Overview (score 10)

Static (score 10)

Behavioral tasks (sample, platform: score)
- @_136 @828...SM.exe, windows7-x64: 7
- @_136 @828...SM.exe, windows10-2004-x64: 7
- TrashMalwa...in.exe, windows7-x64: 8
- TrashMalwa...in.exe, windows10-2004-x64: 8
- AdStRkJ.exe, windows7-x64: 8
- AdStRkJ.exe, windows10-2004-x64: 8
- Anatralier.exe, windows7-x64: 7
- Anatralier.exe, windows10-2004-x64: 7
- TrashMalwa...er.exe, windows7-x64: 3
- TrashMalwa...er.exe, windows10-2004-x64: 8
- TrashMalwa...nk.exe, windows7-x64: 8
- TrashMalwa...nk.exe, windows10-2004-x64: 8
- TrashMalwa...oN.bat, windows7-x64: 8
- TrashMalwa...oN.bat, windows10-2004-x64: 8
- TrashMalwa...zz.exe, windows7-x64: 6
- TrashMalwa...zz.exe, windows10-2004-x64: 6
- TrashMalwa...de.exe, windows7-x64: 7
- TrashMalwa...de.exe, windows10-2004-x64: 7
- TrashMalwa...20.exe, windows7-x64: 4
- TrashMalwa...20.exe, windows10-2004-x64: 7
- TrashMalwa...ll.exe, windows7-x64: 7
- TrashMalwa...ll.exe, windows10-2004-x64: 7
- TrashMalwa...le.exe, windows7-x64: 8
- TrashMalwa...le.exe, windows10-2004-x64: 8
- TrashMalwa...oe.bat, windows7-x64: 8
- TrashMalwa...oe.bat, windows10-2004-x64: 8
- TrashMalwa....0.exe, windows7-x64: 6
- TrashMalwa....0.exe, windows10-2004-x64: 7
- TrashMalwa....0.exe, windows7-x64: 8
- TrashMalwa....0.exe, windows10-2004-x64: 7
- TrashMalwa....0.exe, windows7-x64: 7
- TrashMalwa....0.exe, windows10-2004-x64: 7

Analysis
- max time kernel: 145s
- max time network: 113s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-03-2024 20:26
Behavioral tasks (task: sample, resource)
- behavioral1: @_136 @828#-138389J-SJFJDSM.exe, win7-20240221-en
- behavioral2: @_136 @828#-138389J-SJFJDSM.exe, win10v2004-20240226-en
- behavioral3: TrashMalwares-main/AcidRain.exe, win7-20240221-en
- behavioral4: TrashMalwares-main/AcidRain.exe, win10v2004-20240226-en
- behavioral5: AdStRkJ.exe, win7-20240221-en
- behavioral6: AdStRkJ.exe, win10v2004-20240226-en
- behavioral7: Anatralier.exe, win7-20240215-en
- behavioral8: Anatralier.exe, win10v2004-20240226-en
- behavioral9: TrashMalwares-main/Antivirus_Installer.exe, win7-20240221-en
- behavioral10: TrashMalwares-main/Antivirus_Installer.exe, win10v2004-20240226-en
- behavioral11: TrashMalwares-main/Dro trojan. Virus prank.exe, win7-20240221-en
- behavioral12: TrashMalwares-main/Dro trojan. Virus prank.exe, win10v2004-20240226-en
- behavioral13: TrashMalwares-main/FaZoN.bat, win7-20240221-en
- behavioral14: TrashMalwares-main/FaZoN.bat, win10v2004-20240226-en
- behavioral15: TrashMalwares-main/Fizz.exe, win7-20240221-en
- behavioral16: TrashMalwares-main/Fizz.exe, win10v2004-20240226-en
- behavioral17: TrashMalwares-main/Ginxide.exe, win7-20240221-en
- behavioral18: TrashMalwares-main/Ginxide.exe, win10v2004-20240226-en
- behavioral19: TrashMalwares-main/Install Windows20.exe, win7-20240221-en
- behavioral20: TrashMalwares-main/Install Windows20.exe, win10v2004-20240226-en
- behavioral21: TrashMalwares-main/MS-RickRoll.exe, win7-20240220-en
- behavioral22: TrashMalwares-main/MS-RickRoll.exe, win10v2004-20240226-en
- behavioral23: TrashMalwares-main/MercuryXhoffle.exe, win7-20240221-en
- behavioral24: TrashMalwares-main/MercuryXhoffle.exe, win10v2004-20240226-en
- behavioral25: TrashMalwares-main/NetPakoe.bat, win7-20240221-en
- behavioral26: TrashMalwares-main/NetPakoe.bat, win10v2004-20240226-en
- behavioral27: TrashMalwares-main/NetPakoe3.0.exe, win7-20240221-en
- behavioral28: TrashMalwares-main/NetPakoe3.0.exe, win10v2004-20240226-en
- behavioral29: TrashMalwares-main/NoEscape8.0.exe, win7-20240221-en
- behavioral30: TrashMalwares-main/NoEscape8.0.exe, win10v2004-20240226-en
- behavioral31: TrashMalwares-main/PC shaking v4.0.exe, win7-20240220-en
- behavioral32: TrashMalwares-main/PC shaking v4.0.exe, win10v2004-20240226-en
General
- Target: AdStRkJ.exe
- Size: 33.4MB
- MD5: 3eb8af41b3573b4000377782e8bf7719
- SHA1: c41e2c89b50ccfe34c022a4395f0c79dedb2b980
- SHA256: 967ca86ca75f576aa916872d908e584b4a5029dfed9277d3faf1f7fb67e99e0d
- SHA512: 012cbe18463953a4e7e23e9f6f824b46033575d6804d72fa2eac7924b4a90c78951db38af043d3fc788f21bd63f20533340609b6da575c453937d08346de600a
- SSDEEP: 786432:WTWY2yV45F8akEJ+iG3yE8gL52LSiTusS9jXoVu:
Malware Config
Signatures

