Analysis

  • max time kernel
    14s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-03-2024 20:29

General

  • Target

    TheMalwaredev-s-garbage-main/Install Windows20/installer/dead.exe

  • Size

    1.6MB

  • MD5

    f2a055b5634373f384692c2daaedf299

  • SHA1

    41d6f65378f2360c48bcc6684baddf9c62585086

  • SHA256

    926d3b91619e6a5d327f09b6d95d46486777910c9ca4965c6e0917c30b9561d8

  • SHA512

    4656d7d8e5e74c3c490a008e8a06b73f05bb971d458d04c8bec55ec3d25afe2644ee70be98b826f7f397b05e6ed7bc02d14ed88661c12d1651a31dde9478f69b

  • SSDEEP

    49152:sS2T7/SkG76l0Ra0kDmGVabYw1lmR7MFyeUgAnay2oV:FmSkG76l0M0K3sbY8lmReye3Mayt

Malware Config

Signatures

  • Possible privilege escalation attempt 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Program Files directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 10 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\dead.exe
    "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\dead.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\68F0.tmp\68F1.tmp\68F2.bat "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\dead.exe""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Windows\system32\timeout.exe
        timeout /t 3 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:2936
      • C:\Windows\system32\timeout.exe
        timeout /t 5 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:2544
      • \??\c:\Program Files (x86)\mbr.exe
        mbr.exe
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2624
      • \??\c:\Program Files (x86)\logon.exe
        logon.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2420
          • C:\Windows\system32\takeown.exe
            takeown /f C:\Windows\System32
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:2560
          • C:\Windows\system32\icacls.exe
            icacls C:\Windows\System32 /grant "Admin:F"
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:2424
      • \??\c:\Program Files (x86)\ScreenMelter.exe
        ScreenMelter.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2644
      • C:\Windows\system32\timeout.exe
        timeout /t 2 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:2620
      • \??\c:\Program Files (x86)\error.exe
        error.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2532
      • \??\c:\Program Files (x86)\mover.exe
        mover.exe
        3⤵
        • Executes dropped EXE
        PID:2580
      • C:\Windows\system32\timeout.exe
        timeout /t 1 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:2388
      • \??\c:\Program Files (x86)\RandomLines.exe
        RandomLines.exe
        3⤵
        PID:2516
      • C:\Windows\system32\timeout.exe
        timeout /t 4 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:2092
      • \??\c:\Program Files (x86)\tunnel.exe
        tunnel.exe
        3⤵
        PID:2376
      • \??\c:\Program Files (x86)\ScreenGlitch.exe
        ScreenGlitch.exe
        3⤵
        PID:1832
      • C:\Windows\system32\timeout.exe
        timeout /t 1 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:2148
      • \??\c:\Program Files (x86)\bomb.exe
        bomb.exe
        3⤵
        PID:764
      • \??\c:\Program Files (x86)\InvertColor.exe
        InvertColor.exe
        3⤵
        PID:1604
      • C:\Windows\system32\timeout.exe
        timeout /t 4 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:1060
      • \??\c:\Program Files (x86)\start.exe
        start.exe
        3⤵
        PID:1096
      • C:\Windows\system32\timeout.exe
        timeout /t 8 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:2340
      • C:\Windows\system32\LogonUI.exe
        LogonUI.exe
        3⤵
        PID:1084
      • C:\Windows\system32\timeout.exe
        timeout /t 3 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:2304
      • C:\Windows\system32\taskkill.exe
        taskkill /im explorer.exe /f
        3⤵
        • Kills process with taskkill
        PID:1620
      • C:\Windows\system32\timeout.exe
        timeout /t 10 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:2240

Network

MITRE ATT&CK Enterprise v15

Downloads

                • C:\Program Files (x86)\RandomLines.exe

                  Filesize

                  103KB

                  MD5

                  50caeee44dc92a147cf95fd82eb6e299

                  SHA1

                  a6619a150a31f4c1b4913884123f5b5334e23489

                  SHA256

                  81b9a2e3e9ee39f05b585ad871696a946837fcf784d3d4ecd4b9caea16560a1e

                  SHA512

                  e009de28d24abbecac2b20c4dcbbe4bd2de461c0d3140043d1ef6db3e4807d13723fb1916bc9bd1a636cfdc4bb3e102ecae645e783901ebdf9996e9bcdd9466b

                • C:\Program Files (x86)\logon.exe

                  Filesize

                  37KB

                  MD5

                  2d88dda976244bc9a14591abf1432f46

                  SHA1

                  cfea29897c1882cadad18841f75013f9d4b2e6c8

                  SHA256

                  b738e6861277724c5f2f1037fd529b77ed75749b00df76860e949e1ef7316eac

                  SHA512

                  f65404b030835ca4c84bc4a3cacd0d2695e69708fb3660698e140e5a8a4260d1658c783d130407eefb14139d5c42cf2253d82da3f48ade76fcab934e8a3daf95

                • C:\Program Files (x86)\mover.exe

                  Filesize

                  548KB

                  MD5

                  c1978e4080d1ec7e2edf49d6c9710045

                  SHA1

                  b6a87a32d80f6edf889e99fb47518e69435321ed

                  SHA256

                  c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8

                  SHA512

                  2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e

                • C:\Users\Admin\AppData\Local\Temp\68F0.tmp\68F1.tmp\68F2.bat

                  Filesize

                  633B

                  MD5

                  df6f6c2eae66cff8c13a3faa2bf1699d

                  SHA1

                  0173e526e42ccfb8dbe81b70f56764d923cc5b58

                  SHA256

                  2a3e63f855dfb9a48d89337959d521650b04b038463d8dd96d7e344b4ed47c34

                  SHA512

                  438419caa2ce8e6fdcbd8270959178644da2f4b716511cfef35d9ca37354805a563c077efc5354a78115f47ec1213793da70d7fdad6000b032224f2315ae95b3

