Malware Analysis Report

2024-11-16 12:40

Sample ID 240303-qg4qgabe68
Target MyMalwareDatabase-main.zip
SHA256 332596c3a5a92c4dfbdb3de366d9ab8601f87644c1b4ee7ca416507d859cf284
Tags
discovery evasion exploit persistence trojan bootkit upx ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

332596c3a5a92c4dfbdb3de366d9ab8601f87644c1b4ee7ca416507d859cf284

Threat Level: Known bad

The file MyMalwareDatabase-main.zip was found to be: Known bad.

Malicious Activity Summary

discovery evasion exploit persistence trojan bootkit upx ransomware

Modifies WinLogon for persistence

UAC bypass

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Possible privilege escalation attempt

Modifies system executable filetype association

Loads dropped DLL

Executes dropped EXE

UPX packed file

Checks computer location settings

Modifies file permissions

Drops desktop.ini file(s)

Modifies WinLogon

Writes to the Master Boot Record (MBR)

Checks whether UAC is enabled

Drops file in System32 directory

Sets desktop wallpaper using registry

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

NSIS installer

Modifies data under HKEY_USERS

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Modifies Control Panel

Modifies registry key

Kills process with taskkill

System policy modification

Modifies registry class

Modifies File Icons

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-03 13:15

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Losange.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Losange.exe

"C:\Users\Admin\AppData\Local\Temp\Losange.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/1400-0-0x00007FF798630000-0x00007FF798656000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Monoxidex64.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Monoxidex64.exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Monoxidex64.exe"

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NightMare.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini C:\Windows\system32\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Recovery C:\Windows\SysWOW64\ReAgentc.exe N/A
File opened for modification C:\Windows\SysWOW64\Recovery\ReAgent.xml C:\Windows\SysWOW64\ReAgentc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7415).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2008).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(527).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3522).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3621).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4317).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9716).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(503).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7741).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9568).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6943).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1150).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2291).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(221).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1672).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2638).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6957).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7999).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8569).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1442).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6509).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3896).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3970).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4757).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7724).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9871).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3188).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7442).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9571).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(395).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4477).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1140).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4908).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(794).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1918).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2491).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5020).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6406).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7376).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8152).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8958).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(663).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4655).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3515).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4274).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4528).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6536).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7065).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1876).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3425).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4535).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7480).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7638).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8272).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1393).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6132).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4646).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6551).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1333).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1785).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4743).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5750).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1325).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2624).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\svchost.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\UpArrow = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\Hand = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\Help = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\No = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\NWPen = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\SizeAll = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\SizeWE = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\ = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\Wait = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\SizeNESW = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\SizeNS = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\SizeNWSE = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A

Modifies File Icons

ransomware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\3 C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\4 C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icmfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\WOW6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\WOW6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3045580317-3728985860-206385570-1000\{F40EF9B6-22AB-4520-B606-11D985A58B11} C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pjpegfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\WOW6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pnffile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\WOW6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\WOW6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B} C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSEFile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\WOW6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ratfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zapfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 32 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2108 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2108 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4560 wrote to memory of 3596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 3596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 3596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1828 wrote to memory of 3160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 1828 wrote to memory of 3160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 1828 wrote to memory of 3160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2920 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 2920 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 2920 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 2252 wrote to memory of 3776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2252 wrote to memory of 3776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2252 wrote to memory of 3776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 5096 wrote to memory of 3932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5096 wrote to memory of 3932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5096 wrote to memory of 3932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1704 wrote to memory of 3244 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1704 wrote to memory of 3244 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1704 wrote to memory of 3244 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2956 wrote to memory of 3432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2956 wrote to memory of 3432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2956 wrote to memory of 3432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2252 wrote to memory of 3584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2252 wrote to memory of 3584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2252 wrote to memory of 3584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 32 wrote to memory of 5688 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 5688 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 5688 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 5688 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 5688 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 5688 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 32 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 5996 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NightMare.exe

"C:\Users\Admin\AppData\Local\Temp\NightMare.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k net user %username% /delete && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k reg delete HKCR && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k reg delete HKU && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k reg delete HKLM && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k reagentc.exe /disable && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit

C:\Windows\SysWOW64\net.exe

net user Admin /delete

C:\Windows\SysWOW64\reg.exe

reg delete HKCR

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\SysWOW64\ReAgentc.exe

reagentc.exe /disable

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32

C:\Windows\SysWOW64\reg.exe

reg delete HKLM

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user Admin /delete

C:\Windows\SysWOW64\reg.exe

reg delete HKU

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32 /grant Admin:F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\taskmgr.exe && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\LogonUI.exe && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\BCD && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\drivers && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\servicing\TrustedInstaller.exe && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\taskmgr.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\System32\WUDFHost.exe && pause

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM fontdrvhost.exe /F

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\LogonUI.exe

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI\BCD

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\drivers

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\System32\WUDFHost.exe

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

memory/32-0-0x0000000000060000-0x0000000000070000-memory.dmp

memory/32-1-0x0000000074DC0000-0x0000000075570000-memory.dmp

memory/32-2-0x00000000050A0000-0x0000000005644000-memory.dmp

memory/32-3-0x0000000004A40000-0x0000000004AD2000-memory.dmp

memory/32-4-0x0000000004B90000-0x0000000004BA0000-memory.dmp

memory/32-5-0x0000000004B10000-0x0000000004B1A000-memory.dmp

C:\Users\Admin\Videos\Captures\desktop.ini

MD5 b0d27eaec71f1cd73b015f5ceeb15f9d
SHA1 62264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA256 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA512 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE.txt

MD5 21ad42bd4156f914d3a265823a1c269c
SHA1 4129bc994a0947b38e3bac2aeabc8e2fbdbd503f
SHA256 680671bac3f22a5f19ffbd2c82eec069a32844cf93d419aa59319cd0cbc98ac2
SHA512 7ec8c3801798b4fd547578d31badd96edeaacf0a91dca807c04e40ad65d97592043cb8e747947f74b9850f8e99dcd1c8f1c311cb0f8b79be301be36ca884cc5a

memory/32-7955-0x0000000074DC0000-0x0000000075570000-memory.dmp

memory/32-10464-0x0000000004B90000-0x0000000004BA0000-memory.dmp

memory/32-120019-0x0000000004B90000-0x0000000004BA0000-memory.dmp

memory/32-120041-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win7-20240221-en

Max time kernel

121s

Max time network

124s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\REGFuck.bat"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\REGFuck.bat"

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:15

Platform

win7-20240221-en

Max time kernel

0s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide_fixes.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide_fixes.exe

"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide_fixes.exe"

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win7-20240215-en

Max time kernel

141s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Frog.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\1337\Frog.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\1337\Frog.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Frog.exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Frog.exe"

C:\Users\Admin\AppData\Roaming\1337\Frog.exe

"C:\Users\Admin\AppData\Roaming\1337\Frog.exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nst1383.tmp\System.dll

MD5 2ae993a2ffec0c137eb51c8832691bcb
SHA1 98e0b37b7c14890f8a599f35678af5e9435906e1
SHA256 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA512 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

\Users\Admin\AppData\Roaming\1337\Frog.exe

MD5 41e75c80873b0ca18d56ddaba4c5aadd
SHA1 1d0423d6e66a4739db22939e1c16bcdc7eaa9746
SHA256 b7d4eef3fa0244a3618b3d60eab9a3ebaf1f8ec5cce9598d37e99b9d7a988cec
SHA512 402de19c72015fefefe02347fad8907762c991538c4ef7aa6b646c90d6fd7aadadcdb8be9f03d78a1b7cec712516faa318fde738b52dfa7b3aaa34219f2d1530

memory/2552-15-0x00000000001C0000-0x00000000001C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\1337\php5ts.dll

MD5 c9aff68f6673fae7580527e8c76805b6
SHA1 bb62cc1db82cfe07a8c08a36446569dfc9c76d10
SHA256 9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4
SHA512 c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56

memory/2552-21-0x0000000003460000-0x0000000003461000-memory.dmp

memory/2584-22-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/2552-23-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2552-25-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2552-26-0x0000000003460000-0x0000000003461000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GonnaCry.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GonnaCry.exe

"C:\Users\Admin\AppData\Local\Temp\GonnaCry.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

memory/3316-0-0x000001C48C460000-0x000001C48C56E000-memory.dmp

memory/3316-1-0x00007FFA7DA20000-0x00007FFA7E4E1000-memory.dmp

memory/3316-2-0x000001C4A6AC0000-0x000001C4A6AD0000-memory.dmp

C:\Users\Admin\Desktop\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE.txt