Disables RegEdit via registry modification (1 IoC)
- AdStRkJ.exe: Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Disables Task Manager via registry modification

Possible privilege escalation attempt (4 IoCs)
- PID 3804 icacls.exe
- PID 2156 takeown.exe
- PID 3576 icacls.exe
- PID 4772 takeown.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- AdStRkJ.exe: Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (2 IoCs)
- PID 560 MBR.exe
- PID 4048 AdStRkJ_sound.exe

Modifies file permissions (1 TTP, 4 IoCs)
- PID 4772 takeown.exe
- PID 3804 icacls.exe
- PID 2156 takeown.exe
- PID 3576 icacls.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- MBR.exe: File opened for modification \??\PhysicalDrive0

Drops file in System32 directory (6 IoCs)
- AdStRkJ.exe: File created C:\Windows\System32\taskkill.exe
- ReAgentc.exe: File opened for modification C:\Windows\system32\Recovery
- ReAgentc.exe: File opened for modification C:\Windows\system32\Recovery\ReAgent.xml
- AdStRkJ.exe: File created C:\Windows\System32\notepad.exe
- AdStRkJ.exe: File opened for modification C:\Windows\System32\notepad.exe
- AdStRkJ.exe: File created C:\Windows\System32\sfc.exe

Drops file in Program Files directory (4 IoCs)
- AdStRkJ.exe: File opened for modification C:\Program Files\Windows NT 32\sound.wav
- AdStRkJ.exe: File opened for modification C:\Program Files\Windows NT 32\AdStRkJ_sound.exe
- AdStRkJ.exe: File opened for modification C:\Program Files\Windows NT 32\MBR.exe
- AdStRkJ.exe: File opened for modification C:\Program Files\Windows NT 32\lock_files.exe

Drops file in Windows directory (4 IoCs)
- ReAgentc.exe: File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml
- ReAgentc.exe: File opened for modification C:\Windows\Logs\ReAgent\ReAgent.log
- ReAgentc.exe: File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log
- ReAgentc.exe: File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (8 IoCs)
- PID 2156 takeown.exe: Token SeTakeOwnershipPrivilege
- PID 4772 takeown.exe: Token SeTakeOwnershipPrivilege
- PID 864 AdStRkJ.exe: Token SeDebugPrivilege
- PID 864 AdStRkJ.exe: Token SeDebugPrivilege
- PID 4048 AdStRkJ_sound.exe: Token SeDebugPrivilege
- PID 4048 AdStRkJ_sound.exe: Token SeDebugPrivilege
- PID 2468 AUDIODG.EXE: Token 33
- PID 2468 AUDIODG.EXE: Token SeIncBasePriorityPrivilege

