Analysis
  max time kernel: 27s
  max time network: 33s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 02-03-2024 20:29
Behavioral tasks (task / sample / resource)
  behavioral1    TheMalwaredev-s-garbage-main/Install Windows20.exe                      win7-20240220-en
  behavioral2    TheMalwaredev-s-garbage-main/Install Windows20.exe                      win10v2004-20240226-en
  behavioral3    TheMalwaredev-s-garbage-main/Install Windows20/doom.bat                 win7-20240221-en
  behavioral4    TheMalwaredev-s-garbage-main/Install Windows20/doom.bat                 win10v2004-20240226-en
  behavioral5    TheMalwaredev-s-garbage-main/Install Windows20/installer.exe            win7-20240215-en
  behavioral6    TheMalwaredev-s-garbage-main/Install Windows20/installer.exe            win10v2004-20240226-en
  behavioral7    TheMalwaredev-s-garbage-main/Install Windows20/installer/1.vbs          win7-20240221-en
  behavioral8    TheMalwaredev-s-garbage-main/Install Windows20/installer/1.vbs          win10v2004-20240226-en
  behavioral9    TheMalwaredev-s-garbage-main/Install Windows20/installer/dead.exe       win7-20240221-en
  behavioral10   TheMalwaredev-s-garbage-main/Install Windows20/installer/dead.exe       win10v2004-20240226-en
  behavioral11   TheMalwaredev-s-garbage-main/Install Windows20/installer/dos.vbs        win7-20240221-en
  behavioral12   TheMalwaredev-s-garbage-main/Install Windows20/installer/dos.vbs        win10v2004-20240226-en
  behavioral13   TheMalwaredev-s-garbage-main/Install Windows20/installer/explorer.hta   win7-20240220-en
  behavioral14   TheMalwaredev-s-garbage-main/Install Windows20/installer/explorer.hta   win10v2004-20240226-en
  behavioral15   TheMalwaredev-s-garbage-main/Install Windows20/installer/explorer.html  win7-20240221-en
  behavioral16   TheMalwaredev-s-garbage-main/Install Windows20/installer/explorer.html  win10v2004-20240226-en
  behavioral17   TheMalwaredev-s-garbage-main/Install Windows20/installer/main.bat       win7-20240221-en
  behavioral18   TheMalwaredev-s-garbage-main/Install Windows20/installer/main.bat       win10v2004-20240226-en
  behavioral19   TheMalwaredev-s-garbage-main/Install Windows20/installer/matrix.bat     win7-20240221-en
  behavioral20   TheMalwaredev-s-garbage-main/Install Windows20/installer/matrix.bat     win10v2004-20240226-en
  behavioral21   TheMalwaredev-s-garbage-main/Install Windows20/installer/melter.exe     win7-20240221-en
  behavioral22   TheMalwaredev-s-garbage-main/Install Windows20/installer/melter.exe     win10v2004-20240226-en
  behavioral23   TheMalwaredev-s-garbage-main/Install Windows20/installer/mover.exe      win7-20240220-en
  behavioral24   TheMalwaredev-s-garbage-main/Install Windows20/installer/mover.exe      win10v2004-20240226-en
  behavioral25   TheMalwaredev-s-garbage-main/Install Windows20/installer/o.vbs          win7-20240221-en
  behavioral26   TheMalwaredev-s-garbage-main/Install Windows20/installer/o.vbs          win10v2004-20240226-en
  behavioral27   TheMalwaredev-s-garbage-main/Install Windows20/installer/op.vbs         win7-20240221-en
  behavioral28   TheMalwaredev-s-garbage-main/Install Windows20/installer/op.vbs         win10v2004-20240226-en
  behavioral29   TheMalwaredev-s-garbage-main/Install Windows20/installer/random.vbs     win7-20240221-en
  behavioral30   TheMalwaredev-s-garbage-main/Install Windows20/installer/random.vbs     win10v2004-20240226-en
  behavioral31   TheMalwaredev-s-garbage-main/Install Windows20/installer/res.exe        win7-20240221-en
  behavioral32   TheMalwaredev-s-garbage-main/Install Windows20/installer/res.exe        win10v2004-20240226-en
Errors
General
  Target: TheMalwaredev-s-garbage-main/Install Windows20/installer/main.bat
  Size: 3KB
  MD5: 5f54a2c61397eb3d4f1bc8e9736fec2a
  SHA1: 5c3ad25b0bff96ad74d2743b15089847d6be2d40
  SHA256: 9995fab89f303652abc14b153ea864d9a5e39e20c8077d165e9944948eeeb968
  SHA512: d7c84ac92cb35aca9fb4c2e7bb43924e5033ad49a9b4fcee320386a5d0bfddf2ec674e33a575c0848b9d274bebeb4dc9abca0360493c968bbc29c7a09438141f
Malware Config
Signatures
-
Processes (description / ioc / process):
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"      reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"  reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"      reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3"   reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"  reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3"   reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"      reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"                   reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3"   reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"      reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3"   reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"                   reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"  reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"  reg.exe
