3b64ce283febf3207dd20c99fc53de65b07044231eb544c4c41de374a2571c5c

Analysis

max time kernel
1799s
max time network
1441s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-08-2024 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinXP.Horror.Destructive (Created By WobbyChip).exe
Size

57.9MB
MD5

063ea883f8c67d3bb22e0a465136ca4c
SHA1

3a168a9153ee32b86d9a5411b0af13846c55ee1d
SHA256

3b64ce283febf3207dd20c99fc53de65b07044231eb544c4c41de374a2571c5c
SHA512

2dd6be23a5af8c458b94eeb5a4e83fc8cacb3fd2c2566b5682eee286c01726dca90db3d9b4e218eeded9b0c9bce8ba3c9ca9cc497e3a57aab580633a038e4b74
SSDEEP

1572864:aj6L5PLk/mBCSyKOYl39GFoFEujFMm+B997DaNHN1oS72fnD9hRzZ01tO0DpvrvI:i6cSzV9GCFEujFMm+B997DaNHN1oS72X

Score

10^/10

bootkit discovery evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "0"	WinXP.Horror.Destructive (Created By WobbyChip).exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinXP.Horror.Destructive (Created By WobbyChip).exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WinXP.Horror.Destructive (Created By WobbyChip).exe

Disables Task Manager via registry modification
evasion

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinXP.Horror.Destructive (Created By WobbyChip).exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WinXP.Horror.Destructive (Created By WobbyChip).exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	WinXP.Horror.Destructive (Created By WobbyChip).exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinXP.Horror.Destructive (Created By WobbyChip).exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Mouse	WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Mouse\SwapMouseButtons = "1"	WinXP.Horror.Destructive (Created By WobbyChip).exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe
2052	WinXP.Horror.Destructive (Created By WobbyChip).exe

System policy modification 1 TTPs 5 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"	WinXP.Horror.Destructive (Created By WobbyChip).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WinXP.Horror.Destructive (Created By WobbyChip).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinXP.Horror.Destructive (Created By WobbyChip).exe

C:\Users\Admin\AppData\Local\Temp\WinXP.Horror.Destructive (Created By WobbyChip).exe
"C:\Users\Admin\AppData\Local\Temp\WinXP.Horror.Destructive (Created By WobbyChip).exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:2052

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2052-0-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2052-1-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2052-2-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2052-3-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download
memory/2052-4-0x0000000000400000-0x0000000003DF3000-memory.dmp

Filesize
57.9MB

Download