Analysis

  • max time kernel
    55s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-03-2024 20:26

General

  • Target

    TrashMalwares-main/PC shaking v4.0.exe

  • Size

    21.7MB

  • MD5

    d2eb6a0f3b1353b6f60c1ce3a63ef8d1

  • SHA1

    a879af3e84106f4da79519ce08643eeb91f72a15

  • SHA256

    b8d65832342d1fec828025eacbcc6e1df9c2f3276524a4abb1a965707fd475ee

  • SHA512

    9473e711b785eba3e5cfcb36437069a96290864fe9562a5619d95f9fac9c0b46b0c3c942be8ff7fec4204a938392e8be471ea6ce683027cd29b181028b0e2481

  • SSDEEP

    393216:MUbg/uqZ8EuLjIlYgJMFBoJPYG6O4BcwikWGmivl4yA1cmBBS:6G9LjHgUOJPEOyresC4

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\PC shaking v4.0.exe
    "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\PC shaking v4.0.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3524
    • C:\Windows\Media\PCshakingv4.0.exe
      "C:\Windows\Media\PCshakingv4.0.exe"
      2⤵
      • Executes dropped EXE
      • Sets desktop wallpaper using registry
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      PID:4800
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x460 0x508
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2636

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Media\PCshakingv4.0.exe

    Filesize

    71KB

    MD5

    129c1a8094f0a6a9cdc9f63e86f8a482

    SHA1

    917c6809ae03670edbf5da4cb19c49e85390642c

    SHA256

    2eadcdfd00b8bec4d18b71830cd334569844002a7971c56d3e1e38ff7972c4f3

    SHA512

    076cf44955bebbad12ca905a36a12da4cd20520d8795e2f47f972ad996932731be4f007792954c9737b68330cd395a17ad19aa1e5b1c9e248379c37dcdf1a9e5

  • C:\Windows\Media\mouse.ico

    Filesize

    203KB

    MD5

    3abff26e58afe2b94ce801295336bf82

    SHA1

    b3222e30303115469b5b3e3d03ed9aed846d830f

    SHA256

    fb078b09259f96b032dce2c345c683b6b9d9316819dc363edd780b91dc11704d

    SHA512

    ba546709378b529eb8887cc5f7ff9f4bc587bae61af009adf8778dc3972c2e57d9291df6f2b6cc8ba36b27c262b8eb6f650d610fc1d731c154bb4cad6df46ac2

  • \??\c:\Windows\Media\Tobu.wav

    Filesize

    26.4MB

    MD5

    5c806e6fadc4b2b7fc497bf7dee7b516

    SHA1

    11fcd5cd32a63a5c27387faf99a6a7bb5a321b63

    SHA256

    2721c6f73e2323def0a13492cac64a1c22e44fc603ce9a1b7c5e92fb5f51c9c7

    SHA512

    dae704def25c729c33704ba18a02cc64ffd4cc24f6660d224dd06952522eacbee42ac1c8c05b3d4dfaf51d4b920c35979011613cc16ac31247cb405e025cbaa4