Analysis
max time kernel: 4s
max time network: 4s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 25-04-2024 14:17
Static task: static1
Behavioral task: behavioral1
  Sample: 000.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 000.exe
  Resource: win10v2004-20240412-en
Errors
General
Target: 000.exe
Size: 6.7MB
MD5: d5671758956b39e048680b6a8275e96a
SHA1: 33c341130bf9c93311001a6284692c86fec200ef
SHA256: 4a900b344ef765a66f98cf39ac06273d565ca0f5d19f7ea4ca183786155d4a47
SHA512: 972e89ed8b7b4d75df0a05c53e71fb5c29edaa173d7289656676b9d2a1ed439be1687beddc6fb1fbf068868c3da9c3d2deb03b55e5ab5e7968858b5efc49fbe7
SSDEEP: 3072:V3LA1++iCeFj0im6X/AXpT8vVMCcHVcdhghUuzzo9Y:lLJlC6j0CX4XmvWHVcd62uo9
Malware Config
Signatures
- Disables Task Manager via registry modification
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 000.exe
  description               ioc     process
  File opened (read-only)   \??\T:  000.exe
  File opened (read-only)   \??\V:  000.exe
  File opened (read-only)   \??\B:  000.exe
  File opened (read-only)   \??\I:  000.exe
  File opened (read-only)   \??\M:  000.exe
  File opened (read-only)   \??\N:  000.exe
  File opened (read-only)   \??\O:  000.exe
  File opened (read-only)   \??\P:  000.exe
  File opened (read-only)   \??\X:  000.exe
  File opened (read-only)   \??\H:  000.exe
  File opened (read-only)   \??\L:  000.exe
  File opened (read-only)   \??\Q:  000.exe
  File opened (read-only)   \??\W:  000.exe
  File opened (read-only)   \??\G:  000.exe
  File opened (read-only)   \??\J:  000.exe
  File opened (read-only)   \??\S:  000.exe
  File opened (read-only)   \??\Y:  000.exe
  File opened (read-only)   \??\A:  000.exe
  File opened (read-only)   \??\E:  000.exe
  File opened (read-only)   \??\K:  000.exe
  File opened (read-only)   \??\R:  000.exe
  File opened (read-only)   \??\U:  000.exe
  File opened (read-only)   \??\Z:  000.exe
- Modifies WinLogon (2 TTPs, 1 IoCs)
  Processes: 000.exe
  description      ioc                                                                                                      process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"  000.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: 000.exe
  description      ioc                                                                                       process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper  000.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (2 IoCs)
  Processes: taskkill.exe, taskkill.exe
  pid   process
  2528  taskkill.exe
  2500  taskkill.exe
- Modifies registry class (1 IoCs)
  Processes: 000.exe
  description      ioc                                                                                                       process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"  000.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: taskkill.exe, taskkill.exe, WMIC.exe, WMIC.exe
  description                          pid   process
  Token: SeDebugPrivilege              2528  taskkill.exe
  Token: SeDebugPrivilege              2500  taskkill.exe
  Token: SeIncreaseQuotaPrivilege      2632  WMIC.exe
  Token: SeSecurityPrivilege           2632  WMIC.exe
  Token: SeTakeOwnershipPrivilege      2632  WMIC.exe
  Token: SeLoadDriverPrivilege         2632  WMIC.exe
  Token: SeSystemProfilePrivilege      2632  WMIC.exe
  Token: SeSystemtimePrivilege         2632  WMIC.exe
  Token: SeProfSingleProcessPrivilege  2632  WMIC.exe
  Token: SeIncBasePriorityPrivilege    2632  WMIC.exe
  Token: SeCreatePagefilePrivilege     2632  WMIC.exe
  Token: SeBackupPrivilege             2632  WMIC.exe
  Token: SeRestorePrivilege            2632  WMIC.exe
  Token: SeShutdownPrivilege           2632  WMIC.exe
  Token: SeDebugPrivilege              2632  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  2632  WMIC.exe
  Token: SeRemoteShutdownPrivilege     2632  WMIC.exe
  Token: SeUndockPrivilege             2632  WMIC.exe
  Token: SeManageVolumePrivilege       2632  WMIC.exe
  Token: 33                            2632  WMIC.exe
  Token: 34                            2632  WMIC.exe