                • C:\Windows\System32\LogonUI.exe

                  Filesize

                  12KB

                  MD5

                  53774c83432658cabec4e2ccd2f25d2a

                  SHA1

                  8264ed786bf6b732ab1ccb0acf27d3dc23e26a8c

                  SHA256

                  7a3409c7456705b53959f83adbdcb7f812a51124df794393f1488c776dc2f20f

                  SHA512

                  37553c19ff120267b45df0b45d34b7c6170d4b98ba3ed587e622d4891138a2aa1484c25253ef43c38c4853cae5fa13b9747c84d63bac33d2b11a993ca06c8d4c

                • \??\c:\Program Files (x86)\InvertColor.exe

                  Filesize

                  359KB

                  MD5

                  ebb811d0396c06a70fe74d9b23679446

                  SHA1

                  e375f124a8284479dd052161a07f57de28397638

                  SHA256

                  28e979002cb4db546bf9d9d58f5a55fd8319be638a0974c634cae6e7e9dbcd89

                  SHA512

                  1de3dcd856f30004becee7c769d62530f3a5e9785c853537adc0a387d461c97b305f75cbaf13f278dd72ba22d4650e92c48edf3c3a74b13ed68ffc0d45e13774

                • \??\c:\Program Files (x86)\ScreenGlitch.exe

                  Filesize

                  103KB

                  MD5

                  47801f0cf73d320054676a56d0264edb

                  SHA1

                  14147de6009f6ad7308cd0cc42864f85d4f41fa9

                  SHA256

                  f25853b17ee25c1df537cd39ba15a338b92b0812833e3a523aa2f90efbf766e8

                  SHA512

                  2d8f22ea28fbde67f63ea59d262df06658f075d1ef05c2837cea599528d01115a84ab5f88678c4a1fefd4f66a4946b7b20c7744a5bea8dcb3b5444e6c614d2ed

                • \??\c:\Program Files (x86)\ScreenMelter.exe

                  Filesize

                  455KB

                  MD5

                  615d04a80c94f9e36efb9c567a8afc34

                  SHA1

                  cb3b158ce9b5a0eef3097c55c226e6084a4f4877

                  SHA256

                  9f2c6d14a476d10615fe8e099ef8f87681b80382665b81c041eb5128ae7c7cb8

                  SHA512

                  0b4c3e073d170b7de1635e3b6af1f641215d217ce9f96d6c57d2ca8a6af45c9aa94a84b6b9f0876a7a8a7a31763943ba5e3bb6f44316a3a2007574359c461294

                • \??\c:\Program Files (x86)\bomb.exe

                  Filesize

                  96KB

                  MD5

                  05ad3f85b73e5ff86504f8dcc55b5d42

                  SHA1

                  927d4554328cc6d767a566c3c6cb54c16d58857a

                  SHA256

                  124cf5ca90e7aaede685fe0cda72b6a63b80583d2d5ec04d5baeb4a1851c48af

                  SHA512

                  6fda7808e0b96caf3a1ff35734fec63f1e78cca6ae0abaa54fd5dd7bca6299a587b8f2c455b9385d7cf9b9cd9b74edbab1e37d8f98e8777059b3c3e2964feb18

                • \??\c:\Program Files (x86)\error.exe

                  Filesize

                  10KB

                  MD5

                  bcdc1a6f1805a6130dfd1913b1659bc2

                  SHA1

                  f4b80ac7fe17332f916ce450d29f7ce671e49bb0

                  SHA256

                  78e706c684da0134ace5fdd5cc5e7263c5f17b905d783f928eb68d558116aac6

                  SHA512

                  0769ecf207e224ceceba33854b457d4389897163037b91141b958762304f64e75af32679c4d6ea88c4cf02aaadde077fef048837ef280a13948e82d69b6358b4

                • \??\c:\Program Files (x86)\mbr.exe

                  Filesize

                  47KB

                  MD5

                  03dc6a471476a26055fc25b81df800ef

                  SHA1

                  8f3bc66b51516c07e2a7a9dd43e33cfc5d81961c

                  SHA256

                  ba125e407dc4bac03a8e7ae352ce4d17f6dced729f69689058d020ce00f95643

                  SHA512

                  4564f26763227ffc7c7a8878a3e713d388da6a8f9e0fb6dff307f7a52a17ea5fb052306fb393f5f931d0b918ed8909326343211c5d18afada74ef35f40ee2bba

                • \??\c:\Program Files (x86)\start.exe

                  Filesize

                  119KB

                  MD5

                  67088968f1b274502a887933e634ceb4

                  SHA1

                  0fc02f39152bafe954158d3da8facbbd62b15b0e

                  SHA256

                  81c9ad8512b2c5248a6a107b7f6fa529c959fa23329e599c9afa2afeb84d2163

                  SHA512

                  a4cb194f53865f5a41e80795a97c548f572aa66d50a75741e908353b598b17f61e1289d0b98f6c01b400522f2082985f7885a1d7dae0dc86925d81ce949d26c9

                • \??\c:\Program Files (x86)\tunnel.exe

                  Filesize

                  13KB

                  MD5

                  0909dca5d016f70b982b3a39b92aa0ff

                  SHA1

                  d210e6a3de95b2c651a849cb80fde5b3cfd63a87

                  SHA256

                  4f74cf50abb877593ca5fe53281b206adcf6bda2ffc9a600eca0eb1206c5dd6b

                  SHA512

                  1908b38c2baec2938c927e800501b146825ee7650517e5f7096fdc91f023a8d693911c72c5002483499e912fe0e66fd923639d9b5a96388bc251d6c51021448d