MD5 7f0df170f9cea3f0bedc79894eb44bdf
SHA1 79a083f09bf614d80543d0c455bb27b031da8adf
SHA256 1d9712c98621bfda7f5247f6fd6ef93165db44710685438cf27a3fe5ecc1e738
SHA512 f3bb9891ae73a4ce45894b30edf753007505d6afce716d1589750721c143e8b483219196d8c6a39d56496e4b7f4b76e64fa85a5c1d000aa0bb9d1224889f9d1c

memory/3316-1202-0x00007FFA7DA20000-0x00007FFA7E4E1000-memory.dmp

memory/3316-1203-0x000001C4A6AC0000-0x000001C4A6AD0000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe"

Signatures

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\REG.exe N/A

Disables Task Manager via registry modification

evasion

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\REG.exe N/A
N/A N/A C:\Windows\SysWOW64\REG.exe N/A
N/A N/A C:\Windows\SysWOW64\REG.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4004 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\taskkill.exe
PID 4004 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\taskkill.exe
PID 4004 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\taskkill.exe
PID 4004 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 4004 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 4004 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 4004 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 4004 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 4004 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 4004 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 4004 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 4004 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im taskmgr.exe

C:\Windows\SysWOW64\REG.exe

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\REG.exe

REG add HKCU\SOFTWARE\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\REG.exe

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f4 0x15c

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4004 -ip 4004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1060

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/4004-0-0x0000000000400000-0x000000000040E000-memory.dmp

memory/4004-1-0x0000000000400000-0x000000000040E000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:15

Platform

win7-20240221-en

Max time kernel

0s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide.exe

"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide.exe"

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 556 wrote to memory of 3976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 556 wrote to memory of 3976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 556 wrote to memory of 3976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3976 -ip 3976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 193.98.74.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Hydromatic (1).exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Hydromatic (1).exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Hydromatic (1).exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.109.69.13.in-addr.arpa udp

Files

memory/4476-0-0x0000000000160000-0x0000000000192000-memory.dmp

memory/4476-1-0x0000000000160000-0x0000000000192000-memory.dmp

memory/4476-2-0x0000000000160000-0x0000000000192000-memory.dmp

memory/4476-3-0x0000000000160000-0x0000000000192000-memory.dmp

memory/4476-4-0x0000000000160000-0x0000000000192000-memory.dmp

memory/4476-5-0x0000000000160000-0x0000000000192000-memory.dmp

memory/4476-6-0x0000000000160000-0x0000000000192000-memory.dmp

memory/4476-7-0x0000000000160000-0x0000000000192000-memory.dmp

memory/4476-8-0x0000000000160000-0x0000000000192000-memory.dmp

memory/4476-9-0x0000000000160000-0x0000000000192000-memory.dmp

memory/4476-10-0x0000000000160000-0x0000000000192000-memory.dmp

memory/4476-11-0x0000000000160000-0x0000000000192000-memory.dmp

memory/4476-12-0x0000000000160000-0x0000000000192000-memory.dmp

memory/4476-13-0x0000000000160000-0x0000000000192000-memory.dmp

memory/4476-14-0x0000000000160000-0x0000000000192000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Monoxidex64.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Monoxidex64.exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Monoxidex64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win7-20240221-en

Max time kernel

141s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe"

Signatures

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\REG.exe N/A

Disables Task Manager via registry modification

evasion

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\REG.exe N/A
N/A N/A C:\Windows\SysWOW64\REG.exe N/A
N/A N/A C:\Windows\SysWOW64\REG.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1836 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\taskkill.exe
PID 1836 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\taskkill.exe
PID 1836 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\taskkill.exe
PID 1836 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\taskkill.exe
PID 1836 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 1836 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 1836 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 1836 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 1836 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 1836 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 1836 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 1836 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 1836 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 1836 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 1836 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 1836 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\REG.exe
PID 1836 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\WerFault.exe
PID 1836 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\WerFault.exe
PID 1836 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\WerFault.exe
PID 1836 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Protactinium (1).exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im taskmgr.exe

C:\Windows\SysWOW64\REG.exe

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\REG.exe

REG add HKCU\SOFTWARE\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\REG.exe

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 564

Network

N/A

Files

memory/1836-0-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1836-1-0x0000000000400000-0x000000000040E000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$1\1337\Frog.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\$1\1337\Frog.exe