Disables Task Manager via registry modification
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
  Key value queried  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation  cmd.exe
Processes (resource / yara_rule):
  behavioral18/memory/4120-57-0x0000000000400000-0x0000000000410000-memory.dmp  upx
  C:\Users\Public\Desktop\setup3.exe                                             upx
  behavioral18/memory/4068-88-0x0000000000400000-0x0000000000410000-memory.dmp  upx
  behavioral18/memory/3312-91-0x0000000000400000-0x0000000000410000-memory.dmp  upx
  behavioral18/memory/3712-90-0x0000000000400000-0x0000000000410000-memory.dmp  upx
  behavioral18/memory/2348-87-0x0000000000400000-0x0000000000410000-memory.dmp  upx
  behavioral18/memory/3168-92-0x0000000000400000-0x0000000000410000-memory.dmp  upx
  behavioral18/memory/4120-89-0x0000000000400000-0x0000000000410000-memory.dmp  upx
AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
Processes (resource / yara_rule):
  behavioral18/memory/652-56-0x0000000140000000-0x0000000140126000-memory.dmp  autoit_exe
  behavioral18/memory/652-86-0x0000000140000000-0x0000000140126000-memory.dmp  autoit_exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes (description / ioc / process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\temp\\noescape.bmp"  reg.exe
Drops file in Windows directory (16 IoCs)
Processes (description / ioc / process):
  File created                 C:\Windows\winhelper.vbs              cmd.exe
  File opened for modification C:\Windows\winhelper.vbs              cmd.exe
  File opened for modification C:\Windows\Web\you cant escape.exe    cmd.exe
  File created                 C:\Windows\SAVEYOURSELF.vbs           cmd.exe
  File opened for modification C:\Windows\Web\NO.exe                 cmd.exe
  File opened for modification C:\Windows\Web\Screen\154.exe         cmd.exe
  File opened for modification C:\Windows\WinKernel32.bat            cmd.exe
  File opened for modification C:\Windows\Web\setup64.exe            cmd.exe
  File created                 C:\Windows\WinKernel32.bat            cmd.exe
  File created                 C:\Windows\Web\you cant escape.exe    cmd.exe
  File opened for modification C:\Windows\SAVEYOURSELF.vbs           cmd.exe
  File created                 C:\Windows\Web\setup64.exe            cmd.exe
  File created                 C:\Windows\updatepush.exe             cmd.exe
  File opened for modification C:\Windows\updatepush.exe             cmd.exe
  File created                 C:\Windows\Web\NO.exe                 cmd.exe
  File created                 C:\Windows\Web\Screen\154.exe         cmd.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe (1 IoC)
Processes (pid / process):
  1740  timeout.exe
Kills process with taskkill (1 IoC)
Processes (pid / process):
  4056  taskkill.exe
Modifies data under HKEY_USERS (15 IoCs)
Processes (description / ioc / process):
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"               LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"                              LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"                        LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"                           LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"                    LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"                        LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History                               LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"                         LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"                     LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent                              LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM                                                         LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "54"                         LogonUI.exe
Modifies registry class (20 IoCs)
Processes (description / ioc / process):
