.exe   | windows7-x64       | 3     |
| Trojan/13r...et.exe   | windows10-2004-x64 | 7     |
| Trojan/2repair.exe    | windows7-x64       | -     |
| Trojan/2repair.exe    | windows10-2004-x64 | -     |
| Trojan/3PC.exe        | windows7-x64       | 1     |
| Trojan/3PC.exe        | windows10-2004-x64 | 1     |
| Trojan/4mm...sy.exe   | windows7-x64       | 1     |
| Trojan/4mm...sy.exe   | windows10-2004-x64 | 1     |
| Trojan/666.exe        | windows7-x64       | -     |
| Trojan/666.exe        | windows10-2004-x64 | -     |
| Trojan/666...sy.exe   | windows7-x64       | 1     |
| Trojan/666...sy.exe   | windows10-2004-x64 | 1     |
| Trojan/9re...er.exe   | windows7-x64       | -     |
| Trojan/9re...er.exe   | windows10-2004-x64 | -     |
| Trojan/9re...et.exe   | windows7-x64       | 3     |
| Trojan/9re...et.exe   | windows10-2004-x64 | 7     |

Analysis
- max time kernel: 50s
- max time network: 74s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-03-2024 23:32
Behavioral tasks

| Task         | Sample                              | Resource               |
|--------------|-------------------------------------|------------------------|
| behavioral1  | Trojan/+.exe                        | win7-20240221-en       |
| behavioral2  | Trojan/+.exe                        | win10v2004-20240226-en |
| behavioral3  | Trojan/0.950095298700035.exe        | win7-20240221-en       |
| behavioral4  | Trojan/0.950095298700035.exe        | win10v2004-20240226-en |
| behavioral5  | Trojan/000.exe                      | win7-20240221-en       |
| behavioral6  | Trojan/000.exe                      | win10v2004-20240226-en |
| behavioral7  | Trojan/0x07.exe                     | win7-20240221-en       |
| behavioral8  | Trojan/0x07.exe                     | win10v2004-20240226-en |
| behavioral9  | Trojan/0xc6666666.exe               | win7-20240220-en       |
| behavioral10 | Trojan/0xc6666666.exe               | win10v2004-20240226-en |
| behavioral11 | Trojan/10reset/10reset-helper.exe   | win7-20240221-en       |
| behavioral12 | Trojan/10reset/10reset-helper.exe   | win10v2004-20240226-en |
| behavioral13 | Trojan/10reset/10reset.exe          | win7-20240221-en       |
| behavioral14 | Trojan/10reset/10reset.exe          | win10v2004-20240226-en |
| behavioral15 | Trojan/13reset/13reset-helper.exe   | win7-20240221-en       |
| behavioral16 | Trojan/13reset/13reset-helper.exe   | win10v2004-20240226-en |
| behavioral17 | Trojan/13reset/13reset.exe          | win7-20240221-en       |
| behavioral18 | Trojan/13reset/13reset.exe          | win10v2004-20240226-en |
| behavioral19 | Trojan/2repair.exe                  | win7-20240221-en       |
| behavioral20 | Trojan/2repair.exe                  | win10v2004-20240226-en |
| behavioral21 | Trojan/3PC.exe                      | win7-20240221-en       |
| behavioral22 | Trojan/3PC.exe                      | win10v2004-20240226-en |
| behavioral23 | Trojan/4mm psy/4mm psy.exe          | win7-20240215-en       |
| behavioral24 | Trojan/4mm psy/4mm psy.exe          | win10v2004-20240226-en |
| behavioral25 | Trojan/666.exe                      | win7-20240221-en       |
| behavioral26 | Trojan/666.exe                      | win10v2004-20240226-en |
| behavioral27 | Trojan/666mm psy/666mm psy.exe      | win7-20240221-en       |
| behavioral28 | Trojan/666mm psy/666mm psy.exe      | win10v2004-20240226-en |
| behavioral29 | Trojan/9reset/9RESET-helper.exe     | win7-20240215-en       |
| behavioral30 | Trojan/9reset/9RESET-helper.exe     | win10v2004-20240226-en |
| behavioral31 | Trojan/9reset/9reset.exe            | win7-20240221-en       |
| behavioral32 | Trojan/9reset/9reset.exe            | win10v2004-20240226-en |
Errors

General

- Target: Trojan/666.exe
- Size: 6.8MB
- MD5: 63c96886aade3b86d982ad249ef7eb50
- SHA1: 12a56093ebfa3ba038742ab7e9a472727e70a3b5
- SHA256: db6bbaa7de79fa26489c511fb59e996db796a491f047539fea8ef42107ff3eb6
- SHA512: bcaf4f10292e4b15ab940457f13a917a323a47e03084e4694dab158d4c4f47807080407ceb206945b19a385411b7fb36d80ce39a07e1da7d88e38694b259c06c
- SSDEEP: 12288:+Rx0AYhMCua0AYhMCuulE0AYhMCud0AYhMCuf:+Rx0n3b0n3PlE0n3C0n3I

Malware Config
Signatures

- Disables Task Manager via registry modification

- Modifies WinLogon (2 TTPs, 1 IoC)
  Process: 666.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"

- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: 666.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\666.png"

- Kills process with taskkill (1 IoC)
  PID 1352 taskkill.exe

- Modifies data under HKEY_USERS (15 IoCs)
  Process: LogonUI.exe
  Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "117"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"

- Modifies registry class (1 IoC)
  Process: 666.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\666.ico"

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 1352 taskkill.exe: SeDebugPrivilege
  PID 3732 WMIC.exe (the following sequence is logged twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  PID 4084 WMIC.exe (same sequence, logged once): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

- Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 4676 666.exe (logged twice)
  PID 4144 LogonUI.exe

- Suspicious use of WriteProcessMemory (15 IoCs; each write is logged three times)
  PID 4676 666.exe wrote to memory of PID 3588 cmd.exe
  PID 3588 cmd.exe wrote to memory of PID 1352 taskkill.exe
  PID 3588 cmd.exe wrote to memory of PID 3732 WMIC.exe
  PID 3588 cmd.exe wrote to memory of PID 4084 WMIC.exe
  PID 3588 cmd.exe wrote to memory of PID 1956 shutdown.exe
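The four registry signatures above (AutoRestartShell, wallpaper, txtfile DefaultIcon, Task Manager) are cheap to check for outside the sandbox. The Python below is an added example, not sandbox or sample code: it normalises registry paths written the way the sandbox prints them (\REGISTRY\MACHINE\..., \REGISTRY\USER\<SID>\...) and the way Sysmon Event ID 13 prints them (HKLM\..., HKU\<SID>\...) into one form, then evaluates value-set events against those signatures. The first three events are the IoCs listed in this report; the DisableTaskMgr event and the LogonUI event are constructed, and the DisableTaskMgr value path is an assumption (the report states the effect but not the path, so the standard Policies\System\DisableTaskMgr location is used). One caveat worth keeping in mind when reading the IoC: AutoRestartShell is what makes Winlogon relaunch the shell after explorer.exe dies, so setting it to 0 before `taskkill /f /im explorer.exe` is what leaves the session without a desktop; but the sandbox recorded the write under WOW6432Node, the redirected 32-bit view, and 64-bit winlogon.exe reads the native key, so on this x64 VM the write most likely had no effect. The normaliser folds WOW6432Node away so one rule catches both views either way.

```python
"""Evaluate registry value-set events against the report's sabotage signatures.

Added example (not sandbox or sample code).  Paths are accepted both as the
sandbox prints them (\\REGISTRY\\MACHINE\\..., \\REGISTRY\\USER\\<SID>\\...) and as
Sysmon Event ID 13 prints them (HKLM\\..., HKU\\<SID>\\...).
"""
import re

# Directories an unprivileged user can write to; artefacts referenced from
# here (wallpaper, icons, scripts) are the usual sign of a dropped payload.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|windows\\temp)\\", re.I)

# Events 1-3 are the IoCs printed in the report's Signatures section.  Event 4
# (DisableTaskMgr) is constructed: the report says Task Manager is disabled but
# does not print the value path, so the standard Policies\System location is
# assumed.  Event 5 is a constructed benign LogonUI write like the 15 in the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\Trojan\666.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell",
     "Details": '"0"'},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\Trojan\666.exe",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop\WallPaper",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\666.png"'},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\Trojan\666.exe",
     "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\txtfile\\DefaultIcon\\",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\666.ico"'},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\Trojan\666.exe",   # constructed, assumed path
     "TargetObject": r"HKU\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\system32\LogonUI.exe",                     # constructed, benign
     "TargetObject": r"HKU\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor",
     "Details": "DWORD (0xFFD60000)"},
]


def normalize_key(path: str) -> str:
    """Bring the sandbox and Sysmon spellings of a registry path onto one form."""
    p = path.strip()
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"),
                         ("HKEY_LOCAL_MACHINE\\", "HKLM\\"), ("HKEY_USERS\\", "HKU\\")):
        if p.lower().startswith(prefix.lower()):
            p = hive + p[len(prefix):]
            break
    # WOW6432Node is the 32-bit view of the same tree; fold it so one rule covers both views.
    p = re.sub(r"\\wow6432node\\", r"\\", p, flags=re.I)
    if p.endswith("\\"):                # sandbox notation for a key's default value
        p += "(Default)"
    return p


def dword(value: str):
    """Integer from 'DWORD (0x00000001)', '0x1' or '1'; None if not numeric."""
    m = re.search(r"0x([0-9a-f]+)", value, re.I)
    if m:
        return int(m.group(1), 16)
    return int(value) if value.isdigit() else None


def match_rules(event: dict) -> list:
    """Names of the report's signatures that this single value-set event satisfies."""
    key = normalize_key(event["TargetObject"]).lower()
    value = event["Details"].strip().strip('"')
    hits = []
    if key.endswith("\\winlogon\\autorestartshell") and value == "0":
        hits.append("Modifies WinLogon (AutoRestartShell=0)")
    if key.endswith("\\control panel\\desktop\\wallpaper") and USER_WRITABLE.search(value):
        hits.append("Sets desktop wallpaper using registry")
    if "\\classes\\" in key and key.endswith("\\defaulticon\\(default)") and USER_WRITABLE.search(value):
        hits.append("Modifies registry class")
    if key.endswith("\\policies\\system\\disabletaskmgr") and dword(value) == 1:
        hits.append("Disables Task Manager via registry modification")
    return hits


def scan(events) -> dict:
    """Group signature hits by the image that performed the write."""
    findings = {}
    for ev in events:
        for hit in match_rules(ev):
            findings.setdefault(ev["Image"], []).append(hit)
    return findings


def verdict(findings: dict, threshold: int = 2) -> list:
    """Images with at least `threshold` distinct signatures, worst first.  A lone
    wallpaper change is noise; several of these from one binary is the pattern here."""
    ranked = sorted(findings.items(), key=lambda kv: -len(set(kv[1])))
    return [(img, sorted(set(hits))) for img, hits in ranked if len(set(hits)) >= threshold]


if __name__ == "__main__":
    for image, hits in verdict(scan(SAMPLE_EVENTS)):
        print(image)
        for h in hits:
            print("  -", h)
```

Feed it the `TargetObject`/`Details` pairs from Sysmon or from a sandbox's IoC list; the LogonUI theme writes under HKU\.DEFAULT that make up most of this report's 15-IoC block fall through every rule, which is the point of keying on specific value names rather than on "writes under HKEY_USERS".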
Processes

- C:\Users\Admin\AppData\Local\Temp\Trojan\666.exe (PID 4676)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan\666.exe"
  Signatures: Modifies WinLogon; Sets desktop wallpaper using registry; Modifies registry class; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3588)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z666.bat""
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 1352)
      Command line: taskkill /f /im explorer.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 3732)
      Command line: wmic useraccount where name='Admin' set FullName='No System Anymore'
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 4084)
      Command line: wmic useraccount where name='Admin' rename 'No System Anymore'
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\shutdown.exe (PID 1956)
      Command line: shutdown /f /r /t 0
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4600)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4184 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
- C:\Windows\system32\LogonUI.exe (PID 4144)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3940855 /state1:0x41c64e6d
  Signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
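The process tree above is the whole payload: a dropped batch file, run through a 32-bit cmd.exe from the user's Temp directory, kills Explorer, sets the account's display name, renames the local account 'Admin' to 'No System Anymore', and forces an immediate reboot. The Python below is an added example, not sandbox or sample code: it rebuilds parent/child relationships from Sysmon Event ID 1 style process-creation records, finds cmd.exe instances that run a .bat or .cmd script, and reports any whose children carry at least two of the three destructive commands, together with whether the launcher and the script live in a user-writable directory. The records are constructed to mirror the tree above (PIDs are the ones the report lists; the parent PIDs 1000 and 900 and the benign update.bat chain are made up).

```python
"""Find the "kill shell / rename account / reboot" batch chain in process-creation events.

Added example (not sandbox or sample code).  Input is a list of Sysmon
Event ID 1 style records; the ones below are constructed to mirror the
process tree in the report (PIDs as listed there; parent PIDs 1000 and 900,
and the benign update.bat chain, are made up).
"""
import re

USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|windows\\temp)\\", re.I)
SCRIPT_PATH = re.compile(r'([a-z]:\\[^"]*?\.(?:bat|cmd))', re.I)

EVENTS = [
    {"pid": 4676, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\Trojan\666.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\Trojan\666.exe"'},
    {"pid": 3588, "ppid": 4676, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z666.bat""'},
    {"pid": 1352, "ppid": 3588, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmd": "taskkill /f /im explorer.exe"},
    {"pid": 3732, "ppid": 3588, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmd": "wmic useraccount where name='Admin' set FullName='No System Anymore'"},
    {"pid": 4084, "ppid": 3588, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmd": "wmic useraccount where name='Admin' rename 'No System Anymore'"},
    {"pid": 1956, "ppid": 3588, "image": r"C:\Windows\SysWOW64\shutdown.exe",
     "cmd": "shutdown /f /r /t 0"},
    # Constructed benign noise: an admin script in Program Files that schedules a reboot.
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Program Files\Vendor\update.bat"'},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Windows\System32\shutdown.exe",
     "cmd": "shutdown /r /t 60"},
]


def classify_child(cmdline: str):
    """Tag a command line with the destructive action it performs, if any."""
    t = cmdline.lower().replace('"', " ").split()
    if not t:
        return None
    exe = t[0].rsplit("\\", 1)[-1]
    if exe.endswith(".exe"):
        exe = exe[:-4]
    if exe == "taskkill" and "/im" in t and "explorer.exe" in t:
        return "kills_explorer"          # with AutoRestartShell=0 the desktop does not come back
    if exe == "wmic" and "useraccount" in t and "rename" in t:
        return "renames_local_account"   # SID and profile stay; the logon name changes
    if exe == "shutdown" and ("/r" in t or "/s" in t) and "/t" in t:
        i = t.index("/t")
        if i + 1 < len(t) and t[i + 1] == "0":
            return "immediate_reboot_or_shutdown"
    return None


def account_rename(cmdline: str):
    """(old, new) from  wmic useraccount where name='X' rename 'Y' ; None otherwise."""
    m = re.search(r"name\s*=\s*'([^']*)'.*?\brename\s+'([^']*)'", cmdline, re.I)
    return (m.group(1), m.group(2)) if m else None


def find_sabotage_chains(events, min_indicators: int = 2) -> list:
    """cmd.exe instances whose children carry >= min_indicators destructive actions."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    chains = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SCRIPT_PATH.search(e["cmd"])
        script = m.group(1) if m else None
        indicators, renames = {}, []
        for c in children.get(e["pid"], []):
            tag = classify_child(c["cmd"])
            if tag:
                indicators.setdefault(tag, []).append(c["pid"])
            if tag == "renames_local_account":
                renames.append(account_rename(c["cmd"]))
        if len(indicators) < min_indicators:
            continue
        parent = by_pid.get(e["ppid"])
        chains.append({
            "cmd_pid": e["pid"],
            "launcher": parent["image"] if parent else None,
            "launcher_in_user_writable_dir": bool(parent and USER_WRITABLE.search(parent["image"])),
            "script": script,
            "script_in_user_writable_dir": bool(script and USER_WRITABLE.search(script)),
            "indicators": indicators,
            "account_renames": renames,
        })
    return chains


if __name__ == "__main__":
    for chain in find_sabotage_chains(EVENTS):
        print(chain)
```

The two-indicator threshold keeps a lone `shutdown /r /t 0` in an administrator's script from alerting; the `launcher_in_user_writable_dir` and `script_in_user_writable_dir` fields are what push this particular chain (binary and .bat both under AppData\Local\Temp) to the top of a queue. The `set FullName=...` WMIC call is deliberately not counted: changing a display name is cosmetic, while `rename` changes the logon name the user types.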
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 128KB
  MD5: 1752fc8c651ac03a9c863946ac76366d
  SHA1: 03b4668b7f6b09f55b73be9c67e8d24850eeecaf
  SHA256: 2b0c1632471eb16a8731dd0a6396d98209f8cbb9aab7cca6864fdedde87f71c6
  SHA512: 46f9b269843cd9c636c4511aa7fc9b640bcb675490e15258b6eec6f02c179a3a396da9de32238df6600d3bad3ff5c46da56a35f69b9a0873e0d7272ec33bcc94

- Filesize: 274KB
  MD5: f1896231e9622dd044601962a9866a77
  SHA1: 36ad39e7d797ae43ee415e90a2dc234e0be3087b
  SHA256: a254d664351a6db50d98bebbd530c46e64f9b9455bf4f378254045b2cde971f8
  SHA512: e4004c3879b2b337260848e748c9d0b5e51bb4c8a8c317e44cedfe30e614391c329d1c07e7b052983897cc1010eee994c09cb370f721317f9c429c1d82e50901

- Filesize: 912B
  MD5: 391403276c6df4a164b0544a3411c6c7
  SHA1: c4c06a4c7710d1d8140b07abd4b7bcd4187485ab
  SHA256: 524dcba7e6a293bc6a19c1522672598a71ff4def394ac696ec30ea99154d511b
  SHA512: 2b0b05f4e8241ec07bd35f1a40113be5fa8689d5bfb8a4064a5c8dc119b10fe40b33697ad2e3195c068fa8cce5d7a860dbbbffebb45d8a9fc1ec121b6a5216f8

- Filesize: 691B
  MD5: ee655674ba8e05d5a4c32de58a6757c1
  SHA1: f06f54710d5a0b341a9e6d467e1bb1a78f2f9606
  SHA256: 40cc0b6734258fc61e9940e359b7e0b84651e44a12943bb4381523a5cea325ef
  SHA512: 26bc97bff5612643c379776baf3637f7233748e7ecd8d8b94aa995e0a77d79c4c02d49ed98ef1bdc6d417bcf82e35069427692967c73d3b3899aff3868c93ebd