Analysis
- max time kernel: 165s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02-03-2024 20:26
Behavioral tasks (sample, resource)
- behavioral1: @_136 @828#-138389J-SJFJDSM.exe (win7-20240221-en)
- behavioral2: @_136 @828#-138389J-SJFJDSM.exe (win10v2004-20240226-en)
- behavioral3: TrashMalwares-main/AcidRain.exe (win7-20240221-en)
- behavioral4: TrashMalwares-main/AcidRain.exe (win10v2004-20240226-en)
- behavioral5: AdStRkJ.exe (win7-20240221-en)
- behavioral6: AdStRkJ.exe (win10v2004-20240226-en)
- behavioral7: Anatralier.exe (win7-20240215-en)
- behavioral8: Anatralier.exe (win10v2004-20240226-en)
- behavioral9: TrashMalwares-main/Antivirus_Installer.exe (win7-20240221-en)
- behavioral10: TrashMalwares-main/Antivirus_Installer.exe (win10v2004-20240226-en)
- behavioral11: TrashMalwares-main/Dro trojan. Virus prank.exe (win7-20240221-en)
- behavioral12: TrashMalwares-main/Dro trojan. Virus prank.exe (win10v2004-20240226-en)
- behavioral13: TrashMalwares-main/FaZoN.bat (win7-20240221-en)
- behavioral14: TrashMalwares-main/FaZoN.bat (win10v2004-20240226-en)
- behavioral15: TrashMalwares-main/Fizz.exe (win7-20240221-en)
- behavioral16: TrashMalwares-main/Fizz.exe (win10v2004-20240226-en)
- behavioral17: TrashMalwares-main/Ginxide.exe (win7-20240221-en)
- behavioral18: TrashMalwares-main/Ginxide.exe (win10v2004-20240226-en)
- behavioral19: TrashMalwares-main/Install Windows20.exe (win7-20240221-en)
- behavioral20: TrashMalwares-main/Install Windows20.exe (win10v2004-20240226-en)
- behavioral21: TrashMalwares-main/MS-RickRoll.exe (win7-20240220-en)
- behavioral22: TrashMalwares-main/MS-RickRoll.exe (win10v2004-20240226-en)
- behavioral23: TrashMalwares-main/MercuryXhoffle.exe (win7-20240221-en)
- behavioral24: TrashMalwares-main/MercuryXhoffle.exe (win10v2004-20240226-en)
- behavioral25: TrashMalwares-main/NetPakoe.bat (win7-20240221-en)
- behavioral26: TrashMalwares-main/NetPakoe.bat (win10v2004-20240226-en)
- behavioral27: TrashMalwares-main/NetPakoe3.0.exe (win7-20240221-en)
- behavioral28: TrashMalwares-main/NetPakoe3.0.exe (win10v2004-20240226-en)
- behavioral29: TrashMalwares-main/NoEscape8.0.exe (win7-20240221-en)
- behavioral30: TrashMalwares-main/NoEscape8.0.exe (win10v2004-20240226-en)
- behavioral31: TrashMalwares-main/PC shaking v4.0.exe (win7-20240220-en)
- behavioral32: TrashMalwares-main/PC shaking v4.0.exe (win10v2004-20240226-en)
General
- Target: TrashMalwares-main/MercuryXhoffle.exe
- Size: 6.0MB
- MD5: f72d4ee1ff7439bda08ce89b606a6f08
- SHA1: 40673463d8fe4ac1b53c5e35642e6a67fe252c41
- SHA256: 15bd99bd0c7c8a7c5836e687db2d7eded6195491df7e5f04633e33e66ae8361c
- SHA512: c8b3b3ee73de22492e1455bc68405924861ff2814ff2bcf627df04712f33d30d3e63a3835f8b6b41bd254269e22c4da6d655fb718d6b4e97c9a2706ff8040976
- SSDEEP: 98304:lgJZv2O7hzxNA5P7Mb5mXHMDU+WDwL0ubziP7Us8F2m5rylw/ViFkfGOzNL3kz3f:OJ92OH6Zwb58wU+WDFFu2XlwXGKNLEjr
Malware Config
Signatures
- Disables RegEdit via registry modification (1 IoC)
  MercuryXhoffle.exe: Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
- Disables Task Manager via registry modification
- Executes dropped EXE (1 IoC)
  PID 2168 bootrec.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  bootrec.exe: Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bootrec.exe"
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootrec.exe: File opened for modification \??\PhysicalDrive0
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2564 MercuryXhoffle.exe (64 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 2564 MercuryXhoffle.exe: Token: SeDebugPrivilege (2 events)
- Suspicious use of SetWindowsHookEx (29 IoCs)
  PID 2564 MercuryXhoffle.exe (29 events)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2564 MercuryXhoffle.exe wrote to memory of PID 2168 bootrec.exe (4 events)
  PID 2168 bootrec.exe wrote to memory of PID 2464 schtasks.exe (4 events)
Processes (tree)
- C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MercuryXhoffle.exe (PID 2564)
  Command line: "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MercuryXhoffle.exe"
  - Disables RegEdit via registry modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\bootrec.exe (PID 2168, child of PID 2564)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bootrec.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 2464, child of PID 2168)
      Command line: schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\bootrec.exe"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 167KB
  MD5: f14b989516f256db1befee3dee508f55
  SHA1: fbd2c6b1d783debb9a69c5766d3672138e24e127
  SHA256: c88dbbd0002395beaeaef3f855790abef3430d76307953825745339bdc1f9388
  SHA512: bfa84b7837d3bcda55571710289092af7e6cb7ee48b21a2a032d24b495ddbe9259c07eeceb58fb2a5ac4482e2b120259fe5b95162eb632228c86516f41bf035e