  Key created      \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings                                                   cmd.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx                                                                                      reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}"  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = "xxx"                                                                                     reg.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046}                                               reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"  reg.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046}                                               reg.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}                                               reg.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew                                                                                     reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\IconPath = "%SystemRoot%\\system32\\shell32.dll,-16769"                             reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\ItemName = "@shell32.dll,-30397"                                                    reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\Config\DontRename                                                                   reg.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\Config                                                                              reg.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk                                                                                              reg.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046}                                               reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\NullFile                                                                            reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\Handler = "{ceefea1b-3e29-4ef1-b34c-fec79c4f70af}"                                  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\MenuText = "@shell32.dll,-30318"                                                    reg.exe
Modifies registry key (1 TTP, 2 IoCs)
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege           4056  taskkill.exe
  Token: SeShutdownPrivilege        3900  shutdown.exe
  Token: SeRemoteShutdownPrivilege  3900  shutdown.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid / process):
  3612  LogonUI.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description / pid / process / target process; identical entries are grouped with their count):
  PID 2088 wrote to memory of 4056  2088  cmd.exe  taskkill.exe   (x2)
  PID 2088 wrote to memory of 3332  2088  cmd.exe  WScript.exe    (x2)
  PID 2088 wrote to memory of 1740  2088  cmd.exe  timeout.exe    (x2)
  PID 2088 wrote to memory of 4776  2088  cmd.exe  reg.exe        (x2)
  PID 2088 wrote to memory of 3776  2088  cmd.exe  rundll32.exe   (x2)
  PID 2088 wrote to memory of 468   2088  cmd.exe  reg.exe        (x2)
  PID 2088 wrote to memory of 1304  2088  cmd.exe  reg.exe        (x2)
  PID 2088 wrote to memory of 2628  2088  cmd.exe  reg.exe        (x2)
  PID 2088 wrote to memory of 2216  2088  cmd.exe  reg.exe        (x2)
  PID 2088 wrote to memory of 776   2088  cmd.exe  reg.exe        (x2)
  PID 2088 wrote to memory of 1564  2088  cmd.exe  reg.exe        (x2)
  PID 2088 wrote to memory of 3876  2088  cmd.exe  reg.exe        (x2)
  PID 2088 wrote to memory of 5100  2088  cmd.exe  reg.exe        (x2)
  PID 2088 wrote to memory of 1680  2088  cmd.exe  reg.exe        (x2)
  PID 2088 wrote to memory of 1856  2088  cmd.exe  reg.exe        (x2)
  PID 2088 wrote to memory of 2568  2088  cmd.exe  WScript.exe    (x2)
  PID 2088 wrote to memory of 2260  2088  cmd.exe  WScript.exe    (x2)
  PID 2088 wrote to memory of 4336  2088  cmd.exe  WScript.exe    (x2)
  PID 2088 wrote to memory of 752   2088  cmd.exe  WScript.exe    (x2)
  PID 2088 wrote to memory of 652   2088  cmd.exe  mover.exe      (x2)
  PID 2088 wrote to memory of 2192  2088  cmd.exe  WScript.exe    (x2)
  PID 2088 wrote to memory of 3988  2088  cmd.exe  WScript.exe    (x2)
  PID 2088 wrote to memory of 1248  2088  cmd.exe  WScript.exe    (x2)
  PID 2088 wrote to memory of 2644  2088  cmd.exe  WScript.exe    (x2)
  PID 2088 wrote to memory of 4068  2088  cmd.exe  x.exe          (x3)
  PID 2088 wrote to memory of 4120  2088  cmd.exe  x.exe          (x3)
  PID 2088 wrote to memory of 3712  2088  cmd.exe  x.exe          (x3)
  PID 2088 wrote to memory of 3312  2088  cmd.exe  x.exe          (x3)
  PID 2088 wrote to memory of 2348  2088  cmd.exe  x.exe          (x3)
  PID 2088 wrote to memory of 3168  2088  cmd.exe  x.exe          (x1)
Processes (process tree; children are indented under their parent)