"C:\Users\Admin\AppData\Local\Temp\$1\1337\Frog.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/3720-0-0x0000000000990000-0x0000000000991000-memory.dmp

memory/3720-3-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3720-4-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3720-5-0x0000000000990000-0x0000000000991000-memory.dmp

memory/3720-6-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3720-7-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3720-8-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3720-9-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3720-10-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3720-11-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3720-12-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3720-13-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3720-14-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3720-15-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3720-16-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3720-17-0x0000000000400000-0x000000000064F000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:16

Platform

win10v2004-20240226-en

Max time kernel

14s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon = "0" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnt32.exe C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe N/A
File opened for modification C:\Windows\winnt32.exe C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Mouse C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe N/A
Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop\AutoColorization = "1" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "117" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39b4055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

memory/2628-0-0x0000000000400000-0x00000000005CC000-memory.dmp

memory/2628-1-0x0000000000400000-0x00000000005CC000-memory.dmp

C:\Users\Public\Desktop\శՂⴣᏲ؂ᘨ⻔ᐦᕲ➵Ჩᚴ༙፽༼ㄝ▽

MD5 e49f0a8effa6380b4518a8064f6d240b
SHA1 ba62ffe370e186b7f980922067ac68613521bd51
SHA256 8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13
SHA512 de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

memory/2628-177-0x0000000000400000-0x00000000005CC000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe

"C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe"

Network

N/A

Files

memory/2212-1-0x0000000000400000-0x0000000000584000-memory.dmp

memory/2212-0-0x0000000000400000-0x0000000000584000-memory.dmp

memory/2212-2-0x0000000000400000-0x0000000000584000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:15

Platform

win10v2004-20240226-en

Max time kernel

0s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide_fixes.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide_fixes.exe

"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide_fixes.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Frog.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Frog.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\1337\Frog.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Frog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1337\Frog.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Frog.exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Frog.exe"

C:\Users\Admin\AppData\Roaming\1337\Frog.exe

"C:\Users\Admin\AppData\Roaming\1337\Frog.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\nsx590F.tmp\System.dll

MD5 2ae993a2ffec0c137eb51c8832691bcb
SHA1 98e0b37b7c14890f8a599f35678af5e9435906e1
SHA256 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA512 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

C:\Users\Admin\AppData\Roaming\1337\Frog.exe

MD5 41e75c80873b0ca18d56ddaba4c5aadd
SHA1 1d0423d6e66a4739db22939e1c16bcdc7eaa9746
SHA256 b7d4eef3fa0244a3618b3d60eab9a3ebaf1f8ec5cce9598d37e99b9d7a988cec
SHA512 402de19c72015fefefe02347fad8907762c991538c4ef7aa6b646c90d6fd7aadadcdb8be9f03d78a1b7cec712516faa318fde738b52dfa7b3aaa34219f2d1530

memory/3952-19-0x00000000008A0000-0x00000000008A1000-memory.dmp

C:\Users\Admin\AppData\Roaming\1337\php5ts.dll

MD5 c9aff68f6673fae7580527e8c76805b6
SHA1 bb62cc1db82cfe07a8c08a36446569dfc9c76d10
SHA256 9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4
SHA512 c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56

memory/3952-24-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3952-25-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3952-26-0x00000000008A0000-0x00000000008A1000-memory.dmp

memory/3952-27-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3952-28-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3952-29-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3952-30-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3952-31-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3952-32-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3952-33-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3952-34-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3952-35-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3952-36-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3952-37-0x0000000000400000-0x000000000064F000-memory.dmp

memory/3952-38-0x0000000000400000-0x000000000064F000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$1\1337\php5ts.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2916 wrote to memory of 796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2916 wrote to memory of 796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$1\1337\php5ts.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$1\1337\php5ts.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 131.109.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win7-20240215-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Hydromatic (1).exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Hydromatic (1).exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Hydromatic (1).exe"

Network

N/A

Files

memory/2892-0-0x0000000000E40000-0x0000000000E72000-memory.dmp

memory/2892-1-0x0000000000E40000-0x0000000000E72000-memory.dmp

memory/2892-2-0x0000000000E40000-0x0000000000E72000-memory.dmp

memory/2892-3-0x0000000000E40000-0x0000000000E72000-memory.dmp

memory/2892-4-0x0000000000E40000-0x0000000000E72000-memory.dmp

memory/2892-5-0x0000000000E40000-0x0000000000E72000-memory.dmp

memory/2892-6-0x0000000000E40000-0x0000000000E72000-memory.dmp

memory/2892-7-0x0000000000E40000-0x0000000000E72000-memory.dmp

memory/2892-8-0x0000000000E40000-0x0000000000E72000-memory.dmp

memory/2892-9-0x0000000000E40000-0x0000000000E72000-memory.dmp

memory/2892-10-0x0000000000E40000-0x0000000000E72000-memory.dmp

memory/2892-11-0x0000000000E40000-0x0000000000E72000-memory.dmp

memory/2892-12-0x0000000000E40000-0x0000000000E72000-memory.dmp

memory/2892-13-0x0000000000E40000-0x0000000000E72000-memory.dmp

memory/2892-14-0x0000000000E40000-0x0000000000E72000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

127s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\REGFuck.bat"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\REGFuck.bat"

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win7-20240221-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Saturn.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Saturn.exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Saturn.exe"

Network

N/A

Files

memory/2344-0-0x0000000000E20000-0x0000000000E66000-memory.dmp

memory/2344-1-0x0000000074A30000-0x000000007511E000-memory.dmp

memory/2344-2-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

memory/2344-3-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

memory/2344-4-0x0000000074A30000-0x000000007511E000-memory.dmp

memory/2344-5-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

memory/2344-6-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

memory/2344-7-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

memory/2344-8-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

memory/2344-9-0x0000000005E70000-0x0000000005F70000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:15

Platform

win10v2004-20240226-en

Max time kernel

0s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide.exe

"C:\Users\Admin\AppData\Local\Temp\Sulfoxide\Sulfoxide.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 udp
N/A 20.190.159.0:443 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win7-20240221-en

Max time kernel

141s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$1\1337\Frog.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\$1\1337\Frog.exe

"C:\Users\Admin\AppData\Local\Temp\$1\1337\Frog.exe"

Network

N/A

Files

memory/2400-0-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2400-3-0x0000000002360000-0x0000000002361000-memory.dmp

memory/2400-4-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2400-5-0x0000000000400000-0x000000000064F000-memory.dmp

memory/2400-6-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2400-7-0x0000000002360000-0x0000000002361000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\NoEscape (1).exe"

Network

N/A

Files

memory/2196-0-0x0000000000400000-0x00000000005CC000-memory.dmp

memory/2196-1-0x0000000000400000-0x00000000005CC000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe

"C:\Users\Admin\AppData\Local\Temp\Rebcoana.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

memory/3044-0-0x0000000000400000-0x0000000000584000-memory.dmp

memory/3044-1-0x0000000000400000-0x0000000000584000-memory.dmp

memory/3044-2-0x0000000000400000-0x0000000000584000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win7-20240215-en

Max time kernel

139s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NightMare.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A

Disables Task Manager via registry modification

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9366).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1412).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2080).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4435).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6408).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4337).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4903).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5192).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6403).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(229).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6743).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8924).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7212).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7848).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9686).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3200).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5295).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5889).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6609).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2209).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2288).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6706).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5115).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5127).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8926).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9651).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(210).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(793).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4218).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4638).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5013).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7773).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7409).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7874).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8553).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1286).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5161).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6942).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7367).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9285).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1024).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3587).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4309).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7531).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3778).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3880).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6548).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7668).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(934).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1487).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2591).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3531).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7772).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7853).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8824).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9623).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2519).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4974).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6225).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8187).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4080).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1164).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1848).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3348).txt C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\Help = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\SizeNESW = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\SizeNWSE = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\UpArrow = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\Hand = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\NWPen = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\SizeWE = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\SizeAll = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\SizeNS = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\ = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\No = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\Wait = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A

Modifies File Icons

ransomware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Icons\3 C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Icons\4 C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icmfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSEFile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ratfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zapfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pjpegfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Wow6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B} C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pnffile\DefaultIcon\ C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2740 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\NightMare.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2368 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2368 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2368 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2156 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2156 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2156 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2156 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1540 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1540 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1540 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1540 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2560 wrote to memory of 1808 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2560 wrote to memory of 1808 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2560 wrote to memory of 1808 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2560 wrote to memory of 1808 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2664 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2664 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2664 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2664 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2604 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2604 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2604 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2604 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2668 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 2668 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 2668 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 2668 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ReAgentc.exe
PID 2996 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2996 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2996 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2996 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2604 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2604 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2604 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NightMare.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NightMare.exe

"C:\Users\Admin\AppData\Local\Temp\NightMare.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k net user %username% /delete && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k reg delete HKCR && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k reg delete HKU && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k reg delete HKLM && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k reagentc.exe /disable && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit

C:\Windows\SysWOW64\net.exe

net user Admin /delete

C:\Windows\SysWOW64\reg.exe

reg delete HKU

C:\Windows\SysWOW64\reg.exe

reg delete HKCR

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user Admin /delete

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32

C:\Windows\SysWOW64\ReAgentc.exe

reagentc.exe /disable

C:\Windows\SysWOW64\reg.exe

reg delete HKLM

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32 /grant Admin:F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\taskmgr.exe && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\LogonUI.exe && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\BCD && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\drivers && pause

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\servicing\TrustedInstaller.exe && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\taskmgr.exe

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\LogonUI.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\System32\WUDFHost.exe && pause

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM fontdrvhost.exe /F

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\drivers

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM dwm.exe.exe /F

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /IM TrustedInstaller.exe.exe /F

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\System32\WUDFHost.exe

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI\BCD

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\Boot\DVD\EFI

Network

N/A

Files

memory/2740-0-0x0000000001160000-0x0000000001170000-memory.dmp

memory/2740-1-0x0000000074140000-0x000000007482E000-memory.dmp

memory/2740-2-0x0000000001090000-0x00000000010D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE.txt

MD5 21ad42bd4156f914d3a265823a1c269c
SHA1 4129bc994a0947b38e3bac2aeabc8e2fbdbd503f
SHA256 680671bac3f22a5f19ffbd2c82eec069a32844cf93d419aa59319cd0cbc98ac2
SHA512 7ec8c3801798b4fd547578d31badd96edeaacf0a91dca807c04e40ad65d97592043cb8e747947f74b9850f8e99dcd1c8f1c311cb0f8b79be301be36ca884cc5a

memory/2740-13523-0x0000000074140000-0x000000007482E000-memory.dmp

memory/2740-19154-0x0000000001090000-0x00000000010D0000-memory.dmp

memory/2740-80006-0x0000000001090000-0x00000000010D0000-memory.dmp

memory/2740-80028-0x0000000001090000-0x00000000010D0000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win7-20240221-en

Max time kernel

120s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 228

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win7-20240221-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GonnaCry.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GonnaCry.exe

"C:\Users\Admin\AppData\Local\Temp\GonnaCry.exe"

Network

N/A

Files

memory/2020-0-0x00000000003B0000-0x00000000004BE000-memory.dmp

memory/2020-1-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

memory/2020-2-0x000000001B340000-0x000000001B3C0000-memory.dmp

C:\Users\Admin\Desktop\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE.txt

MD5 7f0df170f9cea3f0bedc79894eb44bdf
SHA1 79a083f09bf614d80543d0c455bb27b031da8adf
SHA256 1d9712c98621bfda7f5247f6fd6ef93165db44710685438cf27a3fe5ecc1e738
SHA512 f3bb9891ae73a4ce45894b30edf753007505d6afce716d1589750721c143e8b483219196d8c6a39d56496e4b7f4b76e64fa85a5c1d000aa0bb9d1224889f9d1c

memory/2020-803-0x000000001B340000-0x000000001B3C0000-memory.dmp

memory/2020-804-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Losange.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Losange.exe

"C:\Users\Admin\AppData\Local\Temp\Losange.exe"

Network

N/A

Files

memory/2168-0-0x000000013F2B0000-0x000000013F2D6000-memory.dmp

memory/2168-1-0x000000013F2B0000-0x000000013F2D6000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Saturn.exe"

Signatures

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Saturn.exe

"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\Saturn.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3780 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3f4 0x40c

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.212.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 234.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

memory/3688-0-0x0000000074F30000-0x00000000756E0000-memory.dmp

memory/3688-1-0x00000000005A0000-0x00000000005E6000-memory.dmp

memory/3688-2-0x00000000056A0000-0x0000000005C44000-memory.dmp

memory/3688-3-0x0000000005000000-0x0000000005092000-memory.dmp

memory/3688-4-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

memory/3688-5-0x0000000004FF0000-0x0000000004FFA000-memory.dmp

memory/3688-6-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

memory/3688-7-0x0000000074F30000-0x00000000756E0000-memory.dmp

memory/3688-8-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

memory/3688-9-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

memory/3688-10-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

memory/3688-11-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

memory/3688-12-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

memory/3688-13-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

memory/3688-14-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-03 13:14

Reported

2024-03-03 13:17

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$1\1337\php5ts.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2492 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$1\1337\php5ts.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$1\1337\php5ts.dll,#1

Network

N/A

Files

N/A