Overview

Score badges (0-10) as shown in the report's tab bar. The 32 task tabs appear in the same order as the behavioral tasks listed under Analysis; names are truncated as on the page.

Tab                      Platform             Score
overview                 -                    10
static                   -                    10
@_136 @828...SM.exe      windows7-x64         7
@_136 @828...SM.exe      windows10-2004-x64   7
TrashMalwa...in.exe      windows7-x64         8
TrashMalwa...in.exe      windows10-2004-x64   8
AdStRkJ.exe              windows7-x64         8
AdStRkJ.exe              windows10-2004-x64   8
Anatralier.exe           windows7-x64         7
Anatralier.exe           windows10-2004-x64   7
TrashMalwa...er.exe      windows7-x64         3
TrashMalwa...er.exe      windows10-2004-x64   8
TrashMalwa...nk.exe      windows7-x64         8
TrashMalwa...nk.exe      windows10-2004-x64   8
TrashMalwa...oN.bat      windows7-x64         8
TrashMalwa...oN.bat      windows10-2004-x64   8
TrashMalwa...zz.exe      windows7-x64         6
TrashMalwa...zz.exe      windows10-2004-x64   6
TrashMalwa...de.exe      windows7-x64         7
TrashMalwa...de.exe      windows10-2004-x64   7
TrashMalwa...20.exe      windows7-x64         4
TrashMalwa...20.exe      windows10-2004-x64   7
TrashMalwa...ll.exe      windows7-x64         7
TrashMalwa...ll.exe      windows10-2004-x64   7
TrashMalwa...le.exe      windows7-x64         8
TrashMalwa...le.exe      windows10-2004-x64   8
TrashMalwa...oe.bat      windows7-x64         8
TrashMalwa...oe.bat      windows10-2004-x64   8
TrashMalwa....0.exe      windows7-x64         6
TrashMalwa....0.exe      windows10-2004-x64   7
TrashMalwa....0.exe      windows7-x64         8
TrashMalwa....0.exe      windows10-2004-x64   7
TrashMalwa....0.exe      windows7-x64         7
TrashMalwa....0.exe      windows10-2004-x64   7

Analysis
max time kernel:   132s
max time network:  125s
platform:          windows7_x64
resource:          win7-20240221-en
resource tags:     arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted:         02-03-2024 20:26

The analysis detailed on this page is the win7-20240221-en run of AdStRkJ.exe (behavioral5 in the task list).
Behavioral tasks

Task          Sample                                           Resource
behavioral1   @_136 @828#-138389J-SJFJDSM.exe                  win7-20240221-en
behavioral2   @_136 @828#-138389J-SJFJDSM.exe                  win10v2004-20240226-en
behavioral3   TrashMalwares-main/AcidRain.exe                  win7-20240221-en
behavioral4   TrashMalwares-main/AcidRain.exe                  win10v2004-20240226-en
behavioral5   AdStRkJ.exe                                      win7-20240221-en
behavioral6   AdStRkJ.exe                                      win10v2004-20240226-en
behavioral7   Anatralier.exe                                   win7-20240215-en
behavioral8   Anatralier.exe                                   win10v2004-20240226-en
behavioral9   TrashMalwares-main/Antivirus_Installer.exe       win7-20240221-en
behavioral10  TrashMalwares-main/Antivirus_Installer.exe       win10v2004-20240226-en
behavioral11  TrashMalwares-main/Dro trojan. Virus prank.exe   win7-20240221-en
behavioral12  TrashMalwares-main/Dro trojan. Virus prank.exe   win10v2004-20240226-en
behavioral13  TrashMalwares-main/FaZoN.bat                     win7-20240221-en
behavioral14  TrashMalwares-main/FaZoN.bat                     win10v2004-20240226-en
behavioral15  TrashMalwares-main/Fizz.exe                      win7-20240221-en
behavioral16  TrashMalwares-main/Fizz.exe                      win10v2004-20240226-en
behavioral17  TrashMalwares-main/Ginxide.exe                   win7-20240221-en
behavioral18  TrashMalwares-main/Ginxide.exe                   win10v2004-20240226-en
behavioral19  TrashMalwares-main/Install Windows20.exe         win7-20240221-en
behavioral20  TrashMalwares-main/Install Windows20.exe         win10v2004-20240226-en
behavioral21  TrashMalwares-main/MS-RickRoll.exe               win7-20240220-en
behavioral22  TrashMalwares-main/MS-RickRoll.exe               win10v2004-20240226-en
behavioral23  TrashMalwares-main/MercuryXhoffle.exe            win7-20240221-en
behavioral24  TrashMalwares-main/MercuryXhoffle.exe            win10v2004-20240226-en
behavioral25  TrashMalwares-main/NetPakoe.bat                  win7-20240221-en
behavioral26  TrashMalwares-main/NetPakoe.bat                  win10v2004-20240226-en
behavioral27  TrashMalwares-main/NetPakoe3.0.exe               win7-20240221-en
behavioral28  TrashMalwares-main/NetPakoe3.0.exe               win10v2004-20240226-en
behavioral29  TrashMalwares-main/NoEscape8.0.exe               win7-20240221-en
behavioral30  TrashMalwares-main/NoEscape8.0.exe               win10v2004-20240226-en
behavioral31  TrashMalwares-main/PC shaking v4.0.exe           win7-20240220-en
behavioral32  TrashMalwares-main/PC shaking v4.0.exe           win10v2004-20240226-en
General

Target:  AdStRkJ.exe
Size:    33.4MB
MD5:     3eb8af41b3573b4000377782e8bf7719
SHA1:    c41e2c89b50ccfe34c022a4395f0c79dedb2b980
SHA256:  967ca86ca75f576aa916872d908e584b4a5029dfed9277d3faf1f7fb67e99e0d
SHA512:  012cbe18463953a4e7e23e9f6f824b46033575d6804d72fa2eac7924b4a90c78951db38af043d3fc788f21bd63f20533340609b6da575c453937d08346de600a
SSDEEP:  786432:WTWY2yV45F8akEJ+iG3yE8gL52LSiTusS9jXoVu:
Malware Config

Signatures

Disables RegEdit via registry modification (1 IoC)
  Process      Action           IoC
  AdStRkJ.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Disables Task Manager via registry modification
  (no IoC detail listed)

Possible privilege escalation attempt (4 IoCs)
  PID   Process
  2544  takeown.exe
  2652  icacls.exe
  2676  takeown.exe
  2688  icacls.exe

Executes dropped EXE (2 IoCs)
  PID   Process
  2620  MBR.exe
  324   AdStRkJ_sound.exe

Modifies file permissions (1 TTP, 4 IoCs)
  PID   Process
  2544  takeown.exe
  2652  icacls.exe
  2676  takeown.exe
  2688  icacls.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Process  Action                        IoC
  MBR.exe  File opened for modification  \??\PhysicalDrive0

Drops file in System32 directory (6 IoCs)
  Process       Action                        IoC
  AdStRkJ.exe   File created                  C:\Windows\System32\sfc.exe
  AdStRkJ.exe   File created                  C:\Windows\System32\taskkill.exe
  ReAgentc.exe  File opened for modification  C:\Windows\system32\Recovery
  ReAgentc.exe  File opened for modification  C:\Windows\system32\Recovery\ReAgent.xml
  AdStRkJ.exe   File created                  C:\Windows\System32\notepad.exe
  AdStRkJ.exe   File opened for modification  C:\Windows\System32\notepad.exe

Drops file in Program Files directory (4 IoCs)
  Process      Action                        IoC
  AdStRkJ.exe  File opened for modification  C:\Program Files\Windows NT 32\sound.wav
  AdStRkJ.exe  File opened for modification  C:\Program Files\Windows NT 32\AdStRkJ_sound.exe
  AdStRkJ.exe  File opened for modification  C:\Program Files\Windows NT 32\MBR.exe
  AdStRkJ.exe  File opened for modification  C:\Program Files\Windows NT 32\lock_files.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  PID   Process            Token
  2544  takeown.exe        SeTakeOwnershipPrivilege
  2676  takeown.exe        SeTakeOwnershipPrivilege
  1048  AdStRkJ.exe        SeDebugPrivilege (enabled twice)
  324   AdStRkJ_sound.exe  SeDebugPrivilege (enabled twice)

Suspicious use of WriteProcessMemory (25 IoCs)
  Source PID  Source process  Target PID  Target process     Writes
  1048        AdStRkJ.exe     2928        cmd.exe            3
  2928        cmd.exe         2544        takeown.exe        3
  2928        cmd.exe         2652        icacls.exe         3
  2928        cmd.exe         2676        takeown.exe        3
  2928        cmd.exe         2688        icacls.exe         3
  2928        cmd.exe         2712        ReAgentc.exe       3
  1048        AdStRkJ.exe     2620        MBR.exe            4
  1048        AdStRkJ.exe     324         AdStRkJ_sound.exe  3

Reading these signatures:

- "Possible privilege escalation attempt" and "Modifies file permissions" fire on the same four processes. takeown.exe only succeeds with SeTakeOwnershipPrivilege, which the AdjustPrivilegeToken entries show it already held, so the sample was running elevated before this step. Files such as notepad.exe, sfc.exe and taskkill.exe in System32 are owned by TrustedInstaller, so even an elevated administrator has to take ownership and re-ACL them before overwriting; the takeown/icacls pair is what makes the System32 drops possible, not a step up from a lower privilege level.
- Every WriteProcessMemory target is a child that the writing process itself spawned (compare the process tree). These are the writes a parent makes into a new process during creation; nothing here points to injection into an unrelated process.
- reagentc.exe /disable turns off the Windows Recovery Environment, which is why ReAgentc.exe touches C:\Windows\system32\Recovery\ReAgent.xml. On a suspected host, "reagentc /info" reports whether WinRE is still enabled.
- The registry IoC lives in the HKCU hive of the sandbox user (the S-1-5-21-...-1000 SID), i.e. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System. A non-zero DisableRegistryTools or DisableTaskMgr there locks that user out of regedit and Task Manager; "reg query" on that key is the quickest check.
- The MBR signature records only that MBR.exe opened the raw disk for write. Whether sector 0 was actually overwritten is not shown on this page; it has to be verified by reading the sector back after the run.
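The "Writes to the Master Boot Record" signature above records an open-for-write on \??\PhysicalDrive0 but not what was written. The following is an added example (not code from the report or from the sample) that parses a 512-byte MBR and diffs it against a trusted copy, so an analyst can tell a wiped or replaced sector 0 from an untouched one. Both sectors it works on are constructed in-script and labelled as such; read_sector0 is a helper name chosen here, and it is the only part that needs a real Windows disk and an elevated token.

```python
r"""Parse sector 0 (the MBR) and diff it against a trusted copy.

Added example, not part of the sandbox report. The report only records that
MBR.exe opened \??\PhysicalDrive0 for modification; whether sector 0 was
actually overwritten has to be checked by reading it back. BASELINE_MBR and
TAMPERED_MBR below are constructed test data, not bytes from the sample.
"""
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bootstrap code, bytes 0..439
DISK_SIG_OFF = 440       # 4-byte NT disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55 0xAA boot signature
PART_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> Dict:
    """Return the structured fields of one 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"MBR must be {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions: List[Dict] = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:   # type 0x00 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
    }


def mbr_findings(current: bytes, baseline: bytes) -> List[str]:
    """Compare a freshly read sector 0 with a trusted backup; an empty list means unchanged."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector 0 is no longer a valid MBR")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("bootstrap code (bytes 0-439) differs from baseline")
    if cur["disk_signature"] != base["disk_signature"]:
        findings.append("NT disk signature changed")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    r"""Read the live MBR. Windows-only and needs an elevated token; \\.\PhysicalDrive0
    is the Win32 name of the device the report shows under its NT path \??\PhysicalDrive0."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def _build_sector(boot_code: bytes, partitions, boot_sig: bytes = b"\x55\xaa") -> bytes:
    """Assemble a synthetic MBR (constructed test data)."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_FMT, sector, PART_TABLE_OFF + 16 * i, status, ptype, lba, count)
    sector[BOOT_SIG_OFF:] = boot_sig
    return bytes(sector)


# Clean reference: a tiny stub (cli; xor ax,ax; nops) and one bootable NTFS partition at LBA 2048.
BASELINE_MBR = _build_sector(b"\xfa\x31\xc0" + b"\x90" * 437, [(0x80, 0x07, 2048, 204800)])
# What an MBR wiper leaves behind: boot code overwritten, partition table zeroed, boot signature gone.
TAMPERED_MBR = _build_sector(b"\xcc" * BOOT_CODE_LEN, [], boot_sig=b"\x00\x00")

if __name__ == "__main__":
    print("baseline vs baseline:", mbr_findings(BASELINE_MBR, BASELINE_MBR))
    print("tampered vs baseline:", mbr_findings(TAMPERED_MBR, BASELINE_MBR))
```

In practice the baseline is a copy of sector 0 taken from a clean image of the same machine (or the pre-detonation snapshot of the sandbox VM); comparing the bootstrap-code hash rather than the whole sector keeps the disk signature and partition table as separate findings, since a bootkit typically replaces the code and leaves the table intact while a wiper destroys both.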
Processes

C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe  (PID 1048)
  Command line: "C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe"
  - Disables RegEdit via registry modification
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe  (PID 2928, parent 1048)
    Command line: "C:\Windows\System32\cmd.exe" /k color 47 && title Critical process && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && reagentc.exe /disable && Exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\takeown.exe  (PID 2544, parent 2928)
      Command line: takeown /f C:\Windows\System32
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\icacls.exe  (PID 2652, parent 2928)
      Command line: icacls C:\Windows\System32 /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions

    C:\Windows\system32\takeown.exe  (PID 2676, parent 2928)
      Command line: takeown /f C:\Windows\System32\drivers
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\icacls.exe  (PID 2688, parent 2928)
      Command line: icacls C:\Windows\System32\drivers /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions

    C:\Windows\system32\ReAgentc.exe  (PID 2712, parent 2928)
      Command line: reagentc.exe /disable
      - Drops file in System32 directory

  C:\Program Files\Windows NT 32\MBR.exe  (PID 2620, parent 1048)
    Command line: "C:\Program Files\Windows NT 32\MBR.exe"
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)

  C:\Program Files\Windows NT 32\AdStRkJ_sound.exe  (PID 324, parent 1048)
    Command line: "C:\Program Files\Windows NT 32\AdStRkJ_sound.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

Parent/child links follow the WriteProcessMemory entries (1048 -> 2928, 2928 -> 2544/2652/2676/2688/2712, 1048 -> 2620/324). Two details matter for detection: the cmd.exe one-liner carries the whole chain in a single command line, while each child sees only its own arguments with %username% already expanded to Admin, so a rule keyed on the literal "%username%" would match the parent but miss the children. lock_files.exe is dropped to C:\Program Files\Windows NT 32 but does not appear in the tree, so it was not seen executing during this run.
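The chain in this tree (take ownership of System32 and System32\drivers, grant the current user Full Control, disable WinRE) is detectable from process-creation command lines alone, and the registry lockout from a single set-value event. The block below is an added example, not code from the report or the sample: the events are constructed to mirror the tree above (PIDs, images and command lines copied from it), and the field names pid/ppid/image/cmdline and the registry-event shape are an assumption of this example rather than any particular log format.

```python
r"""Flag the System32 re-ACL / WinRE-disable chain and the policy lockout values.

Added example, not part of the sandbox report. Events are constructed to mirror the
report's process tree; field names are an assumption. Map Sysmon Event ID 1 / 13
(or Windows 4688 / 4657) into the same fields and the rules apply unchanged.
"""
import re
from typing import Dict, List, Set

# --- constructed events, shaped after the report's tree ---------------------------
EVENTS: List[Dict] = [
    {"pid": 1048, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe"'},
    {"pid": 2928, "ppid": 1048, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k color 47 && title Critical process && '
                r'takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && '
                r'takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && '
                r'reagentc.exe /disable && Exit'},
    {"pid": 2544, "ppid": 2928, "image": r"C:\Windows\system32\takeown.exe",
     "cmdline": r"takeown /f C:\Windows\System32"},
    {"pid": 2652, "ppid": 2928, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r"icacls C:\Windows\System32 /grant Admin:F"},   # %username% already expanded by cmd.exe
    {"pid": 2676, "ppid": 2928, "image": r"C:\Windows\system32\takeown.exe",
     "cmdline": r"takeown /f C:\Windows\System32\drivers"},
    {"pid": 2688, "ppid": 2928, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r"icacls C:\Windows\System32\drivers /grant Admin:F"},
    {"pid": 2712, "ppid": 2928, "image": r"C:\Windows\system32\ReAgentc.exe",
     "cmdline": r"reagentc.exe /disable"},
    {"pid": 2620, "ppid": 1048, "image": r"C:\Program Files\Windows NT 32\MBR.exe",
     "cmdline": r'"C:\Program Files\Windows NT 32\MBR.exe"'},
]
REG_EVENTS: List[Dict] = [   # mirrors the report's "Disables RegEdit" IoC
    {"pid": 1048, "key": r"\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000"
                         r"\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "DisableRegistryTools", "data": 1},
]

# --- rules ---------------------------------------------------------------------------
PROTECTED_DIR = re.compile(r"C:\\Windows\\System32(?:\\drivers)?\\?", re.I)
TAKEOWN = re.compile(r'takeown(?:\.exe)?\s+/f\s+(?P<path>"[^"]+"|\S+)', re.I)
# The principal is deliberately unconstrained: the parent line says %username%:F, the child
# line says Admin:F, and both grant Full Control. Optional (OI)(CI) inheritance flags allowed.
ICACLS_FULL = re.compile(r'icacls(?:\.exe)?\s+(?P<path>"[^"]+"|\S+)\s+/grant(?::r)?\s+\S+?:(?:\([A-Z]+\))*F\b', re.I)
REAGENTC_DISABLE = re.compile(r"reagentc(?:\.exe)?\s+/disable\b", re.I)
REQUIRED: Set[str] = {"takeown_protected_dir", "icacls_full_control_protected_dir", "winre_disabled"}
POLICY_LOCKOUT = {"disableregistrytools", "disabletaskmgr"}


def evaluate(events: List[Dict]) -> List[Dict]:
    """One finding per rule hit per process; a cmd.exe one-liner can produce several."""
    findings = []
    for ev in events:
        cl = ev["cmdline"]
        for m in TAKEOWN.finditer(cl):
            if PROTECTED_DIR.fullmatch(m.group("path").strip('"')):
                findings.append({"pid": ev["pid"], "ppid": ev["ppid"], "rule": "takeown_protected_dir"})
        for m in ICACLS_FULL.finditer(cl):
            if PROTECTED_DIR.fullmatch(m.group("path").strip('"')):
                findings.append({"pid": ev["pid"], "ppid": ev["ppid"], "rule": "icacls_full_control_protected_dir"})
        if REAGENTC_DISABLE.search(cl):
            findings.append({"pid": ev["pid"], "ppid": ev["ppid"], "rule": "winre_disabled"})
    return findings


def chain_parents(events: List[Dict]) -> Dict[int, Set[str]]:
    """Parents whose direct children together cover the whole chain. For the report's tree
    that is 2928 (cmd.exe, via its five children) and 1048 (AdStRkJ.exe, via the cmd.exe one-liner)."""
    by_parent: Dict[int, Set[str]] = {}
    for f in evaluate(events):
        by_parent.setdefault(f["ppid"], set()).add(f["rule"])
    return {ppid: rules for ppid, rules in by_parent.items() if rules >= REQUIRED}


def lockout_findings(reg_events: List[Dict]) -> List[Dict]:
    """Non-zero DisableRegistryTools / DisableTaskMgr under a Policies\\System key, any hive."""
    out = []
    for ev in reg_events:
        if (ev["key"].lower().endswith(r"\policies\system")
                and ev["value"].lower() in POLICY_LOCKOUT and int(ev["data"]) != 0):
            out.append({"pid": ev["pid"], "rule": "policy_lockout:" + ev["value"]})
    return out


if __name__ == "__main__":
    for f in evaluate(EVENTS) + lockout_findings(REG_EVENTS):
        print(f)
    print("chain seen under parents:", sorted(chain_parents(EVENTS)))
```

Matching on the expanded child lines as well as the parent one-liner is what makes the rule robust to the %username% expansion noted above: a sample that launches takeown and icacls directly, without a cmd.exe wrapper, still produces the five child findings and still groups under one parent.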
Network
MITRE ATT&CK Enterprise v15
Downloads

Four files are listed by hash only; the page does not give their names.

File 1
  Filesize: 141KB
  MD5:      330d74c84f4597a0c7f45b232c7b0ae2
  SHA1:     46d93d7d2907e60c0b5fb3fd7246410c33a591e9
  SHA256:   6b685298579ec278cf041c12ef0ddbc102567ef274bdd43711643da89ba799e1
  SHA512:   c88cd6a3e511a76e6baccf9b30ace996689432e335b264996cf6ce3b2f0947515e34151bc620dae1a05d96342be0f856832814a3b7cd5b898b0f8b08ca371814

File 2
  Filesize: 179KB
  MD5:      a0195c08fbfe459520423bf0a7c20504
  SHA1:     9d62a03597d8c056951e8d377b4db62b51fbbfa3
  SHA256:   95a2cfb0da507b544ae915d6fd2a8d4fd8acb2456310e11d1bc066b531449ea9
  SHA512:   51c9cc7ade18fe5ffd8c58df5f573f625ee6831a8e3d87b8d529ad67a4334a7ca69e311e3a2b93e33b57879c93e20e8d7eef9f3ebc22b55c63f6a7a759bbadc5

File 3
  Filesize: 256KB
  MD5:      1a287576d58f0c02fc4b772c594148eb
  SHA1:     6a7caea118b97dc253a7f67ce0b7118b7fd78136
  SHA256:   ebd87671cbcf7c6409571c18e2d8350662851df64e6644c76b12a1b40a8c1dc6
  SHA512:   ca6ef3c8433b0f1d68458665ee9bbb7b323c2404100d5c86d6a6b327bdcdba8dec0aea3412772cd6e646b16aae36afd3d2a73be70f9b6500ab5f0d065a7e3eb6

File 4
  Filesize: 21.2MB
  MD5:      c22ec43f4e6c8b4189860c054a4064e5
  SHA1:     3b1885ca71df82a3906c71b51c0a373e8dc4d474
  SHA256:   35481f89e8b2eee81ceb5b514b44cb13dca103603a2501fbac6826fbca490c0f
  SHA512:   51a88f9e4ccee4528c47c909eb6141338f6371591276bcb2eb1dcda92ace4af621e2c8a9d36def7403a9ed8a591ef0e544108d4f539737b9054ddebef068d432