C:\Windows\system32\cmd.exe (PID 2088)
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\main.bat"
  - Checks computer location settings
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe (PID 4056)
      command line: taskkill /f /im explorer.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WScript.exe (PID 3332)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\update.vbs"

    C:\Windows\system32\timeout.exe (PID 1740)
      command line: timeout 20
      - Delays execution with timeout.exe

    C:\Windows\system32\reg.exe (PID 4776)
      command line: reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Public\temp\noescape.bmp /f
      - Sets desktop wallpaper using registry

    C:\Windows\system32\rundll32.exe (PID 3776)
      command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

    C:\Windows\system32\reg.exe (PID 468)
      command line: Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe (PID 1304)
      command line: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoTrayItemsDisplay" /t REG_DWORD /d "1" /f

    C:\Windows\system32\reg.exe (PID 2628)
      command line: reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1
      - Modifies registry key

    C:\Windows\system32\reg.exe (PID 2216)
      command line: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPinningToTaskbar" /t REG_DWORD /d "1" /f

    C:\Windows\system32\reg.exe (PID 776)
      command line: reg import virus.reg

    C:\Windows\system32\reg.exe (PID 1564)
      command line: reg import here.reg
      - UAC bypass

    C:\Windows\system32\reg.exe (PID 3876)
      command line: reg import death.reg

    C:\Windows\system32\reg.exe (PID 5100)
      command line: reg import no.reg
      - UAC bypass

    C:\Windows\system32\reg.exe (PID 1680)
      command line: reg import password.reg

    C:\Windows\system32\reg.exe (PID 1856)
      command line: reg import color.reg

    C:\Windows\System32\WScript.exe (PID 2568)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"

    C:\Windows\System32\WScript.exe (PID 2260)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"

    C:\Windows\System32\WScript.exe (PID 4336)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"

    C:\Windows\System32\WScript.exe (PID 752)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"

    C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\mover.exe (PID 652)
      command line: mover.exe

    C:\Windows\System32\WScript.exe (PID 2192)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"

    C:\Windows\System32\WScript.exe (PID 3988)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"

    C:\Windows\System32\WScript.exe (PID 1248)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"

    C:\Windows\System32\WScript.exe (PID 2644)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"

    C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe (PID 4068)
      command line: x.exe

        C:\Windows\SysWOW64\cmd.exe (PID 1504)
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2B6.tmp\x.cmd""

    C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe (PID 4120)
      command line: x.exe

        C:\Windows\SysWOW64\cmd.exe (PID 4924)
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2B9.tmp\x.cmd""

    C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe (PID 3712)
      command line: x.exe

        C:\Windows\SysWOW64\cmd.exe (PID 5016)
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2C5.tmp\x.cmd""

    C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe (PID 3312)
      command line: x.exe

        C:\Windows\SysWOW64\cmd.exe (PID 1600)
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2B7.tmp\x.cmd""

    C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe (PID 2348)
      command line: x.exe

        C:\Windows\SysWOW64\cmd.exe (PID 3660)
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2B8.tmp\x.cmd""

    C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe (PID 3168)
      command line: x.exe

        C:\Windows\SysWOW64\cmd.exe (PID 3544)
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2C6.tmp\x.cmd""

    C:\Windows\system32\reg.exe (PID 4588)
      command line: reg import im.reg

    C:\Windows\system32\reg.exe (PID 3992)
      command line: reg import systemmessage.reg
      - UAC bypass

    C:\Windows\system32\reg.exe (PID 3584)
      command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Modifies registry key

    C:\Windows\system32\reg.exe (PID 4132)
      command line: reg import UAC.reg
      - UAC bypass

    C:\Windows\system32\reg.exe (PID 3908)
      command line: reg import inkfile.reg
      - Modifies registry class