Suspicious use of WriteProcessMemory (17 IoCs)
- PID 864 AdStRkJ.exe wrote to memory of PID 8 cmd.exe
- PID 864 AdStRkJ.exe wrote to memory of PID 8 cmd.exe
- PID 8 cmd.exe wrote to memory of PID 2156 takeown.exe
- PID 8 cmd.exe wrote to memory of PID 2156 takeown.exe
- PID 8 cmd.exe wrote to memory of PID 3576 icacls.exe
- PID 8 cmd.exe wrote to memory of PID 3576 icacls.exe
- PID 8 cmd.exe wrote to memory of PID 4772 takeown.exe
- PID 8 cmd.exe wrote to memory of PID 4772 takeown.exe
- PID 8 cmd.exe wrote to memory of PID 3804 icacls.exe
- PID 8 cmd.exe wrote to memory of PID 3804 icacls.exe
- PID 8 cmd.exe wrote to memory of PID 4932 ReAgentc.exe
- PID 8 cmd.exe wrote to memory of PID 4932 ReAgentc.exe
- PID 864 AdStRkJ.exe wrote to memory of PID 560 MBR.exe
- PID 864 AdStRkJ.exe wrote to memory of PID 560 MBR.exe
- PID 864 AdStRkJ.exe wrote to memory of PID 560 MBR.exe
- PID 864 AdStRkJ.exe wrote to memory of PID 4048 AdStRkJ_sound.exe
- PID 864 AdStRkJ.exe wrote to memory of PID 4048 AdStRkJ_sound.exe
Processes (process tree; nesting shows parent/child level)

C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe (level 1, PID 864)
Command line: "C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe"
- Disables RegEdit via registry modification
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe (level 2, PID 8)
  Command line: "C:\Windows\System32\cmd.exe" /k color 47 && title Critical process && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && reagentc.exe /disable && Exit
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\takeown.exe (level 3, PID 2156)
    Command line: takeown /f C:\Windows\System32
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\icacls.exe (level 3, PID 3576)
    Command line: icacls C:\Windows\System32 /grant Admin:F
    - Possible privilege escalation attempt
    - Modifies file permissions

    C:\Windows\system32\takeown.exe (level 3, PID 4772)
    Command line: takeown /f C:\Windows\System32\drivers
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\icacls.exe (level 3, PID 3804)
    Command line: icacls C:\Windows\System32\drivers /grant Admin:F
    - Possible privilege escalation attempt
    - Modifies file permissions

    C:\Windows\system32\ReAgentc.exe (level 3, PID 4932)
    Command line: reagentc.exe /disable
    - Drops file in System32 directory
    - Drops file in Windows directory

  C:\Program Files\Windows NT 32\MBR.exe (level 2, PID 560)
  Command line: "C:\Program Files\Windows NT 32\MBR.exe"
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)

  C:\Program Files\Windows NT 32\AdStRkJ_sound.exe (level 2, PID 4048)
  Command line: "C:\Program Files\Windows NT 32\AdStRkJ_sound.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AUDIODG.EXE (level 1, PID 2468)
Command line: C:\Windows\system32\AUDIODG.EXE 0x38c 0x394
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Download 1
- Filesize: 141KB
- MD5: 330d74c84f4597a0c7f45b232c7b0ae2
- SHA1: 46d93d7d2907e60c0b5fb3fd7246410c33a591e9
- SHA256: 6b685298579ec278cf041c12ef0ddbc102567ef274bdd43711643da89ba799e1
- SHA512: c88cd6a3e511a76e6baccf9b30ace996689432e335b264996cf6ce3b2f0947515e34151bc620dae1a05d96342be0f856832814a3b7cd5b898b0f8b08ca371814

Download 2
- Filesize: 179KB
- MD5: a0195c08fbfe459520423bf0a7c20504
- SHA1: 9d62a03597d8c056951e8d377b4db62b51fbbfa3
- SHA256: 95a2cfb0da507b544ae915d6fd2a8d4fd8acb2456310e11d1bc066b531449ea9
- SHA512: 51c9cc7ade18fe5ffd8c58df5f573f625ee6831a8e3d87b8d529ad67a4334a7ca69e311e3a2b93e33b57879c93e20e8d7eef9f3ebc22b55c63f6a7a759bbadc5

Download 3
- Filesize: 343KB
- MD5: 7734bece0c7493447d2df4b0a05179d0
- SHA1: f8ab23f32dc38f9ae49e8debb23df5116f8fe6dc
- SHA256: 3814d3d7c09d6ad199f43a24ba0b9a831355c3f66bbeb62f9768d995be049593
- SHA512: 88686fa176b439e4c515d453617c47039984c8956be519b410d80d9757c58408f115d57eed0a6b3a14b2d09e4835491d72e5a84abf28e4e7162ef59380dcc385

Download 4
- Filesize: 17.4MB
- MD5: 7d2e73f2f72bb20fa52bae59caf5a6bd
- SHA1: 62370d4921deb4e5144c6de43c05205df84b04ce
- SHA256: 6beb0272ada327dd92f7c3a5c2457325e51b7ac1206a816f1109384807660e38
- SHA512: 8a495d7255628eb91cc8c4b56ebf958075e2831e683a20c9be85a7f5082f1372993ad2bbee9fd61bd408fb74108fa699127ffb894105d7f31fcdc0a0c59a0f62