Analysis Overview
SHA256
734403a96fad68cb2ef2b340adddd9cadd5894007aac703dcdb4a4cb8326c538
Threat Level: Likely malicious
The file eeeeeeeeeeeeee.zip was found to be: Likely malicious.
Malicious Activity Summary
Disables Task Manager via registry modification
Enumerates connected drives
Modifies WinLogon
Sets desktop wallpaper using registry
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Kills process with taskkill
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-15 23:13
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-15 23:12
Reported
2024-09-15 23:14
Platform
win11-20240802-en
Max time kernel
6s
Max time network
22s
Command Line
Signatures
Disables Task Manager via registry modification
Enumerates connected drives
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" | C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\000\[email protected] | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Control Panel\Desktop\Wallpaper | C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\000\[email protected] | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\000\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\000\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile | C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\000\[email protected] | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico" | C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\000\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2842058299-443432012-2465494467-1000\{CD2347F6-A75D-431C-A9C4-6A0D0BA538B0} | C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\000\[email protected] | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\000\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\000\[email protected] | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\000\[email protected]
"C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\000\[email protected]"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' set FullName='UR NEXT'
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' rename 'UR NEXT'
C:\Windows\SysWOW64\shutdown.exe
shutdown /f /r /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a08055 /state1:0x41c64e6d
Network
Files
C:\Users\Admin\AppData\Local\Temp\windl.bat
| MD5 | a9401e260d9856d1134692759d636e92 |
| SHA1 | 4141d3c60173741e14f36dfe41588bb2716d2867 |
| SHA256 | b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7 |
| SHA512 | 5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Temp\rniw.exe
| MD5 | 9232120b6ff11d48a90069b25aa30abc |
| SHA1 | 97bb45f4076083fca037eee15d001fd284e53e47 |
| SHA256 | 70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be |
| SHA512 | b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877 |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 47b35ef5a779acc476fe696cf618ad94 |
| SHA1 | f330a543fe7fed7b55b701f956f4ecb428f6db50 |
| SHA256 | fc8aa4c9aa4a369949d294149ce5100491013f8e847dd6f5511c2ee31ed0a91d |
| SHA512 | 780151ef86ac23db35c6964a19613d74c7fab1bfbf71295f195a60ca62ac898e41acfe8a878aa25af6a4aaafe452b4bd06063474e3fd962ac2837c072a89ed1c |
C:\Users\Admin\AppData\Local\Temp\text.txt
| MD5 | 9037ebf0a18a1c17537832bc73739109 |
| SHA1 | 1d951dedfa4c172a1aa1aae096cfb576c1fb1d60 |
| SHA256 | 38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48 |
| SHA512 | 4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f |
C:\Users\Admin\AppData\Local\Temp\one.rtf
| MD5 | 6fbd6ce25307749d6e0a66ebbc0264e7 |
| SHA1 | faee71e2eac4c03b96aabecde91336a6510fff60 |
| SHA256 | e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690 |
| SHA512 | 35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064 |