    C:\Windows\system32\shutdown.exe (PID 3900)
      command line: shutdown /r /t 0
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe (PID 3612)
  command line: "LogonUI.exe" /flags:0x4 /state0:0xa3947855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
  -
  Filesize: 385B
  MD5: 1ebb3ddb5424eae8205a111a3b4e2237
  SHA1: 7f6603ae0410ea2dc5adfd879632039b0eee955a
  SHA256: efc4f3065ab66661a92daebbf770103b2e8306d3985ac5c5ae816e0f64e6ab4e
  SHA512: cc9d3d208f97f8f9f46865ce75257cff6616e49f49b90e1273fa923c1d7c05c68e0ea35eec3361de4167839acec86e03c40cf4f1bf7bb039ec91cd4f8e3c855f
  -
  Filesize: 76B
  MD5: 5156c0df260ccc7bc13b73b6de4d9a25
  SHA1: e6f8b1f6ef658a1f5772b83c898088330184d291
  SHA256: 565850ac8c04867b561958ea678143b383499e729aebace9c84bec0484772b88
  SHA512: d2e7d791e6ccbf6389659d4fa673bbbb837a8ccbdfec287ff6a5d8a385e9aad413d692bc5cf93cae4d8292f565a7e9ddcc437da97a9b5fdd0c4526c4ca69cc39
  -
  Filesize: 23B
  MD5: 23873c064655ec26585bb489cab1965c
  SHA1: 575d47d57ddb6ffb5335f5d48f6bd222e17af599
  SHA256: 828653c66fd126cb9f30a8fc566887d3ae54376ccba637101ae8e0889a6a3b63
  SHA512: 44517e1b3e6ba403d99e3ae6d9340ea3e856a50e4bec3740d3530d066f28677b78ea2a25ebf63df948469dde04547044483bb9d37a5cf79e8b3ea3544bfaf348
  -
  Filesize: 182B
  MD5: 81c5f570e4fb185d0d675c450741f28b
  SHA1: cc7c042a8ec903ea5fd4171ffa2dfe57e8a5586a
  SHA256: 0c32196e293badc8b917f22ecf9d746c631678a15704dc829d594e1e04f01376
  SHA512: 2434226097e83942ddade8a98efaa2d912f8030180729fd6ccedbe70091d262a8d1ac080ae41a6c5ac37c4303c79bbdea8d6fa86828759651536532cb2fa5936
  -
  Filesize: 22KB
  MD5: 9d0cbe0006b8e6760679bf893c5d848f
  SHA1: a85c9378a962f1f3454ec34ce596dea318031618
  SHA256: 41bb8333a815138ccdc1809c33d3263d67834b2493c6b8eeebd5dde3d1ffe20c
  SHA512: 13f513d75235da33bb032901b506c718cece2f7f9d0fbe4bd9d3508f9efca208b10a319b130ec98327b6c5e054abcf7d052ce3e672f2c1c38bac1c162d4358e2
  -
  Filesize: 37B
  MD5: ac910281f16a464b6257102b715ffafc
  SHA1: 590add7ed48a1d5fa78093812ef88f9d0dfbb7c5
  SHA256: afb4e7e0f799d76ec4b197427b0933935eddd933baf6379875b3c37eb6b1bc6e
  SHA512: a62b9363acf0628ec373a33409f13e161779f0d28b0dd163b53d4ec9135b172e68c10dfb37a5459e51ec636ff3e23cc17de4a846d273e5a3e9149abe41a806ad
  -
  Filesize: 113B
  MD5: 284e7e79635ec15370bb7530d20f6b7e
  SHA1: 471f6b7bc91a8c6b51f291c75126a38b082a92ce
  SHA256: 4d81298082414e092ccb0dab56007df80a1930b60315a5b759bf1d10d8c11235
  SHA512: 3bcbce046df39bf285a2e63f83374fc0c6b809b4ee5091744496244b5929753f102402c87671205ae9b7caa78b12328cabfae1523fe6abbc5abd6e66cae57e24
  -
  Filesize: 548KB
  MD5: c1978e4080d1ec7e2edf49d6c9710045
  SHA1: b6a87a32d80f6edf889e99fb47518e69435321ed
  SHA256: c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8
  SHA512: 2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e