  Token: 35                            2632  WMIC.exe
  Token: SeIncreaseQuotaPrivilege      2632  WMIC.exe
  Token: SeSecurityPrivilege           2632  WMIC.exe
  Token: SeTakeOwnershipPrivilege      2632  WMIC.exe
  Token: SeLoadDriverPrivilege         2632  WMIC.exe
  Token: SeSystemProfilePrivilege      2632  WMIC.exe
  Token: SeSystemtimePrivilege         2632  WMIC.exe
  Token: SeProfSingleProcessPrivilege  2632  WMIC.exe
  Token: SeIncBasePriorityPrivilege    2632  WMIC.exe
  Token: SeCreatePagefilePrivilege     2632  WMIC.exe
  Token: SeBackupPrivilege             2632  WMIC.exe
  Token: SeRestorePrivilege            2632  WMIC.exe
  Token: SeShutdownPrivilege           2632  WMIC.exe
  Token: SeDebugPrivilege              2632  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  2632  WMIC.exe
  Token: SeRemoteShutdownPrivilege     2632  WMIC.exe
  Token: SeUndockPrivilege             2632  WMIC.exe
  Token: SeManageVolumePrivilege       2632  WMIC.exe
  Token: 33                            2632  WMIC.exe
  Token: 34                            2632  WMIC.exe
  Token: 35                            2632  WMIC.exe
  Token: SeIncreaseQuotaPrivilege      1564  WMIC.exe
  Token: SeSecurityPrivilege           1564  WMIC.exe
  Token: SeTakeOwnershipPrivilege      1564  WMIC.exe
  Token: SeLoadDriverPrivilege         1564  WMIC.exe
  Token: SeSystemProfilePrivilege      1564  WMIC.exe
  Token: SeSystemtimePrivilege         1564  WMIC.exe
  Token: SeProfSingleProcessPrivilege  1564  WMIC.exe
  Token: SeIncBasePriorityPrivilege    1564  WMIC.exe
  Token: SeCreatePagefilePrivilege     1564  WMIC.exe
  Token: SeBackupPrivilege             1564  WMIC.exe
  Token: SeRestorePrivilege            1564  WMIC.exe
  Token: SeShutdownPrivilege           1564  WMIC.exe
  Token: SeDebugPrivilege              1564  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  1564  WMIC.exe
  Token: SeRemoteShutdownPrivilege     1564  WMIC.exe
  Token: SeUndockPrivilege             1564  WMIC.exe
  Token: SeManageVolumePrivilege       1564  WMIC.exe
  Token: 33                            1564  WMIC.exe
  Token: 34                            1564  WMIC.exe
  Token: 35                            1564  WMIC.exe
  Token: SeIncreaseQuotaPrivilege      1564  WMIC.exe
  Token: SeSecurityPrivilege           1564  WMIC.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 000.exe
  pid   process
  2868  000.exe
  2868  000.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: 000.exe, cmd.exe
  description                       pid   process  target process
  PID 2868 wrote to memory of 2340  2868  000.exe  cmd.exe
  PID 2868 wrote to memory of 2340  2868  000.exe  cmd.exe
  PID 2868 wrote to memory of 2340  2868  000.exe  cmd.exe
  PID 2868 wrote to memory of 2340  2868  000.exe  cmd.exe
  PID 2340 wrote to memory of 2528  2340  cmd.exe  taskkill.exe
  PID 2340 wrote to memory of 2528  2340  cmd.exe  taskkill.exe
  PID 2340 wrote to memory of 2528  2340  cmd.exe  taskkill.exe
  PID 2340 wrote to memory of 2528  2340  cmd.exe  taskkill.exe
  PID 2340 wrote to memory of 2500  2340  cmd.exe  taskkill.exe
  PID 2340 wrote to memory of 2500  2340  cmd.exe  taskkill.exe
  PID 2340 wrote to memory of 2500  2340  cmd.exe  taskkill.exe
  PID 2340 wrote to memory of 2500  2340  cmd.exe  taskkill.exe
  PID 2340 wrote to memory of 2632  2340  cmd.exe  WMIC.exe
  PID 2340 wrote to memory of 2632  2340  cmd.exe  WMIC.exe
  PID 2340 wrote to memory of 2632  2340  cmd.exe  WMIC.exe
  PID 2340 wrote to memory of 2632  2340  cmd.exe  WMIC.exe
  PID 2340 wrote to memory of 1564  2340  cmd.exe  WMIC.exe
  PID 2340 wrote to memory of 1564  2340  cmd.exe  WMIC.exe
  PID 2340 wrote to memory of 1564  2340  cmd.exe  WMIC.exe
  PID 2340 wrote to memory of 1564  2340  cmd.exe  WMIC.exe
  PID 2340 wrote to memory of 1924  2340  cmd.exe  shutdown.exe
  PID 2340 wrote to memory of 1924  2340  cmd.exe  shutdown.exe
  PID 2340 wrote to memory of 1924  2340  cmd.exe  shutdown.exe
  PID 2340 wrote to memory of 1924  2340  cmd.exe  shutdown.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\000.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\000.exe"
  - Enumerates connected drives
  - Modifies WinLogon
  - Sets desktop wallpaper using registry
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe  (depth 2)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe  (depth 3)
      command line: taskkill /f /im explorer.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe  (depth 3)
      command line: taskkill /f /im taskmgr.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\WMIC.exe  (depth 3)
      command line: wmic useraccount where name='Admin' set FullName='UR NEXT'
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\WMIC.exe  (depth 3)
      command line: wmic useraccount where name='Admin' rename 'UR NEXT'
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\shutdown.exe  (depth 3)
      command line: shutdown /f /r /t 0
- C:\Windows\system32\LogonUI.exe  (depth 1)
  command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe  (depth 1)
  command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\one.rtf
  Filesize: 403B
  MD5: 6fbd6ce25307749d6e0a66ebbc0264e7
  SHA1: faee71e2eac4c03b96aabecde91336a6510fff60
  SHA256: e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690
  SHA512: 35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064
- C:\Users\Admin\AppData\Local\Temp\rniw.exe
  Filesize: 76KB
  MD5: 9232120b6ff11d48a90069b25aa30abc
  SHA1: 97bb45f4076083fca037eee15d001fd284e53e47
  SHA256: 70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be
  SHA512: b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877
- C:\Users\Admin\AppData\Local\Temp\v.mp4
  Filesize: 81KB
  MD5: d2774b188ab5dde3e2df5033a676a0b4
  SHA1: 6e8f668cba211f1c3303e4947676f2fc9e4a1bcc
  SHA256: 95374cf300097872a546d89306374e7cf2676f7a8b4c70274245d2dccfc79443
  SHA512: 3047a831ed9c8690b00763061807e98e15e9534ebc9499e3e5abb938199f9716c0e24a83a13291a8fd5b91a6598aeeef377d6793f6461fc0247ec4bbd901a131
- C:\Users\Admin\AppData\Local\Temp\windl.bat
  Filesize: 771B
  MD5: a9401e260d9856d1134692759d636e92
  SHA1: 4141d3c60173741e14f36dfe41588bb2716d2867
  SHA256: b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7
  SHA512: 5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6
- C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt
  Filesize: 396B
  MD5: 9037ebf0a18a1c17537832bc73739109
  SHA1: 1d951dedfa4c172a1aa1aae096cfb576c1fb1d60
  SHA256: 38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48
  SHA512: 4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f
- memory/1548-838-0x0000000002E10000-0x0000000002E11000-memory.dmp
  Filesize: 4KB
- memory/2868-29-0x00000000026C0000-0x00000000026CA000-memory.dmp
  Filesize: 40KB
- memory/2868-32-0x0000000002640000-0x0000000002641000-memory.dmp
  Filesize: 4KB
- memory/2868-15-0x0000000000970000-0x000000000097A000-memory.dmp
  Filesize: 40KB
- memory/2868-28-0x00000000026A0000-0x00000000026AA000-memory.dmp
  Filesize: 40KB
- memory/2868-27-0x00000000026A0000-0x00000000026AA000-memory.dmp
  Filesize: 40KB
- memory/2868-26-0x000000006B860000-0x000000006BB72000-memory.dmp
  Filesize: 3.1MB
- memory/2868-0-0x0000000074610000-0x0000000074CFE000-memory.dmp
  Filesize: 6.9MB
- memory/2868-31-0x0000000004950000-0x000000000495A000-memory.dmp
  Filesize: 40KB
- memory/2868-30-0x0000000004950000-0x000000000495A000-memory.dmp
  Filesize: 40KB
- memory/2868-17-0x00000000049C0000-0x0000000004A00000-memory.dmp
  Filesize: 256KB
- memory/2868-16-0x0000000000970000-0x000000000097A000-memory.dmp
  Filesize: 40KB
- memory/2868-2-0x00000000049C0000-0x0000000004A00000-memory.dmp
  Filesize: 256KB
- memory/2868-841-0x000000006B860000-0x000000006BB72000-memory.dmp
  Filesize: 3.1MB
- memory/2868-840-0x00000000049C0000-0x0000000004A00000-memory.dmp
  Filesize: 256KB
- memory/2868-839-0x0000000074610000-0x0000000074CFE000-memory.dmp
  Filesize: 6.9MB
- memory/2868-842-0x0000000004950000-0x0000000004955000-memory.dmp
  Filesize: 20KB
- memory/2868-1-0x00000000009C0000-0x000000000106E000-memory.dmp
  Filesize: 6.7MB
- memory/2960-843-0x0000000002AB0000-0x0000000002AB1000-memory.dmp
  Filesize: